Privacy Policy
Last updated: April 6, 2026
1. Introduction
CTRMotion (ctrmotion.com) respects your privacy. This policy describes what data we collect, how we use it, and how we protect it. By using our service, you agree to the practices described in this policy.
2. Data We Collect
| Category | Data |
|---|---|
| Account data | Name, email, password (hashed), Google OAuth profile |
| Organization data | Organization name, member list, roles |
| Billing data | Stripe customer ID, subscription ID, payment method (last 4 digits) |
| Listing data | Business names, addresses, search keywords |
| Visit data | Timestamps, status, metrics |
| Technical data | IP address, browser, device |
3. How We Use Your Data
- Providing and supporting the service
- Processing payments and managing billing
- Authentication and account security
- Improving the platform and developing new features
- Detecting and preventing security incidents
- Fulfilling legal obligations
4. Legal Basis for Data Processing (GDPR)
- Contract: Performance of the service agreement entered into with you
- Legitimate interest: Platform security, fraud prevention, service improvement
- Consent: For marketing communications, where required
- Legal obligation: Retention of tax and financial records
5. Third Parties
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, billing address | USA |
| Supabase | Database | All account data | USA |
| Google OAuth | Authentication | Email, name, photo | USA |
| OpenAI | AI search keywords | Anonymized business category data | USA |
| Grafana / Loki | Log monitoring | Technical logs (no PII) | USA |
| Resend | Email address | USA |
We do not sell your personal data to third parties.
6. International Data Transfers
The platform uses services that process data in the United States of America (Stripe, Supabase, OpenAI, Grafana Cloud).
For users in the European Union, data transfers are conducted on the basis of Standard Contractual Clauses (SCCs).
Each third party is responsible for its own data protection agreements.
7. Data Retention Periods
| Data type | Retention period |
|---|---|
| Active account | For the duration of the account |
| After account deletion | 30 days, then permanent deletion |
| After listing subscription cancellation | Visit and analytics data retained for 90 days |
| Billing records | 7 years |
| Technical logs | 30 days |
Note: Full account deletion and listing subscription cancellation are separate processes. Upon account deletion, all data is permanently removed within 30 days, whereas upon listing subscription cancellation, only visit and analytics data is retained for 90 days.
8. Data Security
We employ industry-standard security measures to protect your data:
- Data encryption at rest and in transit (TLS)
- Row Level Security (RLS) at the database level for organization isolation
- Password hashing (bcrypt)
- Multi-factor authentication (MFA) support
- Regular security audits and monitoring
9. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access: Request a copy of the data held about you
- Right to rectification: Correct inaccurate data
- Right to erasure: Request deletion of your data
- Right to restriction: Restrict the processing of your data
- Right to portability: Receive your data in a structured format
- Right to object: Object to the processing of your data
- Withdrawal of consent: Request cessation of consent-based processing
- Right to lodge a complaint: File a complaint with a supervisory authority (GDPR Article 77)
We do not engage in automated decision-making or profiling (GDPR Article 22).
To exercise these rights, please contact us at: privacy@ctrmotion.com
10. California Residents' Rights (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the right to:
- Request information about the personal data collected
- Request deletion of personal data
- Request correction of inaccurate personal data
- Limit the use of sensitive personal information
- Opt out of the sale or sharing of personal information
We do not sell or share personal information. To exercise your rights, please contact us at: privacy@ctrmotion.com
11. Do Not Track Signals
Our platform does not currently respond to “Do Not Track” browser signals.
12. Data Protection Officer (DPO)
A Data Protection Officer (DPO) has not been appointed at this time. For privacy-related inquiries, please contact us at: privacy@ctrmotion.com
13. Children's Privacy
The CTRMotion service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we discover that data from a person under 18 has been collected, we will promptly delete it.
14. Cookies
For detailed information about cookies, please refer to our Cookie Policy.
15. Changes to This Policy
We may periodically update this Privacy Policy. In the event of significant changes, we will notify you by email or through an in-platform notification. Continued use of the service following such changes constitutes acceptance of the updated policy.
16. Contact
For privacy-related inquiries, please contact us:
Email: privacy@ctrmotion.com