Privacy & Cookie Policy

Second Stage GmbH (hereinafter referred to as "we", "us", or "our") is committed to protecting the privacy of our users. This Privacy & Cookie Policy outlines how we collect, use, and protect your personal information when you use the TRACKS marketing intelligence platform at tracks.secondstage.io (the "Platform").

Data Controller: Second Stage GmbH, Roedernstrasse 5, 13053 Berlin, Germany
Contact: hello@secondstage.io

Last updated: March 31, 2026

We collect the following categories of personal data:

1.1 Account Data

When you register and use TRACKS, we collect:

• Email address (required for registration and authentication)
• Name (optional, max 30 characters)
• Company name (optional, max 50 characters)
• Job title (optional, max 50 characters)
• Department (optional, max 50 characters)
• LinkedIn profile URL (optional, max 250 characters)
• Profile avatar image (optional, up to 2MB; JPEG, PNG, GIF or WebP)

1.2 Usage Data

We automatically collect limited usage data to ensure the functionality of the Platform:

• Last seen timestamp (updated at most every 10 minutes of activity)
• Dashboard preferences (sorting order, filter settings)
• Account creation and modification timestamps

1.3 Game and Campaign Data

When you create games and campaigns on the Platform, we store:

• Game metadata (name, platforms, Steam ID, release date, images)
• UTM tracking link configurations
• Game landing page URLs
• Team membership and invitation data

1.4 Data We Do Not Collect

TRACKS does not use third-party analytics or tracking pixels (such as Google Analytics, Mixpanel, or similar services). We do not track your browsing behaviour, perform session recording, or use heatmap tools.

We process your personal data for the following purposes:

• Authentication and account management: To create your account, authenticate you via magic link, and maintain your session.
• Service provision: To provide the TRACKS marketing intelligence platform, including campaign dashboards, UTM link generation, and attribution tracking features.
• Team collaboration: To enable invitations to games and manage team memberships.
• Transactional communications: To send sign-in links, sign-up confirmations, and game invitations via email.
• Customer support: To provide assistance through our integrated support widget.
• Error monitoring: To detect, diagnose and resolve technical issues with the Platform.

We process your personal data on the following legal bases under the GDPR:

• Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide the TRACKS platform and fulfil our contractual obligations, including account creation, authentication, and service delivery.
• Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for error monitoring, platform security, and improvement of our services.
• Consent (Art. 6(1)(a) GDPR): Where you have given consent, for example when providing optional profile information or accepting non-essential cookies.
• Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws and regulations.

TRACKS uses a passwordless "Magic Link" authentication system. When you sign in, a time-limited link is sent to your email address. Clicking this link authenticates you via a cryptographically signed JWT (JSON Web Token) using EdDSA (Ed25519) encryption.

• Sign-in and sign-up tokens expire after 15 minutes.
• Invitation tokens expire after 48 hours.
• Your authenticated session is maintained via a signed and encrypted cookie.
• All connections to the Platform are encrypted via HTTPS/TLS.

No passwords are stored or transmitted at any point.

We use the following third-party services to operate the Platform:

5.1 Mailjet (Email Delivery)

We use Mailjet as our transactional email provider to send sign-in links, sign-up confirmations, and game invitations. Mailjet processes your email address and email content on our behalf. Emails are transmitted via TLS encryption.

Provider: Mailjet SAS, Paris, France.
Privacy Policy: https://www.mailjet.com/privacy-policy/

5.2 Cloudflare R2 (File Storage)

User-uploaded files (profile avatars and game images) are stored on Cloudflare R2, an S3-compatible object storage service. Files are validated for type and size before upload.

Provider: Cloudflare, Inc., San Francisco, USA.
Privacy Policy: https://www.cloudflare.com/privacypolicy/

5.3 AppSignal (Error Monitoring)

We use AppSignal for application performance monitoring and error tracking. This helps us detect and resolve technical issues. AppSignal may process request metadata (such as IP addresses and request paths) as part of error reports.

Provider: AppSignal B.V., Amsterdam, Netherlands.
Privacy Policy: https://www.appsignal.com/privacy-policy

5.4 Help Scout (Customer Support)

We use the Help Scout Beacon widget to provide in-app customer support. When you interact with the support widget, Help Scout may collect usage data such as your browser type and pages visited within the Platform.

Provider: Help Scout, Inc., Boston, USA.
Privacy Policy: https://www.helpscout.com/company/legal/privacy/

5.5 Heroku (Hosting)

The Platform is hosted on Heroku, a cloud platform service. Heroku processes data necessary for hosting, including server logs that may contain IP addresses and request information.

Provider: Salesforce, Inc., San Francisco, USA.
Privacy Policy: https://www.salesforce.com/company/privacy/

6.1 Essential Cookies

The Platform uses the following essential cookies that are strictly necessary for its operation:

• Authentication cookie (signed and encrypted): Stores your authenticated user session. Without this cookie, you cannot remain signed in to the Platform.
• CSRF token: A security token embedded in pages to protect against cross-site request forgery attacks.

These cookies are necessary for the Platform to function and cannot be disabled.

6.2 Third-Party Cookies

The Help Scout Beacon widget may set cookies for customer support functionality. Please refer to the Help Scout Privacy Policy for details on their cookie usage.

6.3 Managing Cookies

You can manage or delete cookies through your browser settings. Please note that disabling essential cookies will prevent you from using the Platform. For instructions on managing cookies, consult your browser's help documentation:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Edge

We retain your personal data for as long as your account is active and as required to provide the services under our agreement. Specifically:

• Account data: Retained for the duration of your account. Upon termination of the contractual relationship, data is made available for download for two (2) weeks, after which your account and associated data are deleted.
• Uploaded files: Profile avatars and game images are retained for the duration of your account and deleted upon account termination.
• Transactional emails: Email delivery records are retained by our email provider (Mailjet) in accordance with their retention policies.
• Error logs: Technical error data is retained by AppSignal in accordance with their retention policies.

We may retain certain data beyond account termination where required by law (e.g. tax or commercial law obligations).

Some of our third-party service providers are located outside the European Economic Area (EEA), in particular in the United States. Where data is transferred to countries outside the EEA, we ensure adequate safeguards are in place, such as:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• EU-U.S. Data Privacy Framework certification of the recipient

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and obtain a copy of it.
• Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data. You can update most of your profile information directly through the Platform.
• Right to erasure (Art. 17 GDPR): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected.
• Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data under certain circumstances.
• Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR): You may object to the processing of your personal data where processing is based on legitimate interests.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at hello@secondstage.io.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Second Stage GmbH is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

TRACKS is a business-to-business platform intended for use by entrepreneurs and professionals. We do not knowingly collect personal data from children under the age of 16. If you believe that we have inadvertently collected data from a child, please contact us at hello@secondstage.io so we can promptly delete it.

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on the Platform. The "Last updated" date at the top of this policy indicates when it was last revised.

We encourage you to review this policy periodically.

If you have questions or concerns about this Privacy & Cookie Policy or our data practices, please contact us at:

Second Stage GmbH
Roedernstrasse 5
13053 Berlin
Germany

Email: hello@secondstage.io