trackslash Privacy Notice
Version: 2026-07-18
Last updated: 18 July 2026
This notice explains how Bad Bundle Limited handles personal information for the development preview at trackslash.com (the Preview). It does not cover independent installations of the open-source track-slash software; the operator of each independent installation is responsible for its own privacy practices.
Who we are
Bad Bundle Limited is a company registered in England and Wales under company number 16035056. Our registered office is Silverstream House, 4th Floor, 45 Fitzroy Street, Fitzrovia, London, United Kingdom, W1T 6EB.
For privacy questions or requests, contact [email protected].
Information we handle
Depending on how you use the Preview, we handle:
- Account information: username, display name, optional email address, profile image, account identifiers, and account dates.
- Authentication information: password hashes, passkey public-key material and metadata, hashed session and API tokens, token names, expiry dates, and last-used dates. We do not receive the biometric or device secret used to unlock a passkey.
- Project content: projects, memberships, issues, comments, sprints, context pages, tags, links, descriptions, attachments, filenames, and related activity metadata.
- Technical and security information: IP addresses, request paths, timestamps, request identifiers, error details, rate-limit activity, and security events generated by the application or infrastructure.
- Communications: information you provide when reporting a problem, requesting privacy assistance, or discussing the Preview with us.
If you make a project public, project information and related content may be visible to people who are not signed in.
Why we use it
We use personal information to:
- create accounts and provide the Preview under the Preview Terms;
- authenticate users and enforce project permissions;
- store, display, and transmit content at users' direction;
- secure, diagnose, maintain, and improve the Preview;
- prevent misuse and enforce rate limits and acceptable-use rules;
- respond to security, privacy, and operational enquiries; and
- comply with legal obligations and protect legal rights.
Our lawful bases under UK data-protection law are performance of the Preview Terms, our legitimate interests in operating and securing an experimental service, and compliance with legal obligations. Where another basis is required for a particular use, we will identify it at the relevant time.
We do not currently use Preview information for advertising or automated decisions that produce legal or similarly significant effects.
Cookies and local credentials
The Preview uses essential cookies for signed-in sessions and cross-site request forgery protection. These cookies are required for account and security functions. The application does not currently set advertising or product-analytics cookies.
Service providers and disclosures
We use service providers to run and protect the Preview, including:
- Cloudflare for network delivery and security services;
- Google Cloud Storage for attachment and object storage; and
- infrastructure, database, logging, and backup providers used to operate the application.
These providers process information under their own contractual and security arrangements. We may also disclose information when required by law, to protect users or the Preview, or as part of a corporate reorganisation subject to appropriate safeguards.
Some providers may process information outside the United Kingdom. Where UK data-protection law requires safeguards for an international transfer, we use an applicable adequacy regulation, contractual safeguard, or other lawful transfer mechanism.
Retention
We keep account information and user content while an account or project remains active and while reasonably needed to operate the Preview. Deleted or closed information may remain for a limited period in logs, backups, or security records until those systems are rotated or the information is no longer needed.
Because the Preview is experimental, fixed retention periods have not yet been established for every category. We determine retention using operational need, security, dispute resolution, legal obligations, and the cost and risk of continued storage. We do not keep personal information indefinitely without a continuing reason.
Security and data loss
We use technical and organisational measures intended to protect Preview information, including hashed credentials, access controls, security headers, request limits, and private object storage. No system is completely secure, and the Preview is not ready for production use. Keep your own copies of important information.
Suspected vulnerabilities should be reported through the Security Policy.
Your rights
Depending on the circumstances, UK data-protection law may give you rights to access, correct, erase, restrict, or receive a copy of your personal information, and to object to certain processing. You may also withdraw consent where a use is based on consent.
Contact [email protected] to exercise a right. We may need to verify your identity before responding.
You may complain to the UK Information Commissioner's Office at ico.org.uk, although we encourage you to contact us first so we can try to resolve the issue.
Children
The Preview is not intended for anyone under 18. Please contact us if you believe a child has provided personal information through the Preview.
Changes
We may update this notice as the Preview, its infrastructure, or legal requirements change. The version and last-updated date identify the current notice.