how we handle your data
plain-english summary first · GDPR-compliant detail below · last updated 2026-05-04
- your uploaded TMX files are deleted from storage the moment cleaning finishes — never reused, never shared.
- cleaned outputs auto-expire from storage 24 hours after completion.
- we keep your email, signup IP, and job history metadata (file size, timestamps, segment counts — never content) until you ask us to delete the account.
- no advertising trackers, no analytics scripts, no marketing emails. payment is via Stripe — we never see your card.
- everything is hosted in the EU (Hetzner Germany / Cloudflare R2 EU jurisdiction / Mailgun EU).
━━ who we are
TM Cleaner is operated by terratra. For data-protection enquiries, requests to access / delete your data, or any other privacy questions, email hello@terratra.com. We aim to respond within 30 days of any GDPR data-subject request.
━━ what we collect, and why
| data | why | legal basis | retained |
|---|---|---|---|
| email address | account identity · magic-link sign-in · account-related notifications (only if you initiated them) | contract (Art. 6(1)(b)) | until account deletion |
| signup IP address | rate-limit / anti-abuse (cap free-tier accounts per IP) | legitimate interest (Art. 6(1)(f)) — preventing platform abuse | until account deletion |
| uploaded TMX files | the cleaning operation you requested | contract | hard-deleted the moment cleaning completes (typically minutes) |
| cleaned output files | letting you download the result | contract | 24 hours after cleaning completes (then auto-purged via R2 lifecycle); you can also manually delete from the dashboard at any time |
| job history metadata | filename, size, segment counts, removed counts, timestamps, cost — for your dashboard view + billing reconciliation. NEVER segment text content. | contract + legitimate interest | until account deletion |
| Stripe customer ID + card metadata | processing top-up payments. WE NEVER SEE OR STORE YOUR CARD — Stripe stores it; we keep only their reference id (cus_…). | contract + legal obligation (tax records) | Stripe retains payment records per their policy + applicable tax law (typically 7-10 years) |
| session cookie | keeps you signed in. ONE cookie, signed, SameSite=Lax, HttpOnly, Secure. No tracking, no advertising id. | strictly necessary (no consent required under GDPR / ePrivacy) | 7 days · refreshed on each visit · cleared on sign-out |
━━ who we share data with
We use a small, deliberate set of EU-based subprocessors. Each is contractually bound to GDPR-compliant handling of your data. We do NOT share or sell your data to advertisers, brokers, or anyone else.
| processor | purpose | data location |
|---|---|---|
| Hetzner Online GmbH | application + database hosting | Germany (EU) |
| Cloudflare R2 | file storage (uploads + outputs) | EU jurisdiction |
| Mailgun (EU) | transactional email (magic links + contact replies) | EU (api.eu.mailgun.net) |
| Stripe | payment processing | global · GDPR-certified · DPA in place |
━━ your rights under GDPR
As a data subject in the EU/EEA you have the following rights. To exercise any of them, email hello@terratra.com from the email address tied to your account. We respond within 30 days (Art. 12(3)).
- ✓ access (Art. 15) — get a copy of every piece of data we hold on you
- ✓ rectification (Art. 16) — correct any inaccurate data
- ✓ erasure / "right to be forgotten" (Art. 17) — delete your account and everything in it (we keep tax-mandated billing records minimally; everything else goes)
- ✓ portability (Art. 20) — export your job history as machine-readable JSON / CSV
- ✓ restriction (Art. 18) + objection (Art. 21) — pause processing or object to legitimate-interest processing (the signup-IP rate limit)
- ✓ complaint to a supervisory authority — you can file with your local DPA at any time. We'd rather you give us a chance to fix it first, but the right is yours.
━━ what we do NOT do
- ✗ no advertising · no ad networks · no third-party trackers
- ✗ no Google Analytics · no Hotjar · no Sentry by default (operator opt-in)
- ✗ no selling, renting, or "sharing" data with brokers
- ✗ no marketing emails (transactional only — sign-in links, billing receipts, account-critical notices)
- ✗ no training of AI / ML models on your TM content. ever.
- ✗ no profile-fingerprinting (we don't hash IPs to track returning visitors)
━━ international transfers
Operational data (uploads, outputs, account, billing metadata) stays in the EU. The single exception is Stripe — payment processing that may transit the United States under their EU Data Processing Addendum (Standard Contractual Clauses, GDPR-compliant transfer mechanism).
━━ security
TLS 1.2+ on every connection · HSTS preload · strict CSP · XXE-safe XML parsing (defusedxml) · no password storage (magic-link auth) · 7+ external security audit passes against the cleaning + billing surfaces. Full posture documented at /under-the-hood.
In the unlikely event of a personal-data breach we will notify the relevant supervisory authority within 72 hours (Art. 33) and notify affected users without undue delay (Art. 34).
━━ changes to this policy
We'll update the "last updated" date at the top of this page when something material changes. Substantive changes (new processor, new data category, retention-period extension) will also be emailed to active accounts at least 30 days before they take effect.