pointeron
FeaturesUse CasesPricingStoreDocsAPI
Sign UpLog in

Privacy Policy

Last updated: March 15, 2026

1. Data Controller

The data controller responsible for your personal data is:

revelbit d.o.o.
Jesenje 23D
1281 Kresnice
Slovenia, European Union
Email: privacy@pointeron.com

Data Protection Officer
Email: dpo@pointeron.com

2. What Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

  • Name, email address, and password (hashed) when you create an account
  • Organization name and billing address
  • Payment information (processed by Stripe — we do not store full card numbers)

2.2 Location Data

  • GPS coordinates, speed, heading, altitude, and accuracy of tracked devices
  • Timestamps associated with location points
  • Device identifiers (IMEI, serial numbers, iCloud device IDs)

2.3 Usage Data

  • API request logs (IP address, endpoint, timestamp, response code)
  • Browser type, operating system, and device type when accessing the dashboard
  • Session data for authentication and security purposes

2.4 iCloud Data

  • Apple ID credentials (encrypted at rest) when you connect iCloud devices
  • Only location data is accessed from iCloud — we never read messages, photos, contacts, or other personal content

2.5 Data About Tracked Persons

If you are a tracked person (someone whose location is being monitored through Pointeron), your location data is collected indirectly through the tracking device or service configured by the organization. In accordance with GDPR Article 14, you are informed about this data collection through the consent request email and consent management page provided to you before tracking begins.

3. Legal Basis for Processing

Under Article 6 of the GDPR, we process your data based on:

  • Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Pointeron platform and services you have subscribed to
  • Legitimate interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, service improvement, and troubleshooting
  • Legal obligation (Art. 6(1)(c)) — Tax and accounting records, responding to lawful requests from authorities
  • Consent (Art. 6(1)(a)) — Marketing communications (you may withdraw consent at any time)

Specifically:

  • Account creation and authentication — Contract performance (Art. 6(1)(b))
  • Location tracking and geofencing — Contract performance (Art. 6(1)(b)) for the account holder; Consent (Art. 6(1)(a)) for tracked persons
  • Payment processing — Contract performance (Art. 6(1)(b))
  • Security monitoring and fraud prevention — Legitimate interest (Art. 6(1)(f))
  • Tax and accounting records — Legal obligation (Art. 6(1)(c))
  • Marketing communications — Consent (Art. 6(1)(a))

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights. You may request a copy of our Legitimate Interest Assessment by contacting privacy@pointeron.com. You have the right to object to processing based on legitimate interest at any time under Article 21.

Providing your personal data is necessary to use the Pointeron platform. If you choose not to provide certain data (such as account details or payment information), you may not be able to use some or all features of the Service. Providing location data for tracking purposes is voluntary and based on consent.

4. How We Use Your Data

  • Providing real-time location tracking, geofencing, and alert services
  • Processing payments and managing subscriptions
  • Sending transactional notifications (geofence alerts, system notifications)
  • Maintaining security and preventing unauthorized access
  • Improving the platform based on aggregated, anonymized usage patterns
  • Responding to support requests

5. Data Sharing and Third Parties

We share personal data only with the following categories of recipients:

  • Stripe, Inc. — Payment processing (PCI DSS Level 1 certified). See Stripe's Privacy Policy.
  • Apple Inc. — iCloud location data retrieval (only when you connect iCloud devices)
  • Infrastructure providers — Cloud hosting within the EU for data storage and processing
  • Error tracking — Self-hosted GlitchTip for error monitoring (no data leaves our infrastructure)

We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising purposes.

6. International Data Transfers

Your data is stored and processed within the European Union. When third-party processors (such as Stripe) transfer data outside the EU, they do so under Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms under Chapter V of the GDPR.

7. Data Retention

  • Account data — Retained for the duration of your account plus 30 days after deletion
  • Location data — Retained according to your plan's data retention period (default: 90 days). Configurable per organization.
  • Billing records — Retained for 10 years as required by Slovenian tax law (ZDavP-2)
  • API logs — Retained for 90 days for security and debugging purposes
  • iCloud credentials — Deleted immediately upon device removal or account deletion

8. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

  • Right of access (Art. 15) — Request a copy of your personal data. You are entitled to one free copy of your personal data
  • Right to rectification (Art. 16) — Correct inaccurate personal data
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
  • Right to restriction (Art. 18) — Restrict processing of your data under certain conditions
  • Notification obligation (Art. 19) — We will communicate any rectification, erasure, or restriction of your data to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort
  • Right to data portability (Art. 20) — Export your data in structured JSON format at any time from the Data Export page in the dashboard, or programmatically via the API
  • Right to object (Art. 21) — Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing
  • Automated decision-making (Art. 22) — We do not make automated decisions about you based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you

To exercise any of these rights, contact us at privacy@pointeron.com. We will respond within 30 days as required by the GDPR.

For tracked persons: If you are an individual being tracked through Pointeron, you can exercise your right to data access and data deletion directly from your consent management page without needing to contact us by email.

9. Administrative Data Access

When our support team needs to access your organization's data for troubleshooting or support purposes:

  • Consent required — Administrators must submit a formal Data Access Request specifying the reason, data scopes, and duration before accessing any organization data
  • Owner approval — The organization owner must explicitly approve each request before any access is granted
  • Scope-limited — Access is restricted to only the specific data categories approved (e.g., assets, devices, locations)
  • Time-limited — Each access session has a maximum duration. Access automatically expires when the time limit is reached
  • Revocable — Organization owners can revoke access at any time during an active session
  • Fully audited — Every access request, approval, denial, session start, and session end is recorded in the immutable activity log, visible to the organization owner

You can view and manage all data access requests from the Support page in your dashboard.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Hashed passwords using Argon2id
  • Role-based access control within the platform
  • Consent-based administrative data access with full audit trail
  • Regular security audits and vulnerability assessments
  • Automated monitoring for unauthorized access attempts

See our Security page for more details.

11. Cookies

We use the following cookies:

  • Session cookie (essential) — Maintains your authenticated session. Expires after 120 minutes of inactivity.
  • Theme preference (functional) — Stores your dark/light mode preference. No personal data.
  • CSRF token (essential) — Prevents cross-site request forgery attacks.

We do not use advertising cookies, tracking pixels, or analytics cookies that identify individual users.

12. Consent for Tracking Persons

If you use Pointeron to share or view the location of individuals (such as family members, employees, or team members), you are solely responsible for obtaining and maintaining valid, informed consent from each tracked person in accordance with applicable law, including GDPR Article 6 and any applicable employment or family law.

  • Each tracked individual must be aware that their location is being shared and must have agreed to it
  • Tracked individuals must be able to withdraw consent and disable location sharing at any time
  • Using Pointeron to monitor another person without their knowledge or consent may constitute a criminal offense under EU and national law, including Directive (EU) 2024/1385 and applicable criminal codes
  • For employee tracking, employers must conduct a Data Protection Impact Assessment (DPIA) and limit tracking to working hours unless specific justification exists

Tracked individuals can exercise their GDPR data rights directly from their consent management page, without needing to contact us by email:

  • Data access (Art. 15) — Request a JSON export of all location data collected about them. The export is generated automatically and available for download for 7 days.
  • Data deletion (Art. 17) — Request permanent deletion of all their location data. Deletion is processed automatically and both parties receive confirmation.
  • Pause or withdraw — Temporarily pause or permanently withdraw tracking consent at any time.

All data subject requests are tracked with a 30-day fulfillment deadline, full audit trail, and status visibility for both the tracked person and the organization.

13. Children's Privacy

Pointeron is not directed at children under the age of 15. We do not knowingly collect personal data from children. If we become aware that a child under 15 has provided us with personal data, we will delete it promptly. In Slovenia, the age of digital consent is 15 under ZVOP-2. Parental or guardian consent is required for users under this age.

14. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia:

Informacijski pooblaščenec Republike Slovenije
Dunajska cesta 22
1000 Ljubljana, Slovenia
Phone: +386 1 230 97 30
Website: www.ip-rs.si

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the dashboard. The "Last updated" date at the top reflects the most recent revision.

16. Contact

For any privacy-related questions or requests:
revelbit d.o.o.
Email: privacy@pointeron.com
Address: Jesenje 23D, 1281 Kresnice, Slovenia

Privacy Policy | Pointeron