This privacy policy describes how Traffic Chart B.V. ("Traffic Chart", "we", "us") processes personal data of visitors to traffic-chart.com and users of the Traffic Chart software platform on app.traffic-chart.com. We are the data controller within the meaning of article 4(7) of the EU General Data Protection Regulation (GDPR).
Version of 18 May 2026. We publish the new version here on every material change, and active customers also receive an email notice.
1. Controller and contact
Traffic Chart B.V., registered at Rijsseltweg 10, 7211 EP Eefde, the Netherlands. Dutch Chamber of Commerce number 86454498. For the German-speaking market Traffic Chart GmbH operates in parallel (Karlsruhe, AG Mannheim HRB 758302); the German entity is joint controller for data of customers in the DACH region.
Privacy questions, GDPR requests and data-breach notifications go to customer@traffic-chart.com. We have not appointed a Data Protection Officer; our size does not trigger the article 37 GDPR requirement. The Dutch Autoriteit Persoonsgegevens is our lead supervisory authority.
2. Categories of personal data
2.1 Marketing site, contact submissions
When you fill in a form on an audience landing page (municipalities, events, professionals) or on /contact/, we process:
- first and last name;
- organisation or municipality;
- work email address;
- phone number (with country code);
- number of traffic plans or events per year (optional, only on the audience forms);
- free-form message (optional);
- IP address and browser user-agent string (technically necessary for spam detection via reCAPTCHA Enterprise);
- timestamp of the submission.
2.2 Marketing site, trial signups
When you create a free trial account, we process:
- first and last name;
- email address;
- language preference for the product;
- IP address and user-agent;
- reCAPTCHA score (a numeric risk indicator, not biometric);
- confirmation that you accepted these terms and this policy (date and time).
2.3 Product, app.traffic-chart.com
When you use the Traffic Chart platform to draft traffic plans or event maps, we process:
- account data: name, email, organisation, language preference, roles and permissions inside the account;
- authentication data: hashed password (we never store plain-text passwords), session tokens, multi-factor settings if enabled;
- plan data: the plans you draft, uploaded basemaps, sign placements, lengths, areas, share links, PDF exports;
- usage data: in-app page views, click events on editor functions, timestamps for plan creation and changes, exports;
- billing data: payment method, billing address, VAT number, transaction history. We never see full card data; that is processed by Stripe (see section 4).
2.4 Marketing site, automatic telemetry
To detect where visitors get stuck on forms we log anonymous lifecycle events (form viewed, first input, field invalid, submission succeeded or failed). These events contain no field values, only field names, error codes, and a per-session random UUID. We also keep standard Vercel server logs (HTTP method, status, path, IP) for up to 30 days.
3. Purposes and legal bases
For each processing activity we identify the purpose and the legal basis under article 6(1) GDPR.
- Performance of the contract (art. 6(1)(b)): creating your account, displaying, storing and exporting your plans, sending transactional email (welcome, password reset, invoice), billing and collection.
- Legitimate interest (art. 6(1)(f)): securing the platform against abuse (reCAPTCHA, rate-limiting, IP logging on forms), measuring funnel conversion and form friction on the marketing site, following up on leads who contacted us through a form, running customer relationship management. You can object to this processing at customer@traffic-chart.com.
- Consent (art. 6(1)(a)): newsletter, non-functional cookies, customer-logo use in marketing. You can withdraw consent at any time via the link in every email or by contacting us.
- Legal obligation (art. 6(1)(c)): retaining invoicing data under the Dutch fiscal retention period (7 years, article 52 AWR), cooperating with lawful requests from supervisory authorities and law enforcement.
We do not process special categories of personal data (article 9 GDPR) or criminal-conviction data (article 10 GDPR). You do not need to supply these to use the service.
4. Subprocessors and third parties
We engage subcontractors to deliver the service. Each subprocessor is bound by a data-processing agreement compliant with article 28 GDPR. Current list:
- Supabase Inc., database and backend, hosted in the EEA (Ireland). Stores form submissions, telemetry events and user accounts.
- Vercel Inc., hosting of the marketing site and API routes. Routes traffic via EU edges; logs retained up to 30 days.
- Brevo SA (Sendinblue), Belgium, transactional email (welcome, contact routing) and marketing automation.
- Google Ireland Limited, reCAPTCHA Enterprise for anti-spam on forms, and Google Tag Manager / Analytics for aggregate analytics. Processing under Google's Standard Contractual Clauses for any onward transfer to the US.
- Stripe Payments Europe Ltd., Ireland, payment processing for subscriptions and pay-as-you-go plans. We do not see full card data; Stripe is PCI-DSS Level 1 certified.
- OpenStreetMap Foundation, basemap tiles rendered inside the editor. When a map loads, your IP is sent by your browser to the OSM tile servers.
We do not sell personal data, and we do not share it with third parties for their own marketing purposes. We share only when (i) a subprocessor delivers the service for us, or (ii) a legal obligation compels us.
5. Transfers outside the EEA
Most processing takes place inside the European Economic Area. For processing by subprocessors with a US parent (Vercel, Google), we rely on the EU-US Data Privacy Framework certification or, where that does not apply, on the European Commission's Standard Contractual Clauses (4 June 2021), supplemented by a Transfer Impact Assessment per provider.
6. Retention
- Contact and quote requests: 24 months after the last interaction. If a customer relationship begins, the request data becomes part of the customer file and account retention applies.
- Active account data: for as long as the account exists and the service is taken up.
- Closed accounts: 12 months after termination, account data and plan content are permanently deleted. Earlier deletion on request is honoured within 30 days, except for data we must retain by law.
- Billing data: 7 years after the end of the fiscal year (article 52 AWR).
- Form telemetry (form_events table): 90 days, then auto-deleted.
- Server logs: 30 days.
- Newsletter subscription: until you unsubscribe. After unsubscribe we keep your email on a suppression list so we will not contact you again.
7. Cookies and similar technologies
- Functional: a locale cookie that remembers your language preference, a theme cookie for dark or light mode, and a session cookie for form telemetry. Placed without consent on the basis of article 11.7a(3) of the Dutch Telecommunications Act.
- Statistics, anonymous: Google Analytics with IP anonymisation and without advertising features. Used for aggregate visitor counts and source / medium reporting.
- Marketing: not active on the marketing site. No Facebook Pixel, no LinkedIn Insight Tag, no retargeting cookies.
On the product (app.traffic-chart.com) we place strictly functional cookies for authentication and session management. Disabling them in your browser prevents you from logging in.
8. Security
We apply appropriate technical and organisational measures under article 32 GDPR: end-to-end TLS on all connections, password hashing with bcrypt, least-privilege production access, automated database backups in a separate region, an annual external penetration test of the product, and a WCAG-EM accessibility audit (report linked in the site footer).
Suspect a vulnerability or a data breach? Email customer@traffic-chart.com with "security" in the subject. We acknowledge within one business day and report substantiated breaches to the Autoriteit Persoonsgegevens within 72 hours under article 33 GDPR.
9. Your rights
Under the GDPR you have the following rights:
- Access (art. 15), a copy of the personal data we process about you.
- Rectification (art. 16), correction of inaccurate or incomplete data.
- Erasure (art. 17, "right to be forgotten"), we delete your data, except where a legal retention obligation overrides.
- Restriction of processing (art. 18), we freeze processing while a dispute or correction request is pending.
- Portability (art. 20), we deliver the data you supplied in a structured, commonly used, machine-readable format (JSON or CSV).
- Objection (art. 21), against processing based on legitimate interest and against direct marketing.
- Withdraw consent (art. 7(3)), for processing where consent is the basis, without affecting the lawfulness of processing prior to withdrawal.
Exercise these rights at customer@traffic-chart.com. We reply within one month, extendable by two months for complex requests (art. 12(3)). We may ask for additional identification to verify your request, but do not require copies of passports or ID cards.
10. Complaints
If you disagree with how we handle your data, please contact us first. You also have the right to file a complaint with the Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ The Hague (autoriteitpersoonsgegevens.nl). German data subjects may also approach the Landesbeauftragte für den Datenschutz Baden-Württemberg (baden-wuerttemberg.datenschutz.de).
11. Automated decision-making
We do not take decisions based solely on automated processing (including profiling) that produce legal effects on you. reCAPTCHA Enterprise calculates a risk score per form submission, but a rejected submission never leads to an automated adverse decision. If your form gets blocked by mistake, contact us.
12. Changes
We update this policy when our processing changes or when law requires it. Material changes trigger an email notice to active customers. The last updated date is shown at the top. Earlier versions are available on request.
13. Contact
Traffic Chart B.V.
Rijsseltweg 10
7211 EP Eefde
The Netherlands
Email: customer@traffic-chart.com