Privacy Policy

Last updated: January 16, 2025

1. Introduction

gtmTower ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website and browser extension (collectively, the "Service").

We comply with the Swiss Federal Act on Data Protection (FADP/DSG), the revised Swiss Data Protection Act (nDSG), and the European General Data Protection Regulation (GDPR) where applicable.

2. Data Controller

The data controller responsible for your personal data is:

Marc Waser

Letzigraben 114

8047 Zurich, Switzerland

marc@gtmtower.com

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Name
  • Email address
  • Profile picture (if provided via Google OAuth)

3.2 Google Account Data

To use the gtmTower browser extension, you must connect your Google account. We access:

  • Google account identifier
  • OAuth access and refresh tokens (to interact with Google Tag Manager on your behalf)
  • Basic profile information (name, email, profile picture)

We only access Google Tag Manager data that you explicitly authorize. We do not access any other Google services or data beyond what is necessary for the Service to function.

3.3 Payment Information

Payment processing is handled by Stripe. We do not store your full credit card number, CVC, or other sensitive payment details on our servers. We receive and store:

  • Stripe customer ID
  • Subscription status and plan details
  • Billing period information
  • Last four digits of your card (for display purposes)

3.4 Technical Data

  • IP address (anonymized for analytics)
  • Browser type and version
  • Device information
  • Pages visited and interactions with our Service

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Provision: To create and manage your account, authenticate you, and provide the gtmTower Service
  • Google Tag Manager Integration: To interact with Google Tag Manager on your behalf through the browser extension
  • Payment Processing: To process subscriptions and payments through Stripe
  • Communication: To send transactional emails (account confirmation, password reset, subscription updates)
  • Analytics: To understand how our Service is used and improve it
  • Legal Compliance: To comply with applicable laws and regulations

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on:

  • Contract Performance: Processing necessary to provide the Service you requested (Art. 6(1)(b) GDPR)
  • Legitimate Interests: Processing for analytics and service improvement, where our interests do not override your rights (Art. 6(1)(f) GDPR)
  • Consent: Where you have given explicit consent for specific processing activities (Art. 6(1)(a) GDPR)
  • Legal Obligation: Processing necessary to comply with legal requirements (Art. 6(1)(c) GDPR)

6. Third-Party Services and Data Transfers

We use the following third-party services to operate gtmTower. Some of these services are located outside Switzerland and the EEA, which means your data may be transferred internationally.

6.1 Stripe (Payment Processing)

  • Purpose: Payment processing and subscription management
  • Location: United States
  • Safeguards: Stripe is certified under the EU-U.S. Data Privacy Framework. Stripe complies with PCI-DSS standards.
  • Privacy Policy: stripe.com/privacy

6.2 Resend (Email Service)

  • Purpose: Sending transactional emails
  • Location: United States
  • Data Processed: Email address, name
  • Safeguards: Standard Contractual Clauses (SCCs)
  • Privacy Policy: resend.com/legal/privacy-policy

6.3 Google (OAuth Authentication)

  • Purpose: User authentication and Google Tag Manager API access
  • Location: United States
  • Safeguards: Google is certified under the EU-U.S. Data Privacy Framework
  • Privacy Policy: policies.google.com/privacy

6.4 Hetzner (Hosting)

6.5 Umami Analytics

  • Purpose: Privacy-focused website analytics
  • Location: Self-hosted in Germany (Hetzner)
  • Data Processed: Anonymized IP address, page views, browser information
  • Note: Umami is a privacy-focused analytics tool that does not use cookies and does not track personal data

7. Cookies and Tracking

We use only essential cookies that are strictly necessary for the Service to function:

  • Session Cookies: To keep you logged in and maintain your session
  • Security Cookies: To protect against cross-site request forgery (CSRF)

We do not use marketing, advertising, or third-party tracking cookies. Our analytics solution (Umami) is cookie-free and privacy-focused.

8. Data Retention

We retain your personal data as follows:

  • Account Data: Retained while your account is active. Deleted immediately upon account deletion.
  • Payment Records: Retained for the period required by applicable tax and accounting laws (typically 10 years in Switzerland).
  • Analytics Data: Anonymized and aggregated data may be retained indefinitely for statistical purposes.

9. Your Rights

Under the Swiss Data Protection Act and GDPR, you have the following rights:

  • Right of Access: Request information about the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Request limitation of processing in certain circumstances
  • Right to Data Portability: Request a copy of your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at marc@gtmtower.com.

You also have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, you may contact the supervisory authority in your country of residence.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive data at rest
  • Regular security assessments
  • Access controls and authentication mechanisms
  • Secure hosting infrastructure in Germany

11. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at marc@gtmtower.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Marc Waser

Letzigraben 114

8047 Zurich, Switzerland

marc@gtmtower.com