1. Summary
We respect your privacy. This policy explains what personal data we collect about you, why we collect it, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (“GDPR”) and the Lithuanian Law on the Legal Protection of Personal Data.
- We collect account, billing, usage, support and website-visitor data about you (the “data subject”).
- For data our Customers upload about their Travellers, our Customer is the controller and we are a processor — see section 3.
- We use Stripe for payments, third-party providers for hosting, email and product analytics — see Subprocessors.
- You have a right to access, correct, delete, restrict, port your data, object to processing, and lodge a complaint with a supervisory authority.
2. Who we are
The controller of your personal data (for the data we process for our own purposes) is:
MB Travel Solutions (operating the “Deer Track” service)
Company code 306998943
V. Nagevičiaus g. 3
LT-08237 Vilnius
Lithuania
Email: privacy@deertrack.net
We have not appointed a statutory Data Protection Officer because we are not required to under GDPR Article 37. You can still reach our privacy team at the address above.
3. Our roles — controller vs. processor
We act in two distinct capacities depending on the data involved:
| Capacity | Data | Governs |
|---|---|---|
| Controller | Your account, billing, support, marketing and website-visitor data. | This Privacy Policy. |
| Processor | Personal data our Customers upload to the Service about their Travellers and contacts (e.g., names, emails, phone numbers, passport details, dietary or accessibility notes that a Customer chooses to record). | Our Data Processing Addendum; the Customer is the controller. |
4. What data we collect
4.1 Account & profile data
Name, email, password (hashed), role, profile image, language, time zone, team membership.
4.2 Billing data
Company name, billing address, VAT number, invoice history. Card data is collected by Stripe and never stored on our servers — we store a token reference.
4.3 Usage & device data
Pages and features you use, IP address, device and browser type, operating system, time stamps, referrer, language preferences, and diagnostic logs.
4.4 Support data
Communications you send us (email, chat, support tickets) and any attachments.
4.5 Marketing data
Where you have consented or where a soft opt-in applies: email open/click events, event registrations, content you download.
4.6 Customer Data uploaded by our Customers
We process this on behalf of the Customer (controller). It may include Traveller names, contacts, itineraries, supplier records, travel documents and any other content a Customer chooses to upload. We do not use Customer Data for our own purposes; see the DPA.
5. Why we use your data & legal bases
| Purpose | Categories of data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the Service to you | Account, usage, support | Contract performance (Art. 6(1)(b)) |
| Billing, invoicing, fraud prevention | Billing, usage, IP | Contract performance + legal obligation (Art. 6(1)(b),(c)) |
| Service security, debugging, abuse prevention | Usage, device, logs | Legitimate interests — operating a secure service (Art. 6(1)(f)) |
| Product analytics & improvement | Usage, aggregated | Legitimate interests — improving the Service (Art. 6(1)(f)); consent where required |
| Marketing emails about Deer Track | Email, marketing | Consent (Art. 6(1)(a)) or legitimate interests for existing customers in similar products (Art. 6(1)(f)) |
| Complying with tax, accounting and legal obligations | Account, billing | Legal obligation (Art. 6(1)(c)) |
| Defending or asserting legal claims | As needed | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have balanced them against your rights and freedoms. You can ask us for our balancing assessment.
6. Cookies & similar technologies
Our website and product use strictly necessary cookies (sign-in, security, load balancing), functional cookies (preferences), and — with your consent — analytics cookies. We do not use advertising or cross-site tracking cookies. For details and how to manage your consent, see our Cookie Notice.
7. Who we share data with
We share personal data only with:
- Subprocessors — vetted vendors who process data on our behalf (hosting, email delivery, analytics, payments). See the current list at /legal/subprocessors.
- Professional advisers — accountants, auditors, lawyers, insurers, under confidentiality.
- Acquirers — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continued protection of personal data.
- Authorities — where required by law, valid legal process, or to protect rights, safety, or property; we challenge overbroad requests and will notify you where lawful and feasible.
We do not sell personal data.
8. International transfers
Some subprocessors are located outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on:
- European Commission adequacy decisions (where they apply); or
- the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), with supplementary measures where appropriate.
For Stripe specifically, transfers are governed by Stripe’s data processing terms incorporating the SCCs. Other subprocessors and their transfer mechanisms are listed on the Subprocessors page.
9. Retention
- Account data — for the duration of your subscription, plus up to 30 days after termination during the export window, then deleted or anonymised within 90 days unless we are required to keep it longer.
- Billing & tax records — at least 10 years from the end of the relevant tax year, in line with Lithuanian tax law.
- Support communications — up to 3 years from last contact.
- Marketing preferences — until you withdraw consent or object.
- Server logs — typically 30–90 days, longer for security-relevant events.
- Customer Data — retained and deleted in accordance with the DPA and Customer instructions.
10. Security
We apply technical and organisational measures appropriate to the risk, such as encryption in transit (TLS) and at rest, least-privilege access controls, multi-factor authentication for administrative access, audit logging, vulnerability scanning, vendor due diligence, and an incident-response process. Detailed measures are listed in Annex II of the DPA. No internet service is perfectly secure; if you believe your account has been compromised, contact security@deertrack.net immediately.
11. Your rights
Subject to applicable conditions and exemptions under GDPR, you have the right to:
- request access to your personal data;
- request rectification of inaccurate or incomplete data;
- request erasure (the “right to be forgotten”);
- request restriction of processing;
- object to processing based on legitimate interests, including direct marketing;
- request portability of data you have provided to us;
- withdraw any consent at any time, without affecting prior processing;
- lodge a complaint with a supervisory authority, in particular the State Data Protection Inspectorate of Lithuania (Valstybinė duomenų apsaugos inspekcija, VDAI, vdai.lrv.lt), or with the supervisory authority of your habitual residence.
To exercise your rights, email privacy@deertrack.net. We will respond within one month, extendable by up to two further months for complex requests.
Traveller requests.If you are a Traveller and your data is in our Customer’s account, you should generally direct your request to that Customer (the controller). We will forward requests we cannot fulfil to the relevant Customer where appropriate.
12. Children
The Service is intended for business users aged 18+ and is not directed at children. We do not knowingly collect personal data directly from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Automated decision-making
We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. The Service may include AI-assisted features that suggest itinerary content or extract data from documents; outputs are advisory and a human user always reviews them.
14. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or in-product notice at least 30 days before they take effect. The “Last updated” date at the top of this page indicates when it was most recently revised.
15. Contact
MB Travel Solutions
Company code 306998943
V. Nagevičiaus g. 3
LT-08237 Vilnius
Lithuania
Privacy: privacy@deertrack.net
Security: security@deertrack.net