GDPR compliant

Last updated: 2026-05-19

Privacy policy

This policy explains what personal data Machinetrail processes, why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).

We have written this policy in plain English. Where a legal term matters, we cite the underlying GDPR article so you can verify it independently. Questions? Email privacy@machinetrail.com.

01

Who we are (data controller)

The data controller for personal data processed via machinetrail.com is BSI OU, a private limited company registered in Estonia (e-Residency company), operating the Machinetrail service.

For any privacy-related question, request, or complaint, contact us at privacy@machinetrail.com. We respond to verified rights requests within 30 days, as required by GDPR Article 12(3).

02

What we collect

We deliberately minimise the personal data we handle. Specifically, we process:

  • VIN / PIN / serial searches — submitted anonymously; not tied to an identified person unless you also provide your email.
  • Email address — only when you opt in via our free preview / decode email capture, or when you purchase a report.
  • Payment data — name, billing address, and card metadata are collected and processed by Stripe; we never see or store full card numbers.
  • Product analytics — anonymised event data captured by PostHog (EU host) to understand which features work.
  • Server logs — IP address, user-agent, and timestamp, retained for short periods for security and abuse prevention.

03

Legal bases for processing

We rely on the following GDPR Article 6 legal bases:

  • Contract (Art. 6(1)(b)) — to deliver a paid VIN report and provide customer support.
  • Legitimate interest (Art. 6(1)(f)) — to operate, secure, and improve the service, prevent fraud, and maintain minimal server logs.
  • Consent (Art. 6(1)(a)) — for analytics where required by local ePrivacy rules, and for marketing emails.
  • Legal obligation (Art. 6(1)(c)) — to retain transaction records for accounting and tax law compliance.

04

Sub-processors

We use a small number of carefully chosen processors. Each has a GDPR-compliant Data Processing Agreement (DPA) in place with us.

  • Stripe Payments Europe Ltd. (Ireland) — payment processing for the EUR 19.99 report.
  • PostHog (EU host) — product analytics; data stored in the European Union.
  • Vercel Inc. (United States, EU edge regions) — hosting and CDN; traffic served from EU edge locations.
  • Hetzner Online GmbH (Germany) — primary Postgres database hosting; all report and email data at rest sits in Germany.

05

Cookies and similar technologies

Machinetrail uses only functional cookies set by PostHog for session attribution and product analytics. We do not use advertising cookies, third-party tracking pixels, or cross-site identifiers.

Where local law (ePrivacy Directive / national implementations) requires consent for non-essential cookies, we request it before loading analytics.

06

Data retention

  • Anonymous VIN/PIN lookups — 90 days, for caching and abuse detection.
  • Paid reports and invoice records — retained indefinitely as accounting and customer records required by Estonian and EU law.
  • Email list entries — retained until you unsubscribe or request erasure.
  • Server logs — typically 30 days.

07

Your rights under GDPR

As a data subject under the EU GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure / “right to be forgotten” (Art. 17) — delete your data, subject to legal retention obligations.
  • Right to restriction (Art. 18) — limit how we process your data while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including marketing.
  • Right to lodge a complaint (Art. 77) — with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or with the supervisory authority in your EU/EEA country of residence.

To exercise any of these rights, email privacy@machinetrail.com.

08

International transfers

All primary data storage sits inside the European Union (Germany, Ireland, EU edge regions). Some payment-flow data is routed through Stripe's United States infrastructure. Such transfers are covered by the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and, where applicable, Stripe's certification under the EU-US Data Privacy Framework. We perform a transfer impact assessment before relying on any non-EU sub-processor.

09

Children

Machinetrail is a B2B-leaning service for buyers, dealers, and lenders of used heavy equipment. It is not directed at, and we do not knowingly collect data from, individuals under 18 years of age.

10

Changes to this policy

We may update this privacy policy from time to time. Material changes will be announced via an in-app banner for at least 30 days before they take effect, and the “last updated” date below will change. Prior versions are available on request.

Related policies

See our terms of service and refund policy for the rest of the legal stack governing your use of Machinetrail.