Privacy Policy
Última actualización: 2026-06-27
This policy describes how personal data collected on atak-server.com is processed, in compliance with Regulation (EU) 2016/679 (GDPR) and Spanish LOPDGDD 3/2018.
Controller
PENDING: Identity and tax ID — see Legal Notice
Email: info@atak-server.com
Data collected
- Email — service delivery and communications
- Alias / callsign — to personalise the TAK certificate
- Telegram ID / chat ID — to deliver the configuration package and provide support through the official bot
- Generated TAK certificate — issued in the user's name and linked to their access to the server
- Groups / team — assignment to a TAK group or team, required for operational visibility between members
- Payment data — handled entirely by Stripe; we do not store cards
- GPS positions and TAK activity — during use of the service, transmitted via mTLS and stored temporarily on the server for coordination among members of the same group
- Access logs / technical logs — connection IP, timestamps, client certificate (maintenance and security)
Purposes and legal basis
- Contract performance (GDPR art. 6.1.b): TAK service provision
- Legal obligations (art. 6.1.c): billing, tax
- Legitimate interest (art. 6.1.f): security, fraud prevention
Processors (third parties)
- Stripe Payments Europe — payment processing. EU/US servers under EU SCCs.
- Brevo (formerly Sendinblue) — transactional email delivery. EU servers.
- Cloudflare — CDN proxy, DDoS protection and DNS resolution. Processes IPs and connection metadata. SCC + EU-US Data Privacy Framework.
- Tailscale Inc. — private network for internal communication between federated TAK servers. Processes IPs and connection metadata. No access to communication contents (WireGuard end-to-end encryption). US coordination servers under SCC.
- Google Ireland Ltd. (Google Analytics 4) — web analytics for atak-server.com. Activated only if user accepts the cookie banner. Configured with IP anonymisation. Transfers to U.S. under SCC + EU-US Data Privacy Framework.
- Piensasolutions (Tesys Internet S.L.U.) — relay VPS. Servers in Spain.
- Telegram FZ-LLC — used as the delivery channel for configurations and files to the user through the official bot. Use of Telegram implies processing of data (messages, user ID, metadata) under Telegram's privacy policy. Telegram servers outside the EEA.
Geolocation data (specific treatment)
Due to the nature of the service, geolocation data deserves specific treatment:
- What is stored: GPS positions, map markers, tracks, group messages and shared files (Mission Packages), device telemetry (battery, heading, speed when available).
- For how long: during the active subscription for support and federation between servers. Deleted or anonymised within max 30 days after termination.
- Who accesses: members of the same TAK group (operational visibility between them), technical administrators of the operator for support, and automated federation processes. Cloudflare/Tailscale only process connection metadata, not content (mTLS end-to-end).
- How to delete: at user request via email (info@atak-server.com) or automatically when the subscription is terminated. Operational logs deleted at 30 days, technical logs at 90 days.
- Backups: encrypted operational backups at rest for max 7 days. Rotated/deleted thereafter.
- Traceability: each connection is logged with timestamp, source IP and client certificate for security and anti-abuse purposes.
- Technical format: data is transmitted and stored in CoT (Cursor on Target) format, the open protocol used by the TAK platform.
- Maximum retention during active use: 90 days in directly identifiable form. After that period, identifiers are pseudonymized (cryptographic hash with pepper) or data is deleted, per our internal tak-retention system aligned with GDPR.
Retention
- Account data (email, callsign, subscription): for the duration of the active subscription + 6 years after termination (Spanish tax obligation, art. 30 Commercial Code).
- Identifiable usage data (GPS, ATAK messages, telemetry): retained during the active subscription for support and service analytics. After termination, deleted or anonymised within a maximum of 30 days.
- Anonymised data (no possibility of re-identification): retained indefinitely and may be processed for statistical, product-improvement and commercial purposes (see next section).
- Access / technical logs (IP, timestamps, client certificate): 90 days.
Processing of anonymised data for commercial purposes
The controller may process data generated by use of the TAK application (GPS positions, telemetry, activity patterns, anonymised messages, coverage metrics) once irreversibly anonymised (no possibility of re-identifying the individual user or group) for the following purposes:
- Aggregate statistical analysis on service usage and operational patterns.
- Internal product and infrastructure improvements.
- Generation of aggregated/anonymised datasets that may be commercialised to third parties (market studies, research bodies, sector partners — tactical / SAR / airsoft).
This section refers exclusively to data generated by use of the TAK application, not website browsing data (we use no analytics cookies).
Once anonymised, the data ceases to be personal data under GDPR art. 4.1 and recital 26, so subsequent processing is not subject to this policy.
Legal basis for the prior anonymisation step: legitimate interest of the controller (GDPR art. 6.1.f) in product improvement and economic sustainability. A balancing test has been carried out.
Right to object: you may object at any time to the prior processing by writing to info@atak-server.com. Objection applies to data generated from the request onwards; already-anonymised data cannot be recovered as it is no longer personal.
User rights
Access, rectification, deletion, objection, restriction and portability. To exercise them, write to info@atak-server.com. You have the right to file a complaint with the Spanish DPA (aepd.es).
International transfers
Processors may handle data in the U.S. under EU Standard Contractual Clauses (SCCs) and, in Stripe's case, also under the EU-US Data Privacy Framework.