Privacy Policy

Last updated: April 22, 2026

1. What We Collect
  • Account data: Email address and username (required for authentication).
  • Encrypted inventory data: Your firearm, ammunition, suppressor, and session records, including photos of firearms and supporting documents, NFA paperwork, serial numbers, and all associated metadata, are encrypted on your device with AES-256-GCM using a key derived from your password before being sent to our servers. The server never sees plaintext.
  • Push notification tokens (Device ID, mobile app only): If you enable push notifications in our iOS or Android app, your device's Expo push token is stored against your account so we can deliver alerts (for example, NFA Form 4 approval detected, maintenance reminders, and low-ammo warnings). This token is an opaque identifier generated by Expo; it is linked only to your account, is not an advertising identifier, and is never used for cross-app tracking or shared with third parties.
  • Web usage analytics: Page views and basic navigation data on 2atracker.com (web only) are collected via self-hosted Umami (open-source, cookieless, GDPR-compliant). No personal data is collected. No cookies are set. The mobile apps ship with no analytics SDK.
  • Server error reports (Sentry): We use Sentry to receive stack traces and error metadata from our backend servers only. Error reports may contain request URLs and stack traces but never contain decrypted user data. Our mobile apps ship with no Sentry SDK and do not collect crash reports, performance data, or telemetry on your device; mobile crashes are reported only through Apple's and Google's built-in anonymous, aggregated crash tools, which you control in your device settings.
  • Fingerprint (.eft) files and FFL customer biometric metadata: If you use the Pro Fingerprint Vault or the FFL dealer dashboard, FD-258 fingerprint scans and derived .eft files are encrypted at rest with your per-user key and auto-purged on the retention schedule described on our biometric privacy page (Illinois BIPA and similar state laws).
2. What We Don't Collect
  • We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.
  • We do not sell, rent, or share your data with any third party.
  • We do not serve ads.
  • We do not track you across other websites.
3. Zero-Knowledge Encryption

Your firearms data is encrypted with a key derived from your password using Argon2id. The encryption key never leaves your browser session and is never stored on our servers. This means:

  • We cannot read your encrypted data, even with full database access.
  • We cannot comply with requests to produce decrypted user data because we do not have the keys.
  • If you lose your password and recovery key, your encrypted data is permanently unrecoverable.
4. Data Storage & Security
  • Data is stored on AWS (us-west-2) with encryption at rest.
  • Database backups are automated daily with 7-day retention.
  • All connections use TLS 1.2/1.3.
  • Sessions are stored server-side in encrypted cache (ElastiCache with TLS).
5. Data Export & Deletion
  • You can export your full inventory as CSV or JSON at any time.
  • You can permanently delete your account and all associated data from Settings.
  • Account deletion is immediate and irreversible.
6. Third-Party Services
  • Stripe: Payment processing for subscriptions. We do not store credit card numbers.
  • Google OAuth: Optional, for Google Sheets sync. You can revoke access anytime.
  • Sentry: Backend error monitoring only — not used in our mobile apps, and no user data in reports.
  • AWS: Infrastructure hosting (encrypted at rest and in transit).
7. Contact

Questions about this policy? Email privacy@2atracker.com.