Last Updated: February 2026
Version: 1.0
Language: English
1. Executive Summary
Our Commitment: Efficient AI Algorithms is committed to full compliance with the European Union's General Data Protection Regulation (GDPR) and applicable national legislation in each Member State where we operate.
Who We Are
Efficient AI Algorithms (trade name, DBA) is a company headquartered in Maricopa County, Arizona, United States. We act as a data controller when offering services directly to consumers in the EU, and as a data processor when processing data on behalf of European business clients.
Scope of Application
This policy applies to the processing of personal data of:
Residents of the European Union and European Economic Area (EU/EEA)
ProtectTrack users located in EU territory
Employees and family members monitored by European companies or organizations
Data Protection Officer Contact
For any inquiries related to the protection of your personal data:
Response time: 1 month (extendable to 3 months for complex cases)
2. Definitions
In accordance with Article 4 of the GDPR, the following terms have the meaning indicated:
Key Terms
Personal data: Any information relating to an identified or identifiable natural person. Expressly includes location data (Art. 4.1 GDPR).
Location data: GPS coordinates, location history, speed, altitude, and any data indicating the geographical position of a person or device.
Special categories: Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation (Art. 9 GDPR).
Controller: The entity that determines the purposes and means of the processing of personal data.
Processor: The entity that processes personal data on behalf of the controller.
Data subject: The natural person whose personal data is being processed.
Consent: Freely given, specific, informed and unambiguous indication of wishes (Art. 4.11 GDPR).
⚠️ Note on geolocation data: The EDPB (Guidelines 01/2020) warns that location data is "particularly revealing of life habits" and may infer sensitive information such as religion, sexual orientation, or health status. Therefore, we apply enhanced protection measures.
3. Data We Collect
ProtectTrack collects the following categories of personal data:
Data Minimization Principle: We only collect data strictly necessary to provide the service. Location data is automatically deleted after 30 days.
Data We DO NOT Collect
We do not sell personal data to third parties
We do not collect biometric data
We do not perform profiling for marketing purposes
We do not share locations with advertisers
4. Legal Bases by Use Case
Under GDPR, each processing activity must be linked to a specific legal basis. Below we detail the applicable bases for each ProtectTrack use case:
Below the national threshold, consent from a parent, guardian, or legal representative is required.
Families: Alzheimer's Patients
Primary legal basis: Consent from curator or legal representative (Art. 6.1.a)
⚠️ Art. 9 Applicability: GPS tracking of dementia patients likely reveals health data by the very nature of the service, triggering the protections of Article 9 GDPR.
Spanish legal framework (Law 8/2021)
Law 8/2021 eliminates judicial incapacitation, establishing a support system
Legal capacity of persons with disabilities is presumed
Early Alzheimer's: Direct consent from the patient should be attempted
Advanced Alzheimer's: Representative curator may consent while respecting previously expressed wishes and preferences
Vital interests (Art. 6.1.d + Art. 9.2.c)
Only applicable in emergencies where the person is physically or legally incapable of consenting. Not suitable for routine continuous monitoring.
Employee Monitoring
IMPORTANT: Employee consent is generally invalid due to the inherent power imbalance in the employment relationship. The WP29 (Opinion 2/2017) states that "employees are almost never in a position to freely give, refuse or revoke consent."
The WP29 (Opinion 5/2005) expressly recognizes that "processing of location data may be justified when carried out as part of the monitoring of the transport of persons or goods."
Legitimate purposes:
Route and logistics optimization
Vehicle security and theft protection
Delivery time compliance
Business asset management
Requirement: A documented Legitimate Interest Assessment (LIA) must be conducted before deployment.
5. Granular Consent
In accordance with EDPB Guidelines 05/2020, if a controller has "bundled several purposes without seeking separate consent for each, there is no freedom of choice."
Separate Consents
ProtectTrack requests independent consents for:
Real-time GPS tracking
Location history storage
Geofence configuration and alerts
Data sharing with authorized family members
International transfers to the United States
Prior Information (Art. 13)
Before obtaining consent, we provide clear information about:
Controller identity (Efficient AI Algorithms, Arizona, USA)
Yes: potentially thousands of users in the EU
New technologies
Yes: a PWA platform for real-time GPS streaming
AEPD List (Art. 35.4)
The Spanish Data Protection Agency includes in its Criterion 3: "processing involving observation, monitoring, supervision, geolocation or control of the data subject on a systematic basis."
Content of Our DPIA
Our Impact Assessment includes:
Systematic description of GPS data processing
Assessment of necessity and proportionality
Assessment of risks to rights and freedoms
Measures to mitigate identified risks
Review: Every 3 years or upon significant changes in processing (CNIL recommendation).
8. Data Subject Rights
In accordance with Articles 15-22 of the GDPR, you have the following rights:
Access (Art. 15): Obtain a copy of all your data, including complete GPS location history, coordinates, timestamps, and settings. Deadline: 1 month
Rectification (Art. 16): Correct inaccurate or incomplete personal data. Deadline: 1 month
Erasure (Art. 17): Delete all location points, histories, geofence settings, alert histories, and derived analytics. Deadline: 1 month
Restriction (Art. 18): Restrict processing while a claim is being verified. Deadline: 1 month
Portability (Art. 20): Receive your location data in a structured, machine-readable format. Deadline: 1 month
Objection (Art. 21): Object to processing based on legitimate interest; tracking ceases immediately. Deadline: without delay
Available Portability Formats
In accordance with WP29 (Guidelines WP242), GPS location data is included in the right to portability. We offer:
GPX: GPS Exchange Format (universal open XML standard)
GeoJSON: Lightweight JSON format for geographic data
CSV: With columns timestamp, latitude, longitude, altitude, speed, accuracy
JSON: Complete export with metadata
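The following is an added example, not ProtectTrack's or Efficient AI Algorithms' own export code, showing how a location history with the six columns listed above can be written in each of the four portability formats. The record layout, the creator string and the two sample points are constructed for illustration; the format details (GPX 1.1 track structure, GeoJSON position order) follow the public specifications.

```python
# Added example (not ProtectTrack's or Efficient AI Algorithms' own code):
# exporting a location history in the portability formats named above.
# The record layout and sample points are constructed for illustration.
import csv
import io
import json
import xml.etree.ElementTree as ET

FIELDS = ["timestamp", "latitude", "longitude", "altitude", "speed", "accuracy"]

# Constructed sample history (two points in central Madrid, invented values).
SAMPLE_HISTORY = [
    {"timestamp": "2026-02-01T08:00:00Z", "latitude": 40.41678, "longitude": -3.70379,
     "altitude": 655.0, "speed": 0.0, "accuracy": 8.0},
    {"timestamp": "2026-02-01T08:05:00Z", "latitude": 40.4199, "longitude": -3.6911,
     "altitude": 650.0, "speed": 4.2, "accuracy": 12.0},
]


def to_csv(history):
    """CSV with exactly the six columns the policy lists, in that order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for point in history:
        writer.writerow({f: point[f] for f in FIELDS})
    return buf.getvalue()


def to_geojson(history):
    """GeoJSON FeatureCollection (RFC 7946). Positions are [lon, lat, alt]:
    swapping latitude and longitude is the classic export bug, so the
    order is written out explicitly here."""
    features = [{
        "type": "Feature",
        "geometry": {"type": "Point",
                     "coordinates": [p["longitude"], p["latitude"], p["altitude"]]},
        "properties": {k: p[k] for k in ("timestamp", "speed", "accuracy")},
    } for p in history]
    return json.dumps({"type": "FeatureCollection", "features": features})


GPX_NS = "http://www.topografix.com/GPX/1/1"


def to_gpx(history):
    """GPX 1.1 track with one segment. lat/lon are attributes of <trkpt>;
    <ele> and <time> are child elements. Speed and accuracy are not part of
    the GPX 1.1 core schema (they would need <extensions>), so the CSV and
    JSON exports are the ones that carry every column."""
    ET.register_namespace("", GPX_NS)
    gpx = ET.Element(f"{{{GPX_NS}}}gpx", version="1.1",
                     creator="portability-export-example")  # creator string is invented
    trkseg = ET.SubElement(ET.SubElement(gpx, f"{{{GPX_NS}}}trk"), f"{{{GPX_NS}}}trkseg")
    for p in history:
        pt = ET.SubElement(trkseg, f"{{{GPX_NS}}}trkpt",
                           lat=str(p["latitude"]), lon=str(p["longitude"]))
        ET.SubElement(pt, f"{{{GPX_NS}}}ele").text = str(p["altitude"])
        ET.SubElement(pt, f"{{{GPX_NS}}}time").text = p["timestamp"]
    return ET.tostring(gpx, encoding="unicode")


def to_json(history):
    """Complete export with metadata (the policy's fourth format)."""
    return json.dumps({"format": "location-export-example/1",   # invented format tag
                       "point_count": len(history), "fields": FIELDS,
                       "points": history}, indent=2)


if __name__ == "__main__":
    print(to_csv(SAMPLE_HISTORY))
    print(to_geojson(SAMPLE_HISTORY))
    print(to_gpx(SAMPLE_HISTORY))
    print(to_json(SAMPLE_HISTORY))
```

All four writers take the same list of point dictionaries, so a portability endpoint can keep one internal representation and choose the serializer from the requested format. The GeoJSON writer is the one worth reading twice: its positions are longitude first, the opposite of the CSV column order.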
⚠️ Duality of Data Subjects: Both the tracker (account holder) and the tracked person are data subjects with independent rights under GDPR. ProtectTrack respects and balances both sets of rights.
Clearly indicating which right you wish to exercise
Providing sufficient information to verify your identity
We will respond within a maximum of 1 month, extendable to 3 months for complex requests (with prior notification).
9. Protection of Vulnerable Persons
ProtectTrack implements enhanced safeguards for minors and persons with reduced capacity.
Minors
⚠️ Household exemption (Art. 2.2.c): May apply to the parent performing the tracking, but never extends to the service provider. Recital 18 is explicit: exemptions do not cover controllers or processors who provide the means for personal processing.
Implemented measures:
Age verification: System to confirm the minor's age and the parental authority holder
Verifiable parental consent: Mechanisms to confirm the identity of parent/guardian
Age-appropriate notices: In accordance with Art. 12, information in "clear and plain language that a child can easily understand"
Gradual controls: Greater autonomy as the minor approaches the digital consent age
Privacy by default: High privacy settings enabled by default (ICO Age Appropriate Design Code)
Alzheimer's and Dementia Patients
Spanish legal framework (Law 8/2021)
Judicial incapacitation has been eliminated
A support system is established (curatorship, de facto guardianship)
The legal capacity of persons with disabilities is presumed
Representative curator only exists for exceptional cases
Our approach:
Early Alzheimer's: We attempt to obtain direct consent from the patient
Advanced Alzheimer's: Curator may consent respecting previously expressed wishes and preferences
Geofences first approach: Less intrusive option than continuous tracking
Periodic review: Assessment of tracking necessity
Respect for advance directives: Preferences expressed when the person had full capacity
Ethical principle: According to Oxford University research (PubMed 2011), "the preferences and best interests of people with dementia must be central" and "no one should be coerced into using tracking technology."
10. Employee Monitoring
GPS tracking of employees is subject to particularly strict requirements under GDPR and Spanish labor law.
Guiding principle from WP29 (Opinion 2/2017):
"Vehicle tracking devices are not personal tracking devices": employers should not consider them as tools to monitor the behavior or whereabouts of drivers.
Strict Rules
Tracking outside working hours: PROHIBITED. "It is unlikely that there is a legal basis for monitoring the location of employees' vehicles outside agreed working hours"
Temporary deactivation: Employees must be able to temporarily disable GPS tracking in special circumstances (medical visits, personal errands during permitted vehicle use)
Purpose limitation: Location data cannot be used for purposes other than those originally communicated
Prior information: Art. 90 LOPDGDD requires informing employees in an "express, clear and unambiguous" manner before deployment
Triple Proportionality Test (Spanish Constitutional Court)
Suitability: The measure must be appropriate for the intended purpose
Necessity: No less intrusive alternative must exist
Proportionality: Benefits must outweigh costs to worker's rights
Relevant Case Law
Bărbulescu v. Romania (ECtHR 2017): Established 6 criteria for evaluating workplace surveillance: prior notice, scope of monitoring, legitimate reasons, less intrusive alternatives, consequences for employee, and available safeguards
Florindo Gramaxo v. Portugal (ECtHR 2022): First ECtHR case directly addressing GPS as workplace surveillance, confirming that location data constitutes personal data even from work phones
Penalties for Non-Compliance
CNIL (2023): 10 sanctions totaling €97,000 for geolocation violations in the workplace
CNIL v. Cityscoot: €125,000 for collecting geolocation data every 30 seconds (considered disproportionate)
11. Data Security
In accordance with Article 32 of the GDPR, we implement technical and organizational measures appropriate to the high risk inherent to geolocation data.
Technical Measures
Encryption in transit: TLS 1.3 for all API communications and GPS streaming WebSocket connections
Encryption at rest: AES-256 for GPS coordinates, user profiles, and metadata
Pseudonymization: According to ENISA guidelines (2019, 2021), replacement of identifiers with tokens and separation of identity and location data
Access control: RBAC (Role-Based Access Control) with granular permissions by role
Authentication: Mandatory MFA for all access, especially administrators
Least privilege: Each role only has access to strictly necessary data
Privacy by Design and by Default (Art. 25)
Tracking disabled by default: User must explicitly activate tracking
Reduced precision: When full accuracy is not necessary
Adjustable frequency: User can choose update frequency
Minimal retention: 30 days with automatic deletion
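The following is an added example, not ProtectTrack's or Efficient AI Algorithms' own code, sketching in memory how three of the measures above fit together: pseudonymization by random token with identity and location data held in separate structures, reduced precision as the default, and 30-day retention with automatic deletion (plus Art. 17 erasure, which must remove the token link as well as the points). The 3-decimal rounding, the 16-byte token, the in-memory layout and the scenario in demo() are assumptions made for this example.

```python
# Added example (not ProtectTrack's or Efficient AI Algorithms' own code):
# pseudonymization by token with identity/location separation, reduced
# precision by default, and 30-day retention with automatic deletion.
# Rounding depth, token length and storage layout are assumptions.
import secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)   # from the policy: 30 days, then automatic deletion
REDUCED_DECIMALS = 3             # assumption: ~100 m resolution when full accuracy is not needed


def reduce_precision(lat, lon, decimals=REDUCED_DECIMALS):
    """Coarsen a coordinate pair by rounding. The stored value never had the
    dropped digits, so a later breach or over-broad query cannot leak them."""
    return round(lat, decimals), round(lon, decimals)


class LocationStore:
    """Identity data and location data are kept apart and joined only through
    a random token. In a real deployment the three maps would sit in separately
    protected systems, each behind its own RBAC role (least privilege)."""

    def __init__(self):
        self._tokens = {}       # user_id -> token: the only link, protect it like a key
        self._identities = {}   # token -> identity attributes
        self._locations = []    # rows carry a token and coordinates, never a user_id

    def token_for(self, user_id):
        if user_id not in self._tokens:
            token = secrets.token_hex(16)   # random, not derived from the user_id
            self._tokens[user_id] = token
            self._identities[token] = {"user_id": user_id}
        return self._tokens[user_id]

    def record(self, user_id, lat, lon, when, full_precision=False):
        """Store a point. Precision is reduced unless explicitly requested (privacy by default)."""
        if not full_precision:
            lat, lon = reduce_precision(lat, lon)
        self._locations.append({"token": self.token_for(user_id),
                                "lat": lat, "lon": lon, "time": when})

    def purge_expired(self, now):
        """Automatic deletion: drop every point older than RETENTION; returns the count removed."""
        cutoff = now - RETENTION
        before = len(self._locations)
        self._locations = [p for p in self._locations if p["time"] >= cutoff]
        return before - len(self._locations)

    def history(self, user_id):
        token = self._tokens.get(user_id)
        return [p for p in self._locations if p["token"] == token]

    def erase(self, user_id):
        """Art. 17 erasure: remove the points, the identity record and the token link."""
        token = self._tokens.pop(user_id, None)
        self._identities.pop(token, None)
        self._locations = [p for p in self._locations if p["token"] != token]

    def location_rows_mention(self, user_id):
        """Self-check: True if any stored location row holds the raw user_id (must never happen)."""
        return any(user_id in map(str, p.values()) for p in self._locations)


def demo(now=None):
    """Constructed scenario: a 40-day-old point (removed by retention), a coarse
    point, and a full-precision point, followed by an erasure request."""
    now = now or datetime(2026, 2, 15, 12, 0, tzinfo=timezone.utc)
    store = LocationStore()
    store.record("alice", 40.416776, -3.703790, now - timedelta(days=40))
    store.record("alice", 40.416776, -3.703790, now - timedelta(hours=1))
    store.record("alice", 40.416776, -3.703790, now, full_precision=True)
    removed = store.purge_expired(now)
    coords = [(p["lat"], p["lon"]) for p in store.history("alice")]
    leaks_identity = store.location_rows_mention("alice")
    store.erase("alice")
    return {"removed": removed, "coords": coords,
            "leaks_identity": leaks_identity, "after_erase": len(store.history("alice"))}


if __name__ == "__main__":
    print(demo())
```

The point of splitting the maps is that an analyst or a service that can read the location table sees only tokens and coarse coordinates; re-identification requires a second privilege on the token map, which is what the RBAC and least-privilege rows above are meant to enforce. Note also that erasure removes the token mapping itself, otherwise the remaining identity record would still be linkable to any stray backup of the location rows.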
12. Security Breach Notification
Location data breaches almost always meet the "risk" threshold for mandatory notification.
Notification Deadlines
Supervisory authority: 72 hours maximum (Art. 33 GDPR)
Affected data subjects: without delay, if high risk (Art. 34 GDPR)
⚠️ CRITICAL: No One-Stop-Shop
Because ProtectTrack has no establishment in the EU, the one-stop-shop mechanism DOES NOT apply to it. This means that in the event of a breach, we must notify the supervisory authority of each Member State where affected data subjects reside, potentially up to 27 separate notifications within 72 hours.
Specific Risks of Location Data
Physical safety: Risk of stalking or kidnapping if locations of minors or vulnerable patients are exposed
Unauthorized surveillance: Access to real-time GPS data by malicious third parties
Life pattern exposure: Daily routines, addresses, medical visits
Discrimination: Exploitation of employee data for unfair employment decisions
Notification Content
All notifications will include:
Nature of the breach
Categories and approximate number of affected persons
DPO contact
Likely consequences
Measures taken or proposed
13. EU Representative
In accordance with Article 27 of the GDPR, controllers without an establishment in the EU that process data of European residents must designate a representative in the Union.
Current status: Pending formal designation.
While we complete this process, all communications may be directed to: Email: legal@algoritmos.io
Once designated, the representative will:
Act as point of contact for supervisory authorities and data subjects
Be established in one of the Member States where data subjects reside
Have their contact details published in this policy
14. Changes to This Policy
We may update this policy to reflect changes in our practices, legal requirements, or services.
Update Process
Prior notice: We will inform of material changes at least 30 days in advance
New consent: If changes retroactively affect consent-based processing, we will request new consent
Version history: We maintain a public record of all previous versions
Version History
Version 1.0 (February 2026): Initial version
15. Contact
Data Protection Officer
For data protection inquiries, rights exercise, or complaints: