Privacy Policy
Version 1.0 • Effective May 21, 2026
This Privacy Policy explains how Traceage (“Traceage”, “we”, “us”) collects, uses, shares, and protects personal information when you visit our website or use the Traceage Cloud platform (the “Service”). It applies to visitors, account holders, and authorised users of customer organisations.
Information We Collect
We collect the following categories of information:
- Account data — name, work email address, phone number, password (stored only as a salted hash), and organisation details you provide when registering.
- Authentication data — multi-factor authentication settings and secrets, session metadata, and, if you sign in with a third-party provider, the OAuth scopes you authorise (typically your email address, basic profile, and a unique identifier). We do not receive your third-party account password.
- Billing data — subscription tier, billing contact, and transaction records. Card details are processed by our payment processor and are never stored on Traceage servers.
- Operational data — supply chain records, batch and traceability data, and IoT telemetry that you or your organisation submit to the Service.
- Usage and device data — pages viewed, features used, IP address, browser type, and similar analytics collected through cookies and similar technologies. See our Cookie Policy for details.
- Audit logs — security-relevant events (sign-ins, permission changes, data exports) retained to support compliance and incident investigation.
How We Use Information
- To provide, operate, secure, and improve the Service.
- To authenticate users and enforce access controls.
- To process subscriptions, billing, and related communications.
- To detect, prevent, and investigate fraud, abuse, and security incidents.
- To send service, security, and (where you have opted in) product communications.
- To meet legal, regulatory, and contractual obligations.
We do not sell personal information, and we do not use customer operational data to train machine-learning models without explicit instruction from the customer organisation.
How We Share Information
We share personal information only as described below:
- Sub-processors — vetted third parties that process data on our behalf to deliver the Service (see the list below).
- Within your organisation — administrators of your organisation can access account and activity data for users they manage.
- Legal and regulatory disclosures — where required by law, regulation, legal process, or to protect the rights, safety, and security of users and the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to the protections of this policy.
Sub-processors
Traceage relies on the following sub-processors. We update this list as our vendor set changes; a dedicated sub-processor page may be published separately as the list grows.
| Sub-processor | Purpose | Region |
|---|---|---|
| DigitalOcean | Cloud infrastructure and hosting | United States |
| Cloudflare | DNS, CDN, and DDoS protection | Global edge network |
| Stripe | Subscription billing and payment processing | United States / EU |
| Postmark | Transactional email delivery | United States |
International Data Transfers
Traceage operates internationally, and your information may be processed in countries other than your own. Where personal data is transferred out of the European Economic Area or the United Kingdom, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses with each sub-processor.
Data Retention
We retain personal information only as long as necessary for the purposes above:
| Category | Retention |
|---|---|
| Account data | For the life of the account, then deleted within 90 days of closure |
| Billing records | Up to 7 years, as required by tax and accounting law |
| Audit logs | Up to 12 months, longer where compliance obligations require |
| Analytics data | Up to 14 months in aggregate or de-identified form |
Your Rights
Depending on your location, you may have the right to access, correct, export, restrict, or delete your personal information, and to object to certain processing. Under the GDPR these include the rights of access, rectification, erasure, restriction, portability, and objection. Under the CCPA/CPRA, California residents may request access and deletion and may opt out of any “sale” or “sharing” of personal information — Traceage does not sell or share personal information as those terms are defined.
To exercise any of these rights, contact us at privacy@traceage.io. If your data is managed by a customer organisation, we will direct your request to that organisation as the controller.
Security
We protect personal information with encryption in transit and at rest, role-based access controls, multi-factor authentication, and continuous monitoring. See our Security page for details. No system is perfectly secure, and we cannot guarantee absolute security.
Children’s Privacy
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email. The “Effective” date above reflects the current version.