Privacy Policy

Version 1.3 • Effective June 5, 2026

This Privacy Policy explains how Traceage (“Traceage”, “we”, “us”) collects, uses, shares, and protects personal information when you visit our website or use the Traceage platform (the “Service”). It applies to visitors, account holders, and authorised users of customer organisations.

Who We Are

The Service is provided by Traceage Ltd, a company incorporated in the Republic of Ghana (company number CS126230824), with its registered office at B240/18 Frimpongwe Street, North Kaneshi, Accra, Ghana. Traceage Ltd is registered as a data controller with the Ghana Data Protection Commission. You can reach us about privacy at privacy@traceage.io.

This policy describes personal data for which Traceage is the controller — principally account, authentication, billing, and website-usage data. Where we process personal data on behalf of a customer organisation (for example, records that organisation submits to the Service), that organisation is the controller; its own privacy notice and our Data Processing Agreement govern, and we act only as a processor on its instructions.

Information We Collect

We collect the following categories of information:

  • Account data: name, work email address, phone number, password (stored only as a salted hash), and organisation details you provide when registering.
  • Authentication data: multi-factor authentication settings and secrets, session metadata, and, if you sign in with a third-party provider, the OAuth scopes you authorise (typically your email address, basic profile, and a unique identifier). We do not receive your third-party account password.
  • Billing data: subscription tier, billing contact, and transaction records. Card details are processed by our payment processors and are never stored on Traceage servers.
  • Operational data: supply chain records, batch and traceability data, and IoT telemetry that you or your organisation submit to the Service.
  • Usage and device data: pages viewed, features used, IP address, browser type, and similar analytics collected through cookies where you opt in. See our Cookie Policy for details.
  • Audit logs: security-relevant events (sign-ins, permission changes, data exports) retained to support compliance and incident investigation.

How We Use Information

  • To provide, operate, secure, and improve the Service.
  • To authenticate users and enforce access controls.
  • To process subscriptions, billing, and related communications.
  • To detect, prevent, and investigate fraud, abuse, and security incidents.
  • To send service, security, and (where you have opted in) product communications.
  • To meet legal, regulatory, and contractual obligations.

We do not sell personal information, and we do not use customer operational data to train machine-learning models without explicit instruction from the customer organisation.

Legal Bases for Processing

Where the EU or UK GDPR applies, we rely on the following legal bases:

  • Contract: to provide and secure the Service, authenticate users, and enforce access controls.
  • Legal obligation: to meet tax, accounting, and regulatory requirements, including the retention of billing records.
  • Legitimate interests: to prevent fraud and abuse and to secure the platform, where those interests are not overridden by your rights and freedoms.
  • Consent: for non-essential analytics cookies and any product marketing. You may withdraw consent at any time.

Automated Decision-Making

Traceage does not make decisions producing legal or similarly significant effects about you based solely on automated processing. Our analytics and risk-detection features support human review and decision-making; they do not replace it.

How We Share Information

We share personal information only as described below:

  • Sub-processors: vetted third parties that process data on our behalf to deliver the Service (see the list below).
  • Within your organisation: administrators of your organisation can access account and activity data for users they manage.
  • Legal and regulatory disclosures: where required by law, regulation, legal process, or to protect the rights, safety, and security of users and the public.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the protections of this policy.

Sub-processors

We engage vetted third parties to process data on our behalf in order to deliver the Service. The principal categories — and the providers that handle payments and tamper-evident anchoring — are listed below. Additional sub-processors, including email delivery, SMS one-time passcodes, DNS, and regional payment providers, are engaged under the same contractual safeguards. Our current sub-processor list is available on request at privacy@traceage.io.

Sub-processorPurpose
DigitalOceanCloud infrastructure and hosting
Google Cloud PlatformRegion-pinned data residency and AI/analytics processing
StripeSubscription billing and payment processing
PolygonBlockchain anchoring for tamper-evident records

Where the platform anchors records to the Polygon public blockchain for tamper-evidence, only a cryptographic hash of the record is written on-chain — never personal or operational data. Anchoring therefore does not place personal information on a public network, and the rights described below (including erasure) continue to apply to the underlying records we hold.

International Data Transfers

Traceage operates internationally, and your information may be processed in countries other than your own. Where personal data is transferred out of the European Economic Area or the United Kingdom, we put in place appropriate safeguards, such as Standard Contractual Clauses, where required.

Data Retention

We retain personal information only as long as necessary for the purposes above:

CategoryRetention
Account dataFor the life of the account, then deleted within a reasonable period after closure
Billing recordsAs long as required by applicable tax and accounting law
Audit logsFor a limited period, longer where compliance obligations require
Analytics dataFor a limited period, in aggregate or de-identified form

Your Rights

Depending on your location, you may have the right to access, correct, export, restrict, or delete your personal information, and to object to certain processing. Under the GDPR these include the rights of access, rectification, erasure, restriction, portability, and objection. Under the CCPA/CPRA, California residents may request access and deletion and may opt out of any “sale” or “sharing” of personal information — Traceage does not sell or share personal information as those terms are defined.

To exercise any of these rights, contact us at privacy@traceage.io. If your data is managed by a customer organisation, we will direct your request to that organisation as the controller.

Where we rely on your consent, you have the right to withdraw it at any time— for cookies, use the “Cookie settings” link in the website footer. Withdrawing consent does not affect processing carried out before withdrawal.

Canada. If you are in Canada, you have rights under PIPEDA, including access to and correction of your personal information, and you may complain to the Office of the Privacy Commissioner of Canada.

Complaints.You have the right to lodge a complaint with a data protection authority — in Ghana, the Data Protection Commission; in the EU, your national supervisory authority; in the UK, the Information Commissioner’s Office; in Canada, the Office of the Privacy Commissioner. We would welcome the chance to address your concern first.

Our Representatives

As we expand in the European Union and the United Kingdom, we are appointing representatives under Article 27 of the EU and UK GDPR. Their contact details will be published here once appointed; in the meantime you can contact us directly at privacy@traceage.io.

Security

We protect personal information with encryption in transit and at rest, role-based access controls, multi-factor authentication, and continuous monitoring. See our Security page for details. No system is perfectly secure, and we cannot guarantee absolute security.

Children’s Privacy

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email. The “Effective” date above reflects the current version.