This Privacy Policy explains how TraceLoom, Inc. ("TraceLoom", "we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our supply chain intelligence platform. This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. What data we collect
Account and identity data: When you create an account, we collect your name, work email address, company name, job title, and password (stored as a salted hash; we never see your plaintext password). This information is necessary to provide you with access to the Platform.
Operational data: We collect the supply chain data you submit through the Platform, including facility information, production metrics, emissions data, worker welfare indicators, product traceability records, and compliance documentation. This data is submitted voluntarily and belongs to you.
Usage data: We automatically collect information about how you interact with the Platform, including pages visited, features used, timestamps, IP addresses, browser type, and device information. This helps us improve the Platform and diagnose technical issues.
Communications: If you contact our support team or respond to our emails, we retain records of those communications to resolve issues and improve our service.
Cookies and similar technologies: We use essential cookies to maintain your session and authentication state. We do not use third-party advertising cookies. You can control non-essential cookies through your browser settings.
2. How we use your data
Providing the service: We use your data to operate, maintain, and improve the TraceLoom Platform, to authenticate you, to process your supply chain data as instructed, and to generate reports and analytics you request.
Communications: We use your email address to send you product updates, security alerts, billing notices, and responses to your support requests. You can opt out of non-essential communications at any time.
Legal and compliance: We may use and retain your data as necessary to comply with legal obligations, resolve disputes, enforce our agreements, or respond to lawful requests from public authorities.
Improvement and research: We may use aggregated, anonymised usage data (with no ability to identify individuals or organisations) to improve the Platform and develop new features.
We do not sell, rent, or share your personal data with third parties for their marketing purposes.
3. Legal basis for processing (GDPR)
For users in the European Economic Area (EEA) and UK, our legal bases for processing personal data are:
Contract performance: Processing necessary to deliver the services you have contracted for, including account management and operational data processing.
Legitimate interests: Processing for the purpose of improving the Platform, ensuring security, and preventing fraud, where these interests are not overridden by your rights.
Legal obligation: Processing required to comply with applicable laws and regulations.
Consent: Where we rely on consent (e.g., for non-essential cookies or marketing communications), you have the right to withdraw consent at any time.
4. Data retention
We retain your personal data for as long as your account is active or as needed to provide you with our services. When you close your account, we will retain your data for 30 days to allow for export, after which it will be deleted or anonymised, unless we are required to retain it for legal or compliance purposes.
Operational supply chain data you submit is retained for the duration of your subscription and for a further 12 months after termination to allow for report regeneration and auditing purposes. After this period, data is permanently deleted unless you request earlier deletion.
Anonymised, aggregated usage data may be retained indefinitely for product improvement purposes.
6. Your rights
Under GDPR and applicable privacy laws, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Right to data portability: Request your personal data in a structured, machine-readable format (JSON or CSV).
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact our Data Protection Officer at dpo@traceloom.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
7. Security
We implement industry-standard technical and organisational measures to protect your data, including TLS 1.2+ encryption in transit, AES-256 encryption at rest, row-level security in our database, multi-factor authentication options, regular security audits, and access control limited to authorised personnel.
We apply a principle of least privilege: employees only have access to data necessary for their specific job functions. Access logs are maintained and reviewed regularly.
In the event of a data breach that affects your personal data, we will notify you and, where required, the relevant supervisory authority, within 72 hours of becoming aware of the breach, in accordance with GDPR requirements.
No method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security and encourage you to use strong, unique passwords and enable two-factor authentication on your account.
9. Children's privacy
The Platform is intended for use by businesses and their employees. It is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by posting a notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11. Controller and contact
For privacy-related enquiries, requests to exercise your rights, or concerns about our data practices, contact the controller:
Controller: TraceLoom, Inc. A registered office address will be published here once established.
For privacy enquiries and to exercise your GDPR rights, email traceloom.test@gmail.com.
EU Representative (Article 27 GDPR): contact traceloom.test@gmail.com for our current EU representative.