TraceApi Privacy Policy
Effective Date: February 20, 2026
Company: TraceApi LLC
Address: 632 N 2nd St #72, Philadelphia, PA, 19123, United States
Contact Email: privacy@traceapi.eu
1. Introduction
Welcome to TraceAPI ("we," "our," or "us"). We provide a Business-to-Business (B2B) Software-as-a-Service (SaaS) platform designed to help manufacturers and enterprises generate and manage Digital Product Passports (DPPs).
This Privacy Policy explains how we collect, use, process, and protect personal data when you visit our website (https://traceapi.eu) or use our platform and APIs (collectively, the "Services").
Our Role Under GDPR:
- As a Data Controller: We act as a Data Controller for the personal data of our direct customers (e.g., account administrators, billing contacts) when they register for our Services.
- As a Data Processor: When our customers use TraceAPI to upload, generate, or manage supply chain data (which may inadvertently contain personal data of their employees or suppliers), we act purely as a Data Processor. We process this data strictly in accordance with our customer's instructions and our Data Processing Agreement (DPA).
2. What Data We Collect
We practice data minimization and only collect data necessary to provide our B2B Services.
A. Information you provide to us (As a Controller):
- Account & Authentication Data: Name, business email address, and encrypted password credentials (managed securely via our Keycloak identity provider).
- Billing Information: Company name, VAT ID, business address, and payment history (processed securely by our payment provider; we do not store raw credit card numbers).
- Communication Data: Information you provide when contacting our support team or requesting a demo.
B. Information collected automatically:
- Usage & Technical Data: IP addresses, browser types, device information, and API request logs. We use this strictly to ensure the security, reliability, and performance of the Services.
C. Tenant Supply Chain Data (As a Processor):
- Data uploaded to generate Digital Product Passports (e.g., supplier details, batch numbers). TraceAPI claims no ownership over this data and processes it solely to provide the SaaS infrastructure.
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your data:
- Performance of a Contract: To create your account, provide API access, and process billing.
- Legitimate Interests: To monitor system security, prevent fraud, and improve our platform's architecture.
- Legal Obligation: To maintain accurate tax and accounting records.
4. Data Residency & International Transfers
TraceAPI is a United States corporate entity (TraceApi LLC), but we have architected our system specifically for European compliance:
- EU Data Residency: All primary databases, Keycloak authentication data, and Digital Product Passports are physically hosted on servers located in Frankfurt, Germany.
- International Transfers: Because TraceApi LLC is a US entity, technical support or system administration may require accessing the Frankfurt servers from the United States. To legally safeguard this access under the GDPR, we operate under the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into our B2B Data Processing Agreement (DPA).
5. Third-Party Sub-processors
We do not sell or rent your personal data. We only share data with trusted third-party sub-processors required to run our infrastructure:
- Cloud Infrastructure Providers (e.g., Hetzner, Oracle Cloud): located in the EU, used for hosting our databases and application containers.
- Payment Processors (e.g., Stripe): used for secure B2B billing.
- Transactional Email Providers: Used to send password resets and system alerts.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Active Accounts: Account and Tenant data are retained for the lifetime of your active subscription.
- Account Deletion: Upon termination of a contract, all associated Passport data and Tenant accounts are permanently deleted within 30 days, unless a longer retention period is required by tax or corporate law (typically 7 years for billing invoices).
7. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA) or the UK, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your account and associated personal data.
- Right to Restrict Processing: Request that we temporarily halt processing your data.
- Right to Data Portability: Request your data in a structured, machine-readable format (e.g., JSON/CSV).
- Right to Object: Object to our processing of your data based on legitimate interests.
To exercise any of these rights, please email us at privacy@traceapi.eu. We will respond to your request within 30 days.
8. Security Measures
We implement strict technical and organizational measures (TOMs) to protect your data, including TLS 1.3 encryption for all data in transit, AES-256 encryption for data at rest, and Role-Based Access Control (RBAC) across our internal infrastructure.
9. Changes to This Privacy Policy
We may update this Privacy Policy as our platform evolves or regulatory requirements change. We will notify active customers of any material changes via email or a prominent notice on our platform dashboard.
10. Contact Us
If you have any questions about this Privacy Policy or our data handling practices, please contact us at: