Legal draft · Noindex

Privacy notice drafting page—not an operative notice.

Trace does not yet have a verified operating legal entity, complete processing inventory or professional privacy-law approval. This page identifies what must be resolved before a public privacy notice can be relied on.

Do not rely on this page as a privacy notice. It does not identify a legally verified controller and does not provide a complete or approved description of processing. No live pilot should process customer case data until the applicable privacy notice, DPA, security terms and operational procedures are complete.

Publication gate

Information required before this can become operative.

  • full legal name, legal form, registration number and registered address of the website operator and controller;
  • verified privacy contact and, if applicable, data protection officer details;
  • complete website and application data-flow inventory, including forms, hosting logs and analytics;
  • purpose and legal-basis analysis for each category of processing;
  • recipient, processor and subprocessor list with contractual status;
  • international-transfer analysis and safeguards, where relevant;
  • specific retention criteria and deletion procedures;
  • rights-request contact and identity-verification procedure;
  • competent supervisory-authority information; and
  • professional EU privacy-law review and formal approval by the eventual operator.

Entity placeholder: “Trace” is currently a product and brand name on this site. It must not be substituted for the controller’s verified legal identity.

Implementation inventory · Verify before use

Current website signals to reconcile with the final notice.

The present codebase appears to use the following browser and server storage. This is a technical inventory for legal review, not a settled statement of purpose, legal basis or retention compliance:

  • local storage and a first-party preference cookie for the visitor’s necessary-only or analytics choice, configured with a 180-day maximum age;
  • only after analytics is allowed, HTTP-only cookies for an anonymous cohort identifier and assigned homepage, audience and pricing experiment variants, configured with a 180-day maximum age;
  • local storage for the visitor’s analytics preference;
  • after analytics is allowed, session storage for an anonymous session identifier, categorical landing attribution and a limited client-side event buffer;
  • first-party event dispatch to /api/events only after the visitor selects analytics, subject to the final server implementation and configured destination; and
  • public pilot, contact or diagnostic forms, whose production storage, recipients, retention, spam controls and response process must be verified before launch.

The current analytics code is designed to block common personal fields and not send form content as event properties. That technical control still requires end-to-end verification; it is not a legal conclusion or guarantee that no personal data is processed.

No live request data through the public site

Visitors should not submit identity documents, data exports, credentials, live data-subject requests or other sensitive case material through a public website form. An accepted pilot needs a separately approved secure transfer route and contractual scope.

Required notice structure

Sections the reviewed notice should contain.

Exact content must follow the verified processing operation. These headings are drafting prompts, not pre-approved answers.

01 / WHO

Controller and contacts

Legal identity, address, privacy route, representative and DPO where applicable.

02 / WHAT

Data categories and sources

Website, application, commercial, support and pilot-case data described separately.

03 / WHY

Purposes and legal bases

A purpose-specific analysis, including legitimate-interest detail where used.

04 / WHERE

Recipients and transfers

Processors, subprocessors, other recipients, locations and transfer safeguards.

05 / HOW LONG

Retention and deletion

Concrete periods or criteria for leads, analytics, contracts, security logs and case data.

06 / CONTROL

Rights and complaints

How rights can be exercised, identity handled and complaints made to the competent authority.

Next legal action: appoint the operating entity and legal owner, complete the actual processing register, confirm every production vendor and data route, then have EU privacy counsel approve a notice that matches the deployed service. Until then, this page remains noindex and non-operative.