Privacy Policy
Last updated 7 July 2026
This policy explains what personal data [Traceset — your registered legal entity] (“Traceset”, “we”) collects when you use our version-tracking service for engineering files, why we collect it, and the rights you have. We aim to meet the standard of the EU/UK GDPR for everyone, wherever you are.
Who we are
Traceset is a workspace where engineering consultancies upload design files, keep every version, and see what changed. For the personal data described here we act as the data controller. Contact us at [privacy@your-domain].
What we collect and why
| Data | Why | Lawful basis |
|---|---|---|
| Name, email, discipline/role | Create your account, identify you to teammates | Contract (Art. 6(1)(b)) |
| Password (hashed), sign-in / session data | Authenticate you and keep your account secure | Contract; legitimate interest in security |
| Firm & project membership, roles | Give the right people access to the right workspace | Contract (Art. 6(1)(b)) |
| Files you upload, comments, activity log | Provide version tracking and collaboration | Contract (Art. 6(1)(b)) |
Uploaded files are your firm's business content. They may incidentally contain personal data (for example, author names in CAD/PDF metadata); we process them only to provide the service.
Cookies
We use only strictly necessary cookies — the session cookies that keep you signed in — which are exempt from consent under the ePrivacy rules. We do not use analytics, advertising or cross-site tracking cookies, so there is no consent banner to click through. Your light/dark theme choice is stored locally in your browser and never leaves your device. Our sign-in and hosting providers (below) may set essential security cookies.
Who processes it for us
We host Traceset on trusted infrastructure providers who process data on our behalf under data-processing agreements:
- Supabase — authentication and database (currently hosted in Singapore).
- Cloudflare — application hosting and file storage (files currently in the EU).
- Resend — transactional email (invites, password resets), when enabled.
We currently load one web font from Google Fonts; we are moving to self-hosting so no request reaches a third party as you browse.
International transfers
Because our providers operate globally, your data may be processed outside your country (for example, in Singapore or the EU). Where data leaves the UK/EEA we rely on appropriate safeguards such as Standard Contractual Clauses with our processors.
How long we keep it
We keep your account data for as long as your account is active. Deleted files sit in the trash for 30 days and are then permanently removed. Notifications and activity history are cleaned up on a rolling basis (roughly 90 days and 12 months respectively). When you delete your account we remove your personal data promptly (see below).
Your rights
You can access and download your data, correct it, delete your account, and object to or restrict processing. The quickest options are built in:
- Download my data and Delete account are on your account settings page.
- Update your name, role, email and password there too.
- For anything else, email [privacy@your-domain]. We respond within 30 days and you may complain to your local data-protection authority.
When you delete your account we remove your name, email and password and unlink you from your uploads and comments. Files you added to shared projects remain with those projects as your firm's records, but are no longer attributed to you.
Changes
We'll update this page when our practices change and revise the date at the top.
See also our Terms of Service.