Privacy Policy

Last updated: March 14, 2026

1. Who We Are

TraceLayer ("we", "us") operates the TraceLayer compliance platform. This policy explains how we collect, use, and protect your personal data.

2. Data We Collect

  • Account data: Email address, company name, password (hashed)
  • Integration credentials: API keys and tokens you provide — stored encrypted at rest
  • Compliance evidence: Data collected from your connected tools (IAM users, repositories, etc.)
  • Usage data: Audit logs of actions performed in the platform
  • Billing data: Handled by LemonSqueezy — we store only subscription status and IDs

3. How We Use Your Data

  • To provide and operate the Service
  • To send transactional emails (verification, password reset, alerts)
  • To process payments through LemonSqueezy
  • To improve the Service and diagnose errors

We do not sell your data. We do not use your compliance evidence data for any purpose other than providing the Service to you.

4. Data Storage and Security

Your data is stored in the European Union (EU) region. Integration credentials are encrypted at rest using AES-256. We use HTTPS for all data in transit. Access to production data is restricted to authorised personnel only.

5. Your GDPR Rights

If you are in the EU/EEA, you have the following rights:

  • Access: Export all your data from Settings → Account → Export Data
  • Erasure: Delete your account and all data from Settings → Account → Delete Account
  • Portability: Your data export is provided in machine-readable JSON format
  • Rectification: Update your data from the Settings page
  • Objection: Contact us at privacy@tracelayer.io

6. Cookies

We use only essential cookies — specifically, tokens stored in localStorage to keep you signed in. We do not use advertising or tracking cookies. We do not use Google Analytics or similar tracking services.

7. Third-Party Services

  • LemonSqueezy — payment processing (their privacy policy)
  • Resend — transactional email delivery
  • Sentry — error monitoring (anonymised stack traces only)

8. Data Retention

We retain your data for as long as your account is active. After account deletion, all personal data is permanently deleted within 30 days. Anonymised aggregate statistics may be retained indefinitely.

9. Contact

For privacy questions or to exercise your rights, contact us at privacy@tracelayer.io.