Privacy Policy for TraceFlows

Last Updated: September 26, 2025

IMPORTANT: This Privacy Policy is a template and not legal advice. You should consult with a legal professional to ensure it is compliant with all applicable laws and regulations for your specific business and jurisdiction.

1. Introduction and Overview

Welcome to TraceFlows ("TraceFlows," "we," "us," or "our"). We provide a powerful suite of analytics tools, including session recording and user behavior analysis, designed to help website owners and operators (our "Customers") understand how end-users ("Visitors") interact with their websites and web applications (the "Customer Sites"). Our mission is to provide these insights while respecting the privacy of all individuals involved.

This Privacy Policy is a comprehensive document designed to be transparent about our data handling practices. It explains in detail how we collect, use, process, share, and protect information. This policy covers our dual roles:

As a Data Processor: When our Customers use our Service to collect and analyze data from their Customer Sites, we act as a data processor on their behalf. Our Customers are the data controllers in this scenario.
As a Data Controller: When we collect information directly from individuals who visit our website (www.traceflows.com), sign up for our Service, or otherwise interact with our company, we act as the data controller.

This policy is structured to clearly distinguish between these roles and to provide specific information relevant to Customers, Visitors, and our own website users. We are committed to complying with global privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

2. Definitions

To ensure clarity, here are some key terms used throughout this policy:

Service: Refers to the TraceFlows platform, including all software, tools, features, and documentation provided by us.
Customer: Any person or entity that has registered for our Service and agreed to our Terms of Service.
Visitor: Any individual who visits a Customer Site that has the TraceFlows tracking script installed.
User: Any individual who visits our own website (www.traceflows.com) or interacts directly with our business.
Personal Data: Any information that relates to an identified or identifiable individual.
Session Replay Data: Data captured from a Visitor's interaction with a Customer Site, such as mouse movements, clicks, scrolls, and non-sensitive keystrokes, which allows for a visual replay of the session. This is primarily powered by the rrweb open-source library.
Processing: Any operation performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.

3. Information We Process on Behalf of Our Customers (Data Processor)

When a Customer installs the TraceFlows script on their website, we begin processing data from their Visitors. In this capacity, the Customer is the data controller and is responsible for the lawful collection of data. Our processing is governed by the Data Processing Addendum (DPA) with our Customer.

3.1. What Information We Process

Session Replay Data: Using rrweb, we capture a comprehensive log of events that occur during a Visitor's session. This includes DOM mutations, mouse movements, scrolling activity, and input events. Crucially, our script is configured by default to avoid capturing sensitive information. Input fields for passwords, credit card numbers, and other common sensitive fields are automatically excluded from capture.
Technical and Device Information: We automatically collect technical data about the Visitor's environment, including:
- IP Address (which may be anonymized by the Customer).
- Browser type and version (e.g., Chrome, Firefox).
- Operating System and version (e.g., Windows 11, macOS).
- Device type (e.g., desktop, mobile, tablet).
- Screen resolution.
- Referring URL and session source.
Customer-Defined Data: Customers may choose to associate session data with their own internal user IDs or other custom data points for more effective analysis. The Customer is solely responsible for ensuring that this does not involve sending sensitive Personal Data to our Service without a proper legal basis.

3.2. Customer Responsibilities

Our Customers bear the primary responsibility for the data they collect. They must:

Provide a clear and comprehensive privacy policy on their own website that discloses their use of services like TraceFlows.
Ensure they have a valid legal basis (e.g., consent, legitimate interest) for collecting and processing Visitor data.
Properly configure the TraceFlows service to suppress or redact any sensitive or personal information they do not wish to collect. We provide the tools for this, but the Customer is responsible for their implementation.

4. Information We Collect for Our Own Service (Data Controller)

When you interact directly with TraceFlows by visiting our website or signing up for our service, we act as the data controller.

4.1. Information You Provide to Us

Account Information: When you register for a TraceFlows account, we collect your name, email address, and a hashed password. We may also ask for your company name and role.
Payment Information: For paying Customers, we use a secure third-party payment processor (e.g., Stripe). We do not directly collect or store your full credit card information. We only receive a token representing your card, along with its expiration date and the last four digits, for billing and verification purposes.
Communications: When you contact us via email, support chat, or any other channel, we collect the information you provide in your communication to us.

4.2. Information We Collect Automatically

Service Usage Data: We monitor how our Customers use our own platform. This includes login times, features used, pages visited within our app, and other interaction data. This helps us improve our service and identify potential issues.
Cookies and Tracking Technologies: We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. For more detailed information about the cookies we use, the purposes for which we use them, and how you can manage them, please read our Cookie Policy.

5. How and Why We Use Information

5.1. Use of Data Processed for Customers

We process Visitor data strictly to provide the Service to our Customers as instructed by them. Our use is limited to:

Displaying session replays and aggregated analytics within the Customer's TraceFlows dashboard.
Generating heatmaps, funnel reports, and other analytics visualizations.
Troubleshooting and debugging our Service.
Generating anonymized, aggregated statistical data to improve our Service (e.g., "X% of sessions on our platform are from mobile devices"). This data does not identify any individual Visitor or Customer.

5.2. Use of Data We Control

We use the data we collect from our Users and Customers for the following purposes:

To Provide and Maintain the Service: To set up and manage your account, process payments, and ensure the platform is running correctly.
To Communicate with You: To send you service-related announcements, invoices, security alerts, and support messages.
For Marketing and Growth: To send you information about new features, promotions, or other news about TraceFlows (you can opt-out of marketing communications at any time).
For Security and Compliance: To prevent fraud, enforce our Terms of Service, and comply with our legal obligations.
To Improve Our Service: To analyze usage patterns and feedback to make our platform better, more intuitive, and more powerful.

6. Legal Basis for Processing (For EEA/UK Users)

If you are in the European Economic Area (EEA) or the United Kingdom, our legal basis for collecting and using the Personal Data described above will depend on the data concerned and the specific context in which we collect it.

Performance of a Contract: We process your account and payment data to fulfill our contractual obligation to provide the Service to you.
Legitimate Interests: We process data for our legitimate interests, such as for service improvement, security, and marketing, provided that these interests are not overridden by your data protection interests or fundamental rights and freedoms.
Consent: In some cases, we may ask for your consent to process your data, for example, before placing certain types of cookies on your device. You can withdraw your consent at any time.
Legal Obligation: We may need to process your data to comply with a legal requirement.

We are not in the business of selling your Personal Data. We may disclose data under the following limited circumstances:

Sub-processors: We use a limited number of third-party service providers (sub-processors) to help us run our business. These include cloud hosting providers (e.g., AWS, Google Cloud), payment processors, and communication tools. We have strict contracts (DPAs) in place with these providers to ensure they protect your data.
Legal Requirements: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, or in urgent circumstances to protect the personal safety of users of the Service or the public.
Business Transfers: If TraceFlows is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.
With Your Consent: We may share your information with any other third party with your prior consent.

8. International Data Transfers

TraceFlows operates globally, which means your Personal Data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.

Specifically, our servers are located in the United States. When we transfer Personal Data from the EEA, UK, or Switzerland to other countries, we rely on appropriate legal mechanisms for the transfer, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK's International Data Transfer Addendum.

9. Data Security

We take the security of your data very seriously. We have implemented a range of technical and organizational measures designed to protect the information we process. These measures include:

Encryption in Transit: All data transferred between you and our servers is encrypted using TLS.
Encryption at Rest: All data stored in our databases is encrypted.
Access Control: We follow the principle of least privilege, ensuring that our employees only have access to the data necessary to perform their job functions.
Regular Security Audits: We regularly review our security practices and infrastructure to protect against vulnerabilities.

However, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

10. Data Retention

We retain data for different periods depending on its nature and the context in which it was collected.

Visitor Data: We retain the Session Replay Data we process for our Customers for the period specified in their subscription plan. Once this retention period expires, the data is automatically and permanently deleted from our systems.
Customer Account Data: We retain your account information for as long as your account is active with us. If you close your account, we may retain some of your information for a reasonable period for legal, accounting, or auditing purposes.

11. Your Data Protection Rights

Depending on your location and subject to applicable law, you may have the following rights with regard to your Personal Data:

Right to Access: You have the right to request a copy of the Personal Data we hold about you.
Right to Rectification: You have the right to request that we correct any inaccurate or incomplete data about you.
Right to Erasure (Right to be Forgotten): You have the right to request that we delete your Personal Data.
Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data.
Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format.
Right to Object: You have the right to object to our processing of your Personal Data.

If you are a Visitor to a Customer Site, you must direct your request to the owner of that website (our Customer), who is the data controller.

If you are a Customer of TraceFlows, you can exercise many of these rights through your account settings. For any other requests, you can contact us directly at the email below.

12. Data Subject Request Process

12.1. How to Submit a Request

To exercise your data protection rights, please submit your request via email to privacy@traceflows.com. Include the following information:

Your full name and email address associated with your account (if applicable)
A clear description of the request and the right you wish to exercise
Sufficient information to verify your identity
If acting on behalf of another person, proof of authorization

12.2. Verification and Response Timeline

We will acknowledge your request within 3 business days and respond within 30 days. For complex requests, we may extend this period by an additional 60 days with advance notice. We may request additional information to verify your identity before processing your request.

12.3. Fees and Limitations

We will not charge a fee for reasonable requests. However, we may charge a fee for excessive, repetitive, or manifestly unfounded requests. We may refuse requests that are excessive, repetitive, or would adversely affect others' rights and freedoms.

13. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Any automated processing we perform is limited to:

Technical functionality required to provide the Service
Aggregated analytics that do not identify individuals
Basic fraud prevention and security measures

If our practices change to include automated decision-making with legal or significant effects, we will update this policy and provide appropriate information and safeguards.

14. Data Breach Response

14.1. Notification Timeline

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach. For Customer data processed on their behalf, we will notify the Customer without undue delay.

14.2. Information Provided

Breach notifications will include:

Nature of the breach and categories of data involved
Approximate number of individuals affected
Likely consequences of the breach
Measures taken to address the breach and prevent future occurrences
Contact information for further inquiries

15. Third-Party Services and Integrations

Our Service integrates with various third-party providers to deliver functionality. These integrations are governed by data processing agreements that ensure appropriate safeguards:

Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform - for hosting and data storage
Payment Processing: Stripe - for subscription and payment management
Customer Support: Intercom - for chat support and customer communications
Analytics: Google Analytics - for website usage analytics (our website only)
Email Services: SendGrid/AWS SES - for transactional and service emails
Monitoring: DataDog, Sentry - for application monitoring and error tracking

A complete list of current sub-processors is available in our Subprocessor List.

16. Pseudonymization and Data Minimization

16.1. IP Address Handling

IP addresses collected as part of session recording can be configured by Customers to be:

Collected in full for technical functionality
Pseudonymized by masking the last octet (e.g., 192.168.1.XXX)
Completely anonymized by hashing with a time-based salt
Not collected at all (may impact some functionality)

16.2. Session Data Minimization

Our session recording script automatically excludes:

Input fields with type="password"
Fields with names/classes containing "password", "ssn", "credit-card"
Elements with data-tf-ignore attribute
Content within forms marked as sensitive by the Customer

17. California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the CCPA/CPRA. We do not "sell" or "share" (for cross-context behavioral advertising) the Personal Data of our Customers or Visitors.

17.1. Your California Privacy Rights

Right to Know: You can request information about the personal information we have collected about you
Right to Delete: You can request that we delete personal information we have collected from you
Right to Correct: You can request that we correct inaccurate personal information
Right to Opt-Out: You can opt out of the sale or sharing of your personal information (Note: We do not sell or share personal information)
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

17.2. Categories of Personal Information

We may collect the following categories of personal information from California residents:

Identifiers (name, email, IP address)
Commercial information (subscription details, payment history)
Internet activity (usage patterns, session recordings via Customer Sites)
Professional information (job title, company name)

17.3. Submitting California Privacy Requests

California residents can submit privacy requests by emailing privacy@traceflows.com or calling 1-800-XXX-XXXX. We will verify your identity and respond within 45 days.

18. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically to stay informed about our data protection practices. Your continued use of the Service constitutes your acceptance of any changes.

20. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, please contact our Data Protection Officer:

Email: privacy@traceflows.com

Privacy Policy for TraceFlows

Last Updated: September 26, 2025

1. Introduction and Overview

As a Data Processor: When our Customers use our Service to collect and analyze data from their Customer Sites, we act as a data processor on their behalf. Our Customers are the data controllers in this scenario.
As a Data Controller: When we collect information directly from individuals who visit our website (www.traceflows.com), sign up for our Service, or otherwise interact with our company, we act as the data controller.

2. Definitions

To ensure clarity, here are some key terms used throughout this policy:

Service: Refers to the TraceFlows platform, including all software, tools, features, and documentation provided by us.
Customer: Any person or entity that has registered for our Service and agreed to our Terms of Service.
Visitor: Any individual who visits a Customer Site that has the TraceFlows tracking script installed.
User: Any individual who visits our own website (www.traceflows.com) or interacts directly with our business.
Personal Data: Any information that relates to an identified or identifiable individual.
Session Replay Data: Data captured from a Visitor's interaction with a Customer Site, such as mouse movements, clicks, scrolls, and non-sensitive keystrokes, which allows for a visual replay of the session. This is primarily powered by the rrweb open-source library.
Processing: Any operation performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.

3. Information We Process on Behalf of Our Customers (Data Processor)

3.1. What Information We Process

Session Replay Data: Using rrweb, we capture a comprehensive log of events that occur during a Visitor's session. This includes DOM mutations, mouse movements, scrolling activity, and input events. Crucially, our script is configured by default to avoid capturing sensitive information. Input fields for passwords, credit card numbers, and other common sensitive fields are automatically excluded from capture.
Technical and Device Information: We automatically collect technical data about the Visitor's environment, including:
- IP Address (which may be anonymized by the Customer).
- Browser type and version (e.g., Chrome, Firefox).
- Operating System and version (e.g., Windows 11, macOS).
- Device type (e.g., desktop, mobile, tablet).
- Screen resolution.
- Referring URL and session source.
Customer-Defined Data: Customers may choose to associate session data with their own internal user IDs or other custom data points for more effective analysis. The Customer is solely responsible for ensuring that this does not involve sending sensitive Personal Data to our Service without a proper legal basis.

3.2. Customer Responsibilities

Our Customers bear the primary responsibility for the data they collect. They must:

Provide a clear and comprehensive privacy policy on their own website that discloses their use of services like TraceFlows.
Ensure they have a valid legal basis (e.g., consent, legitimate interest) for collecting and processing Visitor data.
Properly configure the TraceFlows service to suppress or redact any sensitive or personal information they do not wish to collect. We provide the tools for this, but the Customer is responsible for their implementation.

4. Information We Collect for Our Own Service (Data Controller)

When you interact directly with TraceFlows by visiting our website or signing up for our service, we act as the data controller.

4.1. Information You Provide to Us

Account Information: When you register for a TraceFlows account, we collect your name, email address, and a hashed password. We may also ask for your company name and role.
Payment Information: For paying Customers, we use a secure third-party payment processor (e.g., Stripe). We do not directly collect or store your full credit card information. We only receive a token representing your card, along with its expiration date and the last four digits, for billing and verification purposes.
Communications: When you contact us via email, support chat, or any other channel, we collect the information you provide in your communication to us.

4.2. Information We Collect Automatically

Service Usage Data: We monitor how our Customers use our own platform. This includes login times, features used, pages visited within our app, and other interaction data. This helps us improve our service and identify potential issues.
Cookies and Tracking Technologies: We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. For more detailed information about the cookies we use, the purposes for which we use them, and how you can manage them, please read our Cookie Policy.

5. How and Why We Use Information

5.1. Use of Data Processed for Customers

We process Visitor data strictly to provide the Service to our Customers as instructed by them. Our use is limited to:

Displaying session replays and aggregated analytics within the Customer's TraceFlows dashboard.
Generating heatmaps, funnel reports, and other analytics visualizations.
Troubleshooting and debugging our Service.
Generating anonymized, aggregated statistical data to improve our Service (e.g., "X% of sessions on our platform are from mobile devices"). This data does not identify any individual Visitor or Customer.

5.2. Use of Data We Control

We use the data we collect from our Users and Customers for the following purposes:

To Provide and Maintain the Service: To set up and manage your account, process payments, and ensure the platform is running correctly.
To Communicate with You: To send you service-related announcements, invoices, security alerts, and support messages.
For Marketing and Growth: To send you information about new features, promotions, or other news about TraceFlows (you can opt-out of marketing communications at any time).
For Security and Compliance: To prevent fraud, enforce our Terms of Service, and comply with our legal obligations.
To Improve Our Service: To analyze usage patterns and feedback to make our platform better, more intuitive, and more powerful.

6. Legal Basis for Processing (For EEA/UK Users)

Performance of a Contract: We process your account and payment data to fulfill our contractual obligation to provide the Service to you.
Legitimate Interests: We process data for our legitimate interests, such as for service improvement, security, and marketing, provided that these interests are not overridden by your data protection interests or fundamental rights and freedoms.
Consent: In some cases, we may ask for your consent to process your data, for example, before placing certain types of cookies on your device. You can withdraw your consent at any time.
Legal Obligation: We may need to process your data to comply with a legal requirement.

We are not in the business of selling your Personal Data. We may disclose data under the following limited circumstances:

Sub-processors: We use a limited number of third-party service providers (sub-processors) to help us run our business. These include cloud hosting providers (e.g., AWS, Google Cloud), payment processors, and communication tools. We have strict contracts (DPAs) in place with these providers to ensure they protect your data.
Legal Requirements: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, or in urgent circumstances to protect the personal safety of users of the Service or the public.
Business Transfers: If TraceFlows is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.
With Your Consent: We may share your information with any other third party with your prior consent.

8. International Data Transfers

9. Data Security

We take the security of your data very seriously. We have implemented a range of technical and organizational measures designed to protect the information we process. These measures include:

Encryption in Transit: All data transferred between you and our servers is encrypted using TLS.
Encryption at Rest: All data stored in our databases is encrypted.
Access Control: We follow the principle of least privilege, ensuring that our employees only have access to the data necessary to perform their job functions.
Regular Security Audits: We regularly review our security practices and infrastructure to protect against vulnerabilities.

10. Data Retention

We retain data for different periods depending on its nature and the context in which it was collected.

Visitor Data: We retain the Session Replay Data we process for our Customers for the period specified in their subscription plan. Once this retention period expires, the data is automatically and permanently deleted from our systems.
Customer Account Data: We retain your account information for as long as your account is active with us. If you close your account, we may retain some of your information for a reasonable period for legal, accounting, or auditing purposes.

11. Your Data Protection Rights

Depending on your location and subject to applicable law, you may have the following rights with regard to your Personal Data:

Right to Access: You have the right to request a copy of the Personal Data we hold about you.
Right to Rectification: You have the right to request that we correct any inaccurate or incomplete data about you.
Right to Erasure (Right to be Forgotten): You have the right to request that we delete your Personal Data.
Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data.
Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format.
Right to Object: You have the right to object to our processing of your Personal Data.

If you are a Visitor to a Customer Site, you must direct your request to the owner of that website (our Customer), who is the data controller.

If you are a Customer of TraceFlows, you can exercise many of these rights through your account settings. For any other requests, you can contact us directly at the email below.

12. Data Subject Request Process

12.1. How to Submit a Request

To exercise your data protection rights, please submit your request via email to privacy@traceflows.com. Include the following information:

Your full name and email address associated with your account (if applicable)
A clear description of the request and the right you wish to exercise
Sufficient information to verify your identity
If acting on behalf of another person, proof of authorization

12.2. Verification and Response Timeline

12.3. Fees and Limitations

13. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Any automated processing we perform is limited to:

Technical functionality required to provide the Service
Aggregated analytics that do not identify individuals
Basic fraud prevention and security measures

If our practices change to include automated decision-making with legal or significant effects, we will update this policy and provide appropriate information and safeguards.

14. Data Breach Response

14.1. Notification Timeline

14.2. Information Provided

Breach notifications will include:

Nature of the breach and categories of data involved
Approximate number of individuals affected
Likely consequences of the breach
Measures taken to address the breach and prevent future occurrences
Contact information for further inquiries

15. Third-Party Services and Integrations

Our Service integrates with various third-party providers to deliver functionality. These integrations are governed by data processing agreements that ensure appropriate safeguards:

Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform - for hosting and data storage
Payment Processing: Stripe - for subscription and payment management
Customer Support: Intercom - for chat support and customer communications
Analytics: Google Analytics - for website usage analytics (our website only)
Email Services: SendGrid/AWS SES - for transactional and service emails
Monitoring: DataDog, Sentry - for application monitoring and error tracking

A complete list of current sub-processors is available in our Subprocessor List.

16. Pseudonymization and Data Minimization

16.1. IP Address Handling

IP addresses collected as part of session recording can be configured by Customers to be:

Collected in full for technical functionality
Pseudonymized by masking the last octet (e.g., 192.168.1.XXX)
Completely anonymized by hashing with a time-based salt
Not collected at all (may impact some functionality)

16.2. Session Data Minimization

Our session recording script automatically excludes:

Input fields with type="password"
Fields with names/classes containing "password", "ssn", "credit-card"
Elements with data-tf-ignore attribute
Content within forms marked as sensitive by the Customer

17. California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the CCPA/CPRA. We do not "sell" or "share" (for cross-context behavioral advertising) the Personal Data of our Customers or Visitors.

17.1. Your California Privacy Rights

Right to Know: You can request information about the personal information we have collected about you
Right to Delete: You can request that we delete personal information we have collected from you
Right to Correct: You can request that we correct inaccurate personal information
Right to Opt-Out: You can opt out of the sale or sharing of your personal information (Note: We do not sell or share personal information)
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

17.2. Categories of Personal Information

We may collect the following categories of personal information from California residents:

Identifiers (name, email, IP address)
Commercial information (subscription details, payment history)
Internet activity (usage patterns, session recordings via Customer Sites)
Professional information (job title, company name)

17.3. Submitting California Privacy Requests

California residents can submit privacy requests by emailing privacy@traceflows.com or calling 1-800-XXX-XXXX. We will verify your identity and respond within 45 days.

18. Children's Privacy

19. Changes to This Privacy Policy

20. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, please contact our Data Protection Officer:

Email: privacy@traceflows.com

Privacy Policy for TraceFlows

1. Introduction and Overview

2. Definitions

3. Information We Process on Behalf of Our Customers (Data Processor)

3.1. What Information We Process

3.2. Customer Responsibilities

4. Information We Collect for Our Own Service (Data Controller)

4.1. Information You Provide to Us

4.2. Information We Collect Automatically

5. How and Why We Use Information

5.1. Use of Data Processed for Customers

5.2. Use of Data We Control

6. Legal Basis for Processing (For EEA/UK Users)

7. Data Sharing and Disclosure

8. International Data Transfers

9. Data Security

10. Data Retention

11. Your Data Protection Rights

12. Data Subject Request Process

12.1. How to Submit a Request

12.2. Verification and Response Timeline

12.3. Fees and Limitations

13. Automated Decision-Making and Profiling

14. Data Breach Response

14.1. Notification Timeline

14.2. Information Provided

15. Third-Party Services and Integrations

16. Pseudonymization and Data Minimization

16.1. IP Address Handling

16.2. Session Data Minimization

17. California Residents (CCPA/CPRA)

17.1. Your California Privacy Rights

17.2. Categories of Personal Information

17.3. Submitting California Privacy Requests

18. Children's Privacy

19. Changes to This Privacy Policy

20. Contact Us

Privacy Policy for TraceFlows

1. Introduction and Overview

2. Definitions

3. Information We Process on Behalf of Our Customers (Data Processor)

3.1. What Information We Process

3.2. Customer Responsibilities

4. Information We Collect for Our Own Service (Data Controller)

4.1. Information You Provide to Us

4.2. Information We Collect Automatically

5. How and Why We Use Information

5.1. Use of Data Processed for Customers

5.2. Use of Data We Control

6. Legal Basis for Processing (For EEA/UK Users)

7. Data Sharing and Disclosure

8. International Data Transfers

9. Data Security

10. Data Retention

11. Your Data Protection Rights

12. Data Subject Request Process

12.1. How to Submit a Request

12.2. Verification and Response Timeline

12.3. Fees and Limitations

13. Automated Decision-Making and Profiling

14. Data Breach Response

14.1. Notification Timeline

14.2. Information Provided

15. Third-Party Services and Integrations

16. Pseudonymization and Data Minimization

16.1. IP Address Handling

16.2. Session Data Minimization

17. California Residents (CCPA/CPRA)

17.1. Your California Privacy Rights

17.2. Categories of Personal Information

17.3. Submitting California Privacy Requests

18. Children's Privacy

19. Changes to This Privacy Policy

20. Contact Us