Privacy Policy

How Tracemate collects, uses, and protects your personal data

Last updated: January 22, 202518 min read

At Tracemate ("Tracemate," "we," "us," or "our"), a service provided by Bartels Software Studio OÜ, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at tracematehq.com (the "Service").

Data Controller
Bartels Software Studio OÜ
Sepapaja 6, 15551, Tallinn, Estonia
Registry Code: 16625044
Contact: help@tracematehq.com
Quick Summary
We collect minimal data necessary to provide our service. We never sell your personal information to third parties. You can access, export, and delete your data, subject to legal retention requirements. We use cookie-free analytics, and sensitive payment data is handled by our merchant of record, Polar.sh.

1. Information We Collect

1.1 Information You Provide

We collect information that you voluntarily provide when you:

  • Create an account: Email address and name (required for authentication and communication)
  • Upload images for tracing: Images you upload to create custom Gridfinity bin designs
  • Save design projects: Your bin configurations and design settings
  • Contact us for support: Any information you provide in communications with us
  • Purchase a subscription: Payment and billing information processed by our merchant of record (see Section 4)

1.2 Automatically Collected Information

When you access the Service, we may automatically collect certain technical information necessary for the operation of internet services and security purposes:

  • Device information: Browser type, operating system, screen resolution
  • Network information: IP address (may be stored in logs for security purposes)
  • Browser user agent: Technical browser identification string
  • Access timestamps: Date and time of your visits

This technical information is inherent to how the internet works and is necessary to deliver web content to your device. Some of this data may be retained in server logs for security monitoring and incident investigation.

1.3 Analytics Data

We use Umami, a privacy-focused, self-hosted analytics solution in a cookie-free configuration:

  • No cookies are used for analytics tracking
  • No advertising or cross-site tracking
  • Analytics data is aggregated where possible
  • IP addresses may be processed transiently for technical delivery but are not used for profiling or stored long-term

We analyze only summarized metrics to understand general usage patterns, identify areas for improvement, and improve the overall user experience. No individual user tracking or profiling is performed.

1.4 Uploaded Content Warning

Please avoid uploading images containing sensitive personal data or identifiable individuals (such as photos containing people, names on labels, or addresses on packaging) unless you have the right to share them. You are responsible for ensuring you have appropriate rights to any content you upload.

2. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

2.1 Contract Performance

  • Account creation and login: Email and name are required to provide you with access to the Service
  • Generating designs from uploads: Processing your uploaded images to create Gridfinity bin designs
  • Transactional emails: Sending account verification, password reset, and subscription updates
  • Subscription management: Processing subscription data shared by Polar.sh

2.2 Legitimate Interest

  • Security logs and abuse prevention: Processing IP addresses and timestamps to protect the Service and users
  • Support communications: Responding to your inquiries and providing assistance
  • Service improvement: Analyzing aggregated usage patterns to enhance features

2.3 Legal Obligation

  • Tax and accounting records: Retaining transaction records as required by law
  • Legal requests: Responding to valid legal processes

3. How We Use Your Information

We use the collected information for the following purposes:

  • Provide the Service: Process your uploads, generate Gridfinity bin designs, and maintain your account
  • Authentication: Verify your identity and manage access to your account
  • Communication: Send transactional emails (account verification, password reset, subscription updates) and respond to support inquiries
  • Improve the Service: Analyze aggregated usage patterns to enhance features and user experience
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: Comply with applicable laws and regulations

4. Data Storage and Infrastructure

We use the following service providers to operate our Service. Each provider has been selected for their security practices and compliance with data protection regulations:

4.1 Hosting and Infrastructure

  • Hetzner: Our servers are hosted in Germany (EU) and are protected under GDPR
  • Convex: Backend processing for our application, storing your account data and project files with encryption in transit and at rest

4.2 Communication Services

  • Google Workspace: Used for direct email communication (e.g., support inquiries sent to our email addresses)
  • Resend: Transactional email delivery service for account notifications

4.3 Domain and DNS

  • Spaceship: Domain registration and DNS management

4.4 Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Regular security assessments and monitoring
  • Access controls and authentication
  • Secure development practices

4.5 Data Retention

We retain your personal information for the following periods:

  • Account data: Kept until you delete your account
  • Uploaded images and projects: Stored until deleted by you or upon account deletion
  • Server and security logs: Retained for up to 90 days for security monitoring
  • Transaction records: Retained as required by tax and accounting laws (typically 7 years)
  • Support correspondence: Retained for up to 2 years after resolution

You may delete your account and data at any time through the self-service account deletion feature in your profile settings. Data contained in backups is deleted within the backup retention period.

5. Payments and Subscriptions

Subscription payments and billing are handled by Polar.sh, which acts as our Merchant of Record.

What This Means For You
When you purchase a subscription, you are purchasing from Polar.sh, not directly from Tracemate. Polar.sh handles all payment processing, tax compliance, and billing on our behalf. This ensures proper tax handling worldwide and makes Tracemate accessible globally.

Regarding payment data:

  • Credit card and payment details are collected and processed exclusively by Polar.sh
  • We never store sensitive payment information on our servers
  • Polar.sh may share with us: your name, email, subscription status, purchase history, and billing country for account management purposes

Please review Polar.sh's Privacy Policy for details on how they handle payment data.

6. Sharing of Information

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service Providers: With the trusted third-party services listed in Section 4, solely for operating the Service
  • Payment Processor: With Polar.sh for subscription management (as detailed in Section 5)
  • Legal Requirements: When required by law, court order, or governmental authority, or to protect our rights, safety, or property
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with advance notice where possible

7. Cookies and Tracking

We take a privacy-first approach to cookies and tracking technologies:

7.1 Essential Cookies

We use essential cookies for login sessions and security. These cookies are strictly necessary for the Service to function and cannot be disabled.

7.2 Analytics

Our Umami analytics operates in a cookie-free configuration and does not set any cookies on your device.

7.3 No Advertising Cookies

We do not use third-party tracking, advertising, or marketing cookies.

You can control cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use certain features of the Service.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EU/EEA Residents)

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Request limitation of processing
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

8.2 Rights Under Other Laws

Residents of California (CCPA), Brazil (LGPD), and other jurisdictions with privacy laws may have similar rights. We will honor valid requests in accordance with applicable laws.

8.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at help@tracematehq.com. We will respond within the timeframe required by applicable law (typically 30 days). In complex cases, we may extend this period by up to two additional months where permitted by law.

8.4 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law. For Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

9. International Data Transfers

Our primary hosting infrastructure is located in Germany (EU).

Some of our service providers (such as Convex) may process data outside the EU/EEA. When this occurs, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the EU
  • Adequacy decisions by the European Commission
  • Other legally recognized transfer mechanisms

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at help@tracematehq.com.

11. Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with service providers that process personal data on our behalf, as required under GDPR.

If you require a copy of our DPA for your records, please contact us.

12. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new Privacy Policy on this page with an updated "Last updated" date
  • Sending an email notification for significant changes (where required by law)

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: