Privacy Policy
Effective May 2, 2026
This Privacy Policy explains how Trace (“we,” “us,” “our”) collects, uses, and shares information when you use the Trace service at tracerev.com (the “Service”). Trace is operated by Salman Khurshid (sole proprietor), [BUSINESS ADDRESS]. Questions: support@tracerev.com.
1. Who this policy applies to
Trace serves two groups of people, and the data we handle differs for each:
- Customers — businesses that sign up at tracerev.com to attribute their Stripe revenue. We act as the data controller for customer account data, and as a data processor for usage data they collect from their own end users via our pixel.
- End users — visitors to a Trace customer’s online store. We process their data on the customer’s behalf to provide attribution analytics. End users should direct privacy requests to the customer (the store) in the first instance, and may copy us at support@tracerev.com.
2. Information we collect
2.1 From customers (account data)
- Email address (required for account creation)
- Stripe customer ID and subscription metadata (for billing — managed by Stripe)
- Site domains added to the dashboard
- Stripe Connect access tokens (read-only) for connected merchant accounts
- Manual ad-spend entries you provide
2.2 From end users (processed on the customer’s behalf)
When a customer installs the Trace pixel on their store, we receive the following information from each end-user pageview:
- A first-party visitor identifier and session identifier (random UUIDs stored as cookies on the customer’s domain)
- Page URL and path
- Referrer URL and UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
- User-agent string, derived browser/OS/device family, screen size, language
- Approximate geographic location (country/region/city) derived from IP address
- A hashed (one-way) form of the IP address — the raw IP is not stored
- If the customer integrates our SDK, a hashed email address linked to the visitor identifier
2.3 From Stripe (payment data)
When a customer connects Stripe via OAuth, we receive: charge IDs, charge amounts, charge timestamps, customer email addresses (used for attribution), and refund events. We do not receive or store credit card numbers, full bank details, or sensitive payment credentials — those remain with Stripe.
3. How we use information
- To provide the Service — joining Stripe charges to visitor sessions and computing attribution reports
- To send transactional emails — magic-link login, billing receipts, security alerts
- To process payments via Stripe
- To detect fraud and abuse, including rate-limiting requests
- To debug errors and improve reliability — error reports may include account email and request metadata, never raw payment data
We do not sell information. We do not use information to train machine-learning models. We do not share information with advertisers.
4. Sub-processors
We rely on the following third-party services. Each has its own privacy policy linked below:
- Vercel (US) — application hosting. Privacy.
- Supabase (US) — database, authentication, file storage. Privacy.
- Stripe (US) — payment processing for our subscription billing, and read-only access to customer Stripe accounts via Stripe Connect. Privacy.
- Resend (US) — transactional email delivery (magic links, billing notices). Privacy.
- Sentry (US) — error monitoring. Privacy.
- Upstash (US/EU) — Redis cache for rate limiting. Privacy.
- Cloudflare (US) — DNS and domain registrar. Privacy.
5. Cookies
The Trace pixel sets two first-party cookies on a customer’s own domain (not on tracerev.com):
- trace_visitor_id — random identifier, 365 days, used to attribute repeat visits to the same first-touch source.
- trace_session_id — random identifier, 30 minutes, used to group pageviews into a single session.
On tracerev.com itself, we set Supabase authentication cookies for logged-in users. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking.
6. Data retention
- Event data (pageviews, sessions): 24 months, then deleted
- Identity rows (email-to-visitor links): for the lifetime of the customer’s account, plus 30 days
- Revenue and attribution rows: for the lifetime of the customer’s account, plus 30 days
- Billing records (subscriptions, invoices): 7 years, to comply with US tax law
- Account data: deleted within 30 days of account closure
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing. To exercise any of these rights, email support@tracerev.com from the address on your account. We will respond within 30 days.
California residents have additional rights under the CCPA, including the right to know what personal information we have collected and the right to deletion. We do not sell personal information.
EU/UK/Swiss residents: our lawful basis for processing is performance of a contract (account data) and legitimate interest (analytics on behalf of customers). You may lodge a complaint with your local data-protection authority.
8. Security
We use industry-standard safeguards: TLS in transit, encryption at rest in our database, scoped access tokens, the principle of least privilege for service accounts, and rate limiting on public endpoints. No system is perfectly secure; if we discover a breach affecting your data, we will notify affected customers without undue delay.
9. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, contact support@tracerev.com and we will delete it.
10. International transfers
Trace is operated from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the US. By using the Service, you consent to this transfer.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and by updating the effective date at the top of this page. Continued use of the Service after changes constitutes acceptance.
12. Contact
Questions, concerns, or rights requests: support@tracerev.com.