GDPR at Trace, in plain English
Trace was built to be GDPR-compliant by default. That means you do not need to add bolt-on tools to make it work legally in the EU. The architecture itself respects the regulation. Here is how.
- We track journeys, not identities. End users are not personally identified by Trace.
- Our processing happens server-side, so no personal data leaves our customers' control via browser JavaScript.
- We use first-party data only. No third-party cookies, no cross-site tracking.
- We offer EU data residency for customers who need it.
- We publish sub-processor information and update it when anything changes.
Our role under GDPR
Under GDPR, Trace acts as a data processor. Our customers, the businesses using Trace on their own websites, are the data controllers. They decide what to collect and why. We process that data on their behalf, according to the instructions in our DPA.
Lawful basis for processing
Our customers choose their lawful basis for processing end-user data. Most rely on legitimate interests for analytics, or explicit consent where required. Trace supports both and handles consent signals correctly so your reporting reflects only data you have permission to use.
Data subject rights
End users can exercise their GDPR rights (access, correction, deletion, portability, objection) through the controller (our customer). Trace provides the tools to fulfil these requests quickly, including:
- Data export by user identifier
- Right-to-erasure endpoints in our API
- Full audit logs for regulator-facing evidence
Data transfers
Trace offers EU-only data residency for customers who require it. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses and UK IDTA as appropriate, plus supplementary technical measures (encryption, access controls).
Sub-processors
We use a small number of sub-processors for infrastructure, email, and payments. The current list is maintained at usetrace.io/subprocessors. We notify customers of changes before they take effect, so you always have time to object.
Data breach notification
In the unlikely event of a personal data breach, we will notify affected controllers without undue delay, and always within 72 hours. Our notification includes scope, cause, mitigation steps, and contact details for the response team.
Questions
If your DPO or legal team has questions, get in touch at privacy@usetrace.io. We respond to GDPR-specific questions within one working day.