Privacy Policy

Last updated: April 2026

This Privacy Policy explains how retraceable. ("we", "us", "our") collects, uses, and protects information when you use our website and services at retraceable.io.

1. Information we collect

We collect the following information when you use retraceable:

  • Account information: your name and email address when you create an account.
  • Product and ingredient data: ingredient lists and product details you submit for verification.
  • Supplier documents: declarations and supporting documents you upload in connection with dual-origin ingredients.
  • Usage data: pages visited, features used, and basic technical information such as browser type and IP address.
  • Communications: messages you send us via email or contact forms.

We do not collect payment card details directly. Payments are handled by third-party processors.

2. How we use your information

We use the information we collect to:

  • provide and operate the retraceable. service, including ingredient verification and report generation;
  • send transactional emails such as verification reports and account notifications;
  • improve and develop our services;
  • comply with legal obligations.

We do not sell your personal data. We do not use your data for advertising.

3. Verification reports and public data

When a verification report is generated, a public page is created at a permanent URL (e.g. retraceable.io/verify/VV-2025-XXXXXX). This page contains the product name, the brand name, the verification result, and the date of issue. It does not contain personal contact details.

The retraceable. ingredient database - ingredient names, classifications, and descriptions - is publicly accessible. This data is not personal data.

4. Data storage and security

Your data is stored on Supabase infrastructure hosted in the European Union. We use industry-standard security measures including encrypted connections (HTTPS), authentication tokens stored in httpOnly cookies, and access controls.

Supplier documents are stored in private, access-controlled storage and are not publicly accessible.

5. Third-party services

We use the following third-party services to operate retraceable:

  • Supabase: database, authentication, and file storage.
  • Mailgun: transactional email delivery.
  • Anthropic: AI-powered ingredient normalisation. Ingredient data submitted for analysis may be processed by Anthropic's API. We do not submit personal data to this service.

Each of these providers has its own privacy policy and processes data in accordance with applicable data protection law.

6. Cookies

We use the following cookies:

  • token / refresh_token: httpOnly session cookies used to keep you logged in. These are essential for the service to function.
  • locale: stores your preferred language (English or German). Not personally identifiable.

We do not use advertising cookies or third-party tracking cookies.

7. Your rights

If you are based in the European Economic Area or the UK, you have the following rights regarding your personal data:

  • the right to access the personal data we hold about you;
  • the right to correct inaccurate data;
  • the right to request deletion of your data;
  • the right to object to or restrict processing;
  • the right to data portability.

To exercise any of these rights, contact us at support@retraceable.io.

8. Data retention

We retain account data for as long as your account is active. Verification reports are retained indefinitely to support the permanent public verification record. You may request deletion of your account and associated data at any time.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. The date at the top of this page shows when it was last updated.

10. Contact

support@retraceable.io