Privacy Policy — Traciqo

Plain-language summary. Traciqo provides QR-based product authentication, dynamic QR codes, and warranty management to businesses. For data that our business customers collect about their own end users (e.g. people scanning a product QR code), the business is the data controller and Traciqo acts as their data processor. For account, billing, and platform data, Traciqo is the controller. We do not sell personal data.

Contents

Who we are
Controller and processor roles
Data we collect
How we use data
Legal bases (UK/EU GDPR)
Location & device data
Cookies
Sub-processors
International transfers
Retention
Your rights
Security
Children
Changes
Contact

1. Who we are

Traciqo ("Traciqo", "we", "us") operates the platform available at traciqo.com and its tenant sub-domains and connected custom domains. Traciqo is being incorporated as a company in the United Kingdom; this policy will be updated with the registered company name, number, and registered office once incorporation is complete.

For privacy matters you can reach us at [email protected].

2. Controller and processor roles

Traciqo serves two kinds of people, and our role under data protection law differs accordingly:

Business customers (controllers): When a business uses Traciqo to authenticate products, manage warranties, capture leads, or collect feedback, that business decides what end-user data is collected and why. The business is the data controller and Traciqo is its data processor, acting on the business's documented instructions. Our processing for customers is governed by our Terms of Service and, where applicable, a Data Processing Agreement.
Account, billing, and platform data (Traciqo as controller): For the personal data of our business customers themselves (account holders, billing contacts, support communications) and for data we process to run, secure, and improve the platform, Traciqo is the data controller.

This policy describes both. Where a business is the controller, end users should also consult that business's own privacy notice.

3. Data we collect

3.1 Account & business data (Traciqo as controller)

Business name, owner/account email, contact name, phone, and support contact details.
Subscription plan, billing cycle, and trial status.
Payment-related identifiers held by our payment provider (we do not store full card numbers — see Sub-processors).
API keys and secrets, webhook configuration, and (optionally) custom SMTP credentials that you choose to store for sending your own emails.
Custom domain and branding configuration.

3.2 End-user data processed on behalf of business customers (Traciqo as processor)

Feature	Data collected
QR / product scan logs	Timestamp, IP address, user agent, browser, operating system, device type, a device fingerprint and confidence score, referrer, approximate country/city, and anomaly-detection signals.
Precise location (optional)	GPS latitude/longitude and accuracy — only when the business enables precise scan location and the end user's browser grants permission. See section 6.
Warranty registration	Customer name, email, phone, product/serial details, purchase and manufacture dates, uploaded invoices, and any custom registration fields configured by the business.
Lead capture	Name, email, IP address, and the timestamp of the scan that generated the lead.
Feedback	Rating, free-text comment, IP address, and timestamp.

4. How we use data

To provide product authentication, dynamic/static QR redirection, warranty management, lead capture, and feedback collection as configured by the business.
To detect counterfeit activity and scan anomalies (e.g. the same code appearing across many locations or devices).
To create, bill, and manage subscriptions, trials, and overage usage.
To send transactional and notification emails (e.g. warranty activation and expiry reminders).
To secure, monitor, troubleshoot, back up, and improve the platform.
To comply with legal obligations and enforce our Terms.

We do not sell personal data, and we do not use end-user scan or warranty data for our own advertising.

5. Legal bases (UK GDPR / EU GDPR)

Where Traciqo is the controller, we rely on:

Performance of a contract — to provide the service and manage your account and billing.
Legitimate interests — to secure the platform, prevent fraud and counterfeiting, and improve our services, balanced against your rights.
Consent — for precise device geolocation and any optional communications that require it.
Legal obligation — for tax, accounting, and lawful requests.

Where Traciqo is a processor, the relevant legal basis is determined by the business customer (the controller).

6. Location & device data

Approximate location (country/city) is derived from IP address for security and analytics. Precise GPS location is only collected when a business explicitly enables it and the end user grants browser location permission. End users can decline the browser prompt, in which case only approximate IP-based location is used. Device fingerprints are used to recognise repeat scans and to flag anomalies that may indicate counterfeiting; they are not used to track individuals across unrelated third-party websites.

7. Cookies

We use strictly necessary cookies for session management, security (CSRF protection), and login. We do not use third-party advertising cookies. Public scan and verification pages function without requiring login.

8. Sub-processors

We use a limited set of trusted providers to operate Traciqo:

Provider	Purpose	Data involved
Oracle Cloud Infrastructure	Cloud hosting and storage	All platform data
Stripe	Subscription payments and billing	Billing contact, payment tokens (Stripe stores card data; we do not)
Email / SMTP provider	Transactional & notification email	Recipient email and message content. Businesses may configure their own SMTP.
WhatsApp messaging	Optional customer notifications	Phone number and message content (when enabled by the business)
Apple Wallet / Google Wallet	Optional digital warranty passes	Pass content issued at the business's request

We will keep this list current as our providers change. A more detailed sub-processor list is available on request to business customers.

9. International transfers

Traciqo and some of its sub-processors may process data outside your country, including outside the UK/EEA. Where we transfer personal data internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or EU Standard Contractual Clauses where required.

10. Retention

We retain account and billing data for the life of the account and as required for tax and legal purposes. End-user data (scans, warranties, leads, feedback) is retained for as long as the business customer maintains the data in their workspace or until they instruct us to delete it. When a subscription ends, data may be retained for a limited grace period before deletion, and backups are rotated on a defined schedule.

11. Your rights

Subject to applicable law (including the UK GDPR and Data Protection Act 2018), you have the right to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent where processing is based on consent.

If Traciqo is the controller, contact us at [email protected] and we will respond within the timeframes required by law.
If your data was provided to a business using Traciqo (e.g. you registered a warranty), that business is the controller — please contact them directly. We will assist them in responding to your request.

You also have the right to lodge a complaint with a supervisory authority, such as the UK Information Commissioner's Office (ICO).

12. Security

We apply technical and organisational measures including per-tenant data isolation, encryption in transit, encryption of stored secrets, access controls, and regular backups. See our Security page for details.

13. Children

Traciqo is a business-to-business platform and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided data through a feature built on Traciqo, contact the relevant business or us at [email protected].

14. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by notifying account holders.

15. Contact

Privacy enquiries and data-rights requests: [email protected].