Privacy Policy

1. Data Controller

Quantamix Solutions BV ("TraceGov", "we", "us") is the data controller for personal data processed through tracegov.ai and app.tracegov.ai.

• Registered Address: Amsterdam, The Netherlands
• Chamber of Commerce (KVK): [To be added]
• Contact: privacy@tracegov.ai

2. What Data We Collect

We collect the minimum data necessary to provide our AI governance platform:

2.1 Account Data

• Email address (required for account creation)
• Full name (optional)
• Organization name (optional)
• Password (hashed, never stored in plaintext)

2.2 Usage Data

• TRACE query content and responses
• Governance library interactions
• Workspace configuration
• Audit trail logs (TRACE scores, timestamps)

2.3 Technical Data

• IP address (for security and abuse prevention)
• Browser type and version
• Device information
• Access timestamps

3. Legal Basis for Processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the TraceGov platform services you requested.
• Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement.
• Consent (Art. 6(1)(a)): Analytics cookies and marketing communications (only with your explicit opt-in).
• Legal obligation (Art. 6(1)(c)): Tax, accounting, and regulatory record-keeping.

4. Data Residency & Transfer

All data is processed and stored exclusively in the European Union.

• Primary data center: Frankfurt, Germany (AWS eu-central-1)
• Zero data transfer to the United States or any non-EU country
• No CLOUD Act exposure
• This is an architectural guarantee enforced at the infrastructure level, not merely contractual

5. Data Retention

• Account data: Retained while your account is active, deleted within 30 days of account closure
• TRACE audit trails: Configurable by plan tier — Business and Enterprise include full audit trail with custom retention
• Technical logs: 90 days for security purposes
• Billing records: 7 years (Dutch tax law)

6. Your Rights (GDPR Articles 15-22)

You have the right to:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Correct inaccurate data
• Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Restriction (Art. 18): Restrict processing in certain circumstances
• Portability (Art. 20): Receive your data in a machine-readable format
• Object (Art. 21): Object to processing based on legitimate interest
• Withdraw consent (Art. 7): Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@tracegov.ai. We will respond within 30 days.

7. Sub-Processors

• Amazon Web Services (AWS): Infrastructure hosting (eu-central-1 only)
• AWS Cognito: Authentication (eu-central-1 only)
• AWS Bedrock: AI model inference (EU regions only)

All sub-processors are contractually bound to process data exclusively within the EU.

8. Cookies

We use only essential cookies required for the platform to function. Analytics and marketing cookies are loaded only after your explicit consent. See our cookie consent banner for granular control.

• Essential cookies: Session management, authentication, CSRF protection
• Analytics cookies (opt-in): Anonymous usage statistics to improve the platform
• Marketing cookies (opt-in): Currently none

9. Security Measures

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Merkle-chain audit trail for cryptographic proof of operations
• Regular security assessments and penetration testing
• Access controls and principle of least privilege

10. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

• Website: autoriteitpersoonsgegevens.nl

11. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or a prominent notice on our platform.