Privacy Policy
Version 1.11 · last updated 4 June 2026
1. Introduction and scope
This policy explains how Altanest SAS (hereafter "we", "us", or the "Controller") processes personal data in connection with the website go-trace.com, including its sub-pages (the "Site").
It is drafted under Regulation (EU) 2016/679 (the "GDPR") and French Law No. 78-17 of 6 January 1978 as amended (the "Loi Informatique et Libertés"). Where national consumer or sectoral law provides stronger protection, that law prevails.
This policy does not cover the separate Teachable platform on which our online courses are delivered. When you enrol in a course, Teachable Inc. acts as an independent controller for the data you provide to it; please consult the Teachable Privacy Policy.
2. Identity of the Controller
Altanest SAS20 rue Guillaume Fichet
74000 Annecy, France
SIREN: 877 916 916 · RCS Annecy 877 916 916
Intra-EU VAT: FR67877916916
Email: contact@go-trace.com
"GO TRACE" is a trade name and trademark of Altanest SAS. We have not designated a Data Protection Officer; our processing activities do not meet the criteria of GDPR Article 37(1). You may nevertheless direct any data-protection query to the email address above, which is monitored by the Controller.
3. Categories of personal data we process
We collect personal data only when you actively provide it or when it is generated by routine site operation:
| Category | Examples | Source |
|---|---|---|
| Identification & contact data | Name, email, company, role, country (optional), referral source (optional), package of interest (optional) | You: via the contact form at /contact, the questionnaire at /find-dpp-providers, or by direct email |
| DPP Data Map lead data | Email; optional name and company | You: via the request form at /resources/dpp-data-map-for-textiles when you ask us to send the Data Map |
| Message content | The free-text message you submit and any attachments you send by email | You: via the contact form or direct email |
| DPP Provider Finder questionnaire responses | Your answers to the 17 questions on the questionnaire (your role in the supply chain, primary product category, company size, SKU volume, primary materials, supplier base and visibility, the systems you use for product data, your current identification and labelling, your environmental-footprint setup, the capabilities you need to add or improve, your most immediate priority, your authentication needs, your post-sale plans, your platform preference, and your DPP implementation status), together with the “Other (please specify)” free-text values where you provide them, and the computed category result. The questionnaire content is primarily about your company, but once associated with the contact details you provide it becomes personal data within the meaning of GDPR Article 4(1). | You: via the questionnaire at /find-dpp-providers |
| Assessment and audit intake data (including saved drafts) | Your responses to our paid assessments and audits (such as the DPP Readiness Assessment and the Green Claims Audit): for the Readiness Assessment, your answers to the structured questionnaire plus a short company profile and any notes; for the Green Claims Audit, your company profile and, for each environmental claim, its wording, where it appears, the products it covers, and the supporting evidence you describe — together with the contact name, role and email you provide. If you choose “Save & continue later” on the Green Claims Audit or the DPP Readiness Assessment, we also store your partial entries, your email, your company name, and a random resume token, so you can return via a link we email you. This content is primarily about your company, but once associated with your contact details it is personal data within the meaning of GDPR Article 4(1). | You: via the intake at /dpp-readiness-assessment or /green-claims-audit/begin (drafts: by using “Save & continue later”) |
| Payment metadata (paid orders) | Stripe payment session reference, transaction status (paid / cancelled), timestamp. We do not see or store card numbers, CVC, expiry, or billing address; these are handled exclusively by Stripe on Stripe's domain (see §5). | Returned to us by Stripe after you complete payment |
| Server-log technical data | IP address, user-agent string, requested URL, timestamp, HTTP referrer | Automatic: recorded in the web-server access log |
| Analytics-derived data | Page views, referrer, browser, OS, viewport size, country derived from IP geolocation, session-bucket hash (rotated daily, no individual identifier retained) | Automatic: collected by our self-hosted Umami instance (see §5) |
The Site sets no cookies and uses no client-side storage. We do not knowingly collect special-category data (GDPR Article 9) or data relating to children under the age of 16. If you share such data with us unsolicited, we will delete it on becoming aware.
4. Purposes and legal bases
Each processing activity has a specific purpose and a single lawful basis under GDPR Article 6(1):
| Activity | Purpose | Legal basis |
|---|---|---|
| Handling contact-form submissions and direct email | Replying to your enquiry; preparing a potential engagement | Art. 6(1)(b): pre-contractual measures at your request; alternatively Art. 6(1)(f): legitimate interest in responding to correspondence |
| Sending the DPP Data Map and occasional updates | Emailing you the DPP Data Map you requested, and occasional updates about it. Consent-based; the email is used only to send the DPP Data Map and occasional updates; you can unsubscribe at any time. | Art. 6(1)(a): consent |
| DPP Provider Finder: generating and delivering your free DPP Provider Finder from your questionnaire responses | Producing the free DPP Provider Finder you receive after submitting the questionnaire, displaying them on screen, and sending you a copy by email to the address you provided on the contact step; storing the submission so you can revisit it via a link in that email and so we can prepare your Personalised DPP Provider Shortlist if you order one. | Art. 6(1)(b): pre-contractual measures at your request |
| Retaining a completed assessment, or an intake you saved for later, as a prospect record (even if you never purchase) | When you submit the contact form (just before seeing your free results), we store your 17 questionnaire responses, computed DPP Provider Finder, and the contact details you provided (name, role, email, optional notes), and notify Catherine Lomonaco internally. The same internal notification is sent if you use “Save & continue later” on the Green Claims Audit or DPP Readiness Assessment (your email, company, and progress so far). This lets her see who engaged regardless of whether you go on to purchase, and follow up where she judges it relevant. You may object to this processing at any time under Art. 21 (see §9). | Art. 6(1)(f): our legitimate interest in maintaining a prospect record of users who completed an assessment or began a paid intake, balanced against your interest in privacy (the data is provided in the context of a clearly commercial enquiry, retained for a limited period, never shared with third parties beyond our normal sub-processors, and you can object). |
| Delivering and invoicing our paid assessments, audits and shortlists | Producing and emailing the report or analysis you ordered within the stated working-day window of payment; processing payment via Stripe; issuing the invoice. | Art. 6(1)(b): performance of the contract you entered into by paying |
| Saving an assessment or audit intake as a draft so you can resume | When you choose “Save & continue later”, storing your partial responses and emailing you a private link so you can finish the intake on any device. The draft is automatically deleted after the period set out in §7, or earlier if you ask. | Art. 6(1)(b): pre-contractual measures at your request |
| Server access logging | Security, diagnostics, abuse prevention | Art. 6(1)(f): our legitimate interest in keeping the Site secure and functioning |
| Analytics (Umami) | Producing aggregated statistics on Site usage so we can improve content and structure. No cross-referencing with other processing, no profiling, no advertising. | Art. 6(1)(f): our legitimate interest in understanding and improving the Site. The processing qualifies for the consent exemption under CNIL Délibération No. 2020-092 §2.5 (cookieless analytics confined to anonymous aggregate statistics, no cross-referencing, EU-resident infrastructure). |
| Compliance with legal obligations | E.g. responding to valid requests from public authorities or retaining commercial records | Art. 6(1)(c): legal obligation |
We do not carry out any processing subject to Article 22 (fully automated decision-making with legal or similarly significant effects), nor any profiling.
5. Recipients and processors
We share personal data with the third parties listed below. We work with processors that contractually commit to GDPR-compliant data handling, with written Data Processing Agreements (DPAs) under GDPR Article 28 in place where required by law and by the nature of the processing.
A standalone, machine-readable copy of this list is also published at /sub-processors; that page is updated alongside this section whenever a sub-processor is added, removed, or materially changed.
| Recipient | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Web hosting and server infrastructure for both go-trace.com and our self-hosted Umami analytics endpoint | Nuremberg, Germany (EU) | Within the EEA: no transfer mechanism required |
| Self-hosted Umami (operated by Altanest under the Conclavik brand) | Cookieless web analytics. Runs on the same Hetzner box as go-trace.com at analytics.conclavik.com. Receives request metadata, computes a daily-rotating session-bucket hash from IP and user-agent without retaining the raw IP, stores aggregated counts and country derived from IP geolocation. No data leaves the EU. Because Altanest operates the Umami instance directly, no separate third-party processor is involved. | Nuremberg, Germany (EU) | Within the EEA: no transfer mechanism required |
| Web3Forms (operated by Statichunt) | Contact-form forwarding. When you submit the contact form, your entries POST as JSON to the Web3Forms API, which retains the submission on its own infrastructure for up to 30 days for delivery retry and audit, then auto-deletes. Web3Forms relays the submission to our inbox by SMTP. | India | European Commission's 2021 Standard Contractual Clauses (SCCs). A signed DPA is on file [Catherine: pending counter-signature; Web3Forms publishes a free-tier DPA template available on request from support@web3forms.com]. |
| Google Ireland Ltd. (Google Workspace) | Email service for @go-trace.com addresses. Receives the body of your email correspondence with us. | Dublin, Ireland (EU); sub-processors may be in the United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses |
| Teachable Inc. | Course delivery platform (acts as an independent controller, not our processor). Engaged only when you enrol in a course on the separate Teachable subdomain. | United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses; governed by Teachable's own privacy policy |
| Stripe Payments Europe, Ltd. | Payment processing for our paid products (the Personalised DPP Provider Shortlist, the DPP Readiness Assessment, and the Green Claims Audit). You are redirected to Stripe Checkout on a Stripe-operated domain; Stripe collects your card details, name, billing address, and email and processes the transaction. Stripe returns the user to go-trace.com with a session reference; we never see or store card details. Stripe processes the payment data both as our processor (for the contract you place with us) and on its own behalf as a controller for fraud prevention and regulatory obligations. | Dublin, Ireland (EU); onward transfers to Stripe Inc. in the United States | Within the EEA primary; for onward US transfers: EU–US Data Privacy Framework certification and the European Commission's 2021 Standard Contractual Clauses. Stripe's DPA at stripe.com/legal/dpa applies to processing on our behalf. |
| Sendinblue SAS (Brevo) | Transactional email relay for our questionnaires, assessments and audits: customer-facing emails (your DPP Provider Finder results; buyer confirmations for the DPP Readiness Assessment and the Green Claims Audit; and the Green Claims Audit and DPP Readiness Assessment “resume your intake” links), and internal owner-notification emails to contact@go-trace.com when a submission is completed, saved for later, or paid. Brevo receives the recipient address, the subject, and the body of the message (which may include your name, computed result, and a submission or draft reference). Brevo retains the message for delivery and bounce-management purposes, then auto-deletes per its standard retention. | Paris, France (EU) | Within the EEA: no transfer mechanism required. Brevo's DPA at brevo.com/legal/termsofuse/dpa applies to processing on our behalf. |
Our submission database itself is first-party: it lives in a SQLite file on the same Hetzner box as the Site, at /var/lib/go-trace/solution-map.db, holds the Provider Finder, DPP Readiness Assessment and Green Claims Audit submissions (and any saved assessment or audit drafts), and is not shared with any third party. The full sub-processor map is published at /sub-processors.
We do not currently use MailerLite for any processing of your data, even though a DKIM record for it exists on the go-trace.com domain (legacy configuration). If we activate it in the future, we will update this Privacy Policy and §5 of this list before any data is processed.
We may disclose personal data to professional advisors (accountants, legal counsel) under a duty of confidentiality, or to public authorities where legally compelled. We do not sell personal data and do not share it with third parties for their own marketing purposes.
6. International data transfers
Most of your data remains within the European Economic Area. Where a processor relies on sub-processors in third countries (in particular India for Web3Forms and the United States for Google sub-processors and Teachable), the transfer is covered by one of the mechanisms listed in Chapter V of the GDPR: an adequacy decision (including the EU–US Data Privacy Framework where applicable), the European Commission's 2021 Standard Contractual Clauses, or, failing those, explicit informed consent.
You may request a copy of the safeguards in place by emailing us.
7. Retention
We apply the following default retention periods, extended only where a specific legal obligation or live dispute requires us to:
- Contact-form and email correspondence: three (3) years from the last exchange with you. This period aligns with the general commercial prescription under French Code de commerce Art. L110-4.
- DPP Data Map leads: retained until you unsubscribe, after which the record is deleted.
- Web3Forms-side submission cache: up to thirty (30) days on Web3Forms infrastructure, after which Web3Forms auto-deletes. Our copy in our inbox follows the contact-form-correspondence retention period above.
- DPP Provider Finder submissions (unpaid): three (3) years from submission, after which the database row is purged. You may request earlier erasure at any time (see §9).
- Paid assessment, audit and shortlist submissions: the submission, any computed result, and the delivered report or analysis are retained for the duration of the contract plus the general commercial prescription, i.e. three (3) years after delivery; the underlying invoicing data falls under the ten-year rule below.
- Saved assessment and audit drafts (not submitted): sixty (60) days from your last save, after which the draft is automatically purged. You may request earlier erasure at any time (see §9).
- Stripe transaction records: Stripe retains card-transaction records on its own infrastructure for the periods set by applicable tax and anti-money-laundering law (typically up to ten years). We retain only the Stripe session reference and the paid/cancelled status, alongside the corresponding submission, under the rules above.
- Client files and invoicing data: ten (10) years, as required by French Code de commerce Art. L123-22. This applies to invoices issued for any paid order.
- Server access logs: at most thirty (30) days, then deleted. Logs relating to a specific security incident may be preserved longer under Art. 6(1)(f).
- Umami analytics: aggregated counts retained for up to thirteen (13) months, in line with CNIL guidance for analytics. The session-bucket hash rotates daily and no individual identifier is preserved.
8. Security
We apply technical and organisational measures appropriate to the risk (GDPR Article 32), including: HTTPS/TLS for all public traffic, access control on hosting infrastructure, up-to-date operating systems and software, encrypted backups, and a policy restricting access to personal data to persons who need it to perform their duties. No system is perfectly secure, but we will notify you and the CNIL, where required by Articles 33 and 34, of any personal-data breach likely to result in a risk to your rights.
9. Your rights
Under the GDPR you have the right to:
- Access your personal data and obtain a copy (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erasure ("right to be forgotten") subject to the exceptions in Art. 17(3);
- Restrict processing in the cases listed in Art. 18;
- Data portability for data you provided to us and which we process on the basis of consent or contract (Art. 20);
- Object to processing based on legitimate interest (Art. 21), including the analytics processing described in §4;
- Withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of prior processing;
- Define directives on the fate of your personal data after your death (Loi Informatique et Libertés, Art. 85).
To exercise any of these rights, email contact@go-trace.com with enough detail for us to identify you and the right concerned. We will respond without undue delay, and in any event within one month of receipt of your request (Art. 12(3)). Where the request is complex or we receive numerous requests, we may extend this period by up to two further months, notifying you within the first month of the extension and the reasons.
We may ask you for additional information reasonably necessary to confirm your identity (Art. 12(6)). Exercising your rights is free of charge; we reserve the right to refuse manifestly unfounded or excessive requests, or to charge a reasonable fee based on administrative costs, as permitted by Art. 12(5).
If you wish to opt out of the Umami analytics specifically, you can do so by enabling your browser's "Do Not Track" header (which Umami honours), by using a content blocker that blocks analytics.conclavik.com, or by emailing us to ask for a server-side exclusion.
10. Right to lodge a complaint
If you believe our processing infringes the applicable data-protection rules, you may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the alleged infringement. In France, this is the Commission nationale de l'informatique et des libertés (CNIL):
CNIL3 place de Fontenoy, TSA 80715
75334 PARIS CEDEX 07, France
Telephone: +33 (0)1 53 73 22 22
Web: www.cnil.fr
We encourage you to contact us first so we can try to resolve the matter directly.
11. Cookies and similar technologies
The Site sets no cookies and uses no localStorage, sessionStorage, pixels, fingerprinting, or third-party tracker. Analytics is handled by a self-hosted Umami instance that operates without cookies and without storing individual identifiers. The contact form submits over an authenticated HTTPS API call without setting any client-side identifier. Full details are in our Cookie Policy.
12. Changes to this policy
We may update this policy to reflect legal, technical, or operational changes. The date and version at the top always identify the current edition. Material changes will be announced on the Site (typically via a banner on the home page or a note on the changed legal page) for a reasonable period before they take effect.
13. Contact
For any question about this policy or about our handling of personal data: contact@go-trace.com.