Privacy Policy
Version 1.0 · last updated 18 April 2026
1. Introduction and scope
This policy explains how Altanest SAS (hereafter "we", "us", or the "Controller") processes personal data in connection with the website go-trace.com, including its sub-pages (the "Site").
It is drafted under Regulation (EU) 2016/679 (the "GDPR") and French Law No. 78-17 of 6 January 1978 as amended (the "Loi Informatique et Libertés"). Where national consumer or sectoral law provides stronger protection, that law prevails.
This policy does not cover the separate Teachable platform on which our online courses are delivered. When you enrol in a course, Teachable Inc. acts as an independent controller for the data you provide to it; please consult the Teachable Privacy Policy.
2. Identity of the Controller
Altanest SAS20 rue Guillaume Fichet
74000 Annecy, France
SIREN: 877 916 916 · RCS Annecy 877 916 916
Intra-EU VAT: FR67877916916
Email: contact@go-trace.com
We have not designated a Data Protection Officer. Our processing activities do not meet the criteria of GDPR Article 37(1). You may nevertheless direct any data-protection query to the email address above, which is monitored by the Controller.
3. Categories of personal data we process
We collect personal data only when you actively provide it or when it is generated by routine site operation:
| Category | Examples | Source |
|---|---|---|
| Identification & contact data | Name, email address, organisation, role | You — via the contact form, newsletter form, or direct email |
| Message content | Text of your enquiry and any attachments you send | You — via the contact form or direct email |
| Technical data | IP address, user-agent string, requested URL, timestamp, HTTP referrer | Automatic — recorded in the web-server access log |
| Consent data | The record of your cookie-banner choice (accepted/declined, timestamp, version) | Automatic — stored in your browser's localStorage |
We do not knowingly collect special-category data (GDPR Article 9) or data relating to children under the age of 16. If you share such data with us unsolicited, we will delete it on becoming aware.
4. Purposes and legal bases
Each processing activity has a specific purpose and a single lawful basis under GDPR Article 6(1):
| Activity | Purpose | Legal basis |
|---|---|---|
| Handling contact-form submissions and direct email | Replying to your enquiry; preparing a potential engagement | Art. 6(1)(b) — pre-contractual measures at your request; alternatively Art. 6(1)(f) — legitimate interest in responding to correspondence |
| Newsletter subscription | Sending you occasional updates on DPP regulation and our work | Art. 6(1)(a) — your consent, given by submitting the form |
| Server access logging | Security, diagnostics, abuse prevention | Art. 6(1)(f) — our legitimate interest in keeping the Site secure and functioning |
| Cookie-consent storage | Remembering your cookie choice so we don't ask again | Article 82 of the Loi Informatique et Libertés — storage strictly necessary to provide the service you requested (the choice itself) |
| Loading the Typeform embed (only after you accept cookies) | Enabling the embedded contact/newsletter form to function | Art. 6(1)(a) — your consent, given via the banner |
| Compliance with legal obligations | E.g. responding to valid requests from public authorities or retaining commercial records | Art. 6(1)(c) — legal obligation |
We do not carry out any processing subject to Article 22 (fully automated decision-making with legal or similarly significant effects), nor any profiling.
5. Recipients and processors
We share personal data only with the following processors, each bound by a written data-processing agreement under GDPR Article 28. None of them processes your data for their own purposes.
| Processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Web hosting and server infrastructure | Nuremberg, Germany (EU) | Within the EEA — no transfer mechanism required |
| Typeform S.L. | Embedded contact and newsletter forms (loaded only after your consent) | Barcelona, Spain (EU); sub-processors may be outside the EEA | Within the EEA; any onward transfer covered by the European Commission's Standard Contractual Clauses |
| Google Ireland Ltd. (Google Workspace) | Email service for @go-trace.com addresses | Dublin, Ireland (EU); sub-processors may be in the United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses |
| Teachable Inc. | Course delivery platform (acts as independent controller, not our processor) | United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses; governed by Teachable's own privacy policy |
We may disclose personal data to professional advisors (accountants, legal counsel) under a duty of confidentiality, or to public authorities where legally compelled. We do not sell personal data and do not share it with third parties for their own marketing purposes.
6. International data transfers
Most of your data remains within the European Economic Area. Where a processor relies on sub-processors in third countries (in particular the United States), the transfer is covered by one of the mechanisms listed in Chapter V of the GDPR: an adequacy decision (including the EU–US Data Privacy Framework where applicable), the European Commission's 2021 Standard Contractual Clauses, or, failing those, explicit informed consent.
You may request a copy of the safeguards in place by emailing us.
7. Retention
We apply the following default retention periods, extended only where a specific legal obligation or live dispute requires us to:
- Contact-form and email correspondence: three (3) years from the last exchange with you. This period aligns with the general commercial prescription under French Code de commerce Art. L110-4.
- Client files and invoicing data: ten (10) years, as required by French Code de commerce Art. L123-22.
- Newsletter subscriber list: until you unsubscribe. Your email is then deleted within 30 days of the unsubscribe request, retaining only a hashed suppression token to honour your opt-out.
- Server access logs: at most thirty (30) days, then deleted. Logs relating to a specific security incident may be preserved longer under Art. 6(1)(f).
- Cookie-consent record: thirteen (13) months from the date of collection, per CNIL guidelines (Délibération No. 2020-091).
8. Security
We apply technical and organisational measures appropriate to the risk (GDPR Article 32), including: HTTPS/TLS for all public traffic, access control on hosting infrastructure, up-to-date operating systems and software, encrypted backups, and a policy restricting access to personal data to persons who need it to perform their duties. No system is perfectly secure, but we will notify you and the CNIL, where required by Articles 33 and 34, of any personal-data breach likely to result in a risk to your rights.
9. Your rights
Under the GDPR you have the right to:
- Access your personal data and obtain a copy (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erasure ("right to be forgotten") subject to the exceptions in Art. 17(3);
- Restrict processing in the cases listed in Art. 18;
- Data portability for data you provided to us and which we process on the basis of consent or contract (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of prior processing;
- Define directives on the fate of your personal data after your death (Loi Informatique et Libertés, Art. 85).
To exercise any of these rights, email contact@go-trace.com with enough detail for us to identify you and the right concerned. We will respond without undue delay, and in any event within one month of receipt of your request (Art. 12(3)). Where the request is complex or we receive numerous requests, we may extend this period by up to two further months, notifying you within the first month of the extension and the reasons.
We may ask you for additional information reasonably necessary to confirm your identity (Art. 12(6)). Exercising your rights is free of charge; we reserve the right to refuse manifestly unfounded or excessive requests, or to charge a reasonable fee based on administrative costs, as permitted by Art. 12(5).
10. Right to lodge a complaint
If you believe our processing infringes the applicable data-protection rules, you may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the alleged infringement. In France, this is the Commission nationale de l'informatique et des libertés (CNIL):
CNIL3 place de Fontenoy – TSA 80715
75334 PARIS CEDEX 07, France
Telephone: +33 (0)1 53 73 22 22
Web: www.cnil.fr
We encourage you to contact us first so we can try to resolve the matter directly.
11. Cookies and similar technologies
The Site uses a single first-party record to store your cookie choice, and — only after you accept via our banner — loads a Typeform embed that sets technical cookies. Full details are set out in our Cookie Policy.
12. Changes to this policy
We may update this policy to reflect legal, technical, or operational changes. The date and version at the top always identify the current edition. Where the change materially affects how we process your personal data, we will notify active newsletter subscribers by email and, where your consent is required, obtain it afresh.
13. Contact
For any question about this policy or about our handling of personal data: contact@go-trace.com.