Now accepting organization applications. Get started

Privacy Policy

Effective date: April 2, 2026

This Privacy Policy explains how TraceReach LLC ("TraceReach," "we," "us," or "our") collects, uses, and shares information when you use tracereach.org, Campaign Studio, and the TraceReach field app.

If you have questions about this Privacy Policy or our data practices, contact us at privacy@tracereach.org.

1. Who we are

TraceReach is operated by TraceReach LLC, located at 8 The Green STE B, Dover, DE 19901, United States.

2. Information we collect

We may collect:

  • Account and contact information, such as name, email address, organization name, and role
  • Organization and campaign information you provide through Campaign Studio
  • QR code, link, and scan activity connected to campaigns and materials
  • Field data submitted through the TraceReach field app, including GPS location, timestamps, and photos tied to drops
  • Device, browser, and app usage information used to operate, secure, and improve the service
  • Support communications and attachments you send us

3. How we use information

We use information to:

  • Provide and operate TraceReach
  • Link scans, drops, campaigns, materials, and locations
  • Display reporting and performance insights
  • Coordinate users, spots, and access within organizations
  • Respond to support requests
  • Secure the service, prevent misuse, and troubleshoot issues
  • Improve the product

4. How we share information

We may share information:

  • Within your organization, based on account permissions
  • With service providers that help us host, secure, support, and operate TraceReach
  • When required by law or to protect rights, safety, or the service
  • In connection with a merger, acquisition, financing, or sale of assets

5. Data retention

We retain information for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain security and operational records. Retention periods may vary depending on the type of data and the customer relationship.

6. Account deletion and data deletion

If you request deletion of an account, we will delete or de-identify personal data associated with that account, subject to any legal, security, fraud-prevention, backup, or operational retention needs. To request account or data deletion, visit https://tracereach.org/delete-account or email privacy@tracereach.org.

7. Security

We use reasonable administrative, technical, and organizational measures to protect information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Data sovereignty

Zero API calls or data flowing to Google, Amazon, Microsoft, Apple, or Meta. TraceReach is built entirely on infrastructure we own and operate. We do not use cloud services from any of these companies to store, process, or transmit your data. This applies to every layer of the platform — not just the database.

Specifically:

  • Hosting: All data is stored on a dedicated server hosted by Hetzner in Germany, a European infrastructure provider subject to EU data protection law. Not AWS, not Google Cloud, not Azure.
  • Database: Self-hosted PostgreSQL. Not a managed cloud database.
  • Authentication: Self-hosted authentication system. Not Firebase, Cognito, Auth0, or any third-party identity platform.
  • Analytics: Self-hosted analytics with a first-party domain. Not Google Analytics.
  • Maps: OpenStreetMap for all geolocation and mapping. Not Google Maps or Apple Maps.
  • File storage: Photos stored on our own server filesystem. Not S3, Google Cloud Storage, Azure Blob, or any cloud storage bucket.
  • URL redirects: Our own redirect server on our own hardware. Not Bitly or any third-party redirect service.
  • Fonts and assets: Even the fonts on our website are self-hosted. No requests to Google Fonts or any big tech CDN.
  • No advertising or tracking networks: We do not use any big tech advertising, tracking, or data-brokering services.

Most software platforms — including most privacy-focused ones — still depend on AWS, Google Cloud, or Azure for hosting, storage, or managed services. TraceReach does not. When you upload a photo, record a drop, or view a dashboard, that data goes to hardware we control in a known location. It does not pass through infrastructure owned by a company that also operates an advertising network or consumer data marketplace.

We built it this way on purpose. The organizations that use TraceReach run field operations in sensitive contexts. Their data should stay where they expect it to stay.

9. Your choices and rights

Depending on where you are located, you may have rights to access, correct, delete, or restrict certain personal information. To make a request, contact privacy@tracereach.org.

10. Children's privacy

TraceReach is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version on this page and update the effective date above.

12. Contact

Privacy questions, data requests, and account deletion:

TraceReach LLC
8 The Green STE B
Dover, DE 19901
United States
privacy@tracereach.org
+1 (339) 221-7920

Account deletion: /delete-account