Privacy Policy

How TraceWeave collects, uses and protects your personal information

Version 2.1 · May 2026

Your privacy is our priority

This Privacy Policy describes how TraceWeave collects, uses and protects your personal information. We comply with the GDPR, the LOPD-GDD (Spanish Data Protection Act) and the CCPA. If you have questions about the processing of your data, write to us at hola@traceweave.eu.

1. Data controller

TraceWeave is the controller of your personal data. We are committed to protecting your privacy and complying with all applicable regulations.

Controller details

  • Company name: TraceWeave S.L. (registration in progress)
  • Trading name: TraceWeave
  • Legal representative: Rafael Rodriguez (Sole Director)
  • Registered office: Seville, Spain
  • Email: hola@traceweave.eu
  • Privacy contact: hola@traceweave.eu

2. Information we collect

We collect different categories of personal data depending on the purpose and the legal basis:

Data category | Examples | Purpose
Identification | First name, surname, email, phone | Account management
Business | Company, role, sector, tax ID | Billing, contract
Browsing | IP, cookies, user agent, pages visited | Analytics, security
Service use | Products created, API queries, uploaded files | Service provision
Communications | Messages, support tickets, feedback | Customer support
ESPR Iberia Brief newsletter | Email + consent metadata (country by IP, browser, origin URL, policy version, email provider type) | Monthly newsletter delivery + legal audit (see section 14)

3. Purpose of processing

We use your personal data to:

  • Provide, operate and improve our services
  • Process payments and manage billing
  • Respond to your queries and support requests
  • Send commercial communications (only with your consent)
  • Send the monthly ESPR Iberia Brief newsletter and deliver the initial downloadable resource (only with confirmed double opt-in — see section 14)
  • Comply with legal and regulatory obligations
  • Detect and prevent fraud, abuse and security issues
  • Carry out statistical analysis to improve the service

5. Sharing information with third parties

We do not sell, rent or share your personal data with third parties for commercial purposes. We share data only with the following categories of recipients (Art. 13.1.e GDPR):

  • Infrastructure and operations subprocessors: providers of hosting, managed database, object storage, transactional email, error monitoring, aggregated usage analytics and, where applicable, payment gateway. All operate under Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
  • Legal compliance: competent authorities where legally required.
  • Corporate operations: in the event of a merger, acquisition or sale of assets, with prior notice to the data subject.
  • With your consent: where you expressly authorise sharing data with specific third parties.

The categories of subprocessors and their safeguards are detailed at /legal/subprocesadores. The named list and the operational details of the processing are made available to data controllers who have signed a DPA, upon reasoned request.

6. International data transfers

Some of our providers are located outside the European Economic Area (EEA). We ensure the protection of your data through:

Safeguards implemented

  • ✓ Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
  • ✓ EU-US Data Privacy Framework for transfers to certified subprocessors in the USA
  • ✓ Transfer Impact Assessment (TIA) documented for subprocessors outside the EEA
  • ✓ Data processing agreements (DPAs) with all subprocessors

The main database and file storage are hosted in the European Union (Frankfurt, Germany). Certain operational subprocessors (transactional email, payment gateway where applicable, multi-region hosting) process data occasionally in the USA under SCCs and, where applicable, the EU-US Data Privacy Framework. The categories and safeguards are detailed at /legal/subprocesadores.

7. Data security

We implement technical and organisational measures in line with the state of the art:

Technical measures

  • ✓ TLS/SSL encryption in transit
  • ✓ AES-256 encryption at rest
  • ✓ Multi-factor authentication (MFA)
  • ✓ 24/7 monitoring
  • ✓ Automatic daily backups

Organisational measures

  • ✓ Role-based access control
  • ✓ Regular security audits
  • ✓ Staff training
  • ✓ Incident response plan
  • ✓ Data minimisation policy

8. Your rights (GDPR)

Under the GDPR, you have the following rights over your personal data:

Right of access

Obtain confirmation and a copy of your personal data

Right of rectification

Correct inaccurate or incomplete data

Right of erasure

Request the deletion of your data ("right to be forgotten")

Right of restriction

Restrict processing in certain circumstances

Right of portability

Receive your data in a structured format and transfer it to another controller

Right to object

Object to processing based on legitimate interest or direct marketing

Right to withdraw consent

Revoke consent at any time

How to exercise your rights?

You can exercise your rights by sending an email to hola@traceweave.eu with the subject "Ejercicio de derechos RGPD" or from your user dashboard.

For the newsletter, you also have one-click unsubscribe via the link included at the foot of every email sent (see section 14.4).

We will respond within a maximum of 1 month from receipt of your request. You also have the right to lodge a complaint with the AEPD (Spanish DPA) (www.aepd.es).

Automated decisions (Art. 22 GDPR)

We do not apply automated decisions with significant legal effects on the subscriber or visitor of this website. Public automated processing is limited to technical operations (sending emails, scheduled data retention) without individual profiling.

In the context of TraceWeave's B2B platform, the deterministic engines DPP Readiness Engine, Risk Scanner and Impact Engine produce aggregated scores and prioritised recommendations. These results are designed to support the human decision of the service customer (typically sustainability, compliance or supply chain departments): they never replace the user's final decision about a specific supplier. The service customer, as the controller of its suppliers' data, ensures meaningful human intervention before any decision with legal effect or significant impact, in accordance with Art. 22 GDPR.

9. Data retention

We retain your personal data for as long as necessary depending on the purpose:

Data type | Retention period
Active account data | While the account is active
Billing data | 10 years (legal tax obligation)
Security logs | 2 years
Marketing data (with consent) | Until consent is withdrawn
Cancelled account | 90 days (unless legally required)
Newsletter — pending unconfirmed | 30 days from sending the confirmation email
Newsletter — confirmed active | Until the subscriber unsubscribes
Newsletter — after unsubscribe | 30 additional days (audit grace period) → deleted
Newsletter — audit record (hash) | 6 years (Commercial Code + GDPR Art. 5.1.f), without plain email

For the full detail of the lifecycle of data associated with the newsletter, see .

10. Cookies and similar technologies

We use cookies and similar technologies. For more information, see our Cookie Policy.

11. Rights under the CCPA (California)

If you reside in California, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: What personal data we collect, use, disclose and sell
  • Right to delete: Request the deletion of your personal data
  • Right to opt-out: Object to the sale of data (we do not sell data)
  • Right to non-discrimination: No discrimination for exercising CCPA rights

To exercise these rights: hola@traceweave.eu with the subject "[CCPA] Su consulta".

12. Data protection contact

TraceWeave SL is not required to appoint a Data Protection Officer under Article 37 of the GDPR or Article 34 of the LOPDGDD, as its activity does not fall within any of the exhaustive cases set out therein. For any query regarding the processing of your personal data or the exercise of your rights you may contact us at:

Email: hola@traceweave.eu

Postal address: TraceWeave SL · Seville, Spain

We will address your query without undue delay and, in any case, within the maximum period of one month provided for in Article 12.3 of the GDPR.

13. Subprocessors

TraceWeave works with a set of subprocessors grouped by functional category (hosting and CDN, managed database, object storage, transactional email, error monitoring, aggregated usage analytics and, where applicable, payment gateway).

The categories, locations and safeguards of each are published at /legal/subprocesadores.

The named list with the specific identity of each subprocessor, its registered office and the operational details of the processing are documented internally in the Record of Processing Activities (Art. 30 GDPR) and are made available to data controllers who have signed a DPA, upon reasoned request by email to hola@traceweave.eu with the subject [Subprocesadores] Solicitud de listado detallado.

14. Newsletter — Specific processing

This section describes the operational detail of the data processing associated with subscribing to the monthly ESPR Iberia Brief newsletter. The general measures (security, rights, subprocessors, international transfers) are governed by sections 7, 8, 13 and 6 respectively.

14.1 Specific data and informed consent

When you subscribe to the newsletter we collect:

  • Email (mandatory): to send the newsletter and the initial downloadable resource.
  • Consent snapshot (automatic): we record technical information from the moment you accept the subscription in order to demonstrate the validity of the consent in the event of an inspection by the AEPD (Spanish DPA). It includes: country detected by IP (without storing the full IP), browser family (without fingerprint), origin URL, version of this policy accepted, timestamp, result of the anti-bot field, and email provider type (corporate or free such as gmail/outlook).

Minimum age: the newsletter is aimed at adult professionals in the textile sector. We do not accept subscriptions from persons under 14 years of age in accordance with Art. 7 of the LOPD-GDD.

14.2 Double opt-in: how you confirm your subscription

After submitting the form, you receive a confirmation email. The subscription is only activated when you click the confirmation link. If you do not confirm within 30 days, the record is automatically deleted and no further email is sent. Legal basis: explicit consent (Art. 6.1.a GDPR + Art. 21 LSSI-CE (Spanish e-commerce law)).

14.3 Specific retention periods

  • Pending unconfirmed: 30 days from sending the confirmation email → automatically deleted.
  • Confirmed active: until you unsubscribe.
  • After unsubscribe: 30 additional days (audit grace period) → deleted.
  • Immutable audit record: 6 years retaining only a SHA-256 cryptographic hash of the email (without plain data), in accordance with Commercial Code Art. 30 and the GDPR accountability principle (Art. 5.1.f).

14.4 Cancellation and unsubscribe

Each newsletter email includes an unsubscribe link in the footer. Cancellation is immediate and does not require additional authentication. We also implement the RFC 8058 standard (List-Unsubscribe-Post), which activates a native "Unsubscribe" button in the header of Gmail, Outlook and other compatible clients. The unsubscribe is processed in less than 72 hours.

14.5 Filters applied when receiving subscriptions

  • Blocking of disposable emails: we reject addresses from providers such as Mailinator or 10minutemail. Those services generate inboxes that exist for 10 minutes: they do not represent a real person and degrade the quality of the service.
  • Deduplication of plus aliases: we treat "carol+x@ecoalf.com" and "carol@ecoalf.com" as the same real subscription. We keep the original email exactly as you provided it for sending, but we unify uniqueness by the base address.
  • Typo suggestions without blocking: if we detect a frequent error in the domain (for example "gmial.com" instead of "gmail.com"), we offer you a one-click correction. We never block your submission. We do not store the typos.

14.6 Internal analysis and NO individual profiling

We classify the email provider type (corporate vs free provider such as gmail/outlook) only for anonymised aggregated statistical analysis of the composition of the subscriber base (for example, "60% of our subscribers are corporate"). We do NOT segment individual content per subscriber, we do NOT apply automated decisions with significant legal effects (Art. 22 GDPR), and we do NOT share this classification with third parties.

15. Applications — recruitment process

This section details the processing of the personal data that TraceWeave collects when a person submits a spontaneous application or one directed to an open track through /careers/apply. The general policy above (sections 1-13) also applies, with this section prevailing on specific matters.

15.1 Data we collect

  • Identifying: first name and surname, email.
  • Professional: LinkedIn URL (optional), CV in PDF.
  • Motivation: free text "Why TraceWeave?" (50–2000 characters).
  • Pronouns (optional): free-text for respectful treatment. We do NOT collect gender, orientation, disability or other data under Art. 9 GDPR.
  • Technical metadata: country detected by IP (ISO 3166-1 alpha-2), browser family, origin URL (referrer). We do NOT store the full IP (minimisation Art. 5.1.c GDPR).
  • Policy version accepted and timestamp of submission.

15.2 Legal basis

We process your data on the basis of pre-contractual measures taken at your request (Art. 6.1.b GDPR), supplemented by our legitimate interest in evaluating talent (Art. 6.1.f). The act of clicking "Submit application" constitutes your explicit consent to the processing described in this section.

15.3 Purpose

  • Evaluate the application submitted and contact the data subject to proceed or reject.
  • Maintain two-way communication during the recruitment process.
  • Retain the application for future vacancies only with explicit re-consent at 6 months (see §15.4).

15.4 Retention periods

  • 6 months after the last activity if the application does not progress, unless you request erasure earlier.
  • 24 months with your explicit re-consent, if you wish to remain in the pool for future vacancies.
  • Indefinite if you are hired, in which case it becomes an employment file with the legal basis of performance of the contract (Art. 6.1.b).

15.5 Recipients

Only the internal TraceWeave team responsible for the process. As subprocessors, the categories of providers listed in section 13 are involved. All infrastructure is hosted in the European Union (Frankfurt, Dublin). There are NO international transfers outside the EEA.

15.6 Automated decisions (Art. 22 GDPR)

TraceWeave does NOT use automated scoring systems or artificial intelligence to evaluate applications. Each application is reviewed manually by a member of the team. There is NO profiling of the candidate.

15.7 Security measures

  • The CV is stored in a private bucket in Supabase (Frankfurt, EU) with no public access. The signed URLs used internally expire in 7 days.
  • The file name is a random UUID containing no email or identifying data.
  • Mandatory validation of the file content (signature %PDF) on the server.
  • Logs without PII: only a SHA-256 hash of the email and a human-readable reference code are recorded (see §15.8).

15.8 Your rights

You may exercise at any time the rights of access, rectification, erasure, restriction, portability and objection (Art. 15-22 GDPR). After your application we provide you with a reference code in the format TW-AAAA-XXXX that makes it easier to locate your file.

To exercise any right: hola@traceweave.eu with the subject [Candidaturas] Su solicitud, indicating your reference code if you keep it. We address the request within a maximum period of 30 days.

15.9 Minimum age

We only accept applications from persons over 16 years of age, in compliance with Article 7 of the LOPDGDD and the Spanish employment framework (Workers' Statute, Art. 6). The form includes an express confirmation that the data subject must check.

15.10 Policy version accepted

At the time of submission we persist the exact version of this policy accepted by the data subject (GDPR Art. 7.1, proof of consent). If this policy changes subsequently, your application remains governed by the version accepted at the time of submission unless you are expressly notified otherwise.

16. Changes to this policy

This policy is identified by a version number (currently 2.1) that is recorded at the time of each newsletter subscription or each application to ensure legal traceability of the version accepted by each data subject.

We may update this policy occasionally. Significant changes will be notified by email to active newsletter subscribers and by means of a prominent notice on the website at least 30 days in advance. Changes affecting the processing of applications do not require prior notification to past applications: each application remains governed by the version accepted at the time of submission.

Version history

  • 2.1 (May 2026) — adds section 15: processing of applications for recruitment processes. Documents purpose, legal basis (Art. 6.1.b pre-contractual), retention periods (6 months base, 24 months with re-consent), absence of automated decisions (Art. 22), minimum age 16 years (LOPDGDD Art. 7) and the process for exercising rights.
  • 2.0 (May 2026) — comprehensive legal-defensive audit. Replaces provider names with categories of recipients (Art. 13.1.e GDPR); replaces the reference to Privacy Shield with the EU-US Data Privacy Framework; consolidates the specific newsletter policy as section 14; refines the automated decisions clause (Art. 22 GDPR) to clarify the role of the deterministic engines as support for the human decision of the service customer; unifies the contact into a single mailbox with canonical subjects. This version replaces and supersedes versions 1.x.
  • 1.1 (May 2026) — added the email provider type to the consent metadata.
  • 1.0 (May 2026) — initial version with specific newsletter processing in a separate document.

17. Contact

If you have any question about this Privacy Policy or wish to exercise your rights:

Single privacy contact

Email: hola@traceweave.eu
Recommended subject: [Privacy] Your enquiry
Postal address: TraceWeave SL · Seville, Spain

Indicating the recommended subject allows us to prioritise and respond within the legal GDPR timeframe.
