Privacy Policy
01 Who We Are
TRAXE is operated by Youruncommonbrand, registered in the Netherlands. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Youruncommonbrand is the data controller for personal data processed through the TRAXE platform.
For all privacy-related enquiries, data subject requests, or to contact our data controller, please write to: legal@traxe.co
02 What Data We Collect
TRAXE collects and processes the following categories of personal data:
Account Data
- Email address (required for account creation)
- Company or studio name (provided during onboarding)
- Country of residence and role/industry
- Subscription plan and billing status
- Usage history (scan counts, registration counts, login activity)
Content & Submission Data
- Uploaded files (images, video) — processed for scanning and stored in our cloud infrastructure
- SHA-256 cryptographic hash of each uploaded file
- Perceptual hash (pHash) fingerprint
- EXIF metadata embedded in uploaded files (where available), including device model, capture date, GPS coordinates, and software information
- User-declared origin information (e.g. AI-generated, human-made, hybrid)
- Creator identity and tool used, as declared by the user
AI Detection & Scan Data
- AI-generated likelihood scores from our detection engines
- Individual engine scores (where dual engine analysis is performed)
- Scan result classification and confidence label
Technical & Device Data
- IP address and browser type (collected automatically on platform access)
- Session data and authentication tokens
Payment Data
- Payment processing is handled entirely by Stripe, Inc. TRAXE does not store, process, or have access to payment card details. Stripe's privacy policy applies to all payment transactions.
03 Legal Basis for Processing
TRAXE processes personal data on the following legal bases under Article 6 GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the TRAXE service, including account management, content registration, scanning, and billing
- Legitimate interests (Art. 6(1)(f)): Retention of cryptographic hashes, metadata, and Verification Records indefinitely, to maintain the integrity, immutability, and public auditability of the verification registry. This processing supports the core purpose of TRAXE and the legitimate interests of registered users in maintaining a permanent record of their submissions.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable tax, financial reporting, or regulatory obligations
- Consent (Art. 6(1)(a)): Where we request consent for specific processing activities (e.g. marketing communications), this will be obtained separately and can be withdrawn at any time
04 How We Use Your Data
TRAXE uses collected data solely for the following purposes:
- Providing, operating, and improving the TRAXE platform and its features
- Processing content registrations and issuing Verification Records
- Performing AI content detection scans
- Managing subscriptions, billing, and account administration
- Providing publicly accessible verification pages linked to registered content
- Detecting and preventing fraud, abuse, or misuse of the platform
- Complying with legal and regulatory obligations
- Communicating service updates, material changes to terms, and billing notifications
TRAXE does not use your data for advertising, profiling for marketing purposes, or sale to third parties.
05 Data Retention
TRAXE retains personal data for the following periods:
- Account data: Retained for the duration of your account and for up to 24 months following account deletion, to handle any post-deletion queries or disputes
- Registered content (hashes, metadata, Verification Records): Retained indefinitely on the basis of legitimate interest. The cryptographic hash and TRAXE ID form part of an immutable public registry and cannot be deleted without compromising the integrity of the verification system. Users may request removal of personal data within a record (such as creator name or EXIF data); the hash and TRAXE ID will remain.
- AI scan results and engine scores: Retained indefinitely as part of each Verification Record
- Technical logs and session data: Retained for up to 90 days
- Payment records: Retained by Stripe in accordance with Stripe's data retention policy and applicable financial regulations
06 Data Sharing & Third Parties
TRAXE shares personal data only with the following categories of third parties, solely to the extent necessary to provide the service:
- Supabase, Inc.: Cloud database and file storage infrastructure. Files and records are stored on Supabase servers. Supabase acts as a data processor under a Data Processing Agreement.
- Stripe, Inc.: Payment processing. Stripe independently processes payment data as a data controller under its own privacy policy.
- AI detection API providers: Images and video submitted for scanning are transmitted to third-party AI detection APIs for analysis. Files are not permanently stored by these providers and are processed solely for detection purposes.
- Render (hosting provider): TRAXE's backend API is hosted on Render infrastructure.
TRAXE does not sell, rent, or trade personal data with any third party for commercial purposes. All third-party processors are subject to appropriate data processing agreements.
07 International Data Transfers
TRAXE's infrastructure providers (Supabase, Stripe, Render) may process data outside the European Economic Area. Where such transfers occur, TRAXE ensures appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) where applicable.
08 Your Rights
As a data subject under the GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, contact legal@traxe.co. We will respond within 30 days.
09 Cookies & Tracking
TRAXE uses only essential session cookies necessary for authentication and platform functionality. We do not use advertising cookies, cross-site tracking, or third-party analytics that process personal data without consent.
If this changes in future, we will update this policy and obtain appropriate consent in advance.
10 Security
TRAXE implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:
- Cryptographic signing of all Verification Records
- SHA-256 hashing of all registered files
- Encrypted storage via Supabase infrastructure
- Authentication via Supabase Auth with secure session management
- HTTPS encryption for all data in transit
No system is entirely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, TRAXE will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with Articles 33–34 GDPR.
11 Children
TRAXE is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through our platform, please contact legal@traxe.co and we will take appropriate action.
12 Changes to This Policy
TRAXE may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email no less than 14 calendar days before taking effect. Continued use of the platform following the effective date constitutes acceptance of the revised policy.
13 Contact & Supervisory Authority
For all privacy enquiries, data subject requests, or complaints:
Data Controller: TRAXE / Youruncommonbrand, Netherlands
Email: legal@traxe.co
Platform: www.traxe.co
You also have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens
Hoge Nieuwstraat 8, 2514 EL Den Haag
www.autoriteitpersoonsgegevens.nl