Privacy Policy

1. Who controls the data.

ProofTrace is operated by SToFU Systems S.L., Spain, unless a signed customer agreement names a different contracting entity. In this policy, "ProofTrace", "we", "us" and "our" refer to the operator of the ProofTrace website, API and related public-source review services.

Privacy questions and data-rights requests can be sent to midgard@stofu.io. We may ask for information needed to verify the request and route it to the proper operational or legal owner.

2. What this policy covers.

This policy applies to personal data processed through:

• the public ProofTrace website and documentation pages;
• lookup forms for email, username, nickname and phone identifiers;
• account login, profile, search history and deletion-request features;
• the ProofTrace API, OpenAPI documentation and integration workflows;
• monitoring features that follow approved public-source signals;
• support, commercial, legal and security communications;
• cookies, local storage, security logs and abuse-prevention controls.

Separate written agreements, data processing addenda, statements of work or enterprise terms may apply to a paid customer relationship. Where a signed agreement conflicts with this public policy for that relationship, the signed agreement controls the relevant engagement.

3. Data we may process.

Identifiers and trace inputs

You may provide email addresses, usernames, nicknames, phone numbers, country-code selections and related lookup metadata. ProofTrace uses these inputs to create public-source review jobs and display results.

Account and profile data

If you use the personal cabinet, we may process login credentials, account name, email address, role, balance, transaction placeholders, saved history, deletion-request status and profile metadata.

Results, archives and monitoring data

Trace jobs may generate status records, progress data, matched public identifiers, source references, confidence information, summaries and downloadable report archives. Monitoring can create change notices or review events for identifiers you have approved.

Technical and security data

We may process IP address, request time, browser and device metadata, locale and country hints, API headers, rate-limit counters, failed login attempts, blocked traffic logs, session protection events and diagnostic data needed to keep the service stable.

Communications

If you contact us, we may process your name, email, organization, message content, attachments you choose to send and notes needed to answer, qualify or document the conversation.

4. How data is collected.

We collect data when you provide it directly, when the service creates it while operating, when security systems record abuse signals, when your browser stores preferences and when integrations send authorized API requests.

ProofTrace may also read public web pages and public-source context related to the identifiers submitted for review. The service is not designed to access private accounts, private messages, paywalled personal accounts, hidden communications or non-public systems.

5. Why we use data.

Depending on the context, we process data for these purposes:

• to run public-source traces and return readable review results;
• to maintain accounts, login sessions, history and user-requested account actions;
• to provide API access, documentation, integrations and monitoring features;
• to confirm permitted-use, privacy and non-FCRA acknowledgements;
• to secure the site, throttle abuse, investigate suspicious activity and protect availability;
• to respond to support, business, legal and compliance requests;
• to improve usability, reliability and performance;
• to keep records needed for contracts, accounting, disputes, compliance and legal defense.

Legal bases may include consent, performance of a contract, steps taken before a contract, legitimate interests in operating and securing the service, and compliance with legal obligations. Where law requires consent, we rely on consent and allow it to be withdrawn for future processing.

We do not sell personal data. We do not position submitted identifiers as an advertising asset or a data-brokerage product.

6. Cookies, storage and consent.

ProofTrace uses essential cookies or local browser storage where needed to operate the site, remember consent preferences, protect sessions, support login and preserve safe behavior. Optional analytics, if enabled, should load only after acceptance through the cookie notice or a similar consent interface.

You may decline optional cookies. Browser settings can also block or remove cookies and local storage, but doing so may require you to repeat preferences or may affect account functionality.

7. When data may be shared.

We share data only where reasonably needed for the service or required by law. Recipients may include:

• hosting, infrastructure, database, logging and deployment providers;
• email, support and business communication providers;
• public-source search, browser automation or signal-processing providers used to complete a trace;
• payment, billing or accounting providers if paid features are enabled;
• security vendors, auditors and professional advisers;
• courts, regulators, law enforcement or public authorities when legally required or necessary to protect rights and safety;
• successors in a merger, acquisition, financing, restructuring or transfer of the relevant business.

Service providers that process data for us are expected to use it only for authorized purposes and to maintain appropriate confidentiality and security obligations.

8. International processing.

Internet services, infrastructure vendors and support operations may process data in more than one country, including outside your country of residence. Where required, we aim to use suitable safeguards such as contractual commitments, standard contractual clauses, access controls, vendor privacy terms and technical protection measures.

9. Retention.

We keep data only as long as reasonably needed for the purpose collected, unless a longer period is required for security, legal, accounting, dispute, compliance or operational reasons.

• Account data is generally kept while the account remains active or while deletion is pending.
• Search history may be kept for the account experience until cleared or deleted according to the available controls.
• Trace job records and archives may be kept for operational review, reporting, troubleshooting and customer access.
• Security logs may be kept long enough to detect patterns, investigate abuse and enforce protective controls.
• Consent preferences may remain in browser storage so the site does not repeatedly ask the same question.

When data is no longer needed, we aim to delete it, anonymize it or make it unusable, subject to system backups and legal constraints.

10. Security.

We use technical and organizational safeguards designed to reduce unauthorized access, misuse, alteration, disclosure or loss. These may include access restrictions, encrypted transport, authentication controls, rate limits, security logging, abuse detection, server hardening and operational review.

No internet service can guarantee perfect security. Do not send secrets, credentials, payment card data, government identifiers, regulated health data or unnecessary sensitive material through public forms or support channels unless a secure process has been agreed.

11. Your rights.

Depending on your location and applicable law, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy of eligible data, withdraw consent and complain to a supervisory authority.

We may need to verify your identity before acting on a request. We may also limit or refuse a request where law allows or requires it, including where the request would expose another person's data, interfere with security, be excessive or conflict with legal retention obligations.

12. Children, sensitive data and third-party data.

ProofTrace is intended for adults, businesses and authorized users. It is not directed to children, and we do not knowingly collect children's data through the public site.

If you submit identifiers or other data about another person, you are responsible for having a lawful basis, authority and permitted purpose. ProofTrace must not be used for stalking, harassment, unlawful surveillance or regulated eligibility decisions.

13. Updates.

We may revise this policy when the service, law, vendors, risk posture or operational model changes. The updated version will be posted on this page with a new date. Continued use after an update means the latest version applies to future interactions, where permitted by law.

14. Contact.

Questions, privacy requests and complaints can be sent to midgard@stofu.io.

Operator: SToFU Systems S.L., Spain.