Legal
Privacy Policy
Last Updated: May 15, 2026
Before you continue: Traced is not a law firm and does not provide legal advice. This Privacy Policy explains how we collect, use, and protect your personal information. Questions? Email support@traced.com.
Section 01
Who We Are
Traced, Inc. ("Traced," "we," "us," or "our") operates the Traced platform, including our website at www.Tracedusa.com, our mobile applications, and all related services (collectively, the "Services"). We are incorporated in the State of Delaware and operate in the United States.
Traced is a technology platform that provides AI-powered informational guidance about tenant rights. We are not a law firm, we do not practice law, and we do not provide legal advice. Nothing in our Services or this Privacy Policy creates an attorney-client relationship.
As the operator of the Services, Traced is the "data controller" for purposes of applicable privacy laws including the GDPR and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Data Controller Contact:
Traced, Inc.
Attn: Privacy Officer
1000 Brickell Ave
Ste 715 PMB 1918
Miami, FL 33131
Email: support@traced.com
Website: www.Tracedusa.com/privacy-policy
Section 02
Definitions
- Personal Data
- Any information that identifies or could identify a natural person, directly or indirectly, including name, email address, location data, or online identifiers.
- Sensitive Personal Data
- A subset of personal data including: precise geolocation, racial or ethnic origin, religious beliefs, health data, financial account details, contents of communications, and data about sexual orientation or immigration status.
- Processing
- Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- ADMT
- Automated Decision-Making Technology โ computational processes that substantially replace human decision-making, as defined under California's CCPA regulations effective January 1, 2026.
- Services
- All Traced products, features, websites, mobile applications, APIs, and customer support channels.
- User / You
- Any individual who accesses or uses the Traced Services, whether or not they have created an account.
- Case Data
- Information you provide describing a landlord dispute, including property addresses, landlord names, dispute descriptions, uploaded documents, and timeline events.
- AI Analysis
- Informational output generated by our AI system in response to your input. AI Analysis is not legal advice and does not constitute a legal opinion.
Section 03
Information We Collect
3.1 Information You Provide Directly
- Account Information: First name, last name, email address, password (stored as a one-way bcrypt hash โ we cannot read your password), state of residence, and city.
- Case Data: Descriptions of landlord disputes, property addresses, landlord names and contact information, incident dates, and case notes you choose to enter.
- Documents: Files you upload to the platform including leases, eviction notices, letters, photographs, and other documents. Uploaded documents are stored securely and used only to provide you with AI-powered analysis.
- Communications: Messages you send to our AI assistant, support team, or through any chat feature. These are stored to provide continuity of service and improve our AI responses.
- Payment Information:We do not store your payment card details. All payment processing is handled by Stripe, Inc. We receive and store a Stripe Customer ID and subscription status only. Stripe's privacy policy governs their processing of your payment data.
- Profile Preferences: Settings, state preferences, and notification choices you configure within your account.
3.2 Information We Collect Automatically
- Usage Data: Pages and features accessed, search queries, features used, time spent on features, and interaction patterns within the platform.
- Device Information: Browser type, operating system, device type, screen resolution, and language settings.
- Log Data: IP address, access timestamps, referring URLs, error logs, and API request data. IP addresses are pseudonymized within 30 days.
- Cookies and Similar Technologies: Session cookies, authentication tokens, and analytics identifiers. See Section 13 for full cookie details.
3.3 Information We Do NOT Collect
Traced does not collect: Social Security Numbers, government-issued ID numbers, biometric data, financial account numbers, credit scores, health or medical information, racial or ethnic origin (unless you voluntarily include it in case descriptions), or precise real-time geolocation. We do not track your location beyond the state-level information you choose to provide.
3.4 Information from Third Parties
If you connect third-party accounts or services, we may receive limited profile information as authorized by you. We do not purchase personal data from data brokers. If we ever receive referrals from partners, we receive only the information necessary to create your account and attribute the referral.
Section 04
How We Use Your Information
We use your personal data only for the following specific, disclosed purposes. We do not use your data for any purpose not listed here without obtaining your explicit prior consent.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Services | Account info, Case Data, Documents, AI chat history | Contract performance |
| AI Analysis & Responses | Case descriptions, documents, state, chat messages | Contract performance + Consent |
| Account Authentication | Email, password hash, session tokens | Contract performance |
| Payment Processing | Email, Stripe Customer ID, subscription status | Contract performance |
| Security & Fraud Prevention | IP address, usage patterns, device info | Legitimate interests |
| Service Improvement | Anonymized/aggregated usage data only | Legitimate interests |
| Customer Support | Account info, case descriptions, support messages | Contract performance |
| Legal Compliance | Minimum necessary data as required by law | Legal obligation |
| Transactional Emails | Email address, subscription status | Contract performance |
| Marketing Emails | Email address only | Consent (opt-in only) |
We will NEVER: Sell your personal data to any third party. Share your individual case details, documents, or dispute information with landlords, property managers, courts, employers, or any adverse party in your dispute. Use your case data for targeted advertising. Train AI models on your identifiable personal data without your explicit opt-in consent.
Section 05
AI & Automated Processing Disclosures
Required Disclosure under California CCPA ADMT Regulations (Effective January 1, 2026): Traced uses AI-powered automated processing to generate informational analyses of tenant situations, documents, and legal questions. This section explains how that processing works, what data it uses, and your rights regarding it.
5.1 How Our AI Works
Traced uses Google's Gemini API to process your inputs and generate informational responses. When you submit a case description, upload a document, or ask a question, the following occurs:
- Your input (text or document content) is transmitted to Google's Gemini API via an encrypted connection.
- The API generates a response based on your input and a system prompt that instructs it to provide tenant rights information relevant to your state.
- The response is returned to you and stored in our database associated with your account.
- A "case strength score" (0โ100%) is generated as a general informational indicator โ it is not a legal assessment, prediction, or guarantee of any outcome.
5.2 What Our AI Does NOT Do
- Our AI does not make legal decisions. It provides information, not legal advice.
- Our AI does not determine your eligibility for housing, benefits, employment, or any government program.
- Our AI does not access court databases, landlord records, credit files, eviction records, or any external databases about you or your landlord.
- Our AI output does not have legal effect and cannot be relied upon as a substitute for advice from a licensed attorney.
5.3 Your Rights Regarding Automated Processing
Under California's ADMT regulations and GDPR Article 22, you have the following rights regarding our automated processing:
- Right to Access: You can request a plain-language explanation of how our AI generated a specific analysis for you.
- Right to Opt Out: You may opt out of AI-powered analysis at any time. If you do so, you will receive only static informational content. Contact support@traced.com to opt out.
- Right to Human Review: If you believe an AI-generated analysis has materially harmed you, you may request a human review of that output. Submit requests to support@traced.comwith the subject line "ADMT Human Review Request."
- Right to Correction: If an AI analysis contains factual errors about your situation that you reported to us, you may request correction of your case record.
5.4 AI Training Data
Traced does not use your personally identifiable case data, documents, or communications to train AI models without your explicit opt-in consent. We may use fully anonymized, aggregated, and de-identified data to improve our system prompts and response quality. Individual users cannot be re-identified from this aggregated data.
5.5 Google Gemini Data Processing
When you use our AI features, your input is processed by Google LLC through the Gemini API pursuant to our agreement with Google. Google processes API requests to generate responses and does not use your Traced inputs to train Gemini models for other customers under Google's standard API terms. You can review Google's privacy policy at policies.google.com/privacy and the Gemini API terms at ai.google.dev/gemini-api/terms.
Section 06
How We Share Your Information
6.1 We Do Not Sell Your Data
Traced does not sell, rent, lease, or otherwise transfer your personal data to third parties for monetary or other valuable consideration. This applies to all categories of personal data including names, email addresses, case information, documents, and behavioral data.
6.2 Service Providers (Data Processors)
We share limited personal data with trusted service providers who process data on our behalf under binding data processing agreements. These providers are prohibited from using your data for any purpose other than providing services to Traced:
- Google (Gemini API)
- AI API provider. Receives your text and document inputs to generate informational responses via Google Gemini models (e.g., Gemini 2.5 Flash and Gemini 2.5 Pro). Governed by Google's API and privacy terms. Privacy: policies.google.com/privacy
- Stripe, Inc.
- Payment processing. Receives your payment card information directly โ we never see or store it. Governs its own data. Privacy: stripe.com/privacy
- Cloud Infrastructure
- Servers and database hosting. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Located in the United States.
- SendGrid / Email
- Transactional email delivery (account confirmations, password resets). Receives your email address only.
6.3 Legal Disclosures
We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, including valid subpoenas, court orders, or law enforcement requests. We will notify you of such requests to the extent permitted by law and challenge overbroad or unclear demands.
6.4 Business Transfers
If Traced is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Services at least 30 days before your personal data becomes subject to a different privacy policy. You will have the right to request deletion of your data prior to any such transfer.
6.5 Aggregated & De-Identified Data
We may share aggregated, anonymized, and de-identified data โ such as general usage statistics or aggregate trends across our user base โ for research, business development, or public interest purposes. This data cannot reasonably be used to identify you individually.
6.6 Landlord Report Card (Future Feature)
When we launch the Landlord Report Card feature, ratings you submit will be displayed publicly in association with the property address and landlord name you provide. Your personal identity will not be publicly associated with any rating. You will be informed of these specific terms at the time you submit a rating, and you will have the ability to delete your rating at any time.
Section 07
Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy, or as required by law. Our specific retention periods are:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 90 days after deletion request | Service provision; 90-day recovery window |
| Case Data & Analysis | Duration of account + 90 days | User access to their dispute history |
| Uploaded Documents | Duration of account + 30 days after deletion | User-controlled; promptly deleted on request |
| AI Chat History | 24 months from last interaction | Continuity of service; user reference |
| Payment Records | 7 years | Legal/tax compliance requirements |
| Security Logs | 12 months | Fraud detection and security investigations |
| IP Addresses | 30 days (then pseudonymized) | Security; pseudonymized for analytics |
| Backup Data | 90 days rolling | Disaster recovery; overwritten automatically |
| Deleted Account Data | 30 days in backups, then permanently purged | Backup recovery window |
When data reaches the end of its retention period, we permanently delete or irreversibly anonymize it. You may request earlier deletion of your data as described in Section 9.
Section 08
Security
We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. Our security practices include:
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption.
- Encryption at Rest: All databases and file storage are encrypted using AES-256.
- Password Security: Passwords are hashed using bcrypt with a cost factor of 12. We cannot read your password.
- Authentication: JWT-based authentication with short-lived access tokens (15-minute expiry) and refresh token rotation.
- Access Controls: Strict role-based access controls. Only authorized personnel can access personal data, and only when necessary for their job function.
- Vulnerability Management: Regular security assessments and prompt patching of known vulnerabilities.
- Payment Security: We are PCI-compliant by using Stripe. We never transmit or store raw payment card data on our servers.
Data Breach Notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and applicable regulatory authorities within 72 hours of discovering the breach, to the extent required by applicable law. Notification will be sent to the email address associated with your account.
No security system is impenetrable. We cannot guarantee absolute security of your data, but we continuously work to protect it using best practices and promptly investigate and address any security incidents.
Section 09
Your Rights โ All Users
Regardless of where you are located, Traced provides the following rights to all users:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Request a copy of all personal data we hold about you in a portable format | Email support@traced.com ยท Respond within 30 days |
| Correction | Request correction of inaccurate or incomplete personal data | Update in account settings or email us |
| Deletion | Request deletion of your account and all associated personal data | Settings โ Delete Account, or email us |
| Portability | Receive your data in a machine-readable format (JSON or CSV) | Email support@traced.com |
| Restriction | Request we stop processing your data while a dispute is pending | Email support@traced.com |
| Objection | Object to processing based on legitimate interests | Email support@traced.com |
| Withdraw Consent | Withdraw consent for marketing emails or AI opt-in features at any time | Unsubscribe link in emails or account settings |
| Non-Discrimination | We will not deny services, charge different prices, or provide lower quality service because you exercised any privacy right | N/A โ this protection is automatic |
We will respond to all verified requests within 30 days (extendable to 60 days for complex requests with notice). We may need to verify your identity before fulfilling requests. We will not charge a fee for reasonable requests.
Section 10
California Residents โ CCPA / CPRA
This section applies to California residentsand describes your rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and California's Automated Decision-Making Technology (ADMT) regulations effective January 1, 2026.
10.1 Categories of Personal Information Collected
In the preceding 12 months, Traced has collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, IP address, account ID
- Personal information categories under Cal. Civ. Code ยง1798.80(e): Name, email address
- Commercial information: Subscription tier, purchase history
- Internet/electronic activity: Browsing activity within our Services, features accessed
- Geolocation data: State-level only (as provided by you) โ we do not collect precise geolocation
- Inferences: Account preferences drawn from usage patterns
We do not collect: Sensitive personal information as defined by CPRA (including Social Security numbers, financial account data, precise geolocation, racial/ethnic origin, religious beliefs, biometric data, health data, or contents of private communications) unless you voluntarily include such information in your case descriptions.
10.2 California Privacy Rights
California residents have all rights listed in Section 9, plus the following additional rights:
- Right to Know: The specific pieces of personal information collected about you; the categories of sources; the business purpose for collection; and the categories of third parties with whom we share information.
- Right to Opt Out of Sale/Sharing:We do not sell or share personal information as defined by CCPA. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link prominently on our homepage.
- Right to Limit Use of Sensitive Personal Information: If we ever process sensitive personal information beyond what is necessary to provide Services, you may limit such use.
- Right to Non-Discrimination: Explicitly protected under CCPA ยง 1798.125.
10.3 California ADMT Rights (Effective January 1, 2026)
Under California's finalized CCPA ADMT regulations, because Traced uses automated technology to generate analyses that may constitute "significant decisions" in the housing context, we provide:
- Pre-Use Notice: You are hereby informed that our AI processes your inputs to generate informational tenant rights analyses. This notice constitutes our pre-use disclosure as required by ADMT regulations.
- Opt-Out Right: You may opt out of AI-powered analysis at any time by contacting support@traced.com. Note that opting out significantly limits the functionality available to you.
- Access Right: You may request access to the logic used to generate a specific AI analysis about your situation.
10.4 Submitting Requests
Submit California privacy requests to: support@traced.comwith subject line "CCPA Request โ [Type of Request]." You may also use our in-app request form. We will verify your identity using your account credentials and respond within 45 days (extendable to 90 days with notice). You may designate an authorized agent to make requests on your behalf by providing written authorization.
Section 11
EU & UK Residents โ GDPR
This section applies to residents of the European Union, European Economic Area, and United Kingdom whose personal data is processed by Traced. We process your data in compliance with the General Data Protection Regulation (GDPR) and UK GDPR.
11.1 Legal Bases for Processing
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Services you signed up for.
- Legitimate Interests (Art. 6(1)(f)): Security, fraud prevention, service improvement using anonymized data. We have conducted legitimate interest assessments for each use.
- Legal Obligation (Art. 6(1)(c)): Processing required by applicable law.
- Consent (Art. 6(1)(a)): Marketing emails and AI training (if applicable). You may withdraw consent at any time without affecting prior processing.
11.2 International Data Transfers
Traced is based in the United States. If you are in the EU/EEA/UK, your personal data is transferred to and processed in the United States. We implement appropriate safeguards for such transfers including Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of our SCCs is available upon request.
11.3 Data Protection Officer
You may contact our data protection representative at support@traced.com. EU residents also have the right to lodge a complaint with your local data protection supervisory authority.
11.4 Automated Decision-Making Rights (Art. 22)
Our AI analysis does not produce legally binding decisions that significantly affect you in a legal sense. It provides informational guidance only. However, you have the right to request human review of any AI-generated output, object to automated processing, and obtain an explanation of the logic behind any specific analysis.
Section 12
Children's Privacy
Traced's Services are intended for individuals who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, please do not use our Services or provide any personal information to us.
If we discover that we have inadvertently collected personal information from a child under 18, we will promptly delete that information from our systems. If you believe we may have collected information from a child under 18, please contact us immediately at support@traced.com.
Section 13
Cookies & Tracking Technologies
13.1 Types of Cookies We Use
- Essential Cookies
- Required for the Services to function. Includes authentication tokens and session management. Cannot be disabled without breaking core functionality.
- Functional Cookies
- Remember your preferences, state selection, and UI settings. Improve your experience across sessions.
- Analytics Cookies
- Anonymized usage data to understand feature adoption and improve the platform. IP addresses are not stored. You may opt out.
13.2 What We Do NOT Use
We do not use advertising cookies, cross-site tracking cookies, third-party behavioral tracking, or cookies that share your data with advertisers. Traced is ad-free and we do not allow any advertising network to place cookies on our Services.
13.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies will impair your ability to log in and use the Services. You may opt out of analytics cookies at any time via account Settings โ Privacy.
13.4 Do Not Track
We respect browser-level "Do Not Track" signals and global privacy controls (GPC) as required by California law. When we detect a GPC signal, we treat it as a request to opt out of any data sharing for purposes beyond service provision.
Section 14
Third-Party Services & Links
Our Services may contain links to third-party websites, attorney referral services, or external legal resources. These third-party sites have their own privacy policies, and we have no control over and assume no responsibility for their content, privacy practices, or data handling.
If we implement an attorney referral marketplace feature, we will clearly disclose when you are being connected to a third-party service provider and what information is shared for that referral. You will have the opportunity to review and consent before any referral information is shared.
Section 15
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Send an email notification to all registered users at least 30 days before the changes take effect
- Display a prominent notice within the platform
- For material changes affecting how we process existing data, request fresh consent where required by law
Your continued use of the Services after the effective date of any updated policy constitutes acceptance of the updated policy. If you disagree with the changes, you may close your account before the effective date.
Section 16
Contact Us
Privacy Inquiries & Rights Requests
Email: support@traced.com
Subject line format: "[Right/Request Type] โ [Your Name]"
Response time: Within 30 days
Mailing: Traced, Inc., Attn: Privacy Officer
1000 Brickell Ave
Ste 715 PMB 1918
Miami, FL 33131