WishEDA Inc. ("Company," "we," "our," or "us") builds and operates Trace. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.
We collect the following categories of information: (a) Account information — your name, email address, and profile details when you sign up; (b) Authentication data — login credentials and tokens managed via Supabase, and information from third-party login providers (Google, GitHub) if you choose to use them; (c) Design data — PCB designs, schematics, project files, and related content you create or upload; (d) AI interaction data — conversations with our AI assistant, prompts, and generated outputs; (e) Usage analytics — page views, feature interactions, clicks, session duration, and API performance metrics, collected via PostHog and Amplitude; (f) Device and technical data — browser type, operating system, IP address, device identifiers, and general location (city/country level); (g) Payment information — billing details processed through our payment provider (we do not store full credit card numbers); and (h) Communications — support requests, feedback, and any correspondence with us.
We use your information to: (a) provide, operate, and maintain the Service; (b) process transactions and manage your subscription; (c) improve and personalize the Service based on usage patterns; (d) train and improve our AI models using anonymized design data (subject to your opt-out right); (e) send transactional communications (account verification, password resets, billing notices); (f) send product updates and announcements (you may unsubscribe at any time); (g) analyze usage trends and generate aggregate statistics to improve the Service; (h) detect, prevent, and address fraud, abuse, security issues, and technical problems; (i) comply with legal obligations; and (j) respond to your support requests and feedback.
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases: (a) Contract — processing necessary to provide the Service under our agreement with you; (b) Legitimate interests — analytics, security, fraud prevention, and product improvement, where our interests do not override your rights; (c) Consent — AI training data collection (which you can withdraw at any time via your dashboard settings); and (d) Legal obligation — where processing is required by applicable law.
We implement industry-standard security measures to protect your data, including: encryption in transit (TLS/SSL) and at rest; secure authentication via Supabase with support for multi-factor authentication; role-based access controls; regular security assessments; and secure cloud infrastructure. Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security vulnerabilities that are discovered.
We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specifically: (a) Account data is retained until you delete your account; (b) Design data is retained while your account is active and for 30 days after account deletion to allow recovery; (c) Analytics data is retained in anonymized/aggregated form indefinitely; (d) AI training data (if you opted in) is anonymized and cannot be traced back to individual users; (e) Payment records are retained as required by tax and accounting laws (typically 7 years); and (f) Support correspondence is retained for up to 3 years after resolution. After the applicable retention period, data is securely deleted or irreversibly anonymized.
Depending on your location, you may have the following rights regarding your personal data: (a) Access — request a copy of the personal data we hold about you; (b) Correction — request correction of inaccurate or incomplete data; (c) Deletion — request deletion of your personal data (subject to legal retention requirements); (d) Export/Portability — receive your data in a structured, machine-readable format; (e) Restriction — request that we limit processing of your data in certain circumstances; (f) Objection — object to processing based on legitimate interests; (g) Withdraw consent — withdraw consent for AI training data collection at any time via your dashboard settings; and (h) Lodge a complaint — file a complaint with your local data protection authority. To exercise these rights, contact us at hello@buildwithtrace.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing certain requests.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): (a) Right to know — you may request details about the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it; (b) Right to delete — you may request deletion of your personal information, subject to certain exceptions; (c) Right to correct — you may request correction of inaccurate personal information; (d) Right to opt-out — we do not sell or share your personal information for cross-context behavioral advertising; and (e) Non-discrimination — we will not discriminate against you for exercising your privacy rights. To make a request, email hello@buildwithtrace.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.
WishEDA Inc. is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to ensure an adequate level of data protection. By using the Service, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
The Service integrates with or relies on the following third-party services, each with their own privacy policies: Google and GitHub (authentication), Supabase (database and authentication), cloud infrastructure providers (hosting and compute), PostHog and Amplitude (product analytics), Microsoft Clarity (session analytics), payment processors (subscription billing), and Nexar (component sourcing data). We encourage you to review the privacy policies of these third-party services. We are not responsible for the privacy practices of third-party services.
You have the following choices regarding your data: (a) AI training data — board writes, tab completions, and routing data used for AI training are opt-out; you can disable training data sharing at any time from the settings page in your dashboard; (b) Product updates — you may unsubscribe from non-transactional emails at any time using the unsubscribe link in those emails; (c) Account deletion — you may delete your account at any time, which will trigger deletion of your personal data in accordance with our retention policy; and (d) Business analytics — PostHog, Amplitude, and Clarity analytics are essential for operating and improving Trace and cannot be disabled.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify affected users via email within 72 hours of becoming aware of the breach (or as soon as reasonably practicable); (b) notify the relevant supervisory authority where required by law; (c) provide details of the breach, including the nature of the data affected, the likely consequences, and the measures taken or proposed to address the breach; and (d) take immediate steps to contain and remediate the breach.
Trace is not intended for children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age, we will take steps to promptly delete that information. If you believe a child has provided us with personal information, please contact us at hello@buildwithtrace.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, where required by law, by sending you an email notification. Your continued use of the Service after the updated policy becomes effective constitutes your acceptance of the changes. We encourage you to review this policy periodically.