AI Trace

Privacy Policy

Last updated April 2026

AI Trace is operated by Trace Foundation, Inc., a Massachusetts nonprofit corporation. This policy describes what information we collect, why we collect it, how we use it, and your rights regarding that information.

We collect only what we need to operate the platform. We do not sell your data. We do not show advertising.

What we collect

We collect different information depending on how you use AI Trace:

Browsing the site (no account required)

  • IP address (for rate limiting and abuse prevention)
  • Pages visited (Analytics, anonymized)
  • Browser type and device information (Analytics)
  • Cookie consent preference (stored in browser localStorage)

We do not track individual users across sessions unless you create an account.

Submitting a report

  • Description of the AI practice you observed
  • Company name
  • Evidence URL (optional)
  • Screenshot (optional, stored securely)
  • Email address (optional, used only to notify you of review decisions)

Submissions are reviewed by a human moderator. Your email is never published or shared.

Creating an account

  • Email address (used for authentication)
  • Display name (optional)

Your password is never stored because we use passwordless authentication.

Following a company

  • Email address (to receive update notifications)

Follows require email confirmation (double opt-in). You can unfollow at any time via the link in any notification email.

Making a donation

  • Payment information is processed by Stripe. We never see or store your credit card number.
  • Stripe may collect: card number, billing address, email
  • We store: donation amount, frequency, date, and email (for tax receipts)

Using the API

  • API key (hashed before storage; the raw key is shown once)
  • Name, email, and organization (from the API key request form)
  • API usage logs (endpoint, timestamp, response time)

Using the browser extension

  • The extension reads only the current tab URL when you click the extension icon
  • No browsing history is collected or transmitted
  • API responses are cached locally in your browser for 24 hours
  • No personal data is sent to our servers beyond the company slug lookup

How we use your information

We use your information to:

  • Operate and maintain the AI Trace platform
  • Review and publish community submissions
  • Send email notifications you have opted into
  • Process donations
  • Prevent abuse (rate limiting, spam detection)
  • Improve the site (anonymous usage analytics)

We do not use your information to:

  • Show advertising
  • Build advertising profiles
  • Sell to third parties
  • Send unsolicited marketing emails

Third-party services

We use the following third-party services to operate AI Trace. Each has its own privacy policy:

Service | What it does | Privacy policy
Supabase | Database hosting, authentication, file storage | supabase.com/privacy
Stripe | Payment processing for donations | stripe.com/privacy
Resend | Transactional email delivery | resend.com/legal/privacy-policy
Vercel | Website hosting and anonymous analytics | vercel.com/legal/privacy-policy
Anthropic | AI-assisted submission processing (moderator tool only; your submissions are not sent to train AI models) | anthropic.com/privacy
OpenAI | Search embeddings (text is converted to numerical vectors for search relevance, not stored by OpenAI) | openai.com/privacy

We select services that respect user privacy. We do not use Google Analytics, Facebook Pixel, or any advertising trackers.

Cookies and local storage

AI Trace uses minimal cookies and browser storage:

What | Purpose | Duration
Supabase auth token | Keeps you signed in | Session (cleared on logout)
Consent preference | Remembers your cookie consent choice | Permanent (localStorage)
Extension banner dismissal | Remembers you closed the extension banner | Permanent (localStorage)
Extension API cache | Caches company data in the browser extension | 24 hours (extension storage)

We do not use tracking cookies, advertising cookies, or cross-site cookies.

Data retention

  • Submissions: retained indefinitely as part of the public record (email addresses are not published)
  • Account data: retained until you delete your account
  • Follow subscriptions: retained until you unsubscribe
  • Donation records: retained for 7 years (nonprofit financial reporting requirements)
  • API usage logs: retained for 90 days
  • Analytics data: anonymized and aggregated by Vercel

To request deletion of your data, email hello@aitrace.org.

Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Withdraw consent for email communications
  • Export your data in a portable format
  • Object to processing of your data

To exercise any of these rights, email hello@aitrace.org. We will respond within 30 days.

For users in the European Union (GDPR)

If you are located in the EU or EEA:

Legal basis for processing: We process your data based on consent (email opt-in, account creation), contractual necessity (processing donations), and legitimate interest (abuse prevention, platform operation).

Data transfers: Your data may be transferred to and processed in the United States, where our servers and service providers are located.

Data protection officer: For GDPR-related inquiries, contact hello@aitrace.org.

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

For users in California (CCPA)

Trace Foundation is a nonprofit corporation and is generally exempt from the California Consumer Privacy Act. However, we voluntarily extend the following rights to California residents:

  • Right to know what personal information we collect
  • Right to request deletion of personal information
  • Right to non-discrimination for exercising privacy rights

We do not sell personal information.

Email communications (CAN-SPAM)

All email communications from AI Trace:

  • Include an unsubscribe mechanism in every email
  • Are sent from hello@aitrace.org or notifications@aitrace.org
  • Accurately identify AI Trace as the sender
  • Include our mailing address:

Trace Foundation, Inc.

2020 Bridge Street, PO Box #44

Three Rivers, MA 01080-9998

You can unsubscribe from notification emails at any time using the link at the bottom of each email. Account-related emails (password resets, security alerts) cannot be unsubscribed from while your account is active.

Children's privacy

AI Trace is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact hello@aitrace.org and we will delete it.

Security

We protect your data through:

  • Encryption in transit (HTTPS/TLS on all connections)
  • Encryption at rest (Supabase encrypts stored data)
  • Row-level security policies on all database tables
  • API key hashing (raw keys are never stored)
  • Rate limiting on all public endpoints
  • Regular security audits

No system is perfectly secure. If you discover a security vulnerability, please report it to trent@aitrace.org.

Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. The “last updated” date at the top of this page indicates when it was last revised. We will not reduce your rights under this policy without your consent.

Contact

For privacy-related questions or requests:

Email: hello@aitrace.org

Mail: Trace Foundation, Inc.

2020 Bridge Street, PO Box #44

Three Rivers, MA 01080-9998

See also our Terms of Use.