Privacy & GDPR

Privacy by design

Trace is built with privacy as a core constraint, not an afterthought.

IP addresses are hashed on ingestion and never stored in plaintext
Fingerprint data is automatically anonymized after your retention window
GDPR erasure and data export endpoints are built in
Data is region-pinned — EU data stays in the EU

IP hashing

When the SDK sends a request, the server hashes the IP address immediately using SHA-256 with an app-specific salt:

hash = SHA-256(ip + ":" + appSalt + ":" + globalPepper)

The raw IP is never written to the database. The hash is used for:

Matching clicks to installs (fingerprint attribution)
Fraud detection (high-volume anomaly detection)
GDPR erasure (finding records to scrub)

After the retention window, the hash is anonymized (set to null) along with other fingerprint data.

Data retention

Each app has a retention window based on its tier:

Tier	Retention	What happens after
Free	7 days	Fingerprint data anonymized
Growth	90 days	Fingerprint data anonymized
Scale	365 days	Fingerprint data anonymized

A scheduled job runs every hour to anonymize expired records. Anonymization removes:

Table	Fields anonymized
Clicks	user agent, device model, OS version, fingerprint, IP hash
Installs	user agent, device model, screen dimensions, locale, timezone, IP hash
Events	user ID, properties
Open events	user agent, device model, locale, timezone, IP hash

After anonymization, records retain only structural data (IDs, timestamps, campaign IDs, attribution method) for aggregate analytics. This data cannot be linked back to an individual.

When a user exercises their right to erasure (Article 17), use the Privacy API to submit a request:

curl -X POST https://api.traceclick.io/v1/privacy/erase \
  -H "X-Api-Key: tr_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user_12345"}'

Trace processes erasure requests every 15 minutes. When processed:

All matching records are found via IP hash and/or user ID
Personal data fields are nullified (same fields as retention anonymization)
The IP hash itself is nullified (unlike retention, which keeps the hash until expiry)
The erasure request is marked as completed

You can check the status:

curl https://api.traceclick.io/v1/privacy/erase/{requestId} \
  -H "X-Api-Key: tr_live_xxxxxxxxxxxx"

Data export (DSAR)

For data subject access requests, use the export endpoint:

curl -X POST https://api.traceclick.io/v1/privacy/export \
  -H "X-Api-Key: tr_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user_12345"}'

This returns all clicks, installs, events, and open events associated with the user in a portable JSON format. Internal fields (IP hashes, internal IDs) are excluded from the export.

See the Privacy API reference for full request/response details.

Region pinning

Apps are created in either the US or EU region. Data for an app stays in the assigned region:

US apps route through api.traceclick.io
EU apps route through api-eu.traceclick.io

The SDK is configured with a region at initialization, and the server rejects requests from apps that don’t match the expected region.

What Trace collects

For full transparency, here’s exactly what the SDK sends to the server:

Data point	Purpose	Retained
IP address (hashed)	Fingerprint matching, fraud detection	Until retention window or erasure
User agent	Fingerprint matching	Until retention window or erasure
Platform (Android/iOS)	Routing, analytics	Indefinitely (not PII)
OS version	Fingerprint matching	Until retention window or erasure
Device model	Fingerprint matching	Until retention window or erasure
Screen dimensions	Fingerprint matching	Until retention window or erasure
Locale	Fingerprint matching	Until retention window or erasure
Timezone	Fingerprint matching	Until retention window or erasure
App version	Compatibility, analytics	Indefinitely (not PII)
SDK version	Compatibility	Indefinitely (not PII)