Legal

Privacy Policy

Effective: 25 May 2026 · Last updated: 25 May 2026

This policy explains how Guided Intelligence Pty Ltd (the operator of TraceHumanity) handles personal information under the Australian Privacy Act 1988 (Cth), the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) as amended by the CPRA. Jurisdiction-specific rights and disclosures appear in the dedicated sections at the end.

1. Who we are

TraceHumanity is operated by Guided Intelligence Pty Ltd(“Guided Intelligence,” “we,” “us,” or “our”), a company registered in Australia. For the purposes of the GDPR we act as a data controllerfor personal information we collect through tracehumanity.com and its subdomains. For the purposes of the CCPA we are a business that determines the purposes and means of processing personal information about California residents.

You can contact us at any time at hello@guidedintelligence.com.au or by writing to Guided Intelligence Pty Ltd, Australia.

2. Information we collect

We collect the categories of information described below. Where required by law, we identify the lawful basis for processing in the GDPR section.

2.1 Information you provide

Account details — email address, password (stored only as a salted hash by our authentication provider), display name, and optional profile fields you choose to add (full name, organisation, location, website, bio, social links).
Creative works submitted for certification — the files you upload (images, video, audio, documents) together with any title, description, and metadata you supply. We store these in encrypted, access-controlled storage and treat them as sensitive material.
Evidence files — RAW source files, edit histories, capture recordings, identity documents (if you submit them), and other materials you upload in support of your certification claim.
Identity-verification submissions — name, photograph, biography, and external links you submit to upgrade your verification tier. Reviewer notes about your submission are stored alongside the decision.
Communications — emails, support requests, and any other correspondence you send us.

2.2 Information we generate

Certificate records — certificate number, certification level, issuance timestamp, ECDSA digital signature, perceptual hash, embedded watermark identifier, and any revocation event. Certificate metadata is intended to be publicly verifiable; see Section 3.
Audit log entries— tamper-evident records of significant actions (asset created, submitted, reviewed, certified, revoked) with timestamps, the acting user’s identifier, and a SHA-256 hash that chains to the previous entry.
B2B API key records — a salted hash of each key you create, a non-secret display prefix, the tier, creation and revocation timestamps, and per-day request counters.

2.3 Information collected automatically

Technical data — IP address, user-agent string, device type, language preference, referring URL, and approximate location (derived from IP). We collect this for security, abuse prevention, and aggregate analytics.
Session and authentication cookies — short-lived tokens issued by our authentication provider so you stay signed in between page loads. See Section 9 (Cookies).
Error and performance data — when something breaks we may capture the URL, stack trace, and the surrounding interaction so we can fix it. We avoid sending personal information into these reports, but a request URL or username occasionally appears in a stack frame.

2.4 Information we do not collect

We do not collect government-issued identity documents unless you voluntarily submit them for the highest verification tier. We do not collect payment card details directly — paid plans (when launched) will be billed through a PCI-compliant payment processor. We do not perform behavioural advertising tracking and we do not sell or share personal information with advertising networks.

3. What we deliberately make public

TraceHumanity is a public certification authority. The following information is published deliberately and cannot be made private without revoking the certificate:

Certificate number, level, classification, and issuance date
Cryptographic signature, watermark identifier, and content fingerprint
The display name or full name you choose to associate with the certificate
Asset title (but not the asset file itself unless you opt to make it public)

Your profileappears in the public Creators directory only if you opt in via the “Public listing” toggle in your profile settings. You can switch this off at any time. Disabling the directory listing does not retroactively remove your name from already-issued certificates, because doing so would defeat the point of a tamper-evident certification record. You may instead request revocation of a specific certificate (see Section 8).

4. How we use information

We use the categories of information above to:

Create and manage your account, authenticate you, and recover access
Carry out the certification workflow — receiving submissions, performing reviews, computing fingerprints, embedding watermarks, and issuing or revoking certificates
Send service emails — submission receipts, review outcomes, certificate issuance, certificate revocation, security alerts
Operate the B2B API, including rate-limiting and abuse mitigation
Maintain the tamper-evident audit log required for the integrity of our service
Investigate suspected abuse, fraud, and violations of our Terms of Service
Aggregate usage statistics (e.g. “X certificates issued this month”) where the data is no longer personal information
Comply with legal obligations and respond to lawful requests

5. Legal bases for processing (GDPR)

Where the GDPR applies, we rely on the following lawful bases under Article 6:

Contract (Art 6(1)(b)) — to provide the certification, verification, and API services you sign up for.
Legitimate interests (Art 6(1)(f)) — to operate, secure, and improve the service; to maintain the audit log; to prevent abuse. We have balanced these interests against your rights and are satisfied that they do not override your fundamental rights and freedoms.
Legal obligation (Art 6(1)(c)) — to respond to subpoenas and preserve records where required.
Consent (Art 6(1)(a)) — only where required (e.g. marketing emails, optional public profile listing). You may withdraw consent at any time.

We do not deliberately collect special category data under Article 9. If you submit identity documents containing such data (e.g. visible religious symbols on an ID), they are processed solely on the basis of your explicit consent (Art 9(2)(a)) and deleted as soon as the verification decision is recorded.

6. Retention

We retain personal information only for as long as we need it:

Account profile — for as long as your account is active, then until 90 days after you request deletion. Some elements (e.g. your display name attached to issued certificates) persist longer; see Section 3.
Uploaded works and evidence — retained for the lifetime of the certificate, plus 7 years after revocation or account closure, to allow downstream verification disputes to be resolved.
Audit log — retained indefinitely. The audit log is the integrity mechanism of the service; deleting entries would break the chain. Audit entries contain identifiers but no file content.
API key records and usage counts — retained for 24 months after key revocation, then deleted.
Email logs (delivery metadata) — 30 days at our email provider.
Error/performance reports — 90 days, then deleted.

We never sell personal information. We share it only with service providers (acting as processors under the GDPR / service providers under the CCPA), with public recipients where you have deliberately published information, and where required by law.

7.1 Service providers (sub-processors)

Supabase, Inc. (US) — authentication, database, file storage. Hosted in AWS us-east-1.
Vercel, Inc. (US) — application hosting, edge compute, error instrumentation.
Modal Labs, Inc. (US) — GPU compute for watermark embedding and detection.
Resend, Inc. (US) — transactional email delivery.
Cloudflare, Inc. (US, when enabled) — CAPTCHA and abuse mitigation on signup.
Sentry (Functional Software, Inc.) (US, when enabled) — error and performance monitoring.

Each provider is bound by a data processing addendum that restricts use of personal information to the purposes we direct. We review their security posture annually.

7.2 Public recipients

Certificate metadata and the public verification API are open by design. When you choose to make a certificate public, the corresponding metadata in Section 3 becomes visible to anyone with a network connection.

7.3 Legal disclosure

We may disclose personal information where required by a court order, statutory notice, or other binding legal process; to enforce our Terms; or to prevent fraud, serious harm, or imminent danger to life. We will notify affected users unless the law forbids us from doing so.

8. International transfers

We are based in Australia. Our service providers are based primarily in the United States. When we transfer personal information from Australia or the EU/UK to the US or other third countries, we rely on the following safeguards:

EU/UK Standard Contractual Clauses (SCCs) in our data processing agreements with each US-based sub-processor;
Australian Privacy Principle 8.2 exceptions (your consent to the transfer, or our reasonable belief that the recipient is subject to a binding scheme of equivalent protection);
Encryption in transit (TLS 1.2+) and at rest for all stored personal information.

9. Security

We use industry-standard measures to protect personal information, including:

TLS 1.2+ for all network traffic
Row-level security policies on every table containing personal information
Service-role credentials isolated to server-side code; never exposed to browsers
ECDSA P-256 signing of certificates with private keys held in environment-scoped secrets
A tamper-evident hash-chained audit log of all significant actions
CAPTCHA on signup and rate-limiting on the public API
Annual third-party review of provider security practices

No security measure is perfect. If we become aware of a personal data breach that poses a risk to your rights, we will notify you and the relevant regulators within 72 hours (GDPR), as soon as practicable (AU NDB scheme), or as required by California Civil Code §1798.82.

10. Cookies and similar technologies

We use a small number of strictly necessary cookies and short-lived tokens:

Authentication tokens — issued by Supabase Auth, used to keep you signed in. Removed on sign-out.
CSRF protection — short-lived values that bind a request to its origin.
CAPTCHA — Cloudflare Turnstile sets a single cookie limited to the signup form. It does not track you across other sites.

We do not use analytics or advertising cookies. We do not honor the “Do Not Track” browser header because no industry consensus exists on its meaning; however, we treat the spirit of the request seriously and avoid tracking that the header is intended to prevent.

11. Your rights and choices

Subject to the laws of your jurisdiction, you have the following rights:

Access — request a copy of the personal information we hold about you.
Correction — ask us to correct inaccurate or incomplete information.
Deletion — ask us to delete your account and associated personal information, subject to the retention exceptions in Section 6 and the public-record nature of issued certificates (Section 3).
Restriction / objection — limit how we process information, or object to processing based on legitimate interests.
Portability — export your data in a structured, machine-readable format (JSON).
Withdraw consent — where processing relies on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Complaint — lodge a complaint with the relevant regulator (see jurisdiction sections below).

To exercise any of these rights, email hello@guidedintelligence.com.au from the email address associated with your account. We respond within 30 days (or 45 days for complex CCPA requests, with notice).

12. Children

TraceHumanity is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. Australian Privacy Act notice

The Australian Privacy Principles (APPs) under Schedule 1 of the Privacy Act 1988 (Cth) apply to our handling of your personal information. Specifically:

APP 1 — this policy is our APP-compliant privacy policy.
APP 5 — at or before collection, we tell you what we collect and why; this policy serves that notice.
APP 6 — we use personal information only for the primary purpose collected, or a related secondary purpose you would reasonably expect.
APP 8 — overseas disclosures are governed by Section 8 above.
APP 11 — we take reasonable steps to protect information from misuse, interference, and loss; see Section 9.
APP 12 & 13 — you can access and correct your personal information by contacting us. We will not charge for access requests.

If you have a complaint about our handling of your personal information, please first raise it with us at hello@guidedintelligence.com.au. If we cannot resolve it, you may complain to the Office of the Australian Information Commissioner (OAIC): oaic.gov.au / 1300 363 992.

If you are in the European Economic Area, United Kingdom, or Switzerland, the GDPR (and equivalent UK and Swiss laws) apply to our processing of your personal information. We act as the controller for the purposes set out in this policy.

Lawful bases for processing are summarised in Section 5. Your rights are summarised in Section 11 and include the rights of access, rectification, erasure, restriction, objection, and portability (GDPR Articles 15-22). You also have the right to lodge a complaint with a supervisory authority in your member state — the full list is at edpb.europa.eu.

We are not currently required to appoint an EU representative under GDPR Article 27 because our offering to EU data subjects is limited and incidental. If our activities expand we will publish the name of our representative here.

15. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights, in addition to the rights in Section 11:

Categories of personal information collected in the prior 12 months

Identifiers (name, email, IP address) — collected directly from you and via automated technical means.
Customer records (account profile information) — collected directly from you.
Internet or network activity (request logs, session data) — collected via automated technical means.
Geolocation data (approximate, IP-derived) — collected via automated technical means.
Inferences (none used for profiling or behavioural prediction).
Sensitive personal information — only if you voluntarily submit identity documents; we use this solely to perform the verification you requested.

Sale / sharing

We do not sell personal information.We do not “share” personal information for cross-context behavioural advertising as that term is defined in the CPRA. We have not done so in the prior 12 months.

Your California rights

Right to know what personal information we collect, use, and disclose.
Right to delete personal information we hold about you, subject to retention exceptions.
Right to correct inaccurate personal information.
Right to limit the use of sensitive personal information.
Right of non-discrimination for exercising any of these rights.
Right to opt out of sale or share — not applicable because we do neither.

To exercise California rights, email us with “California Privacy Request” in the subject line. We may verify your identity by asking you to authenticate to your account. We respond within 45 days, extensible by another 45 with notice.

16. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. If we make material changes we will notify you by email and/or by a prominent notice on the site at least 30 days before they take effect.

17. Contact

Guided Intelligence Pty Ltd
Australia
hello@guidedintelligence.com.au

Read our Terms of Service →