Privacy Policy
Last updated: 27 May 2026
This Privacy Policy explains how TraceComp ("we", "us") processes personal data when you use our website and when we publish company-intelligence profiles. We take data protection seriously and process personal data in line with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Brazilian General Data Protection Law (LGPD, Lei nº 13.709/2018).
1. Who is the controller
TraceComp is the data controller for the processing described here. For any privacy request, contact [email protected].
2. What data we process
- Company information from public registries. Names, registration numbers, addresses, legal form, status, incorporation dates, industry codes, and filed financial statements of companies.
- Personal data of company officers, directors and partners — limited to name, role, and appointment/cessation dates, as published in official public company registers. These officer/director details may be shown on the public website, because they relate to people acting in a professional/public capacity and are already public in the register. We apply data minimisation: we do not publish a person's date of birth, nationality, tax/national identifier (e.g. CPF), or home/residential address. (The registered company address — which is company data — may be shown.)
- Beneficial-owner (UBO) data. Where official beneficial-ownership registers are available, this person-level ownership data is treated more restrictively and is not published as open public content (reflecting CJEU case C-37/20); it is gated and made available only to verified business customers under contract for anti-money-laundering and due-diligence purposes.
- Sanctions / PEP screening results — matches of company and (for business customers) officer/owner names against official sanctions and politically-exposed-persons lists (OFAC, EU, UN, UK and equivalents). The public website indicates only whether a company itself appears on a sanctions list; person-level matches and politically-exposed-person flags are gated and provided only via our authenticated business API.
- Account & usage data — if you create an account: email and authentication data; basic analytics and server logs.
- Payment data — processed by our payment provider (Stripe). We do not store card details.
3. Where the data comes from
All company and officer data is sourced from official public registries and government open-data portals (e.g. Companies House, INPI, the Brazilian Receita Federal, ASIC, and the national business registers of the countries we cover). A full per-source list, with the licence for each source, is on our Data Sources page.
4. Lawful basis for processing (Art. 6 GDPR / Art. 7 LGPD)
- Legitimate interests (GDPR Art. 6(1)(f); LGPD Art. 7, IX / legítimo interesse). Publishing structured company information, and publishing the minimised officer/director data (name, role, appointment/cessation dates) that already appears in public registers, for the purposes of corporate transparency, due diligence, anti-fraud, credit-risk and sanctions/KYC compliance. We have carried out a legitimate-interest assessment and concluded that these interests — which serve businesses conducting legitimate due diligence and the public interest in transparency — are not overridden by the interests or fundamental rights of the data subjects, because: (a) the data is already lawfully public; (b) it relates to people in their professional/business capacity, not their private life; (c) we limit it to identification and role data, do not process special categories, and do not publish dates of birth, nationality, tax/national identifiers (e.g. CPF) or home addresses; (d) more sensitive person-level data (beneficial ownership, PEP flags) is gated and not published as open content; and (e) we honour objections and erasure requests (section 7).
- Contract (GDPR Art. 6(1)(b); LGPD Art. 7, V). Creating and operating your account and delivering a purchased report.
- Consent (GDPR Art. 6(1)(a); LGPD Art. 7, I). Non-essential cookies and any marketing communications.
5. Transparency where data is not collected from you (Art. 14 GDPR)
Most of the personal data we process is not collected directly from the data subject — it is obtained from official public company registers and government open-data sources (section 3). Where this is the case, GDPR Art. 14 requires us to inform data subjects about the processing; this Privacy Policy provides that information, including the source of the data, the categories of personal data concerned (section 2), the lawful basis (section 4), the retention period (section 8) and your rights and how to exercise them (section 7). The categories we process are limited to officer/director name, role and appointment/cessation dates as described above.
6. How we use the data
To build and display company profiles and the TraceComp risk score; to provide search, due-diligence and sanctions-screening features; to operate accounts and process report purchases; to secure and improve the service; and to comply with legal obligations.
7. Your rights — including how to object or be removed
Under the GDPR (and the equivalent LGPD rights) you have the right to access, rectify, erase, restrict and port your personal data, and to object to processing based on legitimate interests.
If you are an officer, director or beneficial owner and wish to object to or request removal of your personal data from TraceComp, use our data correction / removal page or email [email protected] with the company and your name. On a verified request we add the record to an internal suppression list so it is removed from the public site and is not re-published when we next refresh from source. We will action verified requests without undue delay (within one month) unless we are required to retain the data for a legal obligation or an overriding legitimate ground, which we will explain. Note that the underlying public registry is the authoritative source; removal from TraceComp does not change the official register.
8. Retention
Company and officer data is retained while it remains relevant for due-diligence and transparency purposes and is refreshed from source. Account data is kept while your account is active. Payment records are kept as required by tax/accounting law.
9. Sharing & international transfers
We share data with infrastructure and payment providers (e.g. hosting, Stripe) acting as processors under appropriate agreements. Where data is transferred outside the EEA/UK, we rely on adequacy decisions or Standard Contractual Clauses.
10. Cookies
We use a small number of essential cookies (e.g. to remember a report you have unlocked, and for session and security purposes). Non-essential cookies (analytics or advertising) are set only with your consent. See our cookie notice for details.
11. Security
We apply appropriate technical and organisational measures to protect personal data. Report access is bound to a signed, time-limited token; payment is handled entirely by our PCI-compliant provider.
12. Complaints
You can lodge a complaint with your local data-protection supervisory authority at any time (in Brazil, the ANPD).
13. Changes
We may update this policy; the "last updated" date above reflects the latest version.