GainTrace Privacy Policy

Who this policy covers

GainTrace plays two different roles with personal data, and it helps to separate them.

When we are the controller. For some personal data, we decide why and how it is processed, so we are the controller. This policy is about that data. It covers people who:

• visit or interact with our website at gaintrace.com;
• give us their details through a form, or book a demo;
• create or are invited to a GainTrace account, and use the product as an Authorized User (typically our customer's own staff);
• contact us for support or sales; or
• receive our marketing.

When we are the processor. When a customer connects their systems and loads data into GainTrace, that data (we call it Customer Data in our Terms) often includes personal data about the customer's own customers, prospects, and contacts. For that data, the customer is the controller and we are the processor: we process it only on the customer's instructions. How we handle Customer Data is set out in our Data Processing Agreement ("DPA") and in Sections 5 and 6 of our Terms of Service, not in this policy.

If you are an individual whose data sits inside a customer's GainTrace account (for example, you are a contact in their CRM) and you want to exercise your rights, please contact that business directly, since they control that data. If you reach us instead, we will forward your request to them and help them respond, as described in our DPA.

The information we collect

We collect personal data that you give us, that we generate as you use GainTrace, and, in a few cases, that we receive from services you sign in with. We have grouped it by where it happens.

On our website (gaintrace.com)

• Details you submit. When you fill in a form or join a waitlist, we collect your email address and anything else you choose to add, such as your name or company. We use it to reply, set up your demo or trial, and send product updates you can unsubscribe from at any time. We keep these details in our customer relationship management system (Attio), and our email is sent through Resend (see Section 6).
• Demo bookings. When you book a session through Cal.com, we receive your name, email, the time you pick, and anything you enter in the booking form.
• Website analytics. With your consent, we use Google Analytics, loaded through Google Tag Manager, to understand how visitors use the site, such as pages viewed, links clicked, approximate location (from a truncated IP address), and device and browser type. Analytics are off by default and only run after you accept them in our cookie banner (see Section 5).
• A/B testing. We set our own first-party cookie called gb_uid, a random identifier, so that you see a consistent version of a page while we test different headlines. It holds no personal information and is not shared with anyone.

In the product (the GainTrace app)

• Account and sign-in. To create and secure your account, we collect your name, email address, a securely hashed password, and your authentication activity (sessions, multi-factor authentication, and passkeys), handled through Better Auth. If you sign in with Google or Microsoft, or through your company's single sign-on, we receive basic profile information from that provider. Enterprise customers can provision users automatically through SCIM.
• Workspace and team. We store your workspace and organisation details, the members in it, invitations you send (including the invitee's email), and each person's role and permissions.
• Usage and product analytics. We record how the product is used, such as the features and pages you interact with and errors the app runs into, using PostHog hosted in the European Union. This includes session replay, which reconstructs a session to help us diagnose issues and improve the product. We mask text and input fields by default, so the content you type is not captured, and we do not use this to track you across other websites.
• Support and communication. When you contact us, we keep your messages and the context we need to help, and we send service and account emails through Resend.
• Operational records. To run the service securely, we keep records such as audit logs (who did what), the API keys and connection tokens you create, and webhook delivery logs.
• Voice and meeting features. If you use features that transcribe calls or meetings, the audio is transcribed by Deepgram, and the resulting transcript is part of your Customer Data.

When a piece of information is required to use GainTrace (for example, an email address to create an account), we will tell you at the point we ask. If you do not provide it, we may not be able to give you that part of the service.

How we use your information

We use the personal data described above to:

• Provide the service. Create and run your account, sign you in, deliver the product's features, and respond to your requests. For Authorized Users and account holders, this is necessary to perform our contract with you.
• Support you. Answer your questions, troubleshoot, and keep you informed about service issues. Service and security messages are part of the product, not marketing, and we always send them.
• Improve and secure GainTrace. Understand how the product is used, fix bugs, prevent fraud and abuse, and protect the security and integrity of the service. We do this on the basis of our legitimate interest in running a reliable, safe product, weighed against your rights.
• Market the product, with your choice. Send you product updates and offers. For people who are already our customers, we rely on our legitimate interest (a soft opt-in), and you can unsubscribe at any time. For everyone else, we rely on your consent. See Section 10.
• Meet our legal obligations. Comply with our legal, tax, and accounting duties, and respond to lawful requests.

Where we rely on consent (for example, for non-essential cookies), you can withdraw it at any time. Withdrawing consent does not affect processing we already did lawfully.

We may also create de-identified and aggregated data from how the service is used, and keep and use it to analyse, benchmark, and improve GainTrace. We do not try to re-identify it, and we do not sell it.

How we use AI

GainTrace is an AI product, so we want to be clear about how it works.

• Predictions, such as churn risk and expansion signals, are produced by our own machine-learning models. Where we train or tune a model on a customer's data, that model is bound to that customer's account and is used only to serve them. We never use one customer's data to train a model that benefits another.
• Generative features, such as summaries and drafted recommendations in our Trace AI assistant, are powered by third-party large language model providers (listed on our Sub-processors page). We use them under enterprise or API terms that prohibit them from training on data sent through GainTrace, and that provide for zero or limited retention.
• Cross-customer improvement only ever uses de-identified and aggregated data, never one customer's identifiable data to benefit another.

These predictions and generative outputs are about business accounts, and they are produced from Customer Data in our role as a processor. They are advisory, a human stays in the loop, and they are covered in Section 6 of our Terms of Service and in our DPA, not in this policy.

For the controller-side data this policy covers (your account and website activity), we do not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects.

Cookies and similar technologies

We use cookies and similar technologies for a few clearly separated purposes. When you first visit, our banner blocks all non-essential cookies until you choose. You can accept them, or open Preferences to turn individual categories on or reject the non-essential ones, and nothing is pre-ticked. You can change your choice at any time using the cookie preferences button on the site. For visitors in the EEA and the UK, Google Consent Mode keeps analytics and advertising storage switched off until you accept.

• Strictly necessary (no consent needed). These keep the site and app working and remember your consent choice. They include your authentication and session cookies and the cookie that stores your cookie preferences.
• Analytics (consent required). Google Analytics, through Google Tag Manager, helps us understand site usage. Typical cookies include _ga and _ga_<id> (about two years) and _gid (about a day).
• Product analytics and session replay (consent required). In the app, PostHog sets a first-party cookie (about a year) to measure product usage and, with masking, to record sessions so we can fix issues.
• A/B testing (functional). The first-party gb_uid cookie (a random identifier, about a year) keeps page variants stable. It holds no personal information.

You can also clear or block cookies in your browser settings. If you clear cookies for gaintrace.com, our banner will appear again on your next visit.

Who we share your information with

We do not sell your personal data, and we have not done so. We do not share it for cross-context behavioral advertising, and we do not profile our own users for advertising. We share personal data only in these situations:

• Service providers (sub-processors). We use a focused set of vendors to host, secure, and run GainTrace, covering cloud hosting, CRM, analytics, email, authentication, payments, transcription, and AI. Each is bound by terms that require it to protect the data and use it only to provide its service to us. Our current list, with each vendor's purpose and location, is on our Sub-processors page, which we keep up to date.
• Payments. When you buy a paid subscription, payment is handled by Paddle, acting as our merchant of record (the authorised reseller and seller of record). You provide your payment and billing details directly to Paddle under Paddle's own terms and privacy policy, and we receive limited billing information, such as your name, billing email, country, and a record of the transaction, to manage your subscription. We do not receive or store your full card number.
• Legal and safety. We may disclose data where we reasonably need to in order to comply with the law or a lawful request, enforce our agreements, or protect the rights, safety, and security of GainTrace, our customers, or others.
• Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that deal. We will require the recipient to honour this policy, and we will tell you about any change in who controls your data.

Sharing of Customer Data with sub-processors in our processor role is governed by our DPA, including the advance-notice commitment for new sub-processors.

Where your data lives, and international transfers

We host and store Customer Data at rest in the European Union, using Amazon Web Services data centres in the Ireland region. Our website runs on Cloudflare Pages.

Storing data in the EU is not the same as never transferring it. Because Girasol Technologies LLP is established in India, our team may access data from India, and some of our service providers (including some AI providers) are outside the European Economic Area, often in the United States. When this involves a restricted transfer, we rely on appropriate safeguards:

• the EU Standard Contractual Clauses (the clauses adopted by the European Commission in 2021), with GainTrace as the data importer;
• the UK International Data Transfer Agreement or Addendum for data from the United Kingdom; and
• additional technical and organisational measures, with a transfer assessment, as described in our DPA.

There is currently no EU adequacy decision for India, so we rely on these clauses rather than on adequacy, and we do not rely on the EU-US Data Privacy Framework. You can ask us for a copy of the relevant safeguards using the contact details in Section 15.

How long we keep your information

We keep personal data only for as long as we need it, and then delete or anonymise it. As a guide:

• Account data is kept for as long as your account is active. After your subscription ends, you have 30 days to export your data, after which we delete it, with backups cleared on our regular cycle and in any event within 90 days, as set out in Section 11.6 of our Terms.
• Leads and marketing data is kept until you unsubscribe or ask us to delete it, and in any event no longer than 24 months after your last interaction with us, unless you are an active customer.
• Website analytics is kept for around 14 months.
• Security and audit logs are kept for a limited period appropriate to their purpose.
• Invoices and tax records are kept for as long as the law requires us to keep them.
• De-identified and aggregated data, which cannot identify you, may be kept indefinitely.

Your privacy rights

You have rights over your personal data, and we will not treat you differently for using them. To make a request, email [email protected]. We may need to verify your identity first, and we will respond within 30 days, telling you if we ever need a little longer.

If you are in the EU, the UK, or another GDPR region, you can ask us to:

• give you access to your data, and a copy of it;
• correct it if it is wrong, or complete it if it is incomplete;
• delete it;
• restrict or object to how we use it, including the right to object at any time to processing based on our legitimate interests, and an absolute right to object to direct marketing;
• receive it in a portable, machine-readable format; and
• withdraw any consent you have given, at any time.

You can also complain to your data protection authority. Because we host in Ireland, the lead EU authority is the Irish Data Protection Commission; in the UK it is the Information Commissioner's Office.

If you are a California resident, you can ask us to tell you what personal information we collect and how we use and disclose it, to give you a copy, to delete it, and to correct it, and you may use an authorised agent. We do not sell or share personal information (including for cross-context behavioral advertising), and have not done so in the past 12 months, so there is no "Do Not Sell or Share" choice to make. We do not use sensitive personal information to infer characteristics about you, so the right to limit its use does not apply. We will not discriminate against you for exercising your rights.

If you are in India, you can ask us for a summary of the personal data we process and how we process it, ask us to correct or erase it, nominate someone to exercise your rights on your behalf, and raise a grievance with us. We handle grievances at [email protected].

If your request is about data inside a customer's GainTrace account, where we act as a processor, we will refer it to that customer and help them respond.

Marketing and your choices

We send two kinds of email. Service messages, about your account, security, and important changes, are part of providing GainTrace, and you cannot opt out of them while you have an account. Marketing messages, about product news and offers, are different: every one has an easy unsubscribe link, and using it stops them. For people who are already our customers we rely on a soft opt-in (our legitimate interest), and for everyone else we rely on your consent. You can change your mind at any time.

How we protect your information

We maintain administrative, technical, and physical safeguards suited to the data and the risks, including: encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or a comparable standard); multi-factor authentication for access to production systems; role-based, least-privilege access; logical separation (tenant isolation) of each customer's data; vulnerability scanning and periodic independent penetration testing; logging and monitoring; backups and disaster recovery; and a documented incident-response plan. If a security incident affects your personal data, we will notify you without undue delay, as described in Section 8 of our Terms and in our DPA.

No method of storage or transmission is ever perfectly secure, and you play a part too: keep your credentials safe, and configure your account securely.

Children

GainTrace is built for businesses and is not directed to consumers or to anyone under 18. We do not knowingly collect personal data from children, and we do not track or target children. If you believe a child has given us personal data, contact us at [email protected] and we will delete it.

How these documents fit together

This Privacy Policy sits alongside our Terms of Service and, where we process personal data on a customer's behalf, our Data Processing Agreement. If there is ever a conflict on a data-protection matter, the DPA controls, then the Terms, as set out in Section 14 of the Terms.

Changes to this policy

We may update this policy from time to time. When we do, we will change the "Last updated" date above, and for material changes we will give clearer notice, such as a note on this page or a message to you. We review this policy at least once a year. Continuing to use GainTrace after a change takes effect means you accept the updated policy.

Who we are and how to reach us

GainTrace is operated by Girasol Technologies LLP, a limited liability partnership organised under the laws of India (LLPIN ACZ-1487), with its registered office at C-502, Pushkar Hill, Near Dharmvatika Flat, Hathijan, Ahmedabad 382445, Gujarat, India. For the data this policy covers, Girasol Technologies LLP is the controller.

• Privacy and data requests: [email protected]
• Legal notices: [email protected]
• Product and account support: [email protected]

We do not have a separately appointed Data Protection Officer. All privacy questions, rights requests, and grievances go to [email protected], which we monitor. If you need this policy in a different format, let us know.

This Privacy Policy explains how we handle personal data we are responsible for. Our Terms of Service govern your use of GainTrace, and our Data Processing Agreement governs the personal data we process on a customer's behalf.