GDPR & data overview
Traceable operates as both a data controller and a data processor within the EU under the General Data Protection Regulation (GDPR, Regulation 2016/679). This page explains the data roles relevant to integration developers who send personal data to Traceable via the API.
Data roles
Traceable as data controller: Traceable acts as a data controller in respect of platform user account data (names, email addresses), platform usage data, and support communications. As a controller, Traceable determines the purpose and means of processing this data and is responsible for responding to data subject requests (access, rectification, erasure, portability) made by Traceable platform users.
Traceable as data processor: Traceable acts as a data processor in respect of product data that operator customers upload — the DPP product content, documents, and supplier information entered by an operator to create their Digital Product Passports.
In this role, Traceable processes data on behalf of the operator (the controller). The operator determines what data is entered and for what purpose. The operator is responsible for ensuring they have a lawful basis for processing any personal data within their product data — for example, if a document uploaded to Traceable contains individual names.
The data processing agreement between Traceable and operators is incorporated into the Terms of Service.
Data subjects in the Traceable context
The following categories of individuals may have data subject rights in relation to Traceable:
| Data subject | Their data | Controller | Where to direct requests |
|---|---|---|---|
| Traceable platform users | Account data, email, login activity | Traceable | privacy@traceable.digital |
| Signatories named in uploaded documents | Name, job title | Operator customer | The operator organisation |
| Supplier contacts in supply chain data | Name, email, company | Operator customer | The operator organisation |
Data residency
All Traceable infrastructure is hosted within the EU. For full details, request the Data Processing Agreement from privacy@traceable.digital.
Guidance for integration developers
If your integration sends personal data to Traceable via the API — for example, if your PoLI access request includes a named individual's contact email, or if you embed personal data in a field not intended for it — you should ensure:
- You have a lawful basis for transferring that personal data to Traceable (typically contract performance or legitimate interest)
- Data minimisation — only send the personal data actually required by the API field. The contactEmail in a PoLI request should be a team or role address (e.g., dpp-access@acm.nl) rather than an individual's personal email where possible.
- Your privacy notice informs affected individuals that their data may be processed by Traceable as part of your service
- Data subject requests — if an individual asks you to delete their data, remember to also contact Traceable support to remove any data you shared with Traceable on their behalf
For questions about data processing and integration-specific GDPR obligations, contact privacy@traceable.digital.
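A pre-send check for the data minimisation point above, written as an added example and not Traceable's own code. Only contactEmail comes from this page; the other payload fields, the role allowlist, and the function names are assumptions to adapt to your integration.

```python
import re

# Assumption: local parts your organisation treats as team/role mailboxes.
ROLE_LOCAL_PARTS = {"dpp-access", "compliance", "privacy", "support", "info"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _walk(value, path=""):
    """Yield (path, string) for every string leaf in a JSON-like structure."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def audit_poli_request(payload):
    """Return data-minimisation findings for an outbound PoLI request body.

    Findings carry only the field path, never the value, so the audit
    output does not itself copy personal data into logs.
    """
    findings = []
    for path, text in _walk(payload):
        if path == "contactEmail":
            local = text.split("@", 1)[0].lower()
            if local not in ROLE_LOCAL_PARTS:
                findings.append((path, "not a known team or role address"))
        elif EMAIL_RE.search(text):
            findings.append((path, "email address in a field not intended for it"))
    return findings


# Constructed sample payloads; "reason" and "notes" are hypothetical fields.
GOOD = {"contactEmail": "dpp-access@acm.nl", "reason": "Market surveillance check"}
BAD = {
    "contactEmail": "jan.devries@example.org",
    "reason": "Requested by j.devries@example.org",
    "notes": ["call back", "cc: anna@example.org"],
}

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_poli_request(body))
```

Run the check before the request leaves your service and block or queue for review on any finding, rather than after the data has already been shared.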
AI processing and consent
Traceable's Document AI feature (which extracts structured data from uploaded compliance documents) involves sending document content to a third-party AI provider for processing. This feature requires explicit consent from each operator account and is controlled in Settings → Privacy & Consent within the Operator Portal.
This consent setting has no effect on the public API. API calls to GET /api/dpp/{slug} and the PoLI endpoints do not involve AI processing. DPP data returned by the API is the data entered and published by the operator — no AI transformation is applied to API responses.
If you are building a platform integration that uses Traceable's Document AI capabilities, note:
- Document AI is a platform UI feature and is not available as a standalone API endpoint.
- AI processing consent is granted or revoked at account level by an Admin user in the Operator Portal.
- Documents submitted for AI processing are not used to train AI models.