Effective: 2026-04-11 · Last reviewed: 2026-04-11
This Privacy Policy explains how notraced (“notraced”, “we”, “us”) collects, uses, and protects personal data when you visit notraced.com, read its articles, or use its interactive tools. It is written to satisfy the transparency obligations in Article 13 of the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, and to provide the disclosures that United States consumer privacy laws may require even where those laws do not formally apply to a site of this size.
Short version: we collect the minimum amount of data needed to run the site, we do not sell it, we do not set tracking cookies, the interactive tools run entirely in your browser so your answers never reach our servers, and there is no newsletter or user account so there is no mailing list.
The data controller for the processing described in this policy is Sam Shephard, a natural person publishing notraced at notraced.com as a personal, non-commercial editorial project.
For privacy questions and data subject requests, use the contact page and select the Privacy category. A substantive electronic contact method is explicitly accepted under the European Data Protection Board's Transparency Guidelines (WP260 rev.01) and the UK ICO's guide to privacy notices. We read contact submissions and respond within one calendar month, as GDPR Article 12(3) requires. If your request is complex we may extend by up to two further months and will tell you within the first month.
If you need to send us postal correspondence, submit a request through the contact page first and we will provide a suitable address by reply. We do not routinely publish a postal address to protect the privacy of the operator.
We have not appointed a statutory Data Protection Officer because we do not meet the thresholds in GDPR Article 37(1). The contact page is the functional equivalent and is the correct first point of contact for any question about your personal data.
We process personal data in two narrow contexts, both tied to the contact form. Each is described below with the categories of data, the purpose, the legal basis under Article 6 GDPR, and the retention period. There is no analytics platform and no third-party tracking of any kind.
If you send us a message through the contact page, we collect the fields you fill in: the reply-to email address you provide, the category you pick (Privacy, Legal, Editorial, or Other), the subject line, and the message body. We do not ask for your name or any other identifier.
When you submit the contact form we read the IP address from the inbound HTTP request and check it against an in-memory rate limiter (5 requests per minute per IP). The IP address is held only in the memory of the currently running server process, is never written to disk, is never sent to a third party, and is discarded when the process restarts or after a short window of inactivity.
The interactive tools on this site — AI Data Flow Checker, AI Act Obligation Scanner, and Privacy Policy Generator — run entirely in your browser. The answers you give to the wizards and the documents the Privacy Policy Generator produces are never sent to our servers. Shareable URLs encode your wizard state in the URL query string itself, which is handled client-side; we do not read, log, or store those URLs. If you do not want your tool state in the URL bar, do not click the share button.
We do not run a newsletter or any mailing list. We do not offer user accounts. We do not run any analytics platform — not Google Analytics, not Plausible, not Fathom, not PostHog, not Umami, not any other. We do not use Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or any other cross-site advertising or retargeting technology. We do not run affiliate or retargeting pixels. We do not sell, rent, or trade personal data, and we have not done so in the preceding twelve months.
This site sets no cookies of its own. It does not store anything in your browser's localStorage or sessionStorage. The interactive tools encode their state in the URL query string only, which lives in the address bar and nowhere else.
There are no third-party JavaScript requests. The site loads its own code from its own origin, and that is it. No analytics beacons, no font CDN, no tag manager, no embedded social widgets. You can verify this with your browser's developer tools Network tab — the only requests you will see are to notraced.com itself.
| Data category | Retention |
|---|---|
| Contact form message body | Until your request is resolved plus a short audit window (typically six months). |
| Contact reply-to address | Kept with the message while the request is open; deleted with it. |
| Rate-limit IP hit-count | In memory only; discarded within minutes or on process restart. |
| Server access logs from our host (Vercel) | Retained by Vercel under its standard retention (typically a short window) for operational security. We do not read or analyse these logs routinely. |
We share personal data only with the following processors, each under a Data Processing Addendum and each strictly for the purposes described above:
We do not share personal data with any advertiser, data broker, or marketing partner. We do not fund the site through data monetisation.
Some of the processors above are headquartered outside the European Economic Area. Transfers rely on a combination of:
If you are in the United Kingdom, the equivalent UK transfer mechanisms (UK IDTA or the UK Addendum to the EU SCCs) apply.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under GDPR and UK GDPR in relation to your personal data:
To exercise any of these rights, use the contact page and pick the Privacy category. We will respond within one month. There is no charge. We may ask for minimal information to verify your identity so we do not disclose your data to the wrong person.
As of the effective date above, notraced does not meet the thresholds for direct applicability of the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, or the Texas Data Privacy and Security Act. We mention these laws anyway because the substance of the rights they grant is something we are comfortable honouring for any US reader who asks:
To exercise any of these rights, use the contact page and state which right you are exercising. An authorised agent may submit a request on your behalf with signed written proof of authorisation.
This site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted a contact form on our site, use the contact page (Privacy category) and we will delete the record.
We do not carry out any automated decision-making, including profiling, that produces legal or similarly significant effects. The interactive tools produce general assessments based on the answers you give them and run on your own device; they do not make decisions about you.
We apply appropriate technical and organisational measures under Article 32 GDPR, including HTTPS across the whole site (with HSTS preload), a strict Content Security Policy, minimised data collection by design, and contractual data-protection terms with every processor. No system is perfectly secure; in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours as Article 33 requires, and if the risk is high we will notify affected individuals as Article 34 requires.
We may update this policy from time to time. The effective date at the top of the page shows when the current version took effect. Substantive changes will be posted at the top of this page for at least 30 days before they take effect. Continued use of the site after a change takes effect means you have read the new version.
All privacy questions, data subject requests, and other correspondence about this policy go through the contact page. Pick the Privacy category so we can route your message correctly.