Privacy Policy
Version 1.2 · last updated 3 May 2026
1. Introduction and scope
This policy explains how Altanest SAS (hereafter "we", "us", or the "Controller") processes personal data in connection with the website go-trace.com, including its sub-pages (the "Site").
It is drafted under Regulation (EU) 2016/679 (the "GDPR") and French Law No. 78-17 of 6 January 1978 as amended (the "Loi Informatique et Libertés"). Where national consumer or sectoral law provides stronger protection, that law prevails.
This policy does not cover the separate Teachable platform on which our online courses are delivered. When you enrol in a course, Teachable Inc. acts as an independent controller for the data you provide to it; please consult the Teachable Privacy Policy.
2. Identity of the Controller
Altanest SAS20 rue Guillaume Fichet
74000 Annecy, France
SIREN: 877 916 916 · RCS Annecy 877 916 916
Intra-EU VAT: FR67877916916
Email: contact@go-trace.com
"GO TRACE" is a trade name and trademark of Altanest SAS. We have not designated a Data Protection Officer; our processing activities do not meet the criteria of GDPR Article 37(1). You may nevertheless direct any data-protection query to the email address above, which is monitored by the Controller.
3. Categories of personal data we process
We collect personal data only when you actively provide it or when it is generated by routine site operation:
| Category | Examples | Source |
|---|---|---|
| Identification & contact data | Name, email, company, role, country (optional), referral source (optional), package of interest (optional) | You: via the contact form at /contact or by direct email |
| Message content | The free-text message you submit and any attachments you send by email | You: via the contact form or direct email |
| Server-log technical data | IP address, user-agent string, requested URL, timestamp, HTTP referrer | Automatic: recorded in the web-server access log |
| Analytics-derived data | Page views, referrer, browser, OS, viewport size, country derived from IP geolocation, session-bucket hash (rotated daily, no individual identifier retained) | Automatic: collected by our self-hosted Umami instance (see §5) |
The Site sets no cookies and uses no client-side storage. We do not knowingly collect special-category data (GDPR Article 9) or data relating to children under the age of 16. If you share such data with us unsolicited, we will delete it on becoming aware.
4. Purposes and legal bases
Each processing activity has a specific purpose and a single lawful basis under GDPR Article 6(1):
| Activity | Purpose | Legal basis |
|---|---|---|
| Handling contact-form submissions and direct email | Replying to your enquiry; preparing a potential engagement | Art. 6(1)(b): pre-contractual measures at your request; alternatively Art. 6(1)(f): legitimate interest in responding to correspondence |
| Server access logging | Security, diagnostics, abuse prevention | Art. 6(1)(f): our legitimate interest in keeping the Site secure and functioning |
| Analytics (Umami) | Producing aggregated statistics on Site usage so we can improve content and structure. No cross-referencing with other processing, no profiling, no advertising. | Art. 6(1)(f): our legitimate interest in understanding and improving the Site. The processing qualifies for the consent exemption under CNIL Délibération No. 2020-092 §2.5 (cookieless analytics confined to anonymous aggregate statistics, no cross-referencing, EU-resident infrastructure). |
| Compliance with legal obligations | E.g. responding to valid requests from public authorities or retaining commercial records | Art. 6(1)(c): legal obligation |
We do not carry out any processing subject to Article 22 (fully automated decision-making with legal or similarly significant effects), nor any profiling.
5. Recipients and processors
We share personal data with the third parties listed below. We work with processors that contractually commit to GDPR-compliant data handling, with written Data Processing Agreements (DPAs) under GDPR Article 28 in place where required by law and by the nature of the processing.
A standalone, machine-readable copy of this list is also published at /sub-processors; we commit to giving 30 days' advance notice of any material change to the list, by updating that page and noting the change in this Privacy Policy's version history.
| Recipient | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Web hosting and server infrastructure for both go-trace.com and our self-hosted Umami analytics endpoint | Nuremberg, Germany (EU) | Within the EEA: no transfer mechanism required |
| Self-hosted Umami (operated by Altanest under the Conclavik brand) | Cookieless web analytics. Runs on the same Hetzner box as go-trace.com at analytics.conclavik.com. Receives request metadata, computes a daily-rotating session-bucket hash from IP and user-agent without retaining the raw IP, stores aggregated counts and country derived from IP geolocation. No data leaves the EU. Because Altanest operates the Umami instance directly, no separate third-party processor is involved. | Nuremberg, Germany (EU) | Within the EEA: no transfer mechanism required |
| Web3Forms (operated by Statichunt) | Contact-form forwarding. When you submit the contact form, your entries POST as JSON to the Web3Forms API, which retains the submission on its own infrastructure for up to 30 days for delivery retry and audit, then auto-deletes. Web3Forms relays the submission to our inbox by SMTP. | India | European Commission's 2021 Standard Contractual Clauses (SCCs). A signed DPA is on file [Catherine: pending counter-signature; Web3Forms publishes a free-tier DPA template available on request from support@web3forms.com]. |
| Google Ireland Ltd. (Google Workspace) | Email service for @go-trace.com addresses. Receives the body of your email correspondence with us. | Dublin, Ireland (EU); sub-processors may be in the United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses |
| Teachable Inc. | Course delivery platform (acts as an independent controller, not our processor). Engaged only when you enrol in a course on the separate Teachable subdomain. | United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses; governed by Teachable's own privacy policy |
We do not use Brevo or MailerLite for any processing of your data, even though DKIM records for those providers exist on the go-trace.com domain (legacy configuration). If we activate either in the future, we will update this Privacy Policy and §5 of this list before any data is processed.
We may disclose personal data to professional advisors (accountants, legal counsel) under a duty of confidentiality, or to public authorities where legally compelled. We do not sell personal data and do not share it with third parties for their own marketing purposes.
6. International data transfers
Most of your data remains within the European Economic Area. Where a processor relies on sub-processors in third countries (in particular India for Web3Forms and the United States for Google sub-processors and Teachable), the transfer is covered by one of the mechanisms listed in Chapter V of the GDPR: an adequacy decision (including the EU–US Data Privacy Framework where applicable), the European Commission's 2021 Standard Contractual Clauses, or, failing those, explicit informed consent.
You may request a copy of the safeguards in place by emailing us.
7. Retention
We apply the following default retention periods, extended only where a specific legal obligation or live dispute requires us to:
- Contact-form and email correspondence: three (3) years from the last exchange with you. This period aligns with the general commercial prescription under French Code de commerce Art. L110-4.
- Web3Forms-side submission cache: up to thirty (30) days on Web3Forms infrastructure, after which Web3Forms auto-deletes. Our copy in our inbox follows the contact-form-correspondence retention period above.
- Client files and invoicing data: ten (10) years, as required by French Code de commerce Art. L123-22.
- Server access logs: at most thirty (30) days, then deleted. Logs relating to a specific security incident may be preserved longer under Art. 6(1)(f).
- Umami analytics: aggregated counts retained for up to thirteen (13) months, in line with CNIL guidance for analytics. The session-bucket hash rotates daily and no individual identifier is preserved.
8. Security
We apply technical and organisational measures appropriate to the risk (GDPR Article 32), including: HTTPS/TLS for all public traffic, access control on hosting infrastructure, up-to-date operating systems and software, encrypted backups, and a policy restricting access to personal data to persons who need it to perform their duties. No system is perfectly secure, but we will notify you and the CNIL, where required by Articles 33 and 34, of any personal-data breach likely to result in a risk to your rights.
9. Your rights
Under the GDPR you have the right to:
- Access your personal data and obtain a copy (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erasure ("right to be forgotten") subject to the exceptions in Art. 17(3);
- Restrict processing in the cases listed in Art. 18;
- Data portability for data you provided to us and which we process on the basis of consent or contract (Art. 20);
- Object to processing based on legitimate interest (Art. 21), including the analytics processing described in §4;
- Withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of prior processing;
- Define directives on the fate of your personal data after your death (Loi Informatique et Libertés, Art. 85).
To exercise any of these rights, email contact@go-trace.com with enough detail for us to identify you and the right concerned. We will respond without undue delay, and in any event within one month of receipt of your request (Art. 12(3)). Where the request is complex or we receive numerous requests, we may extend this period by up to two further months, notifying you within the first month of the extension and the reasons.
We may ask you for additional information reasonably necessary to confirm your identity (Art. 12(6)). Exercising your rights is free of charge; we reserve the right to refuse manifestly unfounded or excessive requests, or to charge a reasonable fee based on administrative costs, as permitted by Art. 12(5).
If you wish to opt out of the Umami analytics specifically, you can do so by enabling your browser's "Do Not Track" header (which Umami honours), by using a content blocker that blocks analytics.conclavik.com, or by emailing us to ask for a server-side exclusion.
10. Right to lodge a complaint
If you believe our processing infringes the applicable data-protection rules, you may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the alleged infringement. In France, this is the Commission nationale de l'informatique et des libertés (CNIL):
CNIL3 place de Fontenoy, TSA 80715
75334 PARIS CEDEX 07, France
Telephone: +33 (0)1 53 73 22 22
Web: www.cnil.fr
We encourage you to contact us first so we can try to resolve the matter directly.
11. Cookies and similar technologies
The Site sets no cookies and uses no localStorage, sessionStorage, pixels, fingerprinting, or third-party tracker. Analytics is handled by a self-hosted Umami instance that operates without cookies and without storing individual identifiers. The contact form submits over an authenticated HTTPS API call without setting any client-side identifier. Full details are in our Cookie Policy.
12. Changes to this policy
We may update this policy to reflect legal, technical, or operational changes. The date and version at the top always identify the current edition. Material changes will be announced on the Site (typically via a banner on the home page or a note on the changed legal page) for a reasonable period before they take effect.
13. Contact
For any question about this policy or about our handling of personal data: contact@go-trace.com.