WishEDA Inc. ("Company," "we," "our," or "us") builds and operates Trace. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.
We collect the following categories of information: (a) Account information — your name, email address, and profile details when you sign up; (b) Authentication data — login credentials and tokens managed via Supabase, and information from third-party login providers (Google, GitHub) if you choose to use them; (c) Design data — PCB designs, schematics, project files, and related content you create or upload; (d) AI interaction data — conversations with our AI assistant, prompts, and generated outputs; (e) Usage analytics — page views, feature interactions, clicks, session duration, and API performance metrics, collected via PostHog and Amplitude; (f) Device and technical data — browser type, operating system, IP address, device identifiers, and general location (city/country level); (g) Payment information — billing details processed through Stripe (we do not store full credit card numbers); (h) Communications — support requests, feedback, and any correspondence with us; (i) Crash reports — when the desktop application crashes, system information (OS version, hardware specs), application logs, and stack traces may be automatically uploaded to help us diagnose issues (crash reports may be submitted with or without authentication); (j) Login history — each sign-in event records your IP address (resolved to approximate city and country), device fingerprint, timestamp, and authentication provider; (k) Download activity — when you download the application, we may record the download event, platform, version, and your user ID if you are authenticated; (l) Education program data — if you apply to our education program, we collect your full name, university name, institutional email address, and expected graduation year; and (m) Career application data — if you apply for a position, we collect your name, email, school, qualifications, cover letter, and resume (PDF) via our token-gated application system (no Trace account required).
We use your information to: (a) provide, operate, and maintain the Service; (b) process transactions and manage your subscription; (c) improve and personalize the Service based on usage patterns; (d) train and improve our AI models using anonymized design data (subject to your opt-out right); (e) send transactional communications (account verification, password resets, billing notices); (f) send product updates and announcements (you may unsubscribe at any time); (g) analyze usage trends and generate aggregate statistics to improve the Service; (h) detect, prevent, and address fraud, abuse, security issues, and technical problems; (i) comply with legal obligations; and (j) respond to your support requests and feedback.
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases: (a) Contract — processing necessary to provide the Service under our agreement with you; (b) Legitimate interests — analytics, security, fraud prevention, and product improvement, where our interests do not override your rights; (c) Consent — AI training data collection (which you can withdraw at any time via your dashboard settings); and (d) Legal obligation — where processing is required by applicable law.
We implement industry-standard security measures to protect your data, including: encryption in transit (TLS/SSL) and at rest; secure authentication via Supabase with support for multi-factor authentication; role-based access controls; regular security assessments; and secure cloud infrastructure. Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security vulnerabilities that are discovered.
We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specifically: (a) Account data is retained until you delete your account; (b) Design data is retained while your account is active and for 30 days after account deletion to allow recovery; (c) Analytics data is retained in anonymized/aggregated form indefinitely; (d) AI training data (if you opted in) is anonymized and cannot be traced back to individual users; (e) Payment records are retained as required by tax and accounting laws (typically 7 years); and (f) Support correspondence is retained for up to 3 years after resolution. After the applicable retention period, data is securely deleted or irreversibly anonymized. We will not attempt to reidentify any de-identified or aggregated data, except to verify that our de-identification processes satisfy applicable legal requirements.
Depending on your location, you may have the following rights regarding your personal data: (a) Access — request a copy of the personal data we hold about you; (b) Correction — request correction of inaccurate or incomplete data; (c) Deletion — request deletion of your personal data (subject to legal retention requirements); (d) Export/Portability — receive your data in a structured, machine-readable format; (e) Restriction — request that we limit processing of your data in certain circumstances; (f) Objection — object to processing based on legitimate interests; (g) Withdraw consent — withdraw consent for AI training data collection at any time via your dashboard settings; and (h) Lodge a complaint — file a complaint with your local data protection authority. To exercise these rights, contact us at hello@buildwithtrace.com with a request that (1) provides enough information for us to verify that you are the person whose data we have collected (or an authorized agent acting on their behalf), and (2) describes your request in enough detail for us to understand and respond to it. We will respond within 30 days (or within the timeframe required by applicable law), and we may need to verify your identity before processing certain requests. We will not charge a fee for responding to a valid request unless it is manifestly unfounded, excessive, or repetitive, in which case we will notify you of the fee and the reason for it before proceeding.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): (a) Right to know — you may request details about the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it; (b) Right to delete — you may request deletion of your personal information, subject to certain exceptions; (c) Right to correct — you may request correction of inaccurate personal information; (d) Right to opt-out — we do not sell or share your personal information for cross-context behavioral advertising; and (e) Non-discrimination — we will not discriminate against you for exercising your privacy rights. To make a request, email hello@buildwithtrace.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days. You may also authorize an agent to exercise these rights on your behalf. To do so, you must provide your authorized agent with signed, written permission to act on your behalf, and we may require a copy of that permission along with verification of your own identity before processing the request.
WishEDA Inc. is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to ensure an adequate level of data protection. By using the Service, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
The Service integrates with or relies on the following third-party services, each with their own privacy policies: (a) Google and GitHub — social login authentication; (b) Supabase — database, authentication, and file storage; (c) AWS (Amazon Web Services) — cloud infrastructure hosting and AI model inference via Bedrock (Anthropic Claude processes all AI conversations and design data); (d) Google Gemini — generates visual thumbnails from conversation summaries; (e) OpenAI — converts text to vector embeddings for search and retrieval functionality; (f) Stripe — payment processing for subscriptions, manufacturing orders, and promotional codes; (g) PostHog — product analytics (web); (h) Amplitude — product analytics (desktop application telemetry including feature usage, session events, and errors); (i) Microsoft Clarity — session recording and heatmap analytics (web); (j) Sentry — crash reporting and error monitoring (desktop application sends crash data including stack traces, OS info, and breadcrumbs); (k) Resend — transactional and notification email delivery; (l) Tavily — web search queries executed on behalf of users during AI conversations; (m) LlamaParse — PDF datasheet text extraction (user-uploaded datasheets are sent for processing); (n) Nexar, Digi-Key, and Mouser — electronic component search and sourcing data; (o) Pinecone and Qdrant — cloud vector databases for semantic search of components and symbols (design data is vectorized and stored); (p) PCBWay, Pikkolo, and other manufacturing partners — PCB fabrication and assembly fulfillment (design files transferred for production; additional partners may be added over time); and (q) Redis — ephemeral session state, tool execution results, and rate limit counters (TTL-based, auto-expires). We encourage you to review the privacy policies of these third-party services. We are not responsible for the privacy practices of third-party services.
To provide AI-powered design assistance, your data is processed as follows: (a) Conversations and prompts — all text you send to the AI assistant, including design descriptions, questions, and instructions, is transmitted to AWS Bedrock (Anthropic Claude) for inference; (b) Design files — when the AI reads or modifies your design files, their content is transmitted to the AI model for processing; (c) Tool results — outputs from design rule checks, file reads, and other tool executions are included in the AI context; (d) Vector embeddings — text from your designs may be converted into numerical vectors (via OpenAI) and stored in cloud vector databases (Pinecone/Qdrant) to enable semantic search of components and symbols; (e) Datasheet parsing — PDF datasheets you provide may be sent to LlamaParse for text extraction before being processed by the AI; (f) Web search — the AI may execute web searches (via Tavily) on your behalf, where search queries may reflect your project context; and (g) Thumbnail generation — conversation summaries may be sent to Google Gemini to generate visual project thumbnails. We do not use your personal conversations or identifiable design data to train AI foundation models. Anonymized and aggregated usage patterns may be used to improve our prompt engineering and system performance.
When you submit a PCB manufacturing order through the Service, the following data is shared with our manufacturing partners (currently PCBWay and Pikkolo, with additional partners to be integrated over time): Gerber files, drill files, pick-and-place data, bill of materials, board specifications (layers, dimensions, materials, surface finish), shipping address, and contact information for delivery. Manufacturing partners may retain copies of design files for production purposes, quality assurance, and regulatory compliance. Order status, tracking information, and payment data are synchronized between Trace and the manufacturing partner to provide real-time order updates. As we add new manufacturing partners, this policy applies equally to all of them; we will update the list of named partners in this Privacy Policy when new integrations go live.
You have the following choices regarding your data: (a) AI training data — board writes, tab completions, and routing data used for AI training are opt-out; you can disable training data sharing at any time from the settings page in your dashboard; (b) Product updates — you may unsubscribe from non-transactional emails at any time using the unsubscribe link in those emails; (c) Account deletion — you may delete your account at any time, which will trigger deletion of your personal data in accordance with our retention policy; and (d) Business analytics — PostHog, Amplitude, and Clarity analytics are essential for operating and improving Trace and cannot be disabled.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify affected users via email within 72 hours of becoming aware of the breach (or as soon as reasonably practicable); (b) notify the relevant supervisory authority where required by law; (c) provide details of the breach, including the nature of the data affected, the likely consequences, and the measures taken or proposed to address the breach; and (d) take immediate steps to contain and remediate the breach.
Trace is not intended for children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age, we will take steps to promptly delete that information. If you believe a child has provided us with personal information, please contact us at hello@buildwithtrace.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, where required by law, by sending you an email notification. Your continued use of the Service after the updated policy becomes effective constitutes your acceptance of the changes. We encourage you to review this policy periodically.