The data controller for personal data processed through the RoboTrace website, web portal, admin console, REST and ingest APIs, and the robotrace Python SDK is [Company legal entity], located at [Registered address] (“RoboTrace”, “we”, “us”). You must not rely on these placeholders; we will list our real legal identity in the published version.
For personal data of third parties incidentally captured by a robot you operate (for example, a coworker walking past a robot’s camera, or audio of someone speaking near the robot during an episode), you are the data controller and RoboTrace is your processor. You are responsible for any consents, notices, signage, and lawful bases required in your jurisdiction before recording such individuals; we describe how we process that data on your behalf in this Policy and in our Terms.
1. Data protection contact and representatives
For privacy questions, requests, and complaints, contact us at privacy@robotrace.dev. Where required by applicable law we will appoint a data protection officer, an EU/UK representative, or another local contact and publish their details here. Until any such contact is listed, privacy@robotrace.dev is the primary channel for privacy requests. We will not list fake DPO or representative information; real contacts will appear here when they exist.
2. Scope
This Policy applies to personal data processed when you (a) visit our public website, (b) request access to or use the web portal or admin console, (c) install and use the robotrace Python SDK or call the REST / ingest APIs, (d) upload episodes (video, sensor logs, action vectors, metadata) from a real or simulated robot, or (e) correspond with us. It does not apply to third-party websites or repositories we link to.
3. What we collect
Account & identity data
Name, email, password hash, role (member / admin / owner on an org; admin / super_admin on the platform), and authentication metadata. A profiles row mirrors your Supabase auth record.
Organization & project data
Org name, project names, member roles, access requests, billing contact (when paid plans are introduced), and feature flag state.
API keys
We store hashes of your API keys, not the cleartext keys. We display the cleartext value once at creation time — after that, we cannot recover it. We log key usage (last-used timestamp, approximate region, ingest endpoint) for security and abuse prevention.
Episodes and User Content
The data your robot stack sends to RoboTrace via the SDK or REST API. This includes video frames, sensor streams (joint torques, wheel encoders, IMU samples, lidar / depth frames where configured), action vectors and probabilities, observation snapshots, dataset manifests, and reproducibility metadata such as policy_version, env_version, git_sha, and seed. Large binary objects are stored in object storage (Cloudflare R2 or your bring-your-own S3-compatible bucket) and the database holds only metadata and signed URL references.
Personal data incidentally captured by sensors
Episode video and audio may incidentally capture identifiable people (faces, voices, license plates, badges). Depending on jurisdiction this may qualify as biometric, sensitive, or high-risk personal data. We process such data on your behalf as a processor; your customers, coworkers, and bystanders are your data subjects, not ours. You must have a lawful basis to record them and to upload that recording to our Service.
Usage & technical data
Server log data such as IP address, browser/device identifiers, portal pages viewed, SDK version and OS, ingest endpoint hits, timestamps, error reports, and security signals.
Communications
Messages you send us (support, security reports, deletion or access requests, complaints) and our replies.
4. How we use it, and our lawful bases
We use personal data only for clearly defined purposes. The lawful bases below reference the EU/UK General Data Protection Regulation (GDPR); equivalent bases apply under other regimes (for example, the California Consumer Privacy Act).
- Provide the Service. To create and operate your account and organization, accept SDK ingest, store and serve episodes, run replays / re-rolls / evals, and deliver dashboards to you. Basis: performance of a contract with you (Art. 6(1)(b) GDPR).
- Process episode contents on your behalf. To store, encode, transcode, replay, and run evals or re-rolls against the episodes you upload — including any personal data of third parties incidentally captured. Basis: we act as your processor for that content; your processing of those individuals must rely on a lawful basis you determine and document.
- Security and abuse prevention. To detect and prevent fraud, key compromise, exfiltration, denial-of-service, and platform abuse. Basis: our legitimate interests in keeping the Service safe, balanced against your rights (Art. 6(1)(f) GDPR), and compliance with legal obligations.
- Service improvement. To understand how the Service is used and improve it. We use aggregated, non-identifying metrics wherever possible (e.g. ingest p99 latency, number of episodes per project, feature adoption). Basis: our legitimate interests (Art. 6(1)(f) GDPR).
- Legal & regulatory. To comply with applicable law, respond to lawful requests, and enforce our Terms of Service. Basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interests in establishing or defending legal claims.
We do not use your User Content — including episode video, sensor streams, policy weights, or evaluation outputs — to train publicly available or third-party general-purpose AI models for unrelated products, and we do not sell your User Content. We do not use your data for advertising or for marketing-purpose profiling.
5. The customer-as-controller relationship
When the data subject is you (an account holder, admin, or invited teammate), RoboTrace is the controller of that personal data and this Policy describes our processing. When the data subject is someone captured by your robot (a coworker, a bystander, a customer in your warehouse, etc.), you are the controller and RoboTrace is your processor under these Terms and any data processing addendum we sign with you. As your processor, we will:
- process episode contents only on your documented instructions (which include these Terms and the configuration you choose in-product);
- ensure that staff with access to such data are bound by confidentiality;
- implement appropriate technical and organisational measures (see Section 11);
- assist you in responding to data-subject requests and in your own breach-notification obligations, where reasonable;
- delete or return such data on termination (subject to backup rotation and legal retention).
6. Sensitive contexts and bystander capture
Robotics deployments often record people who have no contractual relationship with you and have not interacted with our Service directly. You agree that you will:
- not deliberately collect and upload episodes whose primary purpose is to surveil identifiable individuals without a lawful basis;
- configure data minimization where feasible (for example, masking faces, narrowing the field of view, redacting audio) where local law expects it;
- comply with any sectoral rules that apply to you — including workplace monitoring rules, healthcare confidentiality, or educational privacy laws — when training a robot in those environments.
We may refuse, restrict, or delete content that we reasonably believe was uploaded in violation of these obligations.
7. Who we share it with
We do not sell personal data and we do not “share” it for cross-context behavioural advertising (as those terms are defined under the CCPA). We disclose personal data only to:
- Sub-processors who help us run the Service, under written contracts (see Sections 8–9);
- Professional advisers (legal, accounting, insurance) under duties of confidentiality, where strictly necessary;
- Authorities and courts where required by valid legal process, after we have assessed the request;
- Successors in the event of a merger, acquisition, or asset sale, in which case we will give you prior notice and, where feasible, the option to delete your data before transfer.
8. Sub-processors we currently use
We use a small set of vetted vendors. The current list is:
- Vercel — application hosting and edge networking; processes request metadata (e.g. IP, headers, region) and may temporarily cache or route traffic. We do not use Vercel to store episode bytes.
- Supabase — managed PostgreSQL and authentication; processes account and organization data, episode metadata, hashed API keys, audit logs, signed-URL references, and authentication tokens. Episode binary contents (video, sensor blobs) are not stored in Postgres; we use object storage instead (next bullet).
- Cloudflare R2 — primary object storage for episode bytes (video, sensor logs, action arrays). Where you configure a bring-your-own bucket on R2 or another S3-compatible provider, those bytes go to your bucket under your contract with that provider, and you are responsible for its access controls, encryption, region, and retention.
- Resend — transactional email (recipients, message bodies, metadata needed to deliver and track delivery — access invitations, security alerts, password resets).
- Sentry — error and performance monitoring. We configure projects to avoid sending ingest payloads, episode contents, API key cleartext, or other sensitive material; you may still see technical data (stack traces, URLs, user IDs) that we treat as service telemetry.
We update this list when we add or remove a sub-processor and will give you reasonable notice of material changes. Some vendors are based in the United States; we rely on Standard Contractual Clauses or equivalent transfer mechanisms where required. We do not currently use a payment processor: the Service is invite-only and free during the pilot.
9. What we share with sub-processors in practice
As a general rule: we share only what is reasonably necessary for each provider to perform its function. Hosting and database providers process the categories of data needed to run the app. Object-storage providers receive the episode bytes you upload, encrypted in transit. Email providers process addresses and content needed to send mail. Error monitoring receives technical telemetry, configured to avoid raw episode payloads. We do not sell personal data to sub-processors and do not authorize them to use it for their own marketing or model training.
10. International data transfers
Some of our sub-processors operate outside your country, including in the United States. Where we transfer personal data internationally we use appropriate safeguards — typically the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism — and apply additional security measures where appropriate. If your project requires data to remain in a specific region, configure a bring-your-own bucket in that region and contact privacy@robotrace.dev for any additional commitments.
11. How we protect data; security incidents
We use technical and organisational safeguards appropriate to the sensitivity of the data, including encryption in transit (TLS) and at rest, role-based access controls, Supabase Row-Level Security on every multi-tenant table, scoped and hashed API keys, signed time-limited URLs for episode downloads, multi-factor authentication on administrative accounts, and an append-only audit log of sensitive admin actions (access requests, role changes, deletions). No system is perfectly secure.
If we become aware of a security incident that creates a risk to personal data, we will investigate, take steps to contain it, and notify affected users and regulators where required by applicable law. We do not commit to a specific number of hours for notification, because incident complexity and legal requirements vary; we will act without undue delay and in line with applicable breach-notification rules. Report suspected vulnerabilities to security@robotrace.dev.
12. How long we keep data
We keep personal data only as long as necessary for the purposes in this Policy. Indicative periods:
- Account & organization data: for the lifetime of your account, then deleted or anonymized within ninety (90) days of closure, except where we must retain certain records to respond to disputes or meet legal obligations.
- API keys: hashes are retained while the key is active; revoked or rotated keys are kept as security audit records for a limited period.
- Episodes (video, sensor logs, actions): retained per the retention window applicable to your plan as described in-product. You may delete episodes earlier at any time. On plan-window expiry, episodes are deleted from active systems on a rolling schedule.
- Episode metadata and reproducibility records (policy_version, git_sha, etc.): may be retained alongside the episode while it exists and may persist as anonymised aggregates after the episode itself is deleted, where doing so does not re-identify any person.
- Audit logs: append-only admin audit logs are retained for the period required for security and compliance, typically up to twenty-four (24) months unless a longer hold is required for an incident.
- Application & security logs: typically up to twenty-four (24) months, unless a longer hold is required for an incident.
- Backups: encrypted rotating backups; overwritten or aged out on a schedule (for example, on the order of thirty-five (35) days in normal operation). A deletion in production may not instantly purge every copy in a backup; we do not restore deleted data for routine use.
- Bring-your-own buckets: bytes stored in your own R2 / S3 bucket are retained according to your bucket configuration. We do not extend RoboTrace’s retention policy to data in your bucket.
13. Deletion, backups, and when data may be retained
When you ask us to delete data, or we delete it on termination, we remove it from active systems within a reasonable period. Residual copies may persist in encrypted backups until those backups naturally expire; we do not use backups to resurrect deleted user content for routine operations. We may retain limited records where necessary to comply with law, prevent fraud or abuse, resolve disputes, or enforce our agreements — in each case, kept no longer than necessary.
14. AI processing and automated decisions
Some features use AI / ML to compute metrics, evals, or re-rolls from your episodes.
- Outputs are interpretive — they are not safety certifications, compliance approvals, or guarantees that any policy is fit to deploy on a real robot in any environment.
- They may be wrong or misleading, particularly out of distribution. They are not a substitute for testing on hardware in the conditions you intend to deploy in.
- We do not use User Content or generated outputs to train our own public models for unrelated products; third-party model training is excluded by sub-processor configuration where available.
- Where an automated process could significantly affect you, a human review may be available on request, subject to feasibility and law.
15. Risk assessments and new features
Because the Service may store sensitive episode contents and run evaluations whose outputs influence real-world deployment decisions, we treat privacy and safety seriously. We assess privacy and security risks before launching material new features. For features that significantly change how data is processed (for example, third-party model integrations, on-device inference uploads, or new sensor categories), we may perform additional review and will require renewed or feature-specific configuration where our policies or applicable law require it.
16. Your rights
Depending on where you live, you may have: access, rectification, erasure (“right to be forgotten”), restriction, objection, portability, and the right to withdraw consent without affecting the lawfulness of prior processing. EU/UK residents may lodge a complaint with a supervisory authority. California residents have CCPA/CPRA rights (we do not sell or share personal data for cross-context advertising). If you are in the EEA, UK, or Switzerland, nothing in this Policy is intended to deprive you of non-waivable rights under your local law.
Where the data subject is a third party captured by your robot, their rights run against you as controller; we will help you respond to such requests as your processor where reasonable, consistent with our role and any data processing addendum we have signed with you.
To exercise a right against RoboTrace as controller, write to privacy@robotrace.dev. We respond within the time required by law (often about one month for GDPR/UK). We may verify your identity and may be unable to delete certain data we must keep by law.
17. Cookies and analytics
We use a minimum of cookies — mainly to keep you signed in and for security. We do not use third-party advertising cookies. We may use privacy-respecting, aggregated product analytics; where the law requires, we will ask for consent.
18. Children and teens
The Service is intended for professional and adult users (18+) building robotics products. Minors may not create their own account. You must not upload personal data about a child through episode video, audio, or sensor logs unless you have a clear lawful basis to do so under your jurisdiction’s rules. If we learn that we have collected a child’s personal data without proper authority, we will delete it as required by law.
19. Changes to this Policy
We may update this Policy as the Service evolves. Material changes will be communicated by email or in-product notice at least thirty (30) days in advance, unless a shorter period is required by law. The “Last updated” date at the top reflects the latest revision.
20. Related documents
See our Terms of Service, which govern your use of the Service and include commitments on acceptable use, the SDK contract, and decisions to deploy policies on physical robots.
Contact us
- Privacy: privacy@robotrace.dev
- Legal (terms & disputes): legal@robotrace.dev
- Security: security@robotrace.dev
- Support: support@robotrace.dev
- Legal entity: [Company legal entity]
- Registered address: [Registered address]
This document is for transparency. It is not legal advice. RoboTrace is not a law firm. You should obtain independent counsel to understand your rights and obligations, especially for workplace monitoring, healthcare or educational environments, robotics liability, dual-use export controls, and cross-border data transfers. If a provision conflicts with mandatory law in your jurisdiction, that law governs to the minimum extent required.