RetraceDocs

Privacy Policy

How Retrace Labs collects, uses, and protects your personal data.

Effective date: February 9, 2026 Last updated: February 9, 2026

This Privacy Policy explains how Retrace Labs Ltd ("Retrace", "we", "us", or "our") collects, uses, discloses, and protects your personal data when you use the Retrace Sandbox platform at retrace.cloud (the "Service").

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller responsible for your personal data is:

Retrace Labs Ltd Unit A282, 4-6 Greatorex Street, London, E1 5NF, United Kingdom Company Number: 17019667 Email: [email protected]

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash — we never store plaintext passwords)
  • Organization name (if applicable)

2.2 Usage Data

When you use the Service, we automatically collect:

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Timestamps of actions
  • Device and operating system information

2.3 Analysis Data

When you submit samples for analysis, we collect:

  • Uploaded file metadata (name, size, hash)
  • Analysis configuration (duration, platform)
  • Analysis results (events, network activity, process data, screenshots, detections)
  • File artifacts generated during analysis

2.4 Payment Data

If you subscribe to a paid plan, payment processing is handled by our third-party payment provider. We do not store your full credit card number. We may store:

  • Billing name and address
  • Last four digits of your card number
  • Payment transaction records

3. How We Use Your Data

We use your personal data for the following purposes:

PurposeLegal Basis (UK GDPR)
Providing and operating the ServicePerformance of contract (Art. 6(1)(b))
Authenticating your identityPerformance of contract (Art. 6(1)(b))
Processing paymentsPerformance of contract (Art. 6(1)(b))
Sending service notificationsPerformance of contract (Art. 6(1)(b))
Analyzing usage to improve the ServiceLegitimate interest (Art. 6(1)(f))
Detecting and preventing abuseLegitimate interest (Art. 6(1)(f))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))
Sending marketing communicationsConsent (Art. 6(1)(a))

4. Data Sharing

We do not sell your personal data. We may share data with:

4.1 Service Providers

We use trusted third-party providers to help operate the Service, including cloud infrastructure, authentication, database hosting, and analytics. These providers process data on our behalf under strict contractual obligations and are not permitted to use your data for their own purposes.

4.2 Organization Members

If you belong to an Organization, other members of that Organization may see:

  • Your name and email address
  • Analyses you submit within the Organization
  • Your activity within shared workspaces

4.3 Public Analyses

If you mark an analysis as "public", the following data is visible to all users:

  • Sample name, hash, size, and type
  • Analysis results (events, detections, screenshots, behavioral data)
  • Threat score and verdict

Public analyses do not reveal your name, email, organization, or any other personal information.

4.4 Law Enforcement

We may disclose your data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Retrace, our users, or the public.

5. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

Data TypeRetention Period
Account dataUntil account deletion + 30 days
Analysis data (private)Until account deletion or upon request
Analysis data (public)Indefinitely (anonymized — not linked to your account)
Usage logs12 months
Payment records7 years (legal requirement)

After the retention period, data is permanently deleted or anonymized.

6. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit — All data is transmitted over TLS/HTTPS
  • Encryption at rest — Sensitive data is encrypted in our database
  • Access controls — Role-based access with principle of least privilege
  • Infrastructure isolation — Sandbox environments are isolated virtual machines destroyed after each analysis
  • Regular security reviews — We conduct periodic security assessments of our infrastructure

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — Request a copy of your personal data
  • Right to rectification — Request correction of inaccurate data
  • Right to erasure — Request deletion of your data ("right to be forgotten")
  • Right to restrict processing — Request that we limit how we use your data
  • Right to data portability — Receive your data in a structured, machine-readable format
  • Right to object — Object to processing based on legitimate interests
  • Right to withdraw consent — Withdraw consent for marketing communications at any time

To exercise any of these rights, contact us at [email protected]. We will respond within one month.

8. International Transfers

Your data is primarily processed within the European Economic Area (EEA) and the United Kingdom.

If data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

9. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.

10. Cookies

We use cookies and similar technologies on the Service. For details, please see our Cookie Policy.

11. Marketing Communications

We may send you marketing emails about product updates, new features, or security research content. You can opt out at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Contacting us at [email protected]

We will never send marketing emails without your prior consent.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first at [email protected] so we can address your concerns directly.

14. Contact Us

If you have questions about this Privacy Policy, please contact us:

  • Email: [email protected]
  • Address: Retrace Labs Ltd, Unit A282, 4-6 Greatorex Street, London, E1 5NF, United Kingdom
  • Company Number: 17019667 (registered in England & Wales)

Terms of Service

Terms and conditions for using the Retrace Sandbox platform.

Cookie Policy

How Retrace Labs uses cookies and similar technologies on retrace.cloud.

On this page

1. Data Controller2. Data We Collect2.1 Account Data2.2 Usage Data2.3 Analysis Data2.4 Payment Data3. How We Use Your Data4. Data Sharing4.1 Service Providers4.2 Organization Members4.3 Public Analyses4.4 Law Enforcement5. Data Retention6. Data Security7. Your Rights8. International Transfers9. Children's Privacy10. Cookies11. Marketing Communications12. Changes to This Policy13. Complaints14. Contact Us