CarveTrace

Privacy Policy

Controller: Aryamind SARL, a company registered in France.
Contact: privacy@aryamind.com
Last updated: 2026-06-17

1. Summary in one paragraph

CarveTrace is built so that personal data does not need to flow to us. Our marketing site has no analytics and no third-party trackers. Our independent verifier at verify.carvetrace.com runs entirely in your browser and never sends your evidence files anywhere. Our commercial product is self-hosted on your own infrastructure — we never touch your AI decisions or your subjects' data. The only personal data we process is what you voluntarily send us by email (your name, organization, and whatever you put in the message). This policy explains all of that in detail, the legal bases under the GDPR, and how to exercise your rights.

2. What this policy covers

  • The marketing website carvetrace.com (and its French version /fr).
  • The independent in-browser verifier at verify.carvetrace.com.
  • Direct commercial interactions with Aryamind SARL — pre-sales emails, demo sessions, contracts, ongoing support of CarveTrace deployments.

This policy does not cover the personal data that you, as a CarveTrace customer, process inside your own self-hosted CarveTrace deployment. Under the GDPR you are the controller for that processing; Aryamind SARL only acts as your processor when explicitly contracted to do so under our Data Processing Agreement (DPA — see /legal/dpa).

3. The marketing site — what we collect

We deliberately operate the marketing site without analytics. Specifically:

  • No cookies are set beyond what your browser's language preference does automatically. We do not set any persistent identifier.
  • No analytics or tag managers — no Google Analytics, no Plausible, no Fathom, no Hotjar, no Meta Pixel, no LinkedIn Insight Tag, no internal counters.
  • No third-party scripts — the page-level Content-Security-Policy enforces this technically (script-src 'self').
  • No embedded social widgets, fonts loaded from CDNs, or pixel trackers. The fonts ship self-hosted.

Our hosting provider — Cloudflare, Inc. — necessarily processes your IP address to deliver the page to you. Cloudflare's processing is governed by their own privacy policy. We have a Data Processing Addendum in place with Cloudflare; they act as our processor under the GDPR for hosting, and their EU-Customer Data Protection Addendum applies. We selected the EU jurisdiction option where available. We do not receive your IP address from Cloudflare and we do not consult Cloudflare's access logs.

4. The independent verifier — what we collect

The verifier at verify.carvetrace.com is a static page that loads a WebAssembly module into your browser. When you drop an evidence bundle onto the page, the file is read, parsed, and verified locally in your browser. The bundle, your verdict, and any of its contents never leave your machine. The page is enforced as zero-network-after-load by a strict Content-Security-Policy (connect-src 'none').

As with the marketing site, we operate the verifier without analytics. Cloudflare delivers the static assets and necessarily processes your IP address for delivery; we do not consume those logs.

5. Commercial interactions — what we collect and why

When you contact us through the email address shown on our contact page, send us an RFP response, sign a pilot or commercial agreement, or open a support ticket, we process:

  • Your professional contact details (name, business email, job title, organization, country) — provided directly by you.
  • The content of your message and any attachments you choose to include.
  • Contract metadata for executed agreements (signature date, signatory, scope, term, fee schedule).
  • Support-session details when you grant us screen-sharing or log-sharing access to triage a deployment issue — strictly time-bounded to the session, deleted after resolution unless you ask us to retain them for follow-up.

Legal basis (Art. 6 GDPR):

  • Contract performance (Art. 6(1)(b)) — to provide pre-sales, contracting, and support to your organization.
  • Legitimate interest (Art. 6(1)(f)) — to respond to your inbound inquiry, maintain commercial records, and protect Aryamind SARL's contractual rights. We balanced this against your privacy by collecting only the minimum necessary fields.
  • Legal obligation (Art. 6(1)(c)) — to retain executed contracts and invoices for the periods required by French commercial and tax law.

We do not engage in profiling, do not run marketing automation, and do not enrich your contact details from third-party data brokers.

6. Sub-processors

We use the following sub-processors for the activities described above. We maintain executed Data Processing Addenda (or equivalent contractual safeguards) with each. The list is the authoritative one — there are no others.

| Sub-processor | Purpose | Data location |
|---|---|---|
| Cloudflare, Inc. | Static hosting of carvetrace.com and verify.carvetrace.com (Pages + CDN) | Global edge; EU-resident processing where available |
| OVHcloud SAS | Inbound business email (contact@, privacy@, security@, legal@, licensing@ aryamind.com) | France |
| GitHub, Inc. | Source-code hosting and CI for the open-source verifier components; commercial code held in private repositories | US; SCCs Module 2 in place |

If we add a sub-processor, customers with an active CarveTrace agreement receive notice at least 30 days in advance per the DPA, with a right to object.

7. International transfers

Aryamind SARL is established in the European Union. We host the marketing site and verifier on EU edge nodes where supported by the underlying CDN, and process business email on EU-located servers (OVHcloud, France). Where a sub-processor necessarily processes data outside the EU — at this writing, GitHub for source hosting — we rely on the European Commission's 2021 Standard Contractual Clauses (Module 2, controller-to-processor) and conduct a Transfer Impact Assessment consistent with the EDPB's Schrems II guidance. We do not transfer personal data to jurisdictions without an adequacy decision unless covered by appropriate safeguards.

8. Retention

  • Inbound emails with no contractual follow-up: up to 18 months from last response, then deleted.
  • Pre-sales records of qualified opportunities: up to 36 months from last contact, then deleted, to comply with French commercial-record obligations and to honor reasonable post-engagement support questions.
  • Executed contracts, invoices, and other accounting records: 10 years per French Commercial Code Art. L123-22 / Tax Code Art. L102 B.
  • Support session recordings or shared logs: deleted after issue closure unless you ask us to retain them.

9. Your rights under the GDPR

You have the right to access your personal data, to request rectification or erasure, to restrict or object to processing, to data portability, and to lodge a complaint with your local supervisory authority — for French residents that is the CNIL. Send any request to privacy@aryamind.com. We answer within one month of receipt (Art. 12(3) GDPR).

Where you are also a Customer's data subject and CarveTrace is acting as Aryamind SARL's processor on behalf of your employer or service provider, the Customer is your primary point of contact; we will forward your request to them within 5 business days per our DPA.

10. Security

We describe our security posture, cryptographic choices, and active certifications on the Security page. Vulnerability reports go to security@aryamind.com.

11. Changes to this policy

We post material changes here with an updated Last updated date and notify customers with an active CarveTrace agreement by email at least 30 days before the change takes effect. The current version is always the one published at this URL.
