Trace — Privacy Policy

This Privacy Policy explains how Ulookup Technologies LLP (“we”, “us”, “our”) collects, uses, stores, and shares information when you use the Trace mobile application (the “App”) and related services. By using Trace, you agree to the practices described here.

If anything here is unclear or you’d like to exercise your rights, contact us at rushil@ulookup.ai.

1. Who we are

Ulookup Technologies LLP is the controller of personal data processed in connection with Trace. Our website is ulookup.ai. The App is published under the package identifiers com.ulookup.trace (Android) and com.ulookup.trace (iOS).

2. What Trace does

Trace is a voice-first personal assistant. You can record audio (either ambient or directly), and Trace transcribes it and uses large language models to turn it into notes, reminders, meeting summaries, and reflective insights. You can also chat with Trace via text or short voice messages. Over time, Trace builds a private long-term memory of you so it can be more helpful in future conversations.

The features above only function with the data described in this policy. Where feasible, we minimize what we collect and isolate it per user.

3. Information we collect

3.1 Information you provide

• Account information: email address, display name, and a password (which we never store in plain text — passwords are hashed by our authentication library, Better Auth).
• Audio recordings that you initiate within the App.
• Chat messages you send to Trace.
• Anything else you choose to enter in the App, such as edits to notes or reminders.

3.2 Information generated from your use of Trace

• Transcripts of your audio recordings (produced by our speech-to-text sub-processor, ElevenLabs).
• Content generated about you by language models — for example notes, reminders, meeting summaries, and insights — as well as Trace’s private long-term memory of you, stored as structured records scoped to your account.
• Your timezone, used to schedule reminders and reflective passes correctly.
• Push notification tokens issued by Apple or Google so we can deliver notifications.

3.3 Information collected automatically

• Standard server logs, including IP address, request timestamps, and user agent strings. We use these for security, debugging, and abuse prevention.

We do not currently use any third-party analytics, advertising, or crash-reporting SDKs in the App. If we add them in the future (for example, to detect crashes or measure feature usage), we will update this policy and notify users in-app or by email before they take effect.

4. How we use your information

We use the information described above to:

• Provide the core features of Trace — recording, transcription, generating notes / reminders / insights, chat, push notifications, and long-term memory.
• Authenticate you and keep your account secure.
• Send transactional emails such as verification messages and important account notices. We do not send marketing emails.
• Operate, maintain, and improve our infrastructure (debugging errors, capacity planning, security monitoring).
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your data to serve ads, build advertising profiles, or share with third-party advertisers or marketers.

5. Audio recordings and other people’s voices

Audio recordings made through Trace may incidentally capture the voices of people other than you. You are responsible for understanding and complying with the laws that apply to you concerning recording other people — in some jurisdictions and contexts, recording requires the consent of all parties involved.

Trace does not perform speaker identification — we do not attempt to recognize or distinguish individual people’s voices.

6. How and where we store your information

• Account information, transcripts, generated content, Trace’s long-term memory of you, and metadata are stored in our managed backend and database (Convex), scoped per user.
• Audio files are stored in Convex’s managed file storage and are referenced only from your account.
• Session tokens on your device are kept in iOS Keychain / the equivalent secure storage on Android.
• All communication between the App and our backend is encrypted in transit using TLS / HTTPS.

7. Sub-processors and third parties

Trace relies on third-party AI providers to function. Your recordings, transcripts, and chat messages are sent to the AI sub-processors listed below so the App can transcribe your audio and generate responses. By using Trace, you consent to this processing. We do not share your data with any third-party AI for advertising, profiling, or any purpose other than delivering the features you request.

We use the following sub-processors to operate Trace. Each is contractually bound to handle data only as instructed by us, and to provide the same or equal level of data protection as set out in this policy:

• Convex — backend hosting, database, managed file storage (including audio), and background job orchestration (e.g. processing recordings, scheduling reflective passes).
• ElevenLabs — speech-to-text transcription. We send the audio you record so it can be turned into text. ElevenLabs acts solely as a data processor on our behalf and does not use your data to train its models.
• OpenRouter and downstream model providers (such as OpenAI) — large language model inference for generating notes, reminders, summaries, insights, and chat replies. We send the relevant text (your transcripts, chat messages, and the parts of your long-term memory needed to answer you) so a model can generate a response. These providers act solely as data processors on our behalf; we have configured our account so that your data is not used to train their models.
• Resend — transactional email delivery (verification emails only).
• Expo Push Service, Apple Push Notification service (APNs), and Google Firebase Cloud Messaging (FCM) — delivering push notifications.
• Google Play and Apple App Store — distribution of the App. These platforms apply their own privacy policies and may collect standard platform telemetry independently of us.

We aim to keep this list current. If we add or replace a sub-processor in a way that materially affects how your data is handled, we will update this policy.

8. International data transfers

Trace is offered globally, and our sub-processors may operate in countries different from your own — most commonly, the United States. By using Trace, you understand that your information may be transferred to, processed in, and stored in countries whose data-protection laws may differ from those in your country. Where required by law (for example for transfers from the European Economic Area or the United Kingdom), we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

9. How long we keep your information

• We retain your account data and the content you create in Trace for as long as your account is active.
• When you ask us to delete your account, we permanently delete your account data within 30 days, except where we are legally required to retain it for longer (for example, to comply with tax or fraud-prevention obligations).
• Backups are purged on a rolling cycle of up to 90 days; deleted data may persist in encrypted backups during that window before being overwritten.
• Server logs are retained for a limited operational period, typically not longer than 90 days.

10. Your rights

Depending on where you live, you may have the following rights with respect to your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Deletion (the “right to be forgotten”) — ask us to delete your data.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent — where we rely on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Object to or restrict processing (under the GDPR / UK GDPR).
• Opt out of the “sale” or “sharing” of your data (under the CCPA / CPRA). For clarity, we do not sell your data, but California residents may still submit a formal request to confirm this.
• Nominate a representative to exercise rights on your behalf in the event of death or incapacity (under India’s Digital Personal Data Protection Act, 2023).
• Lodge a complaint with your local data-protection authority if you believe we have not handled your data properly.

To exercise any of these rights, email rushil@ulookup.ai. We will respond within the timeframes required by applicable law (typically within 30 days).

11. Children

Trace is intended for users 16 years of age and older. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at rushil@ulookup.ai and we will delete that information promptly.

12. Security

We use a combination of technical and organizational measures to protect your data, including encrypted transport (TLS / HTTPS), per-user isolation of long-term memory data, hashed password storage, secure on-device session storage (iOS Keychain / Android equivalent), and access controls on our infrastructure. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you and the relevant authorities as required by law.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you in advance by email or through an in-app notification, and we will update the effective date at the top of this document. Your continued use of Trace after the new policy takes effect constitutes acceptance of the updated terms.

14. Contact

Privacy questions, requests to exercise your rights, or any other concerns about your data should be sent to rushil@ulookup.ai. Our company website is ulookup.ai.