Privacy Policy

Last updated: 23 April 2026

🔒 At a glance – How we handle your data

Nametrace helps you organise your professional network, rediscover contacts and keep relevant information clearly at hand.

In doing so, we process personal and partly confidential information. That is why we want to explain transparently what happens with your data, why certain processing steps are necessary, and how we protect your data.

What we store

We store the contacts, notes, meeting entries and other information that you record yourself in Nametrace or transfer via a contact synchronisation you have activated.

We use this data exclusively to provide you with the features of Nametrace.

We do not sell or rent your data. We also do not use it for personalised advertising.

Why Nametrace needs to be able to process your data

So that Nametrace can intelligently search, structure and synchronise your contacts, notes and conversation content across multiple devices, this information has to be processable on the server side.

That is why the content is not end-to-end encrypted.

With end-to-end encryption, only your device would be able to read the stored information. Nametrace itself would have no access to the content. Core features such as natural-language search, automatic structuring, synchronisation and AI-supported processing would therefore not work, or would work only in a very limited way.

That does not mean your data is stored without protection. Among other things, we protect it through:

encrypted transmission between your device and Nametrace,
encrypted backups,
protected technical infrastructure,
strictly limited internal access rights,
additional safeguards for administrative access,
data minimisation with external providers,
clear deletion and access controls.

Our team does not routinely access your contacts or notes. Access only takes place when this is necessary for technical operations, security, or a support case you have requested.

Nametrace is not an encrypted vault. It is an application that processes your data on your behalf so that your network becomes usable for you.

How we use AI

Nametrace uses artificial intelligence to understand search queries, structure information and suggest matching contacts from your own network.

We only transmit the information that is necessary for the respective function.

Direct identifiers and content-related information are processed separately. Notes about contacts are sent to the AI service anonymised – without being directly linked to the contact's name.

Data processed through our interfaces is not used to train generally available AI models.

You stay in control

You decide for yourself whether you want to:

synchronise contacts,
store notes and meeting information,
start a web research,
use AI features,
enable reminders or notifications.

You can add to, edit or delete your data at any time. You can remove individual contacts and content, or delete your account entirely.

When you delete your account in full, we also remove the associated contacts, notes, research results and AI derivatives. Data that we are legally required to retain — for example invoicing records — is stored under access restrictions for the prescribed period.

Technical providers

To operate Nametrace, we use selected technical providers, for example for hosting, AI processing, email delivery, payments, push notifications and contact synchronisation.

These providers only receive the data that is necessary for the respective function.

We do not sell or rent your data to third parties.

You will find a complete overview of the providers used, the data processed and the respective purposes in the full Privacy Policy.

This is what we personally stand for

Privacy is not created by legal wording alone. What matters is whether the people behind a company take their promises seriously and act accordingly day to day.

Behind Nametrace, that is us: Philipp Etter and Andreas Berger.

Since 2008 we have been developing and operating digital solutions. These include, among other things, the Swiss matchmaking platform top-offerten.ch, through which more than 300,000 projects have already been brokered.

We are aware that a professional network is built on trust. Anyone who uses Nametrace is not simply handing us data records, but a part of the relationships they have built up over many years.

We take that responsibility personally.

We do not promise absolute security – no serious provider can guarantee that. But we do promise transparency, careful handling of your data, and that we will not put our business interests above the protection of your network.

Philipp Etter and Andreas Berger – founders of Nametrace

👉 You will find the full legal and technical details below in the complete Privacy Policy.

CONTROLLER

We — top-offerten GmbH ("we", "us") — registered in Donzhausen (Switzerland), operate the Nametrace platform (website, iOS and Android apps) and are the controller responsible for processing the personal data generated when you use Nametrace. This Privacy Policy explains which data we collect, for which purposes, on what legal basis, and which third-party providers we share it with. It applies whenever you

visit our website at https://nametrace.app (or any subdomain),
download and use our mobile app,
otherwise interact with us (support, email, events).

By using our services you confirm that you have read, understood, and accepted this Privacy Policy. For any questions, reach us at info@nametrace.app.

Data we collect
How we process your data
Legal bases
Third-party providers and recipients
International data transfers
Data about your contacts
Subscriptions and in-app purchases
Cookies and session data
Retention
Data security
Your rights
Account deletion
Minors
Changes to this policy
Contact

1. DATA WE COLLECT

a) Data you provide

Account and profile: first and last name, email address, password (hashed), optionally phone number, profile picture, and professional details (company, role).
Contacts: name, email, phone number, company, address, notes and meeting points for the people you record in Nametrace.
Meeting journal: date, location, participants, notes, and follow-ups for your meetings.
Insights: structured, searchable knowledge fragments you record about contacts (e.g. "looking for investors in field X").
Communications: the content of support requests, contact forms, and emails.

b) Data collected automatically

Log and usage data: IP address, device type, operating system, browser/app version, date and time, pages visited, click paths, error messages, language preferences.
Device data: device ID, screen resolution, OS version.
Push token: when push notifications are enabled, a pseudonymous token issued by Apple (APNs) or Google (FCM).
Session cookies: for login state and CSRF protection (see section 8).

c) Data from publicly accessible sources (optional research feature)

When you run research on a contact, Nametrace processes only publicly accessible, work-related information.

Processing is strictly limited to information that can objectively be attributed to a professional or business context and that serves to maintain, supplement, or update existing professional contacts.

This includes in particular:

information on companies, functions, and professional roles,
career stations and publicly accessible profile descriptions,
other content clearly situated in a professional context.

We do not process:

information from the private sphere,
sensitive personal data,
or data that is not necessary for professional contact management.

The research feature may not be used to collect or process private or non-work-related information.

The content we use comes exclusively from sources retrievable on the open web without login, paywall, or other access restriction, in particular:

company websites, team, profile, press, and legal-notice pages,
public search engine results,
publicly accessible work-related profile information.

To support this feature we use, in addition to direct web research, specialised data providers that supply structured work-related information. These providers are contractually bound to data protection and confidentiality and warrant that they process data from publicly accessible sources. We limit their use to work-related information and review these warranties on a risk-based approach.

What we explicitly do not do:

We do not ourselves access protected areas, closed networks, or paywalled content.
We do not use methods intended to circumvent access restrictions.
We do not commission data collection from sources that, to our knowledge, are not publicly accessible.

d) Data from optional contact synchronisation

If you enable synchronisation with Apple Contacts, Google Contacts, or Microsoft 365/Outlook, Nametrace — with your explicit consent — accesses the contacts stored there to reconcile them bidirectionally with Nametrace. The synchronised contact data is processed and stored on our servers, not only locally on your device.

2. HOW WE PROCESS YOUR DATA

Registration and authentication of your account.
Provision of app features: contact management, meeting journal, insight capture, network search, vCard export.
AI-assisted processing: structuring your insights (extraction of topics, industries, roles), semantic embedding (vector representation) for network search, normalisation of terms.
Web research: locating publicly available information about your contacts, analysing and structuring the content found. This research serves exclusively to supplement, update, and improve the findability of existing professional contact profiles. Research results are made available to you and can be reviewed, adjusted, or deleted by you at any time.
Contact synchronisation: reconciliation with Apple Contacts, Google Contacts, Microsoft 365.
Payment and subscription handling (Stripe, Apple, Google — see section 7).
Push notifications for follow-ups and updates (Apple APNs, Google FCM).
Customer service and responding to your inquiries.
Security and fraud prevention.
Aggregated analytics for product improvement.

3. LEGAL BASES

We process personal data on the following legal bases (Swiss revFADP Art. 31 / EU GDPR Art. 6):

Performance of contract: to provide the core features of Nametrace.
Consent: for optional features such as web research, contact synchronisation, push notifications.
Legitimate interests: product improvement, IT security, fraud prevention, logging.
Legal obligations: accounting, tax law, lawful requests from authorities.

4. THIRD-PARTY PROVIDERS AND RECIPIENTS

We work with carefully selected processors and infrastructure and technology providers. They receive personal data only to the extent necessary to provide and operate Nametrace. Where required, these providers are contractually bound to confidentiality, data security, and data-protection-compliant processing.

The categories of recipients described below receive data only to the extent necessary and only in connection with the features you use.

Not every recipient listed below processes personal data in every case. Which providers are used depends on which features you use (e.g. research, payment processing, push notifications, or contact synchronisation).

Where research providers are used, we limit their engagement to publicly accessible, work-related information and select such providers carefully.

OpenAI (USA)

Purpose: AI-assisted processing of content within Nametrace features, in particular for structuring insights, semantic processing of search queries, and processing and structuring of publicly researched content.
Data categories: insight texts, search queries, text content you release or that is processed through the research feature.
Note: Note content about your contacts is submitted to AI services without personal identifiers — i.e. without an association to the name of the person in the contact profile. Under our agreement, API data is not used to train general-purpose models.

Search engine and research providers (USA)

Purpose: execution of the optional research feature, in particular to locate publicly accessible work-related information on the open web.
Data categories: name, company, and professional context of a contact, plus public URLs and content extracted from them.

Specialised data providers for work-related information from publicly accessible sources (USA and possibly other third countries)

Purpose: supply of structured work-related profile information to supplement and update contact profiles in the context of the optional research feature.
Data categories: name, company, position, professional context, and publicly accessible work-related profile data.
Note: we restrict the use of these services to work-related information from publicly accessible sources and select such providers carefully.

Stripe (USA / Switzerland)

Purpose: payment processing for web subscriptions and one-off purchases.
Data categories: payment, billing, and transaction data.
Note: we do not store full credit-card details.

Apple Inc. (USA)

Purpose: App Store Billing for iOS subscriptions and in-app purchases, push notifications via APNs, and — where activated — synchronisation with Apple Contacts.
Data categories: transaction and subscription status data, push tokens, and contact data when synchronisation is enabled.

Google LLC (USA)

Purpose: Play Billing for Android subscriptions and in-app purchases, Firebase Cloud Messaging (FCM) for push notifications, and — where activated — synchronisation with Google Contacts.
Data categories: transaction and subscription status data, push tokens, and contact data when synchronisation is enabled.

Microsoft Corporation (USA)

Purpose: synchronisation with Outlook / Microsoft 365 contacts via Microsoft Graph, and OAuth authentication when activated.
Data categories: contacts, basic profile data, and authentication / access tokens.

Hosttech (Switzerland)

Purpose: hosting of the platform, database operation, storage, infrastructure, and system security.
Data categories: user, account, contact, journal, insight, and system data, to the extent necessary for hosting and operation.
Note: productive data processing takes place exclusively in data centres located in Switzerland.

Amazon Web Services (AWS) — mail delivery

Purpose: sending transactional emails (e.g. confirmations, 2FA codes, notifications) via Amazon Simple Email Service (SES).
Data categories: recipient email address, sender, subject, and mail body.
Note: we use AWS exclusively for mail delivery, not for hosting your content data.

Authorities, courts, and other legally authorised bodies

Purpose: compliance with statutory obligations or the pursuit or defence of legal claims.
Data categories: data only to the extent legally required in the specific case.

What we explicitly do not do: we do not sell your data. We do not rent your data. We do not use your data for third-party personalised advertising. Contacts, meeting notes, and insights are processed exclusively to provide the Nametrace features and via the technical providers described above.

5. INTERNATIONAL DATA TRANSFERS

Several of the providers listed above process data in the USA or are US companies. For such transfers we rely on:

EU Standard Contractual Clauses (SCC) in their current version when the recipient is not covered by an adequacy decision;
EU–U.S. Data Privacy Framework or the Swiss–U.S. variant, where the recipient is certified;
your explicit consent, if we were to perform a transfer without the above safeguards (requested transparently in that case).

You may request a copy of the concluded Standard Contractual Clauses at any time from info@nametrace.app.

6. DATA ABOUT YOUR CONTACTS (PEOPLE YOU RECORD IN NAMETRACE)

On behalf of users, Nametrace also stores data about third parties — the people you record as contacts.

Legal responsibility for the collection and maintenance of this contact data rests, in principle, with the respective user.

Where, within the optional research feature, we process publicly accessible work-related information about contacts, we do so to provide that feature and within the purposes described in this Privacy Policy.

What we do to protect these third parties:

we process contact data exclusively on behalf of the respective user, not for our own purposes beyond service delivery;
we limit the research feature to publicly accessible sources;
we provide a channel for data subjects to assert their rights — see section 11;
if a contact requests deletion, we forward the request to the user concerned and delete on our side where legally required.

7. SUBSCRIPTIONS AND IN-APP PURCHASES

Nametrace offers annual subscriptions and, optionally, credit packs as one-off purchases for additional research quota. The payment path depends on the platform:

iOS app: Apple StoreKit (in-app purchase). Manage your subscriptions through your Apple ID under "Settings → Apple ID → Subscriptions".
Android app: Google Play Billing. Manage through "Play Store → Subscriptions".
Website: Stripe. Manage inside your Nametrace account.

We receive from Apple and Google only the transaction and subscription status information we need to unlock the purchased features — no payment instrument details.

8. COOKIES AND SESSION DATA

Our website uses only technically necessary cookies:

Session cookie: keeps you signed in. Stored server-side in encrypted form (Redis).
CSRF token: protects forms against cross-site request forgery.
Preferences cookies: store your language or UI preferences.

We use no tracking or advertising cookies, and we embed no analytics pixels from third-party ad networks.

9. RETENTION

Account and profile data: until you delete your account.
Contacts, insights, meeting journal: until you delete them or until account deletion.
Research results (public web data about contacts): as long as the associated contact exists; deleted together with the contact.
Payment and invoice data: 10 years (statutory accounting obligations).
Logs and security events: up to 2 years.
Backups: rolling, cryptographically encrypted, maximum 90 days.

10. DATA SECURITY

TLS encryption of all data transfers (HTTPS, push channels, API connections).
Passwords stored as Argon2/bcrypt hashes — never in clear text.
Internal access strictly on a "need-to-know" basis, with two-factor authentication for admin access.
Regular security updates, automated backups, monitoring for anomalies.
Database backups are cryptographically encrypted.

11. YOUR RIGHTS

Depending on your residence, you have the following rights:

Access to stored data and processing purposes.
Rectification of inaccurate data.
Erasure of your data (see section 12).
Data portability: export of your data in a structured format (e.g. vCard for contacts, JSON export via the web UI).
Restriction of processing.
Objection to processing based on legitimate interests.
Withdrawal of consent (e.g. for web research, contact sync, push notifications).
Complaint to a supervisory authority — in Switzerland the FDPIC, in the EU your respective national data protection authority.

To exercise your rights, contact info@nametrace.app. We will respond within 30 days.

For people whose data has been recorded by a Nametrace user: if you believe your data is being processed unlawfully by a Nametrace user, contact us at the same address — we will forward and review your request.

Data subjects may in particular request access to the work-related data stored about them and request its rectification or erasure.

12. ACCOUNT DELETION

You can delete your account at any time directly in the app under Settings → Account → Delete account, or from your profile settings on the website. Deletion covers:

all account data, contacts, insights, and meeting-journal entries,
research results linked to your contacts,
AI embeddings and derivations from your data.

Data subject to statutory retention (e.g. invoices for 10 years) is blocked instead of deleted and permanently removed after the period expires.

13. MINORS

Nametrace is intended for adults (at least 18 years old). We do not knowingly collect data from persons under 18. If you are a parent or legal guardian and realise that a child has submitted data to us, please notify us — we will delete the data promptly.

14. CHANGES TO THIS POLICY

We will update this Privacy Policy to reflect new features, providers, or legal requirements. The current version is always available at https://nametrace.app/privacy. Material changes will be announced in the app or by email.

15. CONTACT

top-offerten GmbH — Data Protection
8583 Donzhausen
Switzerland
Email: info@nametrace.app