TracerResearch Security
Back

Last updated: March 2026

Privacy Policy

1. Who we are

Tracer Research Security ("Tracer," "we," "us," or "our") is a Canadian company providing research security intelligence services to universities, research institutions, and other organizations. Our platform helps institutions screen research partnership candidates against sanctions lists, open-source intelligence, and network affiliation data.

Our Privacy Officer can be reached at: privacy@tracersecurity.ca

2. Scope of this policy

This policy applies to:

  • Visitors to our website (tracersecurity.ca)
  • Individuals who submit our early access or contact forms
  • Clients and users of the Tracer platform

This policy does not apply to personal information that Tracer processes on behalf of its institutional clients as a service provider. In that context, the client institution is the organization responsible for the personal information and Tracer acts as a mandatary processing that information according to the client's instructions and our data processing agreement.

3. What personal information we collect

Website visitors

We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. We do not use advertising trackers or third-party analytics that share your data with advertisers.

Early access and contact form submissions

When you submit a form on our website, we collect: name, institutional email address, institution name, role or title, and any message you choose to include.

Platform users (clients)

For users of the Tracer platform, we collect: name, professional email address, institution, role, login credentials (stored in hashed form), and usage logs necessary for security, audit, and service improvement purposes.

Screening subjects

The individuals and organizations screened through the Tracer platform are not our clients or website visitors — they are third parties whose publicly available professional information is processed as part of a research security review. This processing is described in Section 6 below.

4. How we use personal information

We use the personal information we collect to:

  • Respond to inquiries and manage early access requests
  • Provide, maintain, and improve the Tracer platform
  • Authenticate users and maintain account security
  • Produce audit logs required for institutional compliance
  • Communicate with clients about their accounts and our services
  • Comply with our legal obligations

We do not sell personal information. We do not use personal information for advertising purposes.

5. Legal basis for processing

For clients and users in Quebec, we process personal information on the following bases under the Act respecting the protection of personal information in the private sector (Law 25):

  • Contractual necessityprocessing required to perform our service agreement with client institutions
  • Legitimate interestmaintaining security logs, fraud prevention, and service improvement
  • Legal obligationcompliance with applicable law

For early access inquiries, we process your information on the basis of your consent, which you provide by submitting the form.

6. Processing of publicly available professional information

When Tracer screens a research partner candidate on behalf of a client institution, it queries publicly available sources including sanctions databases, open-source intelligence sources, academic publication records, and corporate registries. The names and institutional affiliations of researchers and organizations submitted to these queries are information that those individuals and organizations have made public in their professional capacity.

It is our considered legal position, documented in our privacy architecture, that querying publicly available information about professionals acting in their professional capacity does not constitute a communication of personal information to third-party API providers requiring a data processing agreement, as the alternative interpretation would make routine professional research legally untenable. This position is documented and available upon request.

All data processed through the Tracer platform is stored on Canadian servers located in Montreal, Quebec (AWS Canada Central region). No personal information is transferred outside Canada in the course of normal platform operation.

7. Data sharing and third parties

We do not share personal information with third parties except in the following circumstances:

  • Service providerswe use a limited number of service providers who process personal information on our behalf under contractual obligations consistent with this policy and applicable law
  • Legal requirementswe may disclose information when required by law, court order, or government authority
  • Business transfersin the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to equivalent privacy protections

We do not share personal information with advertisers or data brokers.

8. Data retention

We retain personal information only as long as necessary for the purposes for which it was collected:

  • Early access and contact inquiries: 24 months from last contact, or until you request deletion
  • Platform user accounts: for the duration of the client contract plus 12 months, or as required by law
  • Server logs: 90 days
  • Screening case records: as specified in the data processing agreement with each client institution

9. Your rights

If you are a Quebec resident, you have the following rights under Law 25:

  • Right of accessto request a copy of the personal information we hold about you
  • Right of rectificationto correct inaccurate or incomplete information
  • Right of erasure or de-identificationto request deletion of your information where we have no legal basis to retain it
  • Right of portabilityto receive your information in a structured, commonly used format
  • Right to object to automated decision-makingto request human review of any decision made exclusively through automated processing

To exercise these rights, contact our Privacy Officer at privacy@tracersecurity.ca. We will respond within 30 days.

If you are a screening subject and believe you have been incorrectly identified in a research security review, please contact us with your name and institution. We will work with the client institution to correct any inaccurate information.

10. Security

We implement security measures appropriate to the sensitivity of the information we hold, including:

  • Encryption of personal information in transit (TLS) and at rest
  • Role-based access controls limiting access to authorized personnel
  • Audit logging of all access to personal information
  • Canadian data residency — all data stored in Quebec, Canada

11. Breach notification

In the event of a confidentiality incident involving personal information that presents a risk of serious harm, we will notify affected individuals and the Commission d'accès à l'information du Québec (CAI) as soon as reasonably possible following discovery of the incident. We maintain a register of all security incidents as required by Law 25.

12. Cookies and tracking

Our website uses only essential cookies necessary for the site to function. We do not use advertising cookies, retargeting pixels, or third-party analytics that share your data. No cookie consent is required for essential cookies under applicable law, but we disclose their use here for transparency.

13. Changes to this policy

We may update this policy from time to time. We will post the updated policy on our website with a revised date. For material changes, we will notify active platform users by email.

14. Contact

For any privacy-related questions or to exercise your rights:

Privacy Officer, Tracer Research Security privacy@tracersecurity.ca tracersecurity.ca