Skip to content
Pricing
Log InStart Free TrialBook a Demo
Privacy & Compliance

GDPR

GDPR (General Data Protection Regulation) is the European Union's comprehensive data protection law, in force since May 2018, that governs how organizations collect, process, and store the personal data of individuals in the EU and EEA.

How it works

How GDPR works

The GDPR replaced the 1995 Data Protection Directive and applies to any organization that processes the personal data of people in the European Union and European Economic Area, regardless of where the organization itself is located. This extraterritorial reach means a company anywhere in the world can fall under the regulation if it targets or monitors EU residents.

At its core, the regulation requires that every act of processing personal data rests on one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. It also enshrines principles such as purpose limitation, data minimization, storage limitation, accuracy, and accountability, and grants individuals rights including access, rectification, erasure, portability, and objection.

Enforcement is handled by national supervisory authorities (data protection authorities), coordinated through the European Data Protection Board. Penalties for serious infringements can reach up to 20 million euros or 4 percent of a company's total worldwide annual turnover, whichever is higher, which is why compliance has become a board-level concern for global businesses.

For techniques such as device fingerprinting and analytics, the GDPR interacts with the ePrivacy Directive (the so-called 'cookie law'). Reading or writing information on a user's device generally requires consent unless it is strictly necessary for a service the user requested, while the downstream processing of any resulting personal data must still meet GDPR's lawful-basis and transparency requirements.

Why it matters

Why GDPR matters for fraud prevention

GDPR shapes how any fraud-prevention system may operate in Europe. Device intelligence and fingerprinting can process personal data, so operators must identify a valid lawful basis (frequently legitimate interests for security and fraud prevention, which the regulation explicitly recognizes as a legitimate purpose), document a balancing assessment, and be transparent with users. Getting this right protects both the business from regulatory penalties and individuals from disproportionate or hidden surveillance, making GDPR the central reference point for privacy-conscious data handling in the region.

With TRACIO

How TRACIO handles it

TRACIO is designed for GDPR-conscious deployment: it operates as a first-party device intelligence service focused on security and fraud prevention, minimizes the signals it retains, and gives customers the controls they need to document their own lawful basis and data-handling policies. TRACIO does not, however, make any customer automatically compliant. Compliance depends on how each customer configures purposes, notices, retention, and consent in their specific context, and legal responsibility for that assessment remains with the customer. TRACIO supports this work rather than replacing the customer's own legal judgment.

FAQ

Frequently asked questions

Identify every device with confidence

Start with a free plan of 2,500 API calls per month. No credit card required.