Privacy Policy

1. Introduction

Retrace ("we", "us", "our"), operated by Yash Bogam, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our execution replay engine for AI agents, including our website, dashboard, SDKs, API, and related services.

2. Information We Collect

2.1 Account Information

When you create an account via Clerk (our authentication provider), we receive: name, email address, profile picture, and authentication identifiers. We do not store passwords — authentication is handled entirely by Clerk.

2.2 Trace Data

When you use our SDKs to record agent executions, we collect: function inputs and outputs, LLM prompts and responses, tool call parameters and results, error messages and stack traces, timing data (start time, end time, duration), token counts and cost calculations, model names and provider information. This data is submitted by your code via our SDK — we only collect what your instrumented functions produce.

2.3 Usage Data

We automatically collect: number of traces, spans, tapes, and forks created; API request counts for rate limiting; subscription plan and billing status; IP addresses for rate limiting (not stored long-term).

2.4 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers, CVVs, or full payment details. We receive only: subscription status, plan type, and transaction history references.

2.5 Embeddings

We generate vector embeddings from your trace data using Google's text-embedding-004 model for semantic search functionality. Embeddings are numerical representations stored in our database — they cannot be reversed into original text.

3. How We Use Your Information

• Provide, maintain, and improve the Service
• Display your traces, tapes, and analytics in the dashboard
• Enable semantic search across your spans and memories
• Process payments and manage subscriptions
• Enforce rate limits and usage quotas
• Send transactional emails (account verification, billing receipts)
• Detect and prevent abuse, fraud, and security threats
• Comply with legal obligations

We do NOT:

• Use your trace data to train AI models
• Sell your data to third parties
• Access your trace content without your explicit permission
• Share your data with advertisers

4. Data Storage and Security

Database: Your data is stored in PostgreSQL (hosted on Neon) with pgvector for embeddings. All connections use TLS encryption.

API Keys: Hashed with SHA-256 before storage. The plaintext key is shown only once at creation and never stored.

Encryption: All data is encrypted in transit (TLS 1.3). Sensitive fields are encrypted at rest using AES-256.

Infrastructure: Hosted on Render (API) and Vercel (Web) with automatic security patches and isolated environments.

Access Control: All API endpoints require authentication via Clerk JWT or API key. Data is scoped to the authenticated user — you cannot access other users' traces.

5. Data Retention

After the retention period, trace data is automatically and permanently deleted. Account data (email, name) is retained until account deletion. Rate limiting data (IP-based counters) expires after 60 seconds.

6. Data Sharing

We share data only with the following service providers, solely to operate the Service:

• Clerk — Authentication and user management
• Stripe — Payment processing
• Neon — Database hosting (PostgreSQL)
• Upstash — Redis for rate limiting and caching
• Google AI — Embedding generation (text-embedding-004)
• Render / Vercel — Application hosting

We do not sell, rent, or trade your personal information. We may disclose data if required by law, court order, or to protect our rights and safety.

7. Shared Tapes (Public Data)

When you publish a trace as a tape with "public" or "unlisted" visibility, the trace content becomes accessible to anyone with the URL. This includes all span data, inputs, outputs, and timing information in that trace. You control visibility and can unpublish at any time. We recommend reviewing tape content before sharing to ensure no sensitive data is exposed.

8. Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you have the right to:

• Access — Request a copy of all data we hold about you
• Rectification — Correct inaccurate personal information
• Deletion — Request permanent deletion of your account and all associated data
• Portability — Export your data in a machine-readable format (JSON)
• Restriction — Request we limit processing of your data
• Objection — Object to processing based on legitimate interests
• Opt-out of sale — We do not sell data, but you may exercise this right under CCPA

To exercise any of these rights, contact hello@yashbogam.me. We will respond within 30 days.

9. Cookies and Tracking

We use only essential cookies required for authentication (Clerk session cookies). We do not use analytics cookies, advertising trackers, or third-party tracking pixels. We do not participate in cross-site tracking or behavioral advertising.

10. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover we have collected data from a minor, we will delete it immediately.

11. International Data Transfers

Your data may be processed in the United States (where our infrastructure providers operate). By using the Service, you consent to this transfer. For EU users, transfers are protected by Standard Contractual Clauses (SCCs) implemented by our service providers. Enterprise customers may request data residency in specific regions.

12. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours of discovery, as required by GDPR. We will also notify relevant supervisory authorities where required by law.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

14. Contact Us

For privacy-related questions, data requests, or concerns: