Legal
Privacy policy
How TrueClara collects, uses, retains, and protects information across the marketing site, the dashboard, and the runtime SDK that monitors customer Next.js applications.
Summary
TrueClara is behavioral observability for Next.js apps. We collect what we need to detect broken URLs, route regressions, and edge regressions in customer applications, and nothing more. We do not sell personal data. We do not use it to train AI. We host in the United States. The third parties that materially participate in delivering the service are listed at trueclara.com/legal/subprocessors. To exercise privacy rights, email privacy@trueclara.com. The privacy lead at TrueClara is Jake Kim, founder and CEO.
1. Who we are
TrueClara is operated by The Plain Works Co., Ltd. (주식회사 더플레인웍스), a Korean company. This Privacy Policy describes how we handle personal information for visitors to our marketing site, signed-up customers of the TrueClara dashboard, and end users of the customer Next.js applications that the runtime SDK monitors.
When we process telemetry produced by an end user of a customer's Next.js application, the customer is the controller and TrueClara is the processor. Our Data Processing Agreement governs that processing and overrides this Privacy Policy where they conflict.
2. What we collect
When you sign up for the dashboard, we collect your name, email, profile image (if you provide one), authentication data (password hashes, session tokens), and the names of your workspaces and projects. Paddle handles your payment details — we only see the country, plan, transaction reference, and last four of your card.
When you use the dashboard, we automatically collect your IP address, browser and device info, what pages you visited, what features you used, error events, and performance metrics.
When the TrueClara runtime SDK monitors a customer's Next.js application, it produces cookieless aggregate telemetry by default: route path, referrer path, load duration, timestamp, and deploy attribution. The SDK does not set cookies and does not write localStorage in any consent state. Aggregate mode does not store tab IDs or client-persisted identifiers. After analytics consent, the SDK adds tab identity in memory, stores the analytics override in sessionStorage, and the ingestion edge may derive a daily salted session hash that resets every 24 hours.
When the build-time parser extracts a route graph from a customer application, it uploads the static graph (route patterns, layout boundaries, value-route declarations) to the ingestion API. No end-user data is included in the static graph.
When a deploy is attributed through the deploy API or beta CI integration, we receive the commit SHA, branch, deploy target, and deploy URL.
When you contact us, we keep the messages.
When you sign up for product announcements, we keep your email and a record of your opt-in. Unsubscribe via the link in every email.
Cookies: the runtime SDK sets none. The TrueClara dashboard uses a small set of authentication and security cookies, listed in Section 9. We do not run advertising cookies, retargeting, fingerprinting, or third-party trackers.
3. What we do with it
We use information to provide and operate TrueClara, detect regressions in monitored Next.js applications, attribute observations to specific deploys, bill you (through Paddle), communicate with you, send marketing where you have opted in or where the law allows, improve and secure the product, comply with legal obligations, and defend ourselves in disputes. For EEA, UK, and Swiss users, the GDPR Article 6 lawful bases we rely on are contract performance, legitimate interests, consent where required, and legal obligation.
We do not sell personal data. We do not use it to train AI. We do not share it with advertisers.
4. Our role
We are the controller for your dashboard account info, how you use the dashboard, your communications with us, and our marketing.
We are a processor for the runtime telemetry, deploy metadata, and route graphs we receive from a customer's Next.js application — that data is governed by our DPA.
Paddle acts as an independent controller for the billing data it collects when handling your payments. Their privacy notice is at paddle.com/legal/privacy.
5. Public observation pages
If a workspace member shares a public observation link, the contents of that observation become accessible at a URL we generate. Anyone with the link can see it. We strongly recommend not enabling public sharing on observations whose route paths or session hashes could be sensitive.
6. Who we share with
We share personal data only with:
- Subprocessors — third parties that help us run TrueClara, listed at trueclara.com/legal/subprocessors. Each one is bound by a written contract that limits what they can do with the data.
- Paddle, our merchant of record, for billing.
- Authorities, when we are legally required (court order, regulator, law enforcement). We will tell you if we are legally allowed to.
- A successor if we get acquired or reorganized — we will let you know first.
- Anyone else you tell us to share with.
We do not sell, rent, or trade personal data.
7. Where the data lives
TrueClara runs on Vercel and Supabase in the United States. The analytics warehouse runs on Tinybird in the United States. Edge infrastructure (Vercel, Cloudflare) operates globally. Some subprocessors are in other countries, listed on the Subprocessors page.
For people in the EEA, UK, or Switzerland: when we transfer data outside those regions, we rely on the EU Standard Contractual Clauses, the UK Addendum, and equivalent Swiss safeguards. The DPA spells this out. Email legal@trueclara.com for a copy.
For people in Korea: we transfer your data to the United States and other places where our subprocessors operate, with the safeguards described above.
8. Cookieless behavioral monitoring
Behavioral monitoring of customer Next.js applications is designed to work without cookies and without persistent end-user identifiers. Aggregate mode records route and edge counters without session reconstruction. Analytics mode uses a daily salted session hash, route paths, coarse user-agent family, and deploy attribution. The salt rotates daily, which means older analytics telemetry cannot be linked back to a specific end user. A data-subject deletion request can purge events still linkable to a supplied session hash within the current 24-hour window; older data is already de-linked from that end user.
9. Cookies on the dashboard
The dashboard uses a small set:
- Authentication tokens (Supabase) — required to log you in.
- UI preferences (browser localStorage) — remembers your theme and layout.
- PostHog product analytics (browser localStorage) — pseudonymous analytics on the TrueClara dashboard only. We do not run PostHog on customer Next.js applications.
- Cloudflare bot management (__cf_bm) — security, set automatically on some requests.
- Sentry diagnostics — error and performance debugging when enabled.
No advertising cookies. No retargeting. No fingerprinting. No third-party trackers.
We honor the Global Privacy Control (GPC) signal — we treat it as opt-out of analytics and as a "do not sell or share" signal under CCPA.
10. How long we keep things
- Account info: as long as your account is active, plus up to 90 days after deletion to allow recovery.
- Dashboard usage data: as long as we need it for the purposes in Section 3, typically not more than 24 months.
- Customer telemetry (events, observations, deploys, route graphs): retained according to the customer's plan tier. Aggregates may be retained longer for service history and trend reporting.
- Support and communications: typically up to 36 months after your last interaction.
- Billing records: as long as Korean tax and accounting law requires (typically 5 to 10 years).
When the period is up, we delete or anonymize. Aggregated, anonymized data we may keep indefinitely.
11. Security
We use TLS 1.2 or higher in transit, encryption at rest via Supabase, multi-factor authentication for our admin access, and Cloudflare for edge protection. We are a small team with least-privilege access controls.
No system is fully secure. If something goes wrong, we will tell affected customers without undue delay and cooperate with their notification obligations under the DPA.
12. Your rights
You can ask us to show you, correct, delete, restrict, or export your personal information, or to stop processing it. EEA, UK, Swiss, and Korean residents have rights under GDPR, UK GDPR, Swiss FADP, and PIPA respectively. California residents have CCPA rights — we do not sell or share personal data, and we honor "do not sell or share" requests. If your data is in TrueClara because one of our customers' applications produced it, we will route your request to that customer (we are the processor, they are the controller).
To exercise any right, email privacy@trueclara.com. GDPR rights include Article 15 access, Article 17 erasure, Article 18 restriction, and Article 20 portability. We will respond within the time the law requires (roughly 30 days for GDPR, 45 for CCPA, 10 for PIPA).
13. Children
TrueClara is for businesses run by adults (18+). We do not knowingly collect personal information from anyone under 16. If you think we have, email legal@trueclara.com and we will delete it.
14. Korean PIPA notices
We are subject to Korean PIPA. Specific PIPA disclosures:
- Personal Information Protection Manager (개인정보 보호책임자): Jake Kim, Founder and CEO. Contact: privacy@trueclara.com.
- What we collect, why, and for how long: Sections 2, 3, and 10.
- Cross-border transfers: Section 7.
- Right to complain: in addition to contacting us, Korean residents can contact the Personal Information Protection Commission (privacy.go.kr) or the KISA Personal Information Infringement Report Center (privacy.kisa.or.kr, tel 118).
15. EEA, UK, Switzerland
Our primary contact for privacy matters in those regions is Jake Kim, founder and CEO, at privacy@trueclara.com. If we are ever required to formally appoint a representative under GDPR Article 27 or UK GDPR Article 27, we will name them on this page.
16. Changes
We may update this Privacy Policy. We will post the updated version here and let you know about material changes by email at least 30 days before they take effect, except where the law requires faster.
17. Contact
The Plain Works Co., Ltd. (주식회사 더플레인웍스)
Personal Information Protection Manager: Jake Kim, Founder and CEO
General and billing: hello@trueclara.com
Privacy, legal, and security: privacy@trueclara.com
trueclara.com

