Legal
Acceptable Use Policy
What you must not do with TrueClara, and how we respond when the rules are broken.
Last updated: June 1, 2026
Summary
Use TrueClara only for applications you are authorized to monitor. Do not put sensitive data or secrets in monitored URL paths, mobile funnel nodes, revenue/funnel events, or metadata. Do not try to re-identify end users from cookieless or pseudonymous telemetry. Do not attack the Service, bypass limits, or use TrueClara to break the law.
This policy supplements the Terms of Service. If this policy conflicts with the Terms, the Terms control.
1. Scope
This Acceptable Use Policy applies to all use of TrueClara, including:
- the dashboard;
- runtime SDK;
- mobile SDK;
- build-time parser;
- install and uninstall tools;
- ingestion API;
- deploy API;
- CI workflows;
- public observation links;
- notifications; and
- free-tier, paid, and enterprise workspaces.
2. Do not put sensitive data in monitored paths or metadata
TrueClara may process route paths, referrer paths, query strings if configured, mobile funnel nodes, revenue/funnel events, user_ref values, deploy metadata, notification content, webhook payloads, and public observation content. You must not submit or expose the following through TrueClara unless we have separately agreed in writing and appropriate safeguards are in place:
- government identifiers, tax IDs, passport numbers, driver’s license numbers, or national IDs;
- payment card numbers, bank account numbers, routing numbers, wallet keys, or financial account credentials;
- passwords, password reset tokens, API tokens, session tokens, OAuth tokens, private keys, or secrets;
- protected health information or medical records;
- special-category personal data under GDPR Article 9, including data about race, ethnicity, religion, political opinions, trade union membership, genetic data, biometric data, health, sex life, or sexual orientation;
- precise geolocation;
- data about children;
- confidential third-party information that you are not authorized to process; or
- content that violates law or third-party rights.
Exclude sensitive routes and mobile nodes from monitoring or strip sensitive values before they reach the SDK, ingestion API, revenue-event API, or notification destinations.
3. Do not attempt to re-identify end users
TrueClara’s telemetry is designed to minimize stable identifiers. You must not:
- attempt to reverse, reconstruct, or defeat daily salt rotation;
- combine TrueClara telemetry with external datasets to identify end users unless you have a lawful basis and the feature is expressly intended for that purpose;
- submit personal identifiers as custom fields, route labels, deploy metadata, or notification content where they are not needed;
- use TrueClara telemetry for cross-context behavioral advertising; or
- use TrueClara to create user profiles unrelated to observing application regressions.
4. Do not abuse the ingestion API or plan limits
Do not:
- send fabricated, replayed, or synthetic events designed to manipulate observations, limits, or metrics;
- exceed rate limits by sharding across accounts, projects, or keys;
- reuse ingestion keys across applications or customer environments you do not control;
- flood the Service with malformed payloads;
- bypass billing, usage limits, authentication, authorization, or retention controls;
- create multiple free accounts to avoid limits; or
- use automation to create artificial usage or stress the Service outside an approved test.
5. Do not misuse revenue/funnel events or mobile telemetry
Do not:
- submit manual revenue or funnel events unless you are authorized to process and transmit that data;
- submit directly identifying personal data in user_ref, device references, authenticated references, product identifiers, funnel-node names, or event attributes unless we have separately agreed in writing;
- submit payment card numbers, bank details, app-store credentials, purchase tokens, or payment instrument data through the SDK or revenue-event API;
- use the mobile SDK for cross-app tracking, advertising, or profiling unrelated to observing application regressions;
- deploy the mobile SDK without required end-user notices, consents, app-store privacy labels, or Google Play Data Safety disclosures; or
- use the SDK to collect data beyond the documented funnel/navigation and delivery-reliability scope.
6. Do not misuse the dashboard, SDK, parser, or proprietary systems
Do not:
- reverse engineer, copy, scrape, or rebuild proprietary parts of the hosted Service except as applicable law allows;
- use non-public Service functionality to build a competing revenue-regression detection product;
- interfere with other customers’ access to the Service;
- upload malware or destructive code;
- scan, probe, or test our systems without authorization, except for good-faith vulnerability research conducted under Section 10;
- remove attribution, notices, or license terms from open-source packages where required by their licenses; or
- imply endorsement by TrueClara without permission.
Open-source components are governed by their published licenses. This policy does not reduce rights granted under those licenses.
7. Do not break the law or third-party rights
Do not use TrueClara to:
- violate privacy, consumer-protection, export-control, sanctions, intellectual-property, or cybersecurity laws;
- infringe copyrights, trademarks, trade secrets, privacy rights, or publicity rights;
- harass, threaten, defame, or harm people;
- facilitate fraud, phishing, malware, credential theft, or unauthorized access;
- process or publish illegal content;
- monitor applications you do not own, control, or have authorization to instrument; or
- use the Service from a country or by a person subject to comprehensive U.S., EU, UK, UN, Korean, or other applicable sanctions.
8. Public observation links
If you enable or share public observation links, you are responsible for what appears on those pages. Do not publish:
- secrets or credentials;
- sensitive personal data;
- confidential business information without authorization;
- third-party copyrighted or proprietary material without rights;
- illegal content; or
- content that could mislead viewers about ownership, authorization, or source.
Reports about public observation links may be submitted under the Content Reporting and Takedown Policy.
9. Notification destinations and integrations
Do not use email, Slack, webhook, GitHub, or other integrations to send spam, harassment, malware, illegal content, or data that violates this policy. You are responsible for configuring destinations securely and ensuring recipients are authorized to receive the content.
10. Good-faith security research
We welcome responsible vulnerability reports. To stay within this policy:
- test only accounts, projects, and applications you control;
- do not access, modify, delete, or exfiltrate other customers’ data;
- do not degrade or disrupt the Service;
- do not publicly disclose vulnerabilities before we have had a reasonable opportunity to fix them;
- report findings to security@trueclara.com.
Good-faith research that follows this section will not trigger enforcement under this policy.
11. Enforcement
If we believe you violated this policy, we may:
- warn you;
- require remediation;
- disable an integration, key, public link, or project;
- suspend ingestion;
- suspend or terminate your workspace;
- remove or restrict content;
- preserve evidence;
- notify affected parties or authorities where required; or
- take other action allowed under the Terms or law.
We usually provide notice and an opportunity to fix curable issues. We may act immediately for urgent security risk, active abuse, illegal content, sanctions risk, or harm to others.
12. Changes
We may update this policy. We will provide at least 30 days’ notice for material changes where practical, except where faster changes are needed for security, legal compliance, abuse prevention, or platform requirements.
13. Contact
Security and abuse reports: security@trueclara.com
Legal questions: legal@trueclara.com
Privacy questions: privacy@trueclara.com
trueclara.com