Legal
Acceptable use policy
What you must not do with TrueClara, and how we respond when the rules are broken.
Summary
TrueClara is built to monitor Next.js applications without re-identifying their end users. This Acceptable Use Policy describes the small set of things you must not do with the dashboard, the runtime SDK, the parser, deploy metadata integrations, and the ingestion API. It applies to every workspace, including the free tier, and it supplements the Terms of Service.
If you violate this policy, we may suspend or close your account, with notice where the situation allows.
1. Do not put sensitive data in monitored URL paths
The runtime SDK records the path of every request your application receives. You must not place the following in URL path segments, query strings, or fragments that TrueClara observes:
- Government identifiers (national IDs, social security numbers, tax IDs, passport numbers, driver's license numbers).
- Payment card numbers, bank account numbers, or routing numbers.
- Account credentials, password reset tokens, or session tokens.
- Protected health information (PHI) regulated by HIPAA or comparable statutes.
- Special-category personal data under GDPR Article 9 (race, ethnicity, religion, political views, trade union membership, genetic data, biometric data, health data, sex life, sexual orientation).
If a route requires any of the above, exclude it from monitoring or strip the identifier before the request reaches the SDK.
2. Do not attempt to re-identify end users
The cookieless behavioral telemetry produced by the runtime SDK uses a daily salted session hash and minimal request metadata. Do not:
- Attempt to reverse the daily salt rotation.
- Combine TrueClara telemetry with external identifier sources to reconstruct stable end-user identity.
- Submit personal identifiers as custom fields in the static graph or deploy metadata.
3. Do not abuse the ingestion API
Do not:
- Send synthetic, fabricated, or replayed events designed to manipulate observation detection.
- Exceed your plan's rate limits by sharding traffic across keys you do not own.
- Reuse an ingestion key across customer applications you do not control.
- Probe, fuzz, or attempt to bypass the ingestion API outside of your own workspace and a coordinated disclosure window.
4. Do not misuse the dashboard or the SDK
Do not:
- Reverse-engineer, copy, or rebuild the proprietary parts of the product. The SDK, parser, install CLI, and uninstall CLI are Apache 2.0; the dashboard and ingestion service are not.
- Bypass billing, plan caps, or workspace access controls.
- Spam workspace invitations, notification destinations, or webhook receivers through TrueClara.
- Use TrueClara to monitor an application you do not have authorization to instrument.
- Use TrueClara to build a competing behavioral observability product.
- Attack our systems. Testing inside your own workspace and against your own monitored application is fine and encouraged.
5. Do not break the law or other people's rights
Do not use TrueClara to violate applicable law, infringe intellectual property, defame, harass, threaten, or facilitate illegal activity. Do not use TrueClara from a country under comprehensive U.S., EU, UK, UN, or Korean sanctions.
6. Reporting and enforcement
If you believe a TrueClara workspace is being used to violate this policy, email security@trueclara.com.
When we receive a credible report, or detect a violation through our own monitoring, we may:
- Contact the workspace owner and require remediation within a stated period.
- Suspend ingestion for the affected project.
- Suspend or close the entire workspace.
- Cooperate with law enforcement where legally required.
We will give notice and a chance to remediate where the situation allows. Active attacks on our systems and clear-cut illegal activity are exceptions.
7. Changes
We may update this policy. We will post the updated version here and let you know about material changes by email. If you keep using TrueClara, you accept the new version.
Contact
Security and abuse reports: security@trueclara.com
General legal questions: privacy@trueclara.com

