Privacy Policy

Last updated: May 10, 2026

Summary

TrueClara collects information needed to operate behavioral observability for Next.js applications. The runtime SDK is designed to be cookieless and minimally identifying. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use Customer Content or Customer Personal Data to train AI models. Subprocessors are listed at trueclara.com/legal/subprocessors. To exercise privacy rights, email privacy@trueclara.com.

This summary is for convenience only. The sections below are the legally binding policy.

1. Who we are

TrueClara is operated by The Plain Works Co., Ltd. (주식회사 더플레인웍스), a Korean company.

This Privacy Policy explains how we handle personal information for:

• visitors to trueclara.com;
• users of the TrueClara dashboard;
• workspace members;
• people who contact us;
• customers who buy paid plans; and
• end users of customer Next.js applications monitored by the TrueClara runtime SDK, where their data is included in telemetry.

When we process telemetry, route graphs, deploy metadata, notification settings, or related data on behalf of a customer, the customer is the controller and we are the processor. Our Data Processing Agreement governs that processing and overrides this Privacy Policy if there is a conflict.

2. Roles

We act as a controller for Account Data, billing relationship data, marketing data, dashboard usage data, support communications, security logs, and our own business operations.

We act as a processor for Customer Personal Data submitted to or generated through the Service on a customer’s behalf, including runtime telemetry from monitored applications where that telemetry contains personal data.

Paddle acts as an independent controller for buyer, payment, tax, and transaction data it collects as merchant of record. Paddle’s own privacy notice applies to that payment transaction.

3. Information we collect

Account Data

When you create an account or join a workspace, we collect information such as name, email address, profile image if provided, authentication identifiers, workspace names, project names, roles, seat assignments, and login/session metadata.

We do not store complete payment card numbers or bank details.

Dashboard usage and device data

When you use the website or dashboard, we may collect IP address, browser type, device type, operating system, pages visited, features used, timestamps, referral pages, error events, performance metrics, and security-relevant logs.

Customer Content and project data

Customers may submit or configure project names, workspace settings, API keys, route graph data, route patterns, layout boundaries, value-route declarations, deploy metadata, notification destinations, webhook URLs, observation notes, and exported files.

Runtime SDK telemetry

When the TrueClara runtime SDK monitors a customer Next.js application, it may produce telemetry such as:

• route path;
• referrer path;
• timestamp;
• response or load duration;
• deploy attribution;
• project and environment identifiers;
• observation type;
• coarse user-agent family, if analytics mode is enabled; and
• daily salted session hash, if analytics mode is enabled.

The runtime SDK is designed not to set cookies and not to write localStorage. In aggregate mode, it does not store tab IDs or client-persisted identifiers. If analytics mode is enabled after appropriate opt-in, the SDK may store an analytics override in sessionStorage and the ingestion edge may derive a daily salted session hash that resets every 24 hours.

Static route graph

When the build-time parser extracts a route graph, it uploads route patterns, layout boundaries, value-route declarations, and related build metadata. The static graph is not intended to include end-user personal data.

Deploy metadata

When deploy attribution is configured, we may receive commit SHA, branch, deploy target, deploy URL, CI workflow metadata, and similar technical identifiers. You are responsible for ensuring deploy metadata does not contain secrets or sensitive personal data.

Notification data

If you configure Slack, email, webhook, or other notifications, we process the destination address, webhook endpoint, workspace/project identifiers, observation details, and message content needed to deliver the notification.

Public observation links

If you share a public observation link, the content shown on that page may be visible to anyone with access to the link and may include route paths, observation details, deploy metadata, project names, or other Customer Content.

Payment data

If you purchase a paid plan through Paddle, Paddle collects buyer, billing, tax, payment, and transaction information. We receive limited transaction metadata such as customer identifier, subscription status, plan, amount, currency, tax jurisdiction, invoice or transaction ID, and refund/chargeback status.

Communications

If you contact us, subscribe to updates, report abuse, request support, or submit a security report, we process the information you provide and related metadata.

4. Information we do not intentionally collect

TrueClara is not designed to collect:

• government identifiers;
• payment card numbers or bank account numbers in telemetry;
• account credentials, password reset tokens, or session tokens in monitored paths;
• protected health information;
• special-category personal data under GDPR Article 9;
• precise geolocation;
• biometric identifiers; or
• data from children.

Customers must not put these categories in monitored URL paths, query strings, fragments, deploy metadata, notification payloads, webhook payloads, public observation links, or Customer Content unless there is a separate written agreement and appropriate safeguards.

5. How we use information

We use information to:

• provide, operate, secure, and support the Service;
• authenticate users and manage workspaces;
• ingest telemetry, route graphs, and deploy metadata;
• detect broken URLs, route regressions, edge regressions, and related observations;
• display dashboards, retention windows, exports, and public observation links;
• deliver notifications and transactional emails;
• process billing through Paddle;
• enforce plan limits, rate limits, and acceptable-use rules;
• prevent fraud, abuse, security incidents, and misuse;
• debug errors and improve reliability;
• analyze dashboard usage and product performance;
• communicate about service updates, security notices, support, and administrative matters;
• send marketing only where permitted by law or consented to;
• comply with legal, tax, accounting, and regulatory obligations; and
• establish, exercise, and defend legal claims.

For EEA, UK, and Swiss users, our lawful bases may include contract performance, legitimate interests, consent, legal obligation, and, where applicable, processing on behalf of a customer under that customer’s lawful basis.

6. Product analytics and improvement

We may use Account Data, dashboard usage data, and de-identified or aggregated Service Data to understand product usage, improve reliability, identify broken workflows, and develop the Service.

We do not use Customer Personal Data or Customer Content to train AI models. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

7. Cookies and similar technologies

The runtime SDK is designed not to set cookies and not to write localStorage.

The TrueClara website and dashboard use cookies and similar technologies for authentication, security, preferences, product analytics, and error diagnostics. Details are in the Cookie Policy.

We honor Global Privacy Control (GPC) signals where required by applicable law. We do not respond to browser “Do Not Track” signals because there is no consistent legal standard for them.

8. How we share information

We share information with:

• subprocessors that help us host, store, secure, monitor, email, cache, and analyze the Service;
• Paddle, our merchant of record, for billing and payment transactions;
• customer-selected integrations such as Slack, GitHub, or webhook receivers when you configure them;
• professional advisers such as lawyers, accountants, auditors, and insurers;
• authorities where required by law, legal process, or valid government request;
• successors in connection with a merger, acquisition, financing, reorganization, or sale of assets; and
• others at your direction or with your consent.

The current subprocessor and provider list is maintained at trueclara.com/legal/subprocessors.

9. International transfers

We are based in Korea. The Service uses infrastructure and providers in Korea, the United States, the European Union, and other locations listed on the Subprocessors page.

For transfers from the EEA or UK to Korea, we rely on adequacy decisions where they apply. For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on safeguards such as the EU Standard Contractual Clauses, the UK Addendum or IDTA, Swiss adaptations, data processing agreements, transfer assessments, and technical and organizational measures. The DPA explains transfer terms for Customer Personal Data.

10. Retention

We retain information only as long as needed for the purposes described in this Privacy Policy, unless a longer period is required by law.

Data category	Typical retention
Account Data	While the account is active, then up to 90 days for recovery, security, and administration unless deletion is required sooner
Customer telemetry, observations, route graphs, and deploy metadata	According to the customer’s plan retention window and subscription term, plus the export/deletion period described in the Terms and DPA
Public observation links	Until disabled, deleted, expired, or otherwise removed by the customer or by us under the Terms
Dashboard usage analytics	Up to 24 months, then deleted or aggregated
Server and security logs	Typically up to 90 days, longer if needed for security, fraud, abuse, or legal investigation
Support communications	Up to 36 months after the last interaction, unless needed longer for legal or business records
Billing and tax records	As required by Paddle and applicable tax/accounting law; our own transaction records are typically retained for up to 7 years
Backups	Typically purged within 35 days after underlying deletion, unless legal holds apply

Aggregated or de-identified data may be retained indefinitely if it cannot reasonably identify you, your customers, or any individual.

11. Your privacy rights

Depending on your location, you may have rights to access, correct, delete, export, restrict, object to, or withdraw consent for processing of personal information.

To exercise rights for information we control, email privacy@trueclara.com. We may ask you to verify your identity.

If your request relates to Customer Personal Data that we process on behalf of a customer, we will direct the request to that customer or assist the customer as required by the DPA.

We will not discriminate against you for exercising privacy rights.

12. EEA, UK, and Switzerland

If you are in the EEA, UK, or Switzerland, you may have GDPR, UK GDPR, or Swiss FADP rights. You may also lodge a complaint with your local data protection authority.

Our primary privacy contact is privacy@trueclara.com. If we are required to appoint a representative under GDPR Article 27 or UK GDPR Article 27, we will identify that representative on this page.

13. California and other U.S. state privacy notices

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We honor legally recognized opt-out preference signals, including Global Privacy Control, where required.

For California residents, the categories of personal information we may collect include identifiers, internet or network activity, commercial information, professional or employment-related information if you provide it, and inferences from dashboard usage. We collect these categories for the purposes described in Section 5 and disclose them to the categories of recipients described in Section 8.

We do not knowingly collect, sell, or share personal information of minors.

14. Korean PIPA notices

We are subject to Korean personal information protection requirements.

• Personal Information Protection Manager (개인정보 보호책임자): Jake Kim (김진용)
• Contact: privacy@trueclara.com
• Collected items, purposes, and retention: Sections 3, 5, and 10
• Cross-border processing and transfers: Sections 8 and 9 and the Subprocessors page
• Data subject rights: Section 11

Korean residents may also contact the Personal Information Protection Commission or the KISA Personal Information Infringement Report Center. If a breach affects Korean data subjects and notification/reporting is required, we will notify affected parties and/or report to the competent authority within the legally required timeframe.

15. Security

We use technical and organizational measures designed to protect information, including encryption in transit, encryption at rest through infrastructure providers, access controls, multi-factor authentication for administrative systems, logging, monitoring, vulnerability management, backup practices, and incident response procedures.

No system is perfectly secure. If you discover a vulnerability, email security@trueclara.com.

16. Children

The Service is intended for business use by adults. We do not knowingly collect personal information from children under 16, and the Service is not intended for users under 18. If you believe a child has provided personal information to us, contact privacy@trueclara.com.

17. Changes

We may update this Privacy Policy. We will provide at least 30 days’ notice of material changes by email, in-product notice, or prominent website notice, except where law, security, or operational requirements require a faster change.

18. Contact

The Plain Works Co., Ltd. (주식회사 더플레인웍스)

Privacy: privacy@trueclara.com Legal: legal@trueclara.com General and billing: hello@trueclara.com Security: security@trueclara.com

trueclara.com