Privacy Policy
Last updated: May 14, 2026
This policy describes how Tracelight ("we", "us") collects, uses, and protects information when you use our investigative intelligence platform.
1. Data we collect
- Account data — name, work email, workspace name, role.
- Billing data — handled by Stripe; we store only customer IDs and plan tier.
- Investigation data — subjects you create, evidence ingested, reports generated, monitor configurations.
- Operational data — IP address, user-agent, audit logs of admin actions (workspace-scoped).
2. Data we do NOT collect
- We do not sell or share investigation data with third parties.
- We do not run advertising trackers across the dashboard.
- We do not retain raw page content from OSINT lookups beyond the retention window you configure (default 90 days).
3. How investigation data is stored
All evidence, subjects, and reports are stored in Supabase (PostgreSQL, US region) with Row-Level Security enforced per workspace. Data at rest is encrypted via AES-256. Data in transit uses TLS 1.3.
4. Retention & deletion
You can configure per-subject retention windows. When a subject reaches its scheduled purge date, all related evidence, reports, monitors, and alerts are hard-deleted via foreign-key (FK) cascade. We do not retain backups beyond 30 days.
5. FCRA & GDPR posture
Tracelight is FCRA-aware: consent capture is required for any subject before generating a court-defensible report. For GDPR data-subject access requests (DSARs), data can be exported per subject in JSON. Contact privacy@trytracelight.com.
6. Subprocessors
- Supabase (database + auth, US)
- Stripe (billing)
- Anthropic (AI analysis; Claude API does not retain Tracelight prompts)
- Resend (transactional email)
- Vercel (hosting)
7. Contact
Questions or DSAR requests: privacy@trytracelight.com.
