Last updated: June 9, 2026
Retrace ("we", "us", "our"), operated by Yash Bogam, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our execution replay engine for AI agents, including our website, dashboard, SDKs, CLI, API, and related services. By creating an account, signing in, or using the Service, you acknowledge this Privacy Policy.
When you create an account via Clerk (our authentication provider), we receive: name, email address, profile picture, and authentication identifiers. We do not store passwords — authentication is handled entirely by Clerk.
When you use our SDKs to record agent executions, we collect: function inputs and outputs, LLM prompts and responses, tool call parameters and results, error messages and stack traces, timing data (start time, end time, duration), token counts and cost calculations, model names and provider information. This data is submitted by your code via our SDK — we only collect what your instrumented functions produce. This content is stored (not only as embeddings) so we can display, search, and replay your traces.
We automatically collect: number of traces, spans, tapes, and forks created; API request counts for rate limiting; subscription plan and billing status; IP addresses for rate limiting (not stored long-term).
Payment processing is handled by Dodo Payments. We do not store credit card numbers, CVVs, or full payment details. We receive only: subscription status, plan type, and transaction history references.
We generate vector embeddings from your trace data using a Google embedding model (gemini-embedding-001) to power semantic search. Embeddings are numerical representations stored alongside the underlying text; the original text you submit is also stored so we can display and replay your traces. Embeddings reduce, but do not eliminate, the ability to relate content.
To provide detection, the AI assistant, replay analysis, and related features, we transmit relevant trace content (such as prompts, responses, tool calls, and errors) to Google (the Gemini API) for processing. We use a Google API tier that does not use your inputs to train Google's models. We send only what is needed to deliver the feature you are using.
With your consent, we collect privacy-preserving, anonymous usage analytics to understand which features are most valuable and to improve Retrace. This is strictly limited to a random, browser-generated identifier that is not linked to your name, email, or account, together with the pages and features visited and the time of visit. It never includes trace content, prompts, responses, tool calls, or any personal information.
We ask for your choice through a cookie banner on first visit. Selecting "Reject non-essential" disables all analytics collection; only the strictly necessary cookies required to sign in and operate the Service are used. Selecting "Agree" enables the anonymous analytics described above. Your preference is stored in a first-party cookie so we do not ask again, and you may change it at any time by clearing the rt_consent cookie in your browser. We do not use third-party advertising or cross-site tracking cookies.
Your content is processed automatically to provide the Service — including detection, semantic search, replay analysis, and the AI assistant — which involves transmitting content to the subprocessors listed in Section 6.
We do NOT:
Database: Your data is stored in PostgreSQL with pgvector for embeddings. All connections use TLS encryption.
API Keys: Hashed with SHA-256 before storage. The plaintext key is shown only once at creation and never stored.
Encryption: All data is encrypted in transit (TLS 1.3). Data at rest is protected by the disk-level encryption provided by our hosting providers.
Infrastructure: Hosted on DigitalOcean (API and database, behind a Cloudflare tunnel) and Render (web). Tape snapshots are stored in DigitalOcean Spaces. Transactional email is sent via our email provider.
Access Control: All API endpoints require authentication via Clerk JWT or API key. Data is scoped to the authenticated user — you cannot access other users' traces.
| Plan | Retention Period |
|---|---|
| Free | 7 days |
| Pro | 90 days |
| Teams | 1 year |
| Enterprise | Configurable (up to unlimited) |
After the retention period, trace data is automatically and permanently deleted. Account data (email, name) is retained until account deletion. Rate limiting data (IP-based counters) expires after 60 seconds.
We share data only with the following service providers, solely to operate the Service:
We do not sell, rent, or trade your personal information. We may disclose data if required by law, court order, or to protect our rights and safety. We make a Data Processing Addendum (DPA) available to business and Enterprise customers on request.
When you publish a trace as a tape with "public" or "unlisted" visibility, the trace content becomes accessible to anyone with the URL. This includes all span data, inputs, outputs, and timing information in that trace. You control visibility and can unpublish at any time. We recommend reviewing tape content before sharing to ensure no sensitive data is exposed.
Depending on your jurisdiction, you have the right to:
To exercise any of these rights, contact hello@retraceai.tech. We will respond within 30 days. Where you upload data about third parties, you act as the data controller and we act as your processor; a DPA is available on request.
We use essential authentication cookies (Clerk) that are required for the Service to function. We also use a product-analytics tool (Amplitude), including session-replay sampling, to understand feature usage and improve the product. We do not use advertising trackers, sell behavioral data, or participate in cross-site advertising. If you are in the EU/UK, you may withhold consent to non-essential analytics; contact us at hello@retraceai.tech to opt out.
The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover we have collected data from a minor, we will delete it immediately.
Your data may be processed in the United States and other countries where our infrastructure and subprocessors operate. By using the Service, you consent to this transfer. For EU users, transfers are protected by Standard Contractual Clauses (SCCs) implemented by our service providers. Enterprise customers may request data residency in specific regions.
In the event of a data breach affecting your personal information, we will notify affected users and relevant supervisory authorities without undue delay, and within 72 hours of becoming aware where required by applicable law (such as GDPR).
We may update this Privacy Policy periodically. Material changes will be communicated via email at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
For privacy-related questions, data requests, or concerns:
Email: hello@retraceai.tech
Data Controller: Yash Bogam
Response Time: Within 30 days for all data subject requests