diff --git a/docs/privacy-policy.md b/docs/privacy-policy.md index 9d65b6c..f855140 100644 --- a/docs/privacy-policy.md +++ b/docs/privacy-policy.md 
@@ -1,280 +1,367 @@ -# Privacy Policy +# OpenTrace Privacy Statement -**OpenTrace** +Last updated: April 30, 2026 · Effective date: April 30, 2026 -**Effective Date:** February 6, 2026 +## 1. About this Privacy Statement -**Last Updated:** February 6, 2026 +This Privacy Statement explains how OpenTrace, Inc. ("OpenTrace," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal data in connection with our hosted code intelligence service, our website, the OpenTrace open-source tools when used in a manner that interacts with our infrastructure, and our related products and services (together, the "Service"). ---- +### 1.1 Who we are and how to contact us -## 1. Introduction +OpenTrace, Inc. is a Delaware corporation with its principal place of business at 14205 N Mo Pac Expy, Ste 570, PMB 640435, Austin, Texas 78728-6529, USA. For privacy questions, you can reach us at privacy@opentrace.com. -OpenTrace ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and services (collectively, the "Service"). +### 1.2 Our role under data protection law -By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service. +When we provide the Service to a business customer, that customer typically determines what personal data is processed through the Service and for what purpose. In those cases, the customer is the "controller" (or "business," in U.S. terminology) and OpenTrace is the "processor" (or "service provider"). The customer's own privacy notice governs how the personal data of its end users is handled within that customer's environment. 
---- +In addition to that processor role, OpenTrace acts as a controller for certain limited processing — for example, when we process information about visitors to our website, account administrators who interact with us directly, or when we process technical data to operate, secure, and improve the Service. This Privacy Statement describes our processing in that controller capacity. Where we act as a processor, our obligations are set out in our Data Processing Addendum. -## 2. Information We Collect +### 1.3 Scope -### 2.1 Information You Provide Directly +This Privacy Statement applies to: -When you create an account with OpenTrace, we collect the following personal information: +- visitors to opentrace.com and other OpenTrace-operated websites; -- Email address -- Full name -- Profile picture or avatar URL (if provided through authentication provider) -- Organization name and logo (if provided) +- individuals who sign up for or administer an OpenTrace account, on free plans and paid plans alike; -Additionally, when using the Service, you may provide: +- users authorized by an OpenTrace customer to access the Service ("Authorized Users"); -- Investigation titles and descriptions -- Chat and conversation messages -- Custom labels and tags -- Integration configuration names and descriptions -- Service account names and descriptions +- users of the OpenTrace open-source tools to the extent their use interacts with OpenTrace infrastructure (for example, when uploading derived artifacts to the Service); and -### 2.2 Information Collected Automatically +- individuals who contact OpenTrace, attend our events, or otherwise interact with us. 
-When you access the Service, we may automatically collect certain information, including: +This Statement does not apply to: -- Device and browser information -- IP address -- Usage data and interaction patterns -- Log data +- use of the OpenTrace open-source tools that is purely local and does not interact with OpenTrace infrastructure — that use is governed exclusively by the applicable open-source license; -### 2.3 Information from Third-Party Authentication +- third-party services we integrate with, even when accessed through the Service — those services are governed by their own privacy notices; or -If you choose to sign in using Google, we receive basic profile information (such as your name and email address) as authorized by your Google account settings. +- AI providers you connect to using your own API keys — your direct API call to and from those providers is governed by your agreement with the AI provider. Where prompts, responses, saved chat history, or related content are saved to or processed by the OpenTrace Service, OpenTrace treats that content as Customer Data under this Statement. -### 2.4 Customer-Connected Data Sources +## 2. How OpenTrace processes data -OpenTrace allows customers to connect external data sources, including GitHub, GitLab, Linear, Kubernetes, Slack, AWS, and observability platforms (such as Grafana, Datadog, and Jaeger). +Because OpenTrace can be used in several configurations, the data we process — and where it goes — depends on how you use the product. This Section walks through each configuration so you can see exactly what reaches us and what does not. -When you connect these services, OpenTrace stores **OAuth credentials and API tokens in encrypted form** and may access and process data from these platforms **solely to provide the Service**. 
+### 2.1 Local-only use of the open-source tools -This data may include: +When you use the OpenTrace open-source tools entirely on your own machine, without connecting to OpenTrace infrastructure, no source code, derived artifacts, query content, or output content reaches OpenTrace. The open-source tools read your codebase, build the knowledge graph and indexes locally, and store everything on your own machine. Embeddings used by the open-source tools are computed by an open-source embedding model running on your machine; no third-party AI provider is involved. -* Repository information and code metadata -* Commit history, author information, and profile pictures -* Code changes, file paths, and line numbers from diffs -* Pull request and merge request data -* Issue and ticket data, including comments and assignees -* CI/CD pipeline execution data -* Kubernetes cluster metadata and deployment information -* Slack workspace identifiers and message content **when explicitly referenced or authorized** +We may receive limited information from the open-source tools in two narrow cases: -* Observability data such as logs, metrics, and traces +- If the open-source tools include a web-based interface that connects to OpenTrace infrastructure for any reason (for example, account-linked features), the technical and usage data described in Section 3 may be collected during that connection. -This data **may contain personal identifiers** such as usernames, email addresses, or profile images. +- If you choose to install or upgrade the open-source tools through a delivery channel we operate, we may receive standard distribution telemetry such as version, platform, and download timestamps. -**Role Clarification** +### 2.2 Connected use of the hosted Service -OpenTrace processes customer-connected data **as a data processor acting on your instructions**. You remain the data controller for any personal data contained in connected systems. 
+When you use the hosted Service, some of your data is stored on OpenTrace infrastructure. The flows differ depending on configuration: ---- +**Locally-processed materials.** When you process source materials with the OpenTrace open-source tools on your own machine and upload the resulting derived artifacts (knowledge graph, indexes, embeddings) for a given repository, those derived artifacts are stored on OpenTrace infrastructure. The source materials themselves stay on your machine. -## 3. How We Use Your Information +**Integration-fetched data (Connected Data).** When you authorize the Service to connect to a third-party system and fetch data into the Service — for example, a code-repository integration that fetches source files, a Slack integration that fetches messages, a project-management integration that fetches tickets and comments, or an observability integration that fetches logs and metrics — the fetched content (Connected Data) is stored on OpenTrace infrastructure for the duration of your use and is accessible through the Service's API and interfaces. The Service produces derived artifacts from Connected Data on OpenTrace infrastructure; both are stored there. -**AI and Machine Learning** +In all hosted configurations: -OpenTrace uses artificial intelligence and machine learning models, including Google Vertex AI (Gemini models), to assist in analyzing investigation data and connected system context. 
-AI processing is used to: +- derived artifacts may include identifiers such as function names, variable names, file paths, dependency relationships, log patterns, and similar metadata, and OpenTrace treats them as Customer Confidential Information; -* Correlate signals across connected systems -* Generate hypotheses, summaries, and explanations -* Assist users in understanding system behavior +- derived artifacts are not intended to contain complete source files or complete underlying documents unless you expressly enable a feature that produces such inclusion. Depending on configuration, derived artifacts may contain identifiers, names, paths, dependency relationships, log patterns, terms, tokens, snippets, embeddings, or other representations derived from the underlying materials, and where the underlying material is itself the input being processed (for example, a Slack message ingested as Connected Data) the content of that material is held as Connected Data on Service infrastructure; -**Important AI Limitations and Safeguards**: +- OpenTrace does not transmit Customer Code, Connected Data, derived artifacts, or query content to any AI provider or other machine learning Subprocessor in standard operation, as further described in Section 4.1; and -* AI outputs are **informational and assistive only** -* Outputs may be inaccurate, incomplete, or misleading -* **Human review is required** before relying on AI outputs -* OpenTrace does **not** perform automated decision-making that produces legal or similarly significant effects +- account, billing, telemetry, and operational data described in Section 3 are also processed. -**Model Training Assurance** +### 2.3 Hybrid use -Customer data and personal information are **not used to train public or third-party AI models**. AI providers process data under contractual terms that prohibit retention or reuse of customer data for model training. 
+You may combine these configurations on a per-repository, per-project, or per-integration basis. For repositories or materials processed locally and not connected to the Service, the description in Section 2.1 applies. For repositories or integrations connected to the Service, the description in Section 2.2 applies. Account-level data is processed regardless of which repositories or integrations you connect. ---- +### 2.4 Connecting your own AI provider keys -## 4. Third-Party Service Providers +OpenTrace components that run in your own environment — including the OpenTrace command-line tools and the OpenTrace web interface running in your browser — include functionality that allows you to connect directly to AI providers (for example, to a large language model API) using your own API keys. When you use this configuration: -**Subprocessor Use** +- the network call to the AI provider is initiated from your machine or browser and does not pass through OpenTrace's server as a proxy; -We engage third-party service providers (“Subprocessors”) to support delivery of the Service. These providers process personal data **only on our instructions** and are contractually obligated to protect it. +- the AI provider is not engaged by OpenTrace as a Subprocessor; and -We maintain an up-to-date list of Subprocessors, including their purpose and data location, available upon request or via our Privacy Policy page. +- your relationship with the AI provider is governed by the AI provider's own terms and privacy policy, which you should review. -We may update Subprocessors from time to time and will provide notice where required by applicable law. +Responses received from the AI provider may be processed and stored by the Service in the ordinary course — for example, to render a chat response or to maintain saved chat history. Where stored on OpenTrace infrastructure, such content is treated as Customer Data with the same protections as other Customer Data. 
---- +Where you configure an API key in our open-source tools or in the OpenTrace web interface running in your browser for direct calls to an AI provider from your environment, the API key is stored only in your local environment (for example, in the open-source tool's local configuration or in your browser local storage) and is not transmitted to or stored on our server. Where you instead choose to provide an API key to the hosted Service for use by Service infrastructure (for example, in a bring-your-own-key configuration of server-side AI functionality), the API key is stored on OpenTrace infrastructure as Customer Data, encrypted at rest, and used only to make calls to the AI provider as you configure. -## 5. Cookies and Tracking Technologies +If OpenTrace introduces functionality in which the Service makes calls to an AI provider on your behalf from Service infrastructure — whether under OpenTrace's own contracts with the AI provider or using API keys you supply — the procedure in Section 4.1 applies (advance notice, description of the data flow, Subprocessor list update where applicable, no-training contractual protections, and opt-in consent). -OpenTrace uses the following technologies to enhance your experience: +### 2.5 Telemetry from our web interface -### 5.1 Cookies +Our web interface uses error monitoring and analytics tools to help us identify and fix problems. Specifically, we use Sentry to capture error reports and crash data, and we collect product usage and feature analytics. Error reports may incidentally include diagnostic context — such as the URL being accessed, the parameters of the failing request, the call stack of the error, and similar information. We have configured these tools to scrub common categories of sensitive content, but we cannot guarantee that no identifier or fragment of context originating from your use of the Service is ever captured in an error report. 
-Small text files stored on your device that help us recognize you and remember your preferences. +We do not intentionally transmit derived-artifact content, query content, or other Customer Data to error monitoring or analytics tools, and we do not use error monitoring data for purposes other than diagnosing, fixing, and improving the Service. (Session replay, which records the user's interaction with the web interface, is described separately in Section 2.6.) -### 5.2 Session IDs +### 2.6 Session replay -Temporary identifiers that maintain your session while you use the Service. +Our web interface uses Sentry session replay to diagnose errors, investigate user-reported issues, and improve service reliability. Session replay records interactions with the web interface, such as clicks, navigation, UI events, and limited technical metadata. Because replay captures what is rendered in the interface, it may incidentally include Customer Data visible on screen. We configure replay to mask text and input fields, exclude media elements, and filter sensitive headers and request and response bodies. We do not use session replay for advertising, profiling, or AI model training. -### 5.3 Local Storage +Session replay recordings are retained for no more than 30 days unless needed to investigate a specific support, reliability, or security issue. Session replay cannot be disabled by individual users while using the Service. Enterprise customers may request that session replay be disabled for their organization, and OpenTrace will support this through enterprise configuration or the applicable Order Form. -Browser-based storage used to save application state and preferences locally on your device. +## 3. Information we collect -### 5.4 Session Replay +We collect information in three ways: information you provide to us directly, information collected automatically when you use the Service, and information we receive from third parties. 
-We use session replay technology (via Sentry) to diagnose errors, improve service reliability, and investigate user-reported issues. Session replay may capture: +### 3.1 Categories of personal data we collect -* Screen interactions and navigation -* Clicks and UI events -* Network request metadata (with sensitive data filtered) +| | | | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | +| **Category** | **Examples** | **Purposes for which we use it** | +| Identity & contact data | Name, email address, employer, job title, country, password (stored hashed). | Account creation and administration; communication with you; security; legal compliance. | +| Account & usage data | Service plan, account settings, repositories connected, features used, frequency and patterns of use, query and output metadata. | Operating the Service; billing where applicable; security; product analytics; service improvement. | +| Customer Data stored in the Service | Derived Artifacts you upload from local processing (graph, indexes, embeddings) for each connected repository, and Connected Data the Service fetches from third-party integrations you authorize (which may include source code, configuration, messages, tickets, telemetry, and similar content depending on the integration). Both include identifiers such as function and variable names, paths, and similar metadata. 
| Operating the Service for you; responding to your queries; security and access control; meeting your contractual instructions. | +| Billing data | Billing contact, address, tax identifiers. Payment card data is collected and processed by our payment processor and is not stored by OpenTrace. | Processing payments; tax and accounting compliance; collections. | +| Device & connection data | IP address, device identifiers, operating system, browser type, language, timestamps, log data. | Operating and securing the Service; debugging; analytics. | +| Communications data | Content of support requests, sales inquiries, survey responses, feedback. | Responding to you; supporting the relationship; improving the Service. | +| Integration credentials | OAuth tokens, installation tokens, webhook secrets, and similar credentials authorizing the Service to access connected third-party systems on your behalf. Stored encrypted at rest. | Operating integrations; authentication and authorization; security and access control. | +| Marketing data | Event registrations, content preferences, marketing-list status. | Sending marketing communications where permitted by law and subject to your right to opt out. | -**Privacy Controls:** +### 3.2 Information from connected systems and third parties (Connected Data) -* Text content is masked by default -* Input fields are masked -* Media elements are excluded -* Sensitive headers and parameters are filtered +When you connect a third-party system to the Service — such as a code-hosting platform, project management tool, communication platform, observability platform, or identity provider — the Service receives information from that system as authorized by you. We refer to this fetched content as Connected Data. Depending on the integration and your configuration, Connected Data may include: -You cannot opt out of session replay while using the Service. 
-**Session replay is enabled only where necessary for service reliability and security.** -**Enterprise customers may request alternative arrangements, subject to technical feasibility.** +- source code, configuration, and other repository content from code-hosting platforms (where you have authorized the integration to fetch source contents); -### 5.5 Managing Your Preferences +- identity, authentication, and authorization information from your identity provider; -Most web browsers allow you to control cookies through their settings. However, disabling cookies may limit your ability to use certain features of the Service. +- workflow, ticket, document, comment, and message content from connected tools, to the extent you choose to connect them; ---- +- logs, metrics, traces, error reports, and similar telemetry from observability platforms. -## 6. Data Storage and Security +Connected Data is stored on OpenTrace infrastructure for the duration of your use, accessible to you through the Service's API and interfaces, and is treated with the same confidentiality, security, and retention commitments as other Customer Data. -### 6.1 Data Location +### 3.3 Personal data within source materials and Connected Data -Personal information is stored and processed using OpenTrace systems and approved Subprocessors. Data locations and residency details are described in our Privacy Policy and Subprocessor documentation and may change over time with appropriate safeguards. +Source code repositories and other source materials typically contain personal data — for example, author names and email addresses on commits, code review comments, identifiers in configuration files, references to individuals in documentation, names and identifiers in messages and tickets, and personal information in logs or telemetry. 
Whether your source materials reach OpenTrace as Connected Data fetched via an integration or only as derived artifacts produced from local processing, the data we hold may contain identifiers that relate to or identify natural persons. We treat all such embedded personal data with the same care as other Customer Data, and we process it only as needed to provide the Service. -### 6.2 Security Measures +## 4. How we use information -We implement appropriate technical measures to protect your personal information, including: +We use the information described above to: -- Encryption of data in transit using industry-standard protocols (TLS/SSL) -- Encryption of data at rest via Firebase/Firestore and Google Cloud Platform -- OAuth credentials and API tokens stored in encrypted Firestore collections using Google Cloud Key Management Service (KMS) -- Service account tokens stored as cryptographic hashes -- JWT-based authentication with token expiration -- Role-based access control (RBAC) for organizational data +- provide, operate, maintain, and secure the Service, including authenticating users, authorizing access, processing requests, and generating Outputs; -While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security. +- build and operate on the knowledge graph and indexes that the Service is designed to query; -### 6.3 Security Incident Notification +- communicate with you, including service announcements, security notifications, support responses, and administrative messages; -In the event of a confirmed personal data breach, OpenTrace will notify affected customers **without undue delay** and in accordance with applicable law. Notifications will include, where reasonably available, information about the nature of the incident and mitigation steps taken. 
+- monitor, troubleshoot, and improve the Service, including identifying and fixing bugs, analyzing performance, and developing new features; ---- +- protect the Service, our customers, and the public, including detecting and preventing fraud, abuse, and security incidents, and enforcing our Terms of Service; -## 7. Data Retention +- process payments and manage our commercial relationships, including invoicing, collections, and account management; -We retain personal information **only for as long as necessary** to provide the Service or as required by law. Retention periods may be configured at the organization level and include: +- send marketing communications about OpenTrace products and offerings, where permitted by law and subject to your right to opt out at any time; and -* Account data: retained until account deletion -* Investigation data: retained per organization configuration -* Integration credentials: deleted upon disconnection -* Audit and security logs: retained for limited periods for compliance +- comply with legal obligations, respond to lawful requests from public authorities, and establish, exercise, or defend legal claims. -Following account termination, data is deleted or anonymized within a reasonable timeframe unless retention is legally required. +### 4.1 What we do not do with your data ---- +To make our position completely clear: -## 8. Your Rights and Choices +- We do not sell your personal data. -Depending on your location, you may have the following rights regarding your personal information: +- We do not share your personal data for cross-context behavioral advertising. -### 8.1 All Users +- We do not use Customer Code, Connected Data, Derived Artifacts, Customer Data, or Outputs to train, fine-tune, or improve the weights of any foundation model or other generally-available machine learning model — neither our own nor any third party's, on free plans or paid plans alike. 
-- **Access:** Request a copy of your personal information -- **Correction:** Request correction of inaccurate information -- **Deletion:** Request deletion of your personal information -- **Data Portability:** Request your data in a portable format +- As of the date of this Statement, our server-side infrastructure does not transmit your data to any large language model provider, embedding model provider, or other machine learning service. Today, where the Service involves LLM functionality, the LLM call happens from your environment with an API key you control, and responses saved to OpenTrace infrastructure (for example, as chat history) are treated as Customer Data with the same protections. We plan to introduce functionality in which the Service will make LLM calls on your behalf from Service infrastructure — using either LLM providers we engage directly (as Subprocessors of OpenTrace) or your own API keys used by the Service. Before that applies to your configuration, we will provide advance notice, describe the functionality and data flow, update our Subprocessor list where applicable, require contractual no-training protections, and obtain your opt-in consent. -To exercise any of these rights, please contact us at support@opentrace.com. +## 5. 
Legal bases for processing (EEA, UK, and Switzerland) -### 8.2 European Economic Area (EEA) Residents +If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR (and its UK and Swiss equivalents): -If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR), including: +| | | +| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Legal basis** | **When we rely on it** | +| Performance of a contract | To provide the Service to you or to the customer that authorized your access, including to authenticate users, deliver requested features, and process payments. | +| Legitimate interests | To secure the Service, prevent fraud and abuse, debug and improve our products, run our business, conduct B2B marketing, and communicate with users about non-core matters. We balance these interests against your rights and interests, and you may object to processing as described in Section 9. | +| Consent | Where required by law, for example for certain cookies and electronic marketing. You may withdraw consent at any time. | +| Legal obligation | To comply with applicable laws, including tax, accounting, and lawful requests from public authorities. | -- The right to object to processing -- The right to restrict processing -- The right to withdraw consent (where processing is based on consent) -- The right to lodge a complaint with a supervisory authority +## 6. 
Sharing and disclosure -**Legal Basis for Processing:** We process your personal information based on the following legal grounds: +We do not sell personal data, and we do not share personal data for cross-context behavioral advertising. We disclose personal data only as described below. -- **Contract Performance:** Processing necessary to provide the Service you requested -- **Legitimate Interests:** Processing necessary for our legitimate business interests, such as improving our Service and ensuring security -- **Legal Obligation:** Processing necessary to comply with applicable laws +### 6.1 Subprocessors and service providers -**Automated Decision-Making:** OpenTrace does **not** engage in automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22. +We engage third parties to perform services on our behalf. As of the date of this Statement, the categories of Subprocessors we use include: -### 8.3 California Residents +- cloud hosting and infrastructure; -If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including: +- graph database services; -- The right to know what personal information is collected -- The right to know whether personal information is sold or disclosed and to whom -- The right to opt out of the sale of personal information -- The right to request deletion of personal information -- The right to non-discrimination for exercising your rights +- authentication, single sign-on, and session management; -**We do not sell your personal information.** +- error monitoring, crash reporting, and session replay (including Sentry, as described in Sections 2.5 and 2.6); ---- +- product analytics; -## 9. International Data Transfers +- feature-flag management; -Your information may be processed in countries other than your country of residence, including the United States and the European Union. 
+- observability and monitoring; -Where required, OpenTrace relies on appropriate safeguards for international transfers, such as **Standard Contractual Clauses (SCCs)** or equivalent mechanisms, in accordance with applicable data protection laws. +- payment processing. ---- +We may engage additional Subprocessors in the future — for example, customer support and ticketing platforms, communication and email delivery providers, or customer relationship management tools. We will update our Subprocessor List at docs.opentrace.com/subprocessor-list/ before any new Subprocessor begins processing Customer Data. -## 10. Customer Data Processing +Note: as of the Effective Date of this Statement, we do not use any third-party large language model provider or third-party embedding model provider as a Subprocessor for processing Customer Code, Connected Data, Derived Artifacts, or query content. If that changes, we will update our Subprocessor list and notify customers in advance. -OpenTrace processes customer-connected data solely to provide the Service. AI processing does not involve training or improving foundation models unless explicitly agreed in writing. +Our current list of named Subprocessors is published at docs.opentrace.com/subprocessor-list/. We require these parties to use personal data only as needed to perform their services for us, in line with appropriate data protection terms. -Customers remain responsible for determining whether their use of OpenTrace complies with applicable data protection obligations. +### 6.2 OpenTrace customers and Authorized Users ---- +When you use the Service as part of an organization that has an account with OpenTrace, certain personal data — such as your name, email address, account activity, and Outputs you have generated — may be visible to your organization's administrators and to other Authorized Users in your organization, in accordance with your organization's configuration of the Service. -## 11. 
Children's Privacy +### 6.3 Connected third-party systems -The Service is not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@opentrace.com, and we will take steps to delete such information. +When you authorize the Service to connect to a third-party system, the Service exchanges data with that system as required to perform the integration. The processing of personal data within that third-party system is governed by the third party's own privacy notice and your agreements with that third party. ---- +### 6.4 Direct connections to AI providers -## 12. Changes to This Privacy Policy +When you configure OpenTrace components running in your own environment to connect directly to an AI provider using your own API key, the network call to the AI provider is initiated from your environment and is not proxied through OpenTrace's server. The AI provider's own privacy notice governs the AI provider's processing of that direct call. Where prompts, responses, saved chat history, or related content are saved to or processed by the OpenTrace Service, OpenTrace treats that content as Customer Data under this Statement. -We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this policy. We encourage you to review this Privacy Policy periodically. +### 6.5 Corporate transactions -For material changes, we will provide notice through the Service or by other means as required by applicable law. +If we are involved in a merger, acquisition, financing, restructuring, sale of assets, bankruptcy, or similar transaction, personal data may be transferred to the counterparty as part of that transaction, subject to standard confidentiality and data protection obligations. ---- +### 6.6 Legal and safety disclosures -## 13. 
Contact Us +We may disclose personal data when we believe in good faith that disclosure is necessary to: (a) comply with applicable law or a binding order; (b) enforce our agreements; (c) protect the rights, property, or safety of OpenTrace, our customers, or others; or (d) detect, prevent, or address fraud, security, or technical issues. Where legally permitted, we will provide affected customers with notice before disclosing their data. -If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at: +## 7. International data transfers -**OpenTrace**
-14205 N MO PAC EXPY, STE 570, PMB 640435
-Austin, TX 78728, USA
-Email: support@opentrace.com +OpenTrace is established in the United States, and our Subprocessors are located in various countries. Personal data we collect may therefore be transferred to, stored in, and processed in countries other than the country in which it was originally collected, including countries that may not be assessed as providing the same level of data protection as your country of residence. -We will respond to your inquiry within a reasonable timeframe and in accordance with applicable law. +Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not been recognized as providing an adequate level of protection, we rely on appropriate safeguards as required by applicable law, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, and equivalent Swiss mechanisms. Where we rely on these mechanisms with our Subprocessors, we will, on request, provide you with information about the safeguards in place. ---- +## 8. How long we keep information -*This Privacy Policy is provided for informational purposes and does not constitute legal advice. We recommend consulting with a qualified legal professional to ensure compliance with all applicable laws and regulations.* +We keep personal data for as long as needed for the purposes described in this Statement, unless a longer retention period is required or permitted by law. 
Specifically: + +- account information is retained for as long as the account is active, and for a reasonable period thereafter to allow account recovery, dispute resolution, and legal compliance; + +- Derived Artifacts, Connected Data, and other Customer Data stored in the Service are retained as set out in our Terms of Service and your account configuration; on termination or repository deletion, we provide a thirty-day export window, then delete from production systems within sixty days, after which the data is overwritten in routine backups within ninety days; + +- session replay recordings are retained for no more than 30 days unless needed to investigate a specific support, reliability, or security issue; + +- error monitoring data and application diagnostic logs are retained for no more than 90 days, except for security or compliance-related entries which may be retained for up to one year; + +- product usage and web analytics data are retained for up to 14 months; + +- billing records are retained as required by tax and accounting laws; + +- marketing data is retained until you opt out, and for a short period thereafter to suppress further communications. + +When personal data is no longer needed, we delete it or anonymize it so that it can no longer be associated with you. + +## 9. 
Your rights + +### 9.1 Rights under the GDPR (EEA, UK, Switzerland) + +If you are located in the European Economic Area, the United Kingdom, or Switzerland, subject to applicable law, you have the right to: + +- access the personal data we hold about you and receive a copy of it; + +- request correction of inaccurate or incomplete personal data; + +- request deletion of your personal data, subject to applicable exceptions; + +- request restriction of processing in certain circumstances; + +- object to processing based on our legitimate interests; + +- request portability of personal data you provided to us, in a structured, commonly used, and machine-readable format; + +- withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing; and + +- lodge a complaint with a supervisory authority in the country where you live, work, or believe a violation has occurred. + +### 9.2 Rights under U.S. state privacy laws + +If you are a resident of a U.S. state with a comprehensive privacy law — including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia — you have the rights described below. Specific rights vary by state; the rights below are presented in their cumulative form, and any limits applicable in your state will be applied automatically when you exercise them. + +#### 9.2.1 Common rights across covered states + +- Right to know / access: confirm whether we are processing your personal data, and access the data and supporting information. + +- Right to a copy / portability: receive a copy of your personal data in a portable, machine-readable format where technically feasible. + +- Right to delete: request deletion of personal data we have collected from you or about you, subject to applicable exceptions. 
+ +- Right to correct: request correction of inaccuracies in your personal data, subject to certain conditions. + +- Right to opt out of sale or sharing: we do not sell your personal data and do not share it for cross-context behavioral advertising. You retain the right to direct us not to do so in the future. + +- Right to opt out of targeted advertising: we do not engage in targeted advertising as defined in the state laws. + +- Right to opt out of profiling: we do not engage in profiling that produces legal or similarly significant effects on you. + +- Right to non-discrimination: we will not discriminate against you for exercising your rights. + +#### 9.2.2 Additional California rights + +Under California Civil Code §§ 1798.83-1798.84 ("Shine the Light"), California residents may request information about disclosures of personal data to third parties for those third parties' direct marketing purposes. To make such a request, contact us at privacy@opentrace.com. + +We do not knowingly sell or share for cross-context behavioral advertising the personal data of consumers under 16 years of age. + +We do not collect or use sensitive personal information for purposes that would require an opt-out under California Civil Code § 1798.121. + +#### 9.2.3 Right to appeal a denied request + +In a number of states, including Colorado, Connecticut, Delaware, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, and Virginia, if we deny your request, you may appeal our decision. To appeal, send a written appeal to privacy@opentrace.com identifying yourself, the original request, and the basis for your appeal. We will respond to your appeal within the time period required under applicable law. If we deny your appeal, you may contact your state’s Attorney General. 
California, Iowa, and Utah do not provide a parallel statutory right to appeal a denied request and so are not listed above; if you are a resident of one of those states, you may still contact us about a denied request and we will respond on the same basis. + +#### 9.2.4 Authorized agents + +Where permitted by your state's law, you may authorize an agent to exercise your rights on your behalf. To do this, you must provide your agent with written permission to exercise your rights, and we may request a copy of that permission and verify your identity directly before completing the request. + +### 9.3 How to exercise your rights + +To exercise any of these rights, contact us at privacy@opentrace.com. Where you use the Service through an OpenTrace customer that is acting as a controller, we may direct your request to that customer, who is responsible for responding under its own privacy notice. We will respond to verifiable requests within the time required by applicable law. We may need to verify your identity before processing a request, and we will not respond to requests that are excessive, repetitive, or manifestly unfounded without explanation. + +## 10. Cookies and similar technologies + +We and our service providers use cookies, local storage, pixels, and similar technologies on our website and in the Service. These technologies allow us to recognize your device, remember your preferences, secure the Service, and understand how it is used. Where required by law, we obtain your consent before placing non-essential cookies; you can manage your preferences through our cookie banner or through your browser settings. + +We use the following categories of cookies and similar technologies: + +- **Essential.** Required to provide features you request, including authentication and session management, security features such as cross-site request forgery protection, and recording your cookie consent choice. Disabling these will prevent core functionality from working. 
+ +- **Functional.** Record your settings and preferences (for example, your interface choices and feature-flag context) so that the Service recognizes you on return visits. + +- **Performance / Analytical.** Help us understand aggregate usage of our website and the Service so that we can improve them. For example, Google Analytics uses cookies to measure visitor traffic and interactions on opentrace.com; you can opt out of Google Analytics specifically through the browser add-on at https://tools.google.com/dlpage/gaoptout. + +You can also manage cookies through your browser settings, including blocking new cookies or deleting existing ones. Doing so may require you to re-enter preferences on each visit and may prevent some features from working. To learn more about cookies generally, you can visit https://www.allaboutcookies.org. + +### 10.1 "Do Not Track" and Global Privacy Control + +There is no industry-standard interpretation of "Do Not Track" browser signals, so our Service does not currently respond to them. Where the Global Privacy Control signal is legally recognized as an opt-out — for example, under California law — we treat it as an opt-out of any sale or sharing of personal information. + +## 11. Security + +We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, use, disclosure, alteration, and destruction. These safeguards include encryption in transit and at rest, role-based access controls, network and endpoint security, logging and monitoring, secure development practices, and routine testing. + +No system can be guaranteed to be entirely secure. If we become aware of a security incident affecting your personal data, we will notify you and any affected customer in accordance with applicable law and our contractual obligations. + +## 12. Children + +The Service is not directed to children under the age of 13, and we do not knowingly collect personal data from children. 
If you believe a child has provided personal data to us, contact us at privacy@opentrace.com and we will take appropriate steps to delete it. + +## 13. Changes to this Statement + +We may update this Privacy Statement from time to time. When we make material changes, we will provide notice through the Service or by email, and we will update the "Last updated" date at the top of this Statement. We encourage you to review this Statement periodically. + +## 14. Contact us + +If you have questions, comments, or requests regarding this Privacy Statement or our processing of personal data, please contact us at: + +OpenTrace, Inc. + +14205 N Mo Pac Expy, Ste 570, PMB 640435, Austin, Texas 78728-6529, USA + +Email: privacy@opentrace.com + +_— End of Privacy Statement —_ diff --git a/docs/subprocessor-list.md b/docs/subprocessor-list.md new file mode 100644 index 0000000..a24d4e3 --- /dev/null +++ b/docs/subprocessor-list.md 
@@ -0,0 +1,57 @@ +# OpenTrace Subprocessor List + +Last updated: April 30, 2026 · Effective date: April 30, 2026 + +## 1. Purpose of this list + +This list identifies the third parties ("Subprocessors") that OpenTrace, Inc. ("OpenTrace") engages to assist in providing the OpenTrace hosted Service. It is published at docs.opentrace.com/subprocessor-list/ and is incorporated by reference into the OpenTrace Terms of Service and Data Processing Addendum (DPA). + +OpenTrace publishes this list to give Customers visibility into who has access to Customer Data, what they do with it, where they process it, and what cross-border transfer mechanism applies. OpenTrace will provide notice of any new Subprocessor before that Subprocessor begins processing Customer Data, by updating this list and, where Customer has provided an email address for such notifications, by email. + +## 2. Current Subprocessors + +The following Subprocessors are engaged as of the Effective Date of this list. Categories of personal data are described at the level relevant to a privacy assessment; specific records and fields are processed only as necessary to deliver the function described. + +Google Cloud Platform and Neo4j AuraDB are the Subprocessors used to store Customer Data as part of the core Service data layer (including Connected Data, Derived Artifacts, queries, prompts, Outputs, saved chat history, account data, and integration credentials). Stripe stores billing contact data and tokenizes payment card data for paid Service Plans, but does not have access to other Customer Data. The remaining Subprocessors process operational, telemetry, diagnostic, or interface-observation data only and are not intended to contain Customer Data, but diagnostic tools — in particular Sentry session replay — may incidentally capture rendered Customer Data visible in the web interface, subject to the masking, retention, and disablement controls described in Section 2.6 of the OpenTrace Privacy Statement. 
+ +| | | | | | +| ------------------------------------------------------------------ | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ------------------------------------------------------- | +| **Subprocessor** | **Role / Purpose** | **Categories of personal data processed** | **Processing location(s)** | **Cross-border transfer mechanism** | +| Google Cloud Platform (including Firebase) | Cloud hosting; application infrastructure; database services | Customer Data, including Connected Data, Derived Artifacts, queries, prompts, Outputs, saved chat history, account data, integration credentials, application logs, and operational telemetry | United States; other Google Cloud regions as configured by OpenTrace | EU SCCs (Module 2) where applicable; UK IDTA / Addendum | +| Google Analytics (Google LLC) | Web analytics for opentrace.com | Device and connection data, page views, referrer, anonymised IP, usage events | United States | EU SCCs (Module 2); UK IDTA / Addendum | +| Sentry (Functional Software, Inc.) | Error monitoring, crash reporting, and session replay | Diagnostic context (URL, request parameters, stack traces) which may incidentally include identifiers, subject to scrubbing rules; session replay recordings that may capture rendered UI content including Connected Data, Derived Artifacts, queries, query results, and chat content, subject to masking and filtering as described in the Privacy Statement | United States; EU region available | EU SCCs (Module 2); UK IDTA / Addendum | +| LaunchDarkly, Inc. 
| Feature flag management and progressive delivery | Account identifier, environment metadata, feature flag evaluation context | United States | EU SCCs (Module 2); UK IDTA / Addendum | +| Clerk, Inc. | Identity, authentication, and session management | Identity and contact data, authentication credentials (hashed), session tokens | United States | EU SCCs (Module 2); UK IDTA / Addendum | +| Grafana Cloud (Grafana Labs, Inc.) | Observability, metrics, logs, and tracing for Service operations | Operational telemetry, performance metrics, application logs | United States; EU region available | EU SCCs (Module 2); UK IDTA / Addendum | +| Neo4j, Inc. (Neo4j AuraDB) | Managed graph database | Derived Artifacts (knowledge graph) and structural representations of Connected Data, including identifiers such as function and variable names, log patterns, and similar metadata | United States; other AuraDB regions as configured by OpenTrace | EU SCCs (Module 2); UK IDTA / Addendum | +| Stripe, Inc. (and Stripe Payments Europe Limited for EU customers) | Payment processing for paid Service Plans | Billing contact data (name, billing address, email, tax identifiers); payment card data is collected and tokenized by Stripe directly and is not stored by OpenTrace | United States; Ireland | EU SCCs (Module 2); UK IDTA / Addendum | + +## 3. AI / model providers + +As of the Effective Date of this list, OpenTrace does not engage any third-party large language model provider, embedding model provider, or other machine learning service as a Subprocessor, and OpenTrace's server-side infrastructure does not transmit Customer Code, Connected Data, Derived Artifacts, query content, or Outputs to any such service. This reflects the commitment in Section 4.6 of the OpenTrace Terms of Service. 
OpenTrace anticipates introducing functionality in which the Service will make LLM calls on Customer's behalf from Service infrastructure, using either OpenTrace's own contracts with an LLM provider or Customer-supplied API keys. Before such functionality applies to Customer's configuration, OpenTrace will update this list where applicable and obtain Customer's prior opt-in consent in accordance with the Terms of Service. + +## 4. Customer-supplied AI provider keys + +OpenTrace's open-source command-line tools and the OpenTrace web interface running in Customer's browser may permit Customer to configure direct connections to AI providers (for example, Anthropic, OpenAI, Google) using Customer-supplied API keys. Where Customer uses this configuration, the AI provider is not engaged by OpenTrace as a Subprocessor: the network call to the AI provider is initiated from Customer's environment (the local component or the browser) and is not proxied through OpenTrace's server. Customer's relationship with the AI provider is governed by Customer's agreement with that provider. Responses received from the AI provider may be processed and stored by the Service when integrated with Service features such as saved chat history; where stored on Service infrastructure, those responses are treated as Customer Data and are processed by the Subprocessors listed above. Customer-supplied AI providers are intentionally not listed above because OpenTrace does not engage them as Subprocessors. + +## 5. Affiliates + +OpenTrace may use its own Affiliates (entities under common control) to provide internal support, security, and operational services. Affiliates are bound by confidentiality and data protection terms no less protective than those that apply to third-party Subprocessors. As of the Effective Date, OpenTrace has no Affiliates engaged in this capacity. + +## 6. 
Notice of changes + +OpenTrace will provide notice of any new Subprocessor, or any change in the role of an existing Subprocessor that materially expands the categories of Customer Data processed, before that change takes effect. To subscribe to email notifications, contact privacy@opentrace.com. Customer's right to object to a new Subprocessor and the consequences of objection are set out in the OpenTrace DPA. + +## 7. Contact + +Questions about this list, the role of a particular Subprocessor, or the cross-border transfer mechanism applicable to your data may be sent to: + +OpenTrace, Inc. + +14205 N Mo Pac Expy, Ste 570, PMB 640435 + +Austin, Texas 78728-6529, USA + +Email: privacy@opentrace.com + +_— End of Subprocessor List —_ diff --git a/docs/terms-of-service.md b/docs/terms-of-service.md index aa21b8b..3a321b7 100644 --- a/docs/terms-of-service.md +++ b/docs/terms-of-service.md 
@@ -1,652 +1,431 @@ # OpenTrace Terms of Service -**Last Updated:** February 11, 2026 +Last updated: April 30, 2026 · Effective date: April 30, 2026 ---- +These Terms of Service ("Terms") govern your access to and use of the OpenTrace hosted code intelligence service, the OpenTrace website, the application programming interfaces, and the related services (together, the "Service") made available by OpenTrace, Inc., a Delaware corporation ("OpenTrace," "we," "us," or "our"). -## 1. Introduction and Acceptance of Terms +By clicking to accept these Terms, by signing an Order Form that incorporates these Terms by reference, or by accessing or using any part of the Service, you agree to be bound by these Terms. If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity, in which case "you," "your," and "Customer" refer to that entity. If you do not have such authority, or if you do not agree with these Terms, you must not accept these Terms and you may not use the Service. -These Terms of Service ("Terms") govern your access to and use of OpenTrace Insight Platform ("OpenTrace," "Service," "Platform," or "we"), an AI-powered system for investigating operational incidents, analyzing system architecture, and understanding complex distributed systems. +OpenTrace also publishes open-source software, including the OpenTrace command-line tools, available at github.com/opentrace. Your use of those open-source components, when used purely locally and without connecting to the hosted Service, is governed exclusively by the open-source license that applies to the relevant repository, not by these Terms. These Terms govern your use of the hosted Service and any other functionality OpenTrace provides through opentrace.com, app.opentrace.ai, or other OpenTrace properties. -By accessing or using OpenTrace, you agree to be bound by these Terms. 
If you are using OpenTrace on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms. +## 1. Definitions -**If you do not agree to these Terms, do not use the Service.** +In these Terms, capitalized terms have the meanings set out below. Other capitalized terms are defined in the body of these Terms. ---- +**"Affiliate"** means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with such party, where "control" means ownership of more than 50% of the voting interests of an entity. -## 2. Service Description +**"Agreement"** means these Terms together with any Order Form, Data Processing Addendum, Service Level Agreement, and other documents incorporated by reference. -### 2.1 Platform Overview +**"Authorized User"** means an employee, contractor, agent, or AI agent operated on behalf of Customer or its Affiliates that has been authorized by Customer to access the Service under Customer's account. -OpenTrace Insight is a cloud-based Software-as-a-Service (SaaS) platform that provides AI-assisted system investigation and understanding for modern distributed systems, including: +**"Connected Data"** means data the Service fetches from third-party systems and integrations Customer has authorized, including code repository platforms, project management tools, communication platforms, observability platforms, and similar systems. Connected Data may include source code (where Customer has authorized a code-repository integration to fetch source contents — in which case it is also Customer Code), configuration, messages, tickets, telemetry, error reports, and other content depending on the integration. Connected Data is stored on Service infrastructure for the duration of Customer's use and is accessible to Customer through the Service's interfaces and APIs. 
-- **Automated Incident Investigation**: AI-assisted investigation of production incidents and operational anomalies -- **Root Cause Analysis Support**: AI-powered analysis and hypothesis generation for system failures and operational issues -- **System Architecture Intelligence**: Knowledge-graph-based representation of code, runtime telemetry, and infrastructure relationships -- **Investigation Timeline**: A continuously updated timeline of investigation steps, findings, and evidence -- **Evidence Collection**: Centralized organization of investigation artifacts and references -- **Integration Hub**: Connections to monitoring, observability, error tracking, infrastructure, and code repository platforms +**"Customer Code"** means source code, configuration files, build artifacts, dependency manifests, and related software materials that belong to or are controlled by Customer or its Authorized Users. Customer Code processed locally by the OpenTrace Open-Source Components on Customer's infrastructure is not transmitted to or stored by the Service. Customer Code that Customer has authorized to be fetched into the Service via a third-party integration is stored on Service infrastructure as Connected Data, subject to the protections that apply to Customer Data generally. -### 2.2 Technical Architecture +**"Customer Data"** means all data and content submitted to, fetched into, or generated within the Service by or on behalf of Customer, including Connected Data, Derived Artifacts, account information, queries, prompts, and Outputs. Customer Data does not include Customer Code that remains on Customer's own infrastructure and is not transmitted to the Service. 
-The Service operates on Google Cloud Platform infrastructure and includes: +**"Derived Artifacts"** means the structural and metadata representations that the OpenTrace Open-Source Components or the Service produce by processing Customer Code, Connected Data, or other source materials Customer submits or authorizes the Service to fetch, whether processed on Customer's own infrastructure or on Service infrastructure. Derived Artifacts include knowledge graphs, full-text search indexes, semantic indexes, embeddings, and similar artifacts, and may include identifiers, names, paths, dependency relationships, log patterns, terms, tokens, snippets, embeddings, and other representations or metadata derived from the underlying materials. Derived Artifacts are not intended to contain complete source files or complete underlying documents unless Customer expressly enables a feature that produces such inclusion. -- **Insight API**: RESTful HTTP and gRPC API endpoints hosted on Google Cloud Run -- **Insight Agent**: Multi-agent investigation system powered by Google Vertex AI (Gemini models) -- **Insight UI**: Web-based interface for managing investigations -- **MCP Protocol**: Model Context Protocol for external tool and data source integration -- **Storage Systems**: Google Firestore, Neo4j, PostgreSQL, and Firebase Storage +**"Documentation"** means the user guides, API references, and other technical materials made available by OpenTrace describing the operation and use of the Service. -### 2.3 AI and Machine Learning +**"OpenTrace Open-Source Components"** means the OpenTrace command-line tools and any other software that OpenTrace publishes under an open-source license. Use of OpenTrace Open-Source Components, when used purely locally and without connecting to the Service, is governed exclusively by the applicable open-source license. 
-OpenTrace uses artificial intelligence and large language models (LLMs), specifically Google Vertex AI with Gemini models, to assist users in: +**"Order Form"** means an ordering document signed or otherwise accepted by both parties that references these Terms and specifies the Service plan, fees, term, and other commercial terms. -- Analyze system behavior and operational signals -- Generating investigation hypotheses and explanatory summaries -- Correlating data across connected tools and services -- Producing natural language descriptions of observed system behavior +**"Output"** means analyses, summaries, code-intelligence responses, and other materials generated by the Service in response to queries against Customer's Derived Artifacts, Connected Data, or other Customer Data. -**Important Limitations and Disclaimers**: +**"Personal Data"** has the meaning given in applicable Data Protection Laws, and includes information that identifies or is reasonably capable of identifying a natural person. -* AI-generated outputs are **informational suggestions only**, not guarantees or determinations of fact -* Outputs may be inaccurate, incomplete, or misleading -* **Human review and validation is required** before acting on any AI-generated output -* OpenTrace does **not** perform automated decision-making producing legal, financial, medical, or similarly significant effects -* OpenTrace is a diagnostic and analysis tool and **must not be used as the sole basis for operational decisions** +**"Service Plan"** means the tier, package, or edition of the Service that Customer has subscribed to or signed up for, as set out in the applicable Order Form or self-service signup, including free plans. ---- +**"Subprocessor"** means a third party engaged by OpenTrace to process Customer Data as part of providing the Service. -## 3. 
Account Terms +**"Third-Party Service"** means any product, service, or system not provided by OpenTrace that Customer chooses to connect to the Service or to use alongside OpenTrace Open-Source Components, including code-hosting platforms, identity providers, communication tools, and large language model providers accessed via Customer-supplied API keys. -### 3.1 Account Registration +## 2. The Service -To use OpenTrace, you must: +### 2.1 What the Service does -- Create an account with accurate and complete information -- Provide a valid email address -- Create a secure password -- Be at least 18 years of age (or the age of majority in your jurisdiction) -- Comply with all applicable laws and regulations +The Service hosts and operates on Customer's Derived Artifacts, Connected Data, and other Customer Data to provide code intelligence and related capabilities, including the ability to query the knowledge graph and indexes, retrieve structural information about Customer's codebase and connected systems, generate Outputs in response to programmatic and human queries, and integrate with Customer's broader development and operational workflow. The Service is intended to be consumed both by humans and by automated systems acting on Customer's behalf. -### 3.2 Organization Accounts +### 2.2 Local, hosted, and hybrid use -OpenTrace supports organization-based multi-tenant access: +The Service supports the following deployment configurations: -- Organizations can have multiple users and teams -- Users belong to one or more organizations -- Investigation data is isolated by organization -- Organization administrators can manage users, permissions, and settings -- Each organization is responsible for the actions of its users +- **Local use**: Customer uses OpenTrace Open-Source Components entirely on Customer's own infrastructure, without connecting to the Service. 
In this configuration, the Open-Source Components ingest Customer Code and other source materials locally, build Derived Artifacts locally, and store Derived Artifacts locally. No Customer Code, source materials, or Derived Artifacts are transmitted to OpenTrace. -### 3.3 Authentication +- **Hosted use with locally-processed materials**: Customer uses the OpenTrace Open-Source Components on Customer's own infrastructure to process source materials and uploads the resulting Derived Artifacts to the Service. In this configuration, Customer Code and other source materials processed locally remain on Customer's infrastructure; only the Derived Artifacts produced from them are stored on Service infrastructure. -Account authentication is provided through: +- **Hosted use with integration-fetched data**: Customer authorizes the Service to connect to third-party systems (such as code repository platforms, project management tools, communication platforms, or observability platforms) and fetch data from those systems into the Service. Fetched content — which may include source code (from code-repository integrations Customer has authorized), configuration, messages, tickets, telemetry, error reports, and other content depending on the integration — is stored on Service infrastructure as Connected Data. The Service may produce Derived Artifacts from Connected Data on Service infrastructure; both Connected Data and the Derived Artifacts produced from it are stored on Service infrastructure for the duration of Customer's use. -- **Firebase Authentication**: Primary authentication system using JWT bearer tokens -- **Clerk**: Organization and team management with OAuth support -- **Third-Party OAuth**: Google, GitHub, GitLab authentication options +- **Hybrid use**: Customer may combine these configurations on a per-repository, per-project, or per-integration basis. The Service supports configuration to indicate the path each input takes. 
-You are responsible for: -- Maintaining the confidentiality of your account credentials -- All activities that occur under your account -- Immediately notifying us of any unauthorized use +### 2.3 OpenTrace Open-Source Components -### 3.4 Account Responsibilities +OpenTrace publishes the OpenTrace command-line tools and certain other components as open-source software, available at github.com/opentrace. Use of those components, when used purely locally and without connecting to the Service, is governed exclusively by the open-source license that applies to the relevant repository, and not by these Terms. These Terms apply to the Service and to any use of OpenTrace Open-Source Components that connects to or otherwise interacts with the Service. -You agree to: +### 2.4 Customer-supplied keys for Third-Party Services -- Keep your contact information current -- Not share your account with others -- Not create multiple accounts to evade restrictions -- Not use automated means to create accounts -- Not sell, transfer, or sublicense your account +OpenTrace components that run in Customer's own environment — including the OpenTrace command-line tools and the OpenTrace web interface running in Customer's browser — may include functionality that allows Customer or its Authorized Users to configure direct connections to Third-Party Services using Customer-supplied API keys, including connections to large language model providers. Where Customer uses such a configuration: ---- +- the network call to the Third-Party Service is initiated from Customer's environment (the local component or the browser) and does not pass through OpenTrace's server as a proxy; -## 4. Acceptable Use Policy +- the Third-Party Service is not engaged by OpenTrace as a Subprocessor; -### 4.1 Permitted Use +- Customer's relationship with the Third-Party Service is governed by Customer's agreement with that provider; and -You may use OpenTrace only for lawful purposes and in accordance with these Terms. 
Specifically, you may: +- Customer is responsible for ensuring that its use of the Third-Party Service complies with the provider's terms. -- Investigate incidents in systems you own or have authorization to monitor -- Analyze your own infrastructure and application architecture -- Integrate with third-party services you have authorization to access -- Share investigation results with authorized team members +Responses received from the Third-Party Service may be processed and stored by the Service in the ordinary course — for example, to render a chat response, to associate it with Customer's session or saved chat history, or to integrate it into the Service's interfaces. Where stored on Service infrastructure, such content is treated as Customer Data and is governed by the same confidentiality, security, retention, and no-training commitments as other Customer Data. -### 4.2 Prohibited Conduct +Where Customer configures an API key in OpenTrace's open-source components or in the OpenTrace web interface running in Customer's browser for direct calls to a Third-Party Service from Customer's environment, that API key is stored only in Customer's local environment (for example, in the open-source component's local configuration or in Customer's browser local storage) and is not transmitted to or stored on OpenTrace's server. Where Customer instead chooses to provide an API key to the hosted Service for use by Service infrastructure (for example, in a bring-your-own-key configuration of server-side functionality), the API key is stored on Service infrastructure as Customer Data, encrypted at rest, and used only to make calls to the Third-Party Service as configured by Customer. 
-You may not: +If OpenTrace introduces functionality that would have the Service make calls to a Third-Party Service from Service infrastructure on Customer's behalf — whether under OpenTrace's own contracts with that Third-Party Service or using Customer-supplied API keys — the procedure in Section 4.6 applies. -- Use the Service to access systems, data, or resources without authorization -- Attempt to circumvent security measures or access controls -- Reverse engineer, decompile, or disassemble any part of the Service -- Use the Service to transmit malware, viruses, or malicious code -- Perform load testing or penetration testing without prior written consent -- Scrape, crawl, or spider the Service -- Interfere with or disrupt the Service or its infrastructure -- Use the Service in violation of any applicable law or regulation -- Impersonate any person or entity -- Collect or harvest personal information without consent -- Use the Service for competitive analysis or to build a competitive product +### 2.5 Programmatic and AI-agent access -### 4.3 Third-Party Integration Compliance +The Service is designed to be consumed by software systems acting on Customer's behalf, including AI coding agents, build systems, internal automation, and developer tooling. Customer is expressly permitted to access the Service programmatically through OpenTrace's APIs and integration points, and to operate AI agents and automated systems that consume Outputs, in each case subject to the Documentation, applicable rate limits, and these Terms. No additional consent or authorization beyond Customer's acceptance of these Terms is required for such use. 
-When using OpenTrace's integration features (GitHub, GitLab, Slack, Grafana, Jaeger, AWS, etc.), you agree to: +### 2.6 Updates and changes to the Service -- Comply with the terms of service of each integrated platform -- Only integrate systems and data sources you have authorization to access -- Not exceed rate limits or usage restrictions of integrated services -- Maintain valid credentials and API keys for your integrations +OpenTrace continuously develops the Service and may add, modify, deprecate, or remove features at its discretion. OpenTrace will use reasonable efforts to provide advance notice of material adverse changes affecting paid Service Plans. OpenTrace may release the Service or specific features as alpha, beta, preview, or experimental, in which case those features are provided "as is" and may be changed or withdrawn without notice. ---- +### 2.7 Documentation -## 5. Data and Privacy +OpenTrace makes Documentation available describing the Service. Customer's use of the Service must materially conform to the Documentation. To the extent of any conflict, these Terms prevail over the Documentation. -### 5.1 Data You Provide +### 2.8 Maintenance and downtime -When using OpenTrace, you may provide or the Service may collect: +OpenTrace may perform scheduled maintenance on reasonable advance notice through the Service or by email, perform emergency maintenance without prior notice where reasonably required to address security, integrity, or operational issues, and temporarily suspend access to all or part of the Service where necessary for technical, security, or legal reasons. OpenTrace will use commercially reasonable efforts to minimise the duration and impact of any such interruption. 
-- **Account Information**: Email, name, organization details, authentication credentials -- **Investigation Data**: Incident descriptions, hypotheses, notes, comments -- **System Data**: Logs, metrics, traces, error reports, code repository information -- **Integration Credentials**: OAuth tokens, API keys, webhooks for third-party services -- **File Uploads**: Evidence files, screenshots, configuration files +## 3. Accounts and Authorized Users -### 5.2 Data We Collect +### 3.1 Registration -OpenTrace automatically collects: +To use the Service, Customer must register an account and provide accurate, current, and complete information. Customer is responsible for maintaining the confidentiality of account credentials and for all activity that occurs under its account. -- **Usage Data**: API requests, feature usage, session duration -- **Technical Data**: IP addresses, browser information, device information -- **Timeline Events**: Investigation progress, agent actions, evidence collection -- **Observability Data**: Platform telemetry via OpenTelemetry tracing +### 3.2 Authorized Users -### 5.3 Data Storage and Processing +Customer may permit its Authorized Users — including AI agents acting on Customer's behalf — to access the Service. Customer is responsible for the acts and omissions of its Authorized Users as if they were Customer's own. Customer must promptly disable access for any Authorized User who is no longer entitled to use the Service. -Your data is stored and processed using OpenTrace-managed systems and approved subprocessors, including: +### 3.3 Security of credentials -* **Google Firestore** (investigation metadata and events) -* **Neo4j** (system and context graphs) -* **PostgreSQL** (activity streams and audit logs) -* **Firebase Storage** (file uploads and evidence) -* **Google Vertex** AI (LLM-based analysis) +Customer must use commercially reasonable measures to safeguard authentication credentials, API keys, and tokens. 
Customer must notify OpenTrace promptly of any suspected unauthorized access to or compromise of its account. -**Data Location and Subprocessors** -Data storage locations and subprocessors are described in our **Privacy Policy and Subprocessor List**, which may be updated from time to time with reasonable notice. OpenTrace does not guarantee that data will be processed exclusively in a single geographic region unless expressly agreed in writing. +## 4. Customer Code, Derived Artifacts, and Outputs -### 5.4 AI Processing of Your Data +### 4.1 Customer ownership -When you use OpenTrace: +As between the parties, Customer retains all right, title, and interest in and to Customer Code, Derived Artifacts, and Customer Data, including all intellectual property rights therein. OpenTrace acquires no ownership interest in Customer Code, Derived Artifacts, or Customer Data under these Terms. -* Investigation data may be transmitted to Google Vertex AI for real-time analysis -* **Model inputs and outputs may be temporarily processed and logged by OpenTrace solely for service operation, debugging, and security purposes** +### 4.2 Where data lives -**Content logging is subject to access controls, retention limits, and masking of sensitive fields where supported** +Where Customer processes source materials locally with the OpenTrace Open-Source Components, those source materials — including Customer Code — remain on Customer's infrastructure. Locally-processed source materials are not transmitted to or stored by the Service. The Service stores and operates on the Derived Artifacts that Customer chooses to upload from local processing. -* AI processing is performed to provide the Service and **is not used to train or fine-tune underlying AI models** +Where Customer authorizes the Service to fetch data from third-party integrations, the fetched content is stored on Service infrastructure as Connected Data for the duration of Customer's use. 
Connected Data may include source code (where Customer has authorized a code-repository integration to fetch source contents), configuration, messages, tickets, telemetry, and similar content depending on the integration. Connected Data and any Derived Artifacts produced from it are governed by the same confidentiality, security, retention, no-training, no-sale, and no-LLM-Subprocessor commitments as other Customer Data. -**Enterprise Controls** +Connected Data and Derived Artifacts may include identifiers, structural information, and metadata that reveal substantial information about Customer's codebase, infrastructure, and operations. OpenTrace treats Connected Data and Derived Artifacts stored on Service infrastructure with the same confidentiality, security, and retention commitments as other Customer Data. -Enterprise customers may be eligible for configuration options to limit or disable content-level logging, subject to technical feasibility and support agreements. +### 4.3 License to OpenTrace -**Sensitive Data Obligation** +Customer grants OpenTrace a worldwide, non-exclusive, royalty-free license, during the Term and for a limited period thereafter as reasonably required for wind-down, to host, copy, transmit, process, analyze, index, and display Derived Artifacts, Connected Data, and other Customer Data submitted to, fetched into, generated within, or otherwise processed by the Service, solely as necessary to: (a) provide, secure, maintain, and improve the Service for Customer; (b) prevent or address technical or security issues; (c) enforce these Terms; and (d) comply with applicable law. -You agree **not to submit secrets, credentials, cryptographic keys, or unnecessary personally identifiable information** to the Service. You are responsible for implementing reasonable filtering, redaction, and access controls prior to submitting data for analysis. 
+For the avoidance of doubt, "improve the Service" as used in this Section 4.3 does not include training, fine-tuning, or improving the weights of any machine learning model (which is governed by Section 4.6), and does not include any use of customer-specific Derived Artifacts, Customer Code, or Customer Data except as expressly permitted in Section 4.5. -### 5.5 Data Retention +### 4.4 Outputs -Data retention is governed by **organization-level configuration settings** and our Privacy Policy. -Unless otherwise configured or required by law: +Subject to Customer's payment of fees and ongoing compliance with these Terms, OpenTrace assigns to Customer all of OpenTrace's right, title, and interest, if any, in Outputs that are specific to Customer's Derived Artifacts, Connected Data, or other Customer Data, and grants Customer a perpetual, irrevocable, worldwide license to use such Outputs for any lawful purpose. -* Investigation data is retained while your account is active -* Deleted investigations are retained for a limited recovery period, then permanently deleted -* Account data is deleted within a reasonable period following account termination -* Security and audit logs may be retained for compliance and integrity purposes +Customer acknowledges that, due to the nature of code intelligence and machine learning, Outputs may not be unique. Other customers may receive similar Outputs from independent inputs. OpenTrace and its other customers retain rights in such independent outputs, and OpenTrace's assignment under this Section does not extend to outputs generated for other customers from independent inputs. 
-### 5.6 Data Access and Deletion +### 4.5 Service improvement and aggregated data -You have the right to: +OpenTrace may collect and use technical, performance, and usage data about the Service, and may create aggregated and de-identified data, in each case in a form that does not identify Customer, Customer's Authorized Users, or any individual, and does not contain Customer's identifiers, structural information about Customer's codebase or operations, or any material that could reasonably be used to reconstruct Customer's code, Connected Data, or Derived Artifacts. OpenTrace may use such aggregated and de-identified data to operate, analyze, secure, and improve the Service and OpenTrace's business. -- Access your investigation data via the UI or API -- Export your investigation data in JSON format -- Delete individual investigations -- Request deletion of your account and all associated data +Queries, prompts, and Outputs may also be temporarily processed and logged by OpenTrace solely to operate, support, debug, and secure the Service. Such processing is subject to access controls, retention proportionate to those purposes, and scrubbing of sensitive fields where supported. It is not used to train AI models (see Section 4.6) and is not shared with third parties except with Subprocessors performing these functions on OpenTrace's behalf. -To exercise these rights, contact us at support@opentrace.com. +### 4.6 No training of AI models on Customer Code, Connected Data, or Derived Artifacts -### 5.7 Privacy Policy +OpenTrace will not use Customer Code, Connected Data, Derived Artifacts, Customer Data, or Outputs to train, fine-tune, or otherwise improve the weights of any foundation model or other generally-available machine learning model, whether owned by OpenTrace or by a third party. This restriction applies across all Service Plans, including free plans, and is not contingent on Customer's payment of fees. 
-Our collection, use, and protection of your personal information is governed by our Privacy Policy at [docs.opentrace.com/privacy-policy](https://docs.opentrace.com/privacy-policy/). The Privacy Policy is incorporated into these Terms by reference. +As of the Effective Date of these Terms, OpenTrace does not engage any large language model provider, embedding model provider, or other machine learning service as a Subprocessor, and OpenTrace's server-side infrastructure does not transmit Customer Code, Connected Data, Derived Artifacts, or other Customer Data to any such service. Where the Service involves LLM functionality today, the LLM call is initiated by Customer through OpenTrace components running in Customer's environment, using API keys Customer has configured; the response, where stored on Service infrastructure (for example, as part of saved chat history), is treated as Customer Data and is subject to the protections in this Section 4. -### 5.8 Security Measures +OpenTrace anticipates introducing functionality in which the Service will make LLM calls on Customer's behalf from Service infrastructure. Such functionality may use either (i) LLM providers that OpenTrace engages under its own contracts (in which case the LLM provider would be engaged as a Subprocessor of OpenTrace) or (ii) Customer-supplied API keys that the Service uses to call an LLM provider on Customer's behalf. In either case, before any such functionality applies to Customer's configuration, OpenTrace will: (a) provide advance notice through the Service or by email; (b) describe the functionality, the categories of data that would be transmitted, and the LLM provider involved; (c) where applicable, update the Subprocessor list and require by contract that the LLM provider not use Customer's data for its own model training purposes; and (d) obtain Customer's prior opt-in consent before such functionality is enabled for Customer. 
-We implement industry-standard security measures including: +### 4.7 Customer responsibility for inputs -- Encryption in transit (TLS/HTTPS) -- Encryption at rest (Google Cloud encryption) -- Organization-based data isolation -- JWT bearer token authentication -- Regular security audits and monitoring -- OpenTelemetry tracing for security event detection +Customer represents and warrants that: (a) it has all rights, licenses, and permissions necessary to provide Customer Code, to authorize the Service to fetch Connected Data from third-party integrations, to upload Derived Artifacts and other Customer Data, and to grant the licenses set out in this Section 4; (b) the provision, fetching, and processing of Customer Code, Connected Data, Derived Artifacts, and Customer Data through the Service does not and will not violate any applicable law, regulation, or third-party right; (c) Customer Code, Connected Data, Derived Artifacts, and Customer Data do not contain any item that Customer is not authorized to share with a cloud service provider, including under any agreement with a third party; and (d) Customer has implemented reasonable filtering, redaction, and access controls to avoid submitting (or authorizing the Service to fetch) secrets, credentials, cryptographic keys, access tokens, or sensitive personal data not strictly necessary for the function Customer is performing. -However, no method of transmission or storage is 100% secure. You use the Service at your own risk. +## 5. Acceptable Use ---- +Customer must not, and must not permit any Authorized User or other third party to: -## 6. 
Third-Party Integrations +- use the Service in violation of any applicable law, regulation, or third-party right; -### 6.1 Integration Authorization +- submit to the Service any content that is unlawful, infringing, defamatory, obscene, or that contains malware, viruses, or other harmful code, except for samples submitted in good faith for legitimate security research within a Service Plan that expressly permits such use; -OpenTrace integrates with external services using: +- attempt to gain unauthorized access to the Service, other customers' accounts or data, or any underlying systems or networks; -- **OAuth 2.0**: GitHub, GitLab, Slack, Google authentication -- **API Keys**: Grafana, Bugsnag, Sentry, FusionReactor, OpenSearch -- **Webhooks**: Slack events, GitHub events, GitLab events -- **MCP Protocol**: Standardized tool integration for logs, metrics, traces +- reverse engineer, decompile, or disassemble the Service, or attempt to derive its source code, except (i) to the extent applicable law expressly permits despite this limitation, or (ii) for OpenTrace Open-Source Components, in accordance with their open-source license; -You grant OpenTrace permission to: +- use the Service or any Output to train, fine-tune, or otherwise develop any artificial intelligence model, code intelligence platform, or similar service that competes with the Service; -- Access integrated services on your behalf -- Query data from integrated services during investigations -- Store integration credentials securely (encrypted) -- Use webhooks to trigger investigations automatically +- use the Service to build a competing product or service, or to benchmark the Service for the purpose of publishing comparisons, without OpenTrace's prior written consent; -### 6.2 Integration Data Access +- circumvent or disable any usage limits, rate limits, security features, or access controls of the Service; -When you connect integrations, OpenTrace may access: +- remove, obscure, or alter any 
proprietary notices contained in the Service, the Documentation, or Outputs; -- **GitHub/GitLab**: Repository files, commit history, issues, pull requests, webhook events -- **Slack**: Message content (when mentioned), channel information, user information -- **Grafana**: Dashboards, Prometheus metrics, Loki logs, Tempo traces, alerts -- **Jaeger**: Distributed traces and spans -- **AWS**: EKS cluster metadata, infrastructure information -- **Bugsnag/Sentry**: Error reports, stack traces, occurrence data -- **OpenSearch**: Log data and search results +- submit Personal Data of categories prohibited by applicable law for the Service's data classification, or sensitive data such as government-issued identifiers, payment card data, or protected health information, unless the parties have agreed in writing that the Service is configured for such data; -### 6.3 Your Responsibilities +- submit to the Service or authorize the Service to fetch any secrets, credentials, cryptographic keys, access tokens, or other authentication material, except as expressly required for an integration or feature documented to receive such material; -You are responsible for: +- use the Service to make decisions that produce legal or similarly significant effects on individuals without meaningful human review. -- Ensuring you have authorization to integrate third-party services -- Maintaining valid credentials for integrations -- Complying with third-party terms of service -- Revoking access when no longer needed -- Monitoring integration usage and costs +OpenTrace may, but is not obligated to, monitor use of the Service for compliance with these Terms and may investigate suspected violations. -### 6.4 Third-Party Terms +## 6. Third-Party Services and Integrations -Your use of integrated services is subject to their respective terms of service. 
OpenTrace is not responsible for: +### 6.1 Customer-enabled integrations -- Availability or performance of third-party services -- Changes to third-party APIs or terms -- Data loss or corruption in third-party services -- Violations of third-party terms by you or your users +The Service supports integrations with Third-Party Services, including code-hosting platforms, identity providers, issue trackers, communication tools, observability platforms, and AI agents and tools. By enabling an integration, Customer authorizes OpenTrace to access, fetch, transmit, and process data through that integration on Customer's behalf in accordance with the integration's configuration. Data fetched into the Service through such integrations is treated as Connected Data (as defined in Section 1) and is governed by the same confidentiality, security, retention, no-training, no-sale, and no-LLM-Subprocessor commitments as other Customer Data. Deleting or modifying data in a connected Third-Party Service may not automatically delete or modify the corresponding Connected Data already stored on Service infrastructure, unless the integration or Customer's configuration supports that behavior. Customer may delete integration-fetched datasets through the Service as described in Section 8.6. -### 6.5 Integration Limits +### 6.2 Customer-supplied keys for AI providers -We may impose limits on: +OpenTrace components running in Customer's own environment may permit Customer to configure direct connections to AI providers using Customer-supplied API keys, as further described in Section 2.4. The AI provider is not engaged by OpenTrace as a Subprocessor, and Customer's relationship with the AI provider is governed by Customer's agreement with that provider. Responses received by the Service from the AI provider are treated as Customer Data when stored on Service infrastructure, as described in Section 2.4. 
OpenTrace is not responsible for the AI provider's availability, security, or terms of use. -- Number of integrations per organization -- API call volume to integrated services -- Data retrieval from integrated services -- Webhook frequency and payload size +### 6.3 Customer responsibility for Third-Party Services ---- +Customer's use of any Third-Party Service is governed by Customer's agreement with that third party. OpenTrace is not responsible for Third-Party Services and makes no warranty regarding their availability, security, or performance. If a Third-Party Service ceases to be available or changes its interface, OpenTrace may suspend or modify the corresponding integration. -## 7. Intellectual Property Rights +## 7. Service Plans, Fees, and Payment -### 7.1 OpenTrace IP +### 7.1 Free Service Plans -OpenTrace and all related technology, including: +OpenTrace offers free Service Plans. Free plans may have feature, capacity, support, and availability limitations, which OpenTrace may modify at its discretion on reasonable notice. Free plans do not carry the warranties or service-level commitments applicable to paid Service Plans, and OpenTrace may discontinue free plans on reasonable notice. The commitments set out in Section 4.6 (No training of AI models) apply equally to free plans. -- Source code, algorithms, and software -- User interface design and branding -- Documentation and training materials -- AI models, prompts, and workflows (excluding underlying Google models) -- MCP server implementations +### 7.2 Paid Service Plans -...are owned by OpenTrace or our licensors and protected by copyright, trademark, and other intellectual property laws. +Paid Service Plans are subject to fees specified in the applicable Order Form or self-service signup. Except as expressly stated in these Terms or required by applicable law, all fees are non-refundable and all payment obligations are non-cancellable. 
-**License Grant to You**: Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service for your internal business purposes. +### 7.3 Invoicing and payment terms -### 7.2 Your Data and Content +Unless otherwise stated, fees for Paid Service Plans paid by invoice are due within thirty (30) days of the invoice date. Fees for self-service Paid Service Plans are charged in advance to the payment method on file. Late amounts accrue interest at the lower of 1.5% per month or the maximum rate permitted by law. -You retain all ownership rights to Customer Data, including investigation data, files, evidence, comments, and system information submitted to or processed by the Service. +### 7.4 Auto-renewal -**License Grant to OpenTrace** +**AUTO-RENEWAL NOTICE.** Paid Service Plans with a term of one month or longer renew automatically for successive periods of equal length unless either party gives written notice of non-renewal at least thirty (30) days before the end of the then-current term, or as otherwise specified in the Order Form. By subscribing to a recurring Paid Service Plan, Customer authorizes OpenTrace, directly or through its payment processor, to charge Customer's payment method on file for each renewal period until Customer cancels. Customer may cancel a self-service subscription at any time through the account settings page; cancellation takes effect at the end of the then-current term. -You grant OpenTrace a limited, worldwide, non-exclusive, royalty-free license to **host, process, transmit, and display Customer Data solely to provide, secure, and support the Service**. +### 7.5 Taxes -**No Training by Default** +Fees are exclusive of all taxes, levies, and duties (including value-added tax, sales tax, and goods and services tax) other than taxes based on OpenTrace's net income. Customer is responsible for paying all such taxes. 
-OpenTrace **does not use Customer Data to train, fine-tune, or improve AI models** unless a **separate written agreement** is executed with you that expressly permits such use. +### 7.6 Suspension for non-payment -**Aggregated and De-Identified Data** +OpenTrace may suspend access to a Paid Service Plan if any undisputed amount is more than thirty (30) days overdue, after providing at least seven (7) days' prior written notice. -OpenTrace may generate and use aggregated, de-identified data derived from Service usage for analytics and service improvement, provided that such data: +## 8. Term, Termination, and Suspension -* Does not identify you or any individual -* Cannot reasonably be re-identified -* Is not shared in customer-identifiable form +### 8.1 Term -### 7.3 AI-Generated Content +These Terms commence on the Effective Date and continue until terminated. Each Order Form has its own subscription term as specified therein. Self-service Service Plans continue until cancelled by Customer or terminated by OpenTrace in accordance with these Terms. -Content generated by OpenTrace’s AI features: +### 8.2 Termination for cause -* Is provided “as-is” and without warranties -* May be inaccurate, incomplete, or misleading -* Requires human review and validation prior to use -* Does not constitute professional advice +Either party may terminate the Agreement for cause: (a) on thirty (30) days' written notice of a material breach by the other party that remains uncured at the end of that period; or (b) immediately if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, or liquidation. -Ownership and usage rights in AI-generated content follow the same terms as Customer Data. +### 8.3 Termination for convenience -### 7.4 Feedback and Suggestions +Customer may terminate any free Service Plan at any time. 
Customer may terminate a Paid Service Plan in accordance with the cancellation procedures applicable to that plan. OpenTrace may terminate a free Service Plan at any time on reasonable notice. -If you provide feedback, suggestions, or ideas about OpenTrace: +### 8.4 Suspension -- We may use them without restriction or compensation -- You waive any intellectual property rights in such feedback -- We have no obligation to implement or respond to feedback +OpenTrace may suspend Customer's access to all or part of the Service immediately if (a) OpenTrace reasonably believes that continued access poses a security or legal risk to OpenTrace, the Service, or any third party; (b) Customer's use violates Section 5 (Acceptable Use); or (c) suspension is required to comply with applicable law or a binding order. OpenTrace will notify Customer as soon as reasonably practicable. ---- +### 8.5 Effect of termination -## 8. Payment Terms +On expiration or termination of the Agreement: (a) Customer's right to access and use the Service ceases; (b) each party returns or destroys the other party's Confidential Information in its possession, except to the extent retention is required by law or by routine backup procedures; and (c) Customer remains liable for any fees accrued before termination. -### 8.1 Billing +### 8.6 Data export and deletion -- Subscription fees are billed monthly in advance -- Fees are non-refundable except as required by law -- All fees are in USD / CURRENCY] and exclude applicable taxes -- You are responsible for all taxes, duties, and assessments +For a period of thirty (30) days after termination, OpenTrace will make Derived Artifacts, Connected Data, and other Customer Data available for export through the Service's standard export tools. 
After that period, OpenTrace will delete Derived Artifacts, Connected Data, and other Customer Data from production systems within sixty (60) days, subject to retention in routine backups for up to ninety (90) days thereafter, after which they will be overwritten in the ordinary course. Customer may also delete specific repositories, projects, or integration-fetched datasets at any time through the Service, in which case the same sixty- and ninety-day windows apply to that data. -### 8.2 Payment Methods +## 9. Confidentiality -We accept payment via: +### 9.1 Definition -- Credit card (Visa, Mastercard, American Express) -- Invoice (for enterprise customers) +"Confidential Information" means any non-public information disclosed by one party (the "Discloser") to the other (the "Recipient") that is identified as confidential or that, given the nature of the information and the circumstances of disclosure, a reasonable person would understand to be confidential. Customer Code, Connected Data, Derived Artifacts, and other Customer Data are Customer's Confidential Information. The Service, the Documentation, and OpenTrace's non-public technical and business information are OpenTrace's Confidential Information. -You authorize us to charge your payment method on file. +### 9.2 Obligations -### 8.3 Late Payment +The Recipient must: (a) use the Discloser's Confidential Information solely to perform the Recipient's obligations or exercise its rights under these Terms; (b) protect such Confidential Information using at least the same degree of care it uses for its own confidential information of similar nature, and in no event less than a reasonable degree of care; and (c) not disclose such Confidential Information to any third party except to its employees, contractors, and advisors who have a need to know and are bound by confidentiality obligations no less protective than those in these Terms. 
-If payment fails: +### 9.3 Exclusions -- We will attempt to collect payment for 15 days -- Your access may be suspended after 15 days -- Your account may be terminated after 30 days -- You remain liable for all outstanding charges plus collection costs +Confidential Information does not include information that: (a) is or becomes publicly available without breach of these Terms by the Recipient; (b) was known to the Recipient before receipt from the Discloser; (c) is rightfully obtained by the Recipient from a third party without restriction; or (d) is independently developed by the Recipient without use of or reference to the Discloser's Confidential Information. -### 8.4 Price Changes +### 9.4 Compelled disclosure -We may change pricing with 30 days' advance notice. Price changes apply: +The Recipient may disclose Confidential Information if compelled by law or legal process, provided that, to the extent legally permitted, the Recipient gives the Discloser prior notice and reasonable assistance to seek a protective order or other relief. -- Immediately for new customers -- At next renewal for existing customers +## 10. Intellectual Property ---- +### 10.1 OpenTrace IP -## 9. Service Level and Availability +OpenTrace and its licensors retain all right, title, and interest in and to the Service, the Documentation, and all related intellectual property, including all improvements, modifications, and derivative works. Except for the limited rights expressly granted in these Terms or in the applicable open-source license for OpenTrace Open-Source Components, no rights are granted to Customer. -### 9.1 Service Availability +### 10.2 Feedback -OpenTrace is provided on an "as available" basis. 
We do not guarantee: +If Customer or any Authorized User provides suggestions, ideas, or other feedback regarding the Service ("Feedback"), Customer grants OpenTrace a perpetual, irrevocable, worldwide, royalty-free license to use, exploit, and incorporate such Feedback into the Service and other OpenTrace products, without obligation or compensation to Customer. -- Uninterrupted access to the Service -- Error-free operation -- Specific uptime percentages (unless covered by separate SLA) -- Compatibility with all browsers or devices +### 10.3 Trademarks -### 9.2 Maintenance and Downtime +Neither party may use the other party's trademarks, service marks, or logos without prior written consent, except that OpenTrace may identify Customer as a customer in customer lists and case studies with Customer's reasonable consent, not to be unreasonably withheld. -We may: +## 11. Warranties and Disclaimers -- Perform scheduled maintenance with 24 hours advance notice -- Perform emergency maintenance without notice -- Temporarily suspend Service for security, legal, or technical reasons +### 11.1 Mutual warranties -### 9.3 Service Modifications +Each party represents and warrants that it has the legal authority to enter into and perform the Agreement, and that its performance does not violate any other agreement to which it is a party. -We reserve the right to: +### 11.2 OpenTrace warranties -- Add, modify, or remove features -- Change Service architecture or technology -- Update user interface design -- Modify APIs (with reasonable notice for breaking changes) +For Paid Service Plans, OpenTrace warrants that, during the subscription term, the Service will perform materially in accordance with the Documentation. 
As Customer's exclusive remedy and OpenTrace's entire liability for breach of this warranty, OpenTrace will use commercially reasonable efforts to correct the non-conformity, and if it cannot do so within a reasonable period, Customer may terminate the affected Order Form and OpenTrace will refund any prepaid fees for the unused portion of the term. -We will make reasonable efforts to maintain backward compatibility and provide migration assistance for significant changes. +### 11.3 AI-generated outputs ---- +Customer acknowledges that the Service applies algorithmic and, where Customer enables them, machine learning techniques to generate Outputs, and that such Outputs may be incomplete, incorrect, or otherwise unsuitable for a particular purpose. Customer is responsible for evaluating Outputs before relying on them for any consequential decision, and for any actions taken by automated systems, including AI agents, based on the Service's responses. -## 10. Limitation of Liability +To the extent the Service itself uses AI or other autonomous components to take actions — for example, to propose changes, perform tasks, or invoke other systems on Customer's behalf within the Service — those components may also make mistakes, including by drawing incorrect inferences, taking unintended actions, or producing results Customer did not anticipate. Customer is responsible for configuring appropriate authorization scopes and review checkpoints before allowing the Service to affect Customer's source code, infrastructure, or third-party systems. 
-### 10.1 Disclaimer of Warranties +Where AI agents acting on Customer's behalf take actions that modify Customer's source code, infrastructure, or third-party systems based on Outputs — for example, editing or deleting code, executing commits, deploying changes, or invoking other systems — Customer is responsible for implementing appropriate human-review checkpoints, authorization controls, and rollback procedures, and bears the risk of those actions. -**THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO:** +### 11.4 Disclaimer -- **MERCHANTABILITY** -- **FITNESS FOR A PARTICULAR PURPOSE** -- **NON-INFRINGEMENT** -- **ACCURACY OR RELIABILITY OF AI-GENERATED CONTENT** -- **AVAILABILITY OR UNINTERRUPTED ACCESS** -- **SECURITY OR FREEDOM FROM VIRUSES** -- **RESULTS OR OUTCOMES FROM USE OF THE SERVICE** +**EXCEPT AS EXPRESSLY SET OUT IN THIS SECTION 11, THE SERVICE AND ALL OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE." OPENTRACE DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. OPENTRACE DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, OR THAT OUTPUTS WILL MEET CUSTOMER'S REQUIREMENTS. FREE SERVICE PLANS ARE PROVIDED WITHOUT ANY WARRANTY OF ANY KIND.** -**AI-SPECIFIC DISCLAIMER**: OpenTrace uses artificial intelligence and large language models that may produce inaccurate, incomplete, biased, or inappropriate output. We do not warrant the accuracy, completeness, or reliability of any AI-generated insights, analysis, or recommendations. You are solely responsible for reviewing, validating, and acting on (or not acting on) AI-generated content. 
+### 11.5 Critical systems warning -### 10.2 Limitation of Liability +**THE SERVICE IS A DIAGNOSTIC, ANALYSIS, AND CODE-INTELLIGENCE TOOL AND IS NOT DESIGNED OR CERTIFIED FOR USE AS THE SOLE BASIS FOR OPERATIONAL DECISIONS IN: (a) LIFE-CRITICAL SYSTEMS, INCLUDING MEDICAL DEVICES, EMERGENCY SERVICES, LIFE-SUPPORT, AND CLINICAL DECISION-MAKING; (b) SAFETY-CRITICAL SYSTEMS, INCLUDING AVIATION, AUTOMOTIVE, RAIL, MARINE, INDUSTRIAL CONTROL, AND NUCLEAR SYSTEMS; (c) FINANCIAL TRANSACTION SYSTEMS SUBJECT TO REGULATORY ACCURACY OR AUDITABILITY REQUIREMENTS; OR (d) ANY OTHER SYSTEM WHERE A FAILURE, ERROR, OR OMISSION COULD REASONABLY BE EXPECTED TO RESULT IN DEATH, PERSONAL INJURY, OR SIGNIFICANT PROPERTY OR FINANCIAL DAMAGE. CUSTOMER IS SOLELY RESPONSIBLE FOR ENSURING APPROPRIATE HUMAN OVERSIGHT, INDEPENDENT VALIDATION, AND PROCEDURAL SAFEGUARDS BEFORE RELYING ON OUTPUTS — OR ACTIONS TAKEN BY THE SERVICE OR BY AI AGENTS ACTING ON OUTPUTS — IN ANY SUCH SYSTEM.** -**TO THE MAXIMUM EXTENT PERMITTED BY LAW, OPENTRACE SHALL NOT BE LIABLE FOR:** +## 12. Limitation of Liability -- **INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES** -- **LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITIES** -- **SYSTEM DOWNTIME OR INCIDENT RESPONSE DELAYS** -- **ERRORS IN AI-GENERATED ANALYSIS OR RECOMMENDATIONS** -- **ACTIONS TAKEN BASED ON SERVICE OUTPUT** -- **UNAUTHORIZED ACCESS TO YOUR DATA** -- **THIRD-PARTY INTEGRATION FAILURES** -- **DAMAGE TO YOUR SYSTEMS FROM SERVICE USE** +### 12.1 Cap on liability -**OPENTRACE'S TOTAL LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATED TO THESE TERMS SHALL NOT EXCEED THE AMOUNT YOU PAID TO OPENTRACE IN THE 12 MONTHS PRECEDING THE CLAIM (OR $100 IF NO FEES WERE PAID).** +**EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE AGREEMENT, WHETHER IN CONTRACT, TORT, OR OTHERWISE, IS LIMITED TO THE GREATER OF (A) ONE HUNDRED U.S. 
DOLLARS ($100) OR (B) THE FEES PAID OR PAYABLE BY CUSTOMER UNDER THE AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE LIABILITY.** -### 10.3 Critical Systems Warning +### 12.2 Exclusion of certain damages -**⚠️ CRITICAL NOTICE**: OpenTrace is a diagnostic and analysis tool. **DO NOT USE OPENTRACE AS THE SOLE BASIS FOR OPERATIONAL DECISIONS IN:** +**EXCEPT FOR EXCLUDED CLAIMS, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY LOST PROFITS, LOST REVENUES, LOSS OF DATA, LOSS OF GOODWILL, OR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.** -- Life-critical systems (medical devices, emergency services) -- Safety-critical systems (aviation, automotive, industrial control) -- Financial transaction systems requiring regulatory compliance -- Any system where failure could result in death, injury, or significant property damage +### 12.3 Excluded Claims -You are solely responsible for human oversight and validation of all Service outputs before taking action. +"Excluded Claims" means: (a) Customer's payment obligations; (b) either party's breach of Section 9 (Confidentiality), excluding breaches arising from a security incident affecting Connected Data, Derived Artifacts, or other Customer Data, which are subject to the cap in Section 12.1; (c) either party's indemnification obligations under Section 13; (d) Customer's violation of Section 5 (Acceptable Use) or of OpenTrace's intellectual property rights; and (e) liability that cannot be excluded or limited under applicable law. -### 10.4 Indemnification +### 12.4 Duty to mitigate -You agree to indemnify, defend, and hold harmless OpenTrace and its officers, directors, employees, and agents from any claims, damages, losses, liabilities, and expenses (including legal fees) arising from: +Each party will use commercially reasonable efforts to mitigate any damages it incurs in connection with the Agreement. 
The limitations of liability in this Section 12 do not relieve a party of its obligation to mitigate. -- Your use or misuse of the Service -- Your violation of these Terms -- Your violation of third-party rights -- Your violation of applicable laws or regulations -- Actions taken based on AI-generated content -- Unauthorized access to systems via integrations -- Your data or content submitted to the Service +## 13. Indemnification ---- +### 13.1 OpenTrace indemnification -## 11. Term and Termination +OpenTrace will defend Customer against any claim by an unaffiliated third party alleging that the Service, when used in accordance with the Documentation and these Terms, infringes that third party's patent, copyright, trademark, or trade secret right ("IP Claim"), and will indemnify Customer for amounts finally awarded against Customer or agreed in settlement of such IP Claim. If the Service becomes, or in OpenTrace's opinion is likely to become, the subject of an IP Claim, OpenTrace may, at its option: (a) procure for Customer the right to continue using the Service; (b) modify the Service so that it is non-infringing; or (c) terminate the affected Service Plan and refund any prepaid fees for the unused portion of the term. The foregoing states OpenTrace's entire liability for IP Claims. This Section 13.1 does not apply to free Service Plans or to OpenTrace Open-Source Components used outside the Service. -### 11.1 Term +### 13.2 Customer indemnification -These Terms begin when you first access the Service and continue until terminated by either party. 
+Customer will defend OpenTrace against any claim by an unaffiliated third party arising out of (a) Customer Code, Connected Data, Derived Artifacts, or other Customer Data, including any claim that they infringe third-party rights; (b) Customer's use of the Service in violation of these Terms or applicable law; or (c) Customer's violation of Section 5, and will indemnify OpenTrace for amounts finally awarded or agreed in settlement of such claim. -### 11.2 Termination by You +### 13.3 Procedure -You may terminate at any time by: +The indemnified party must (a) promptly notify the indemnifying party in writing of the claim; (b) give the indemnifying party sole control of the defense and settlement, except that no settlement may impose any non-monetary obligation on the indemnified party without its consent; and (c) provide reasonable assistance at the indemnifying party's expense. -- Canceling your subscription via the UI -- Emailing support@opentrace.com with termination request -- Closing your account in account settings +## 14. Data Protection and Security -Termination is effective at the end of your current billing period. No refunds for partial periods. +### 14.1 Privacy Statement -### 11.3 Termination by OpenTrace +OpenTrace processes Personal Data as described in the OpenTrace Privacy Statement, which is incorporated into these Terms by reference. -We may suspend or terminate your access immediately if: +### 14.2 Data Processing Addendum -- You breach these Terms -- You fail to pay fees when due -- Your use poses a security risk -- We are required by law to terminate -- We discontinue the Service (with 30 days' notice) +To the extent OpenTrace processes Personal Data on Customer's behalf in the course of providing the Service, the OpenTrace Data Processing Addendum ("DPA") applies and is incorporated by reference. The current DPA is made available to Customer upon written request to legal@opentrace.com. 
Where required, the parties will execute the DPA, including the standard contractual clauses contained therein. -### 11.4 Effect of Termination +### 14.3 Security -Upon termination or expiration of the Service: +OpenTrace will implement and maintain administrative, technical, and physical safeguards designed to protect Connected Data, Derived Artifacts, and other Customer Data against unauthorized access, use, disclosure, alteration, or destruction. Details of OpenTrace's security program are described in the OpenTrace Security Documentation made available to Customer on request, subject to confidentiality obligations. -* Your access to the Service will cease -* You remain responsible for any outstanding fees -* Customer Data will be retained and deleted in accordance with: - * Your organization’s retention settings, and - * Our Privacy Policy -* You may request a data export for a limited period following termination, subject to authentication and security controls +### 14.4 Subprocessors -### 11.5 Data Export +OpenTrace uses Subprocessors to provide the Service. A current list of Subprocessors is published at docs.opentrace.com/subprocessor-list/. OpenTrace will provide notice of any new Subprocessor before that Subprocessor begins processing Customer Data, by updating the list and, where Customer has subscribed to Subprocessor change notifications, by email. 
-You may export your data before termination by: +### 14.5 Security incidents -- Using the data export feature in the UI -- Requesting export via support@opentrace.com -- Accessing data via API (while access is active) +If OpenTrace becomes aware of any actual or reasonably suspected unauthorized access, acquisition, disclosure, or loss of Connected Data, Derived Artifacts, or other Customer Data ("Security Incident"), OpenTrace will notify Customer without undue delay and in any event within the timeframes required by applicable law, and will provide Customer with information reasonably required to satisfy Customer's notification and other obligations under applicable law. -Data exports are provided in JSON format. +## 15. Children ---- +The Service is not directed to children under the age of 13, and OpenTrace does not knowingly collect Personal Data from children. If you are under the age of 13, do not register for or use the Service. If OpenTrace learns that it has collected Personal Data from a child under the age of 13, it will delete that information as quickly as possible. If you believe a child under the age of 13 has provided Personal Data to OpenTrace, please contact privacy@opentrace.com. -## 12. Confidentiality +## 16. General -### 12.1 Confidential Information +### 16.1 Governing law and venue -Confidential Information does **not** include information that: +The Agreement is governed by the laws of the State of Delaware, United States, without regard to its conflict of laws principles. The state and federal courts located in Travis County, Texas have exclusive jurisdiction over any dispute arising out of or relating to the Agreement, and each party consents to the personal jurisdiction of those courts. 
-* Is or becomes publicly available without breach -* Was lawfully known prior to disclosure -* Is independently developed without reference to Confidential Information +### 16.2 Notices -### 12.2 Confidentiality Obligations +Notices to OpenTrace must be sent to legal@opentrace.com with a copy to OpenTrace, Inc., 14205 N Mo Pac Expy Ste 570, PMB 640435, Austin, Texas 78728-6529, USA. Notices to Customer may be sent to the email address associated with Customer's account or to the address set out on the applicable Order Form. Notices are deemed given on receipt. -You agree to: +### 16.3 Order Form and MSA precedence -- Not disclose OpenTrace's Confidential Information -- Use Confidential Information only for authorized purposes -- Protect Confidential Information with reasonable care -- Notify us promptly of any unauthorized disclosure +These Terms govern Customer's use of the Service. If Customer and OpenTrace enter into a separately signed Master Services Agreement, Order Form, or other written agreement that expressly references these Terms, such agreement governs in respect of the matters expressly addressed therein, and these Terms continue to govern all other matters. In the event of a conflict between these Terms and a separately signed Order Form or MSA, the separately signed agreement prevails for the matters expressly addressed therein. -We will treat your data and account information as confidential pursuant to our Privacy Policy. +### 16.4 Assignment ---- +Neither party may assign or transfer the Agreement without the other party's prior written consent, except that either party may assign the Agreement, on notice but without consent, to an Affiliate or in connection with a merger, acquisition, or sale of substantially all of its assets. Any other purported assignment is void. -## 13. 
General Legal Terms +### 16.5 Force majeure -### 13.1 Governing Law +Neither party is liable for any failure or delay in performance (other than payment obligations) caused by circumstances beyond its reasonable control, including acts of God, war, terrorism, civil unrest, labor disputes, internet or telecommunications failures, governmental orders, and pandemics. -These Terms are governed by the laws of Delaware, USA, without regard to conflict of law principles. +### 16.6 Independent contractors -### 13.2 Dispute Resolution +The parties are independent contractors. The Agreement does not create an agency, partnership, joint venture, or employment relationship. -Any dispute arising from these Terms shall be resolved exclusively in the state or federal courts located in Delaware, USA. You consent to personal jurisdiction in these courts. +### 16.7 Severability and waiver -### 13.3 Class Action Waiver +If any provision of the Agreement is held unenforceable, the remaining provisions remain in effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable. A waiver is effective only if in writing and signed by the waiving party, and a waiver of any breach is not a waiver of any subsequent breach. -You agree to resolve disputes with OpenTrace on an individual basis. You waive the right to participate in class actions, class arbitrations, or representative actions. +### 16.8 Entire agreement -### 13.4 Modifications to Terms +The Agreement constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous communications, whether oral or written. The applicable open-source license for OpenTrace Open-Source Components governs Customer's use of those components in standalone, local-only configurations and is not superseded by these Terms. 
-We may modify these Terms at any time by: +### 16.9 Modifications to these Terms -- Posting updated Terms on our website -- Notifying you via email or in-app notification -- Requiring acceptance of new Terms on next login (for material changes) +OpenTrace may update these Terms from time to time. For material changes affecting Paid Service Plans, OpenTrace will provide at least thirty (30) days' advance notice by email or through the Service. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Terms. If Customer does not agree to a change, Customer's sole remedy is to terminate the affected Service Plan before the effective date of the change. -Continued use after changes constitutes acceptance. If you disagree with changes, your sole remedy is to terminate your account. +### 16.10 U.S. Government end users -### 13.5 Assignment +The Service is "commercial computer software" and the Documentation is "commercial computer software documentation," each as defined in 48 C.F.R. § 2.101. Use, duplication, and disclosure by U.S. Government end users are subject to the restrictions in these Terms. -You may not assign or transfer your rights under these Terms without our written consent. We may assign these Terms without your consent in connection with a merger, acquisition, or sale of assets. +### 16.11 Export and sanctions -### 13.6 Entire Agreement +Customer must comply with all applicable export control and economic sanctions laws. Customer represents that it is not located in, and is not a national of, any country subject to comprehensive U.S. sanctions, and is not on any U.S. or other applicable restricted-party list. -These Terms, together with our Privacy Policy and any additional agreements you enter into with OpenTrace, constitute the entire agreement between you and OpenTrace and supersede all prior agreements, understandings, and communications. 
+### 16.12 Limitation of actions -### 13.7 Severability +Except for claims relating to either party's intellectual property rights, claims arising from a violation of Section 5 (Acceptable Use), or claims that under applicable law cannot be subject to a contractual limitation period, no action, regardless of form, arising out of or relating to the Agreement may be brought by either party more than one (1) year after the cause of action accrued. -If any provision of these Terms is found unenforceable, the remaining provisions remain in full effect, and the unenforceable provision is modified to the minimum extent necessary to make it enforceable. +### 16.13 Notice of dispute and cure period -### 13.8 No Waiver +Before initiating any legal proceeding arising out of or relating to the Agreement, the party with the claim will give the other party written notice describing the claim in reasonable detail and a period of thirty (30) days from receipt of that notice to cure or otherwise resolve the matter. This Section 16.13 does not apply to actions for injunctive, equitable, or other emergency relief, or to proceedings to enforce indemnification obligations once the underlying third-party claim has been finally resolved. Notices under this Section must be sent in accordance with Section 16.2 (Notices). -Our failure to enforce any provision does not waive our right to enforce it later. Any waiver must be in writing and signed by an authorized representative. +### 16.14 Class action waiver -### 13.9 Force Majeure +Each party agrees that any dispute arising out of or relating to the Agreement will be brought solely on an individual basis, and not as a plaintiff or class member in any purported class, collective, consolidated, or representative proceeding. To the extent permitted by applicable law, each party waives any right to participate in any class, collective, consolidated, or representative action. 
-We are not liable for delays or failures due to causes beyond our reasonable control, including: +### 16.15 Survival -- Natural disasters, pandemics, or acts of God -- War, terrorism, or civil unrest -- Government actions or regulations -- Labor disputes or strikes -- Internet or telecommunications failures -- Third-party service provider failures (Google Cloud, etc.) +Sections of these Terms that by their nature should survive termination or expiration of the Agreement will so survive, including without limitation Section 4 (Customer Code, Derived Artifacts, and Outputs), Section 8.5 (Effect of termination), Section 8.6 (Data export and deletion), Section 9 (Confidentiality), Section 10 (Intellectual Property), Section 12 (Limitation of Liability), Section 13 (Indemnification), Section 14 (Data Protection and Security), and Section 16 (General). -### 13.10 Export Compliance - -You represent that you are not located in a country subject to U.S. embargo or designated as a "terrorist supporting" country, and you are not on any U.S. government list of prohibited or restricted parties. - -You agree to comply with all export and import laws when using the Service. - -### 13.11 Government Use - -If you are a U.S. government entity, OpenTrace is a "commercial item" as defined in FAR 2.101, and licensing is in accordance with these Terms. - -### 13.12 Notices - -Notices to you may be sent to the email address associated with your account. Notices to OpenTrace should be sent to: - -OpenTrace, Inc
-14205 N MO PAC EXPY, STE 570, PMB 640435
-Austin, TX 78728, USA - -### 13.13 Relationship - -These Terms do not create a partnership, joint venture, employment, or agency relationship between you and OpenTrace. - ---- - -## 14. Contact Information - -For questions about these Terms, contact us at: - -**Email**: support@opentrace.com
-**Address**: 14205 N MO PAC EXPY, STE 570, PMB 640435
-Austin, TX 78728, USA
-**Website**: https://opentrace.com - ---- - -## 15. Definitions - -- **"Account"**: Your registered user account for accessing the Service -- **"AI"**: Artificial intelligence, including large language models (LLMs) -- **"API"**: Application Programming Interface provided by OpenTrace -- **"Evidence"**: Files, screenshots, logs, or data collected during an investigation -- **"Integration"**: Connection to third-party services like GitHub, Slack, Grafana -- **"Investigation"**: A specific incident analysis session in OpenTrace -- **"MCP"**: Model Context Protocol for tool integration -- **"Organization"**: Multi-user tenant account in OpenTrace -- **"Service"**: OpenTrace Insight Platform and all related services -- **"Timeline"**: Chronological record of investigation events and AI agent actions -- **"You"**: The individual or entity using OpenTrace - ---- - -**END OF TERMS OF SERVICE** +_— End of Terms of Service —_ diff --git a/mkdocs.yml b/mkdocs.yml index f75efe9..1071a8a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -18,7 +18,7 @@ theme: favicon: assets/favicon.ico palette: scheme: slate - font: false # Loaded via CSS for full control + font: false # Loaded via CSS for full control features: - navigation.instant - navigation.tracking 
@@ -63,17 +63,18 @@ nav: - Home: index.md - Getting Started: getting-started.md - Integrations: - - Overview: integrations/index.md - - AI Assistants: - - Claude Code: integrations/claude-code.md - - Claude Web: integrations/claude-web.md - - GitHub Copilot: integrations/github-copilot.md - - Data Sources: - - GitHub: integrations/github.md - - GitLab: integrations/gitlab.md - - Excluding Files from Data Sources: otignore.md - - AWS EKS (Early Access): integrations/aws-eks.md + - Overview: integrations/index.md + - AI Assistants: + - Claude Code: integrations/claude-code.md + - Claude Web: integrations/claude-web.md + - GitHub Copilot: integrations/github-copilot.md + - Data Sources: + - GitHub: integrations/github.md + - GitLab: integrations/gitlab.md + - Excluding Files from Data Sources: otignore.md + - AWS EKS (Early Access): integrations/aws-eks.md - What You Can Do: capabilities.md - Example Workflows: workflows.md - Privacy Policy: privacy-policy.md - Terms of Service: terms-of-service.md + - Subprocessor List: subprocessor-list.md
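Review bot: In the docs/terms-of-service.md hunk, the new Sections 16.12, 16.13 and 16.15 cite other sections by number and title (Section 5 (Acceptable Use), Section 16.2 (Notices), and the Survival list running from Section 4 to Section 16), so each of those references needs checking against the final headings now that the old 13.x clauses are renumbered; a stale number in 16.15 would silently change which obligations, including Section 8.6 (Data export and deletion) and Section 14 (Data Protection and Security), outlast termination. The same part of the hunk removes 13.9 Force Majeure, 13.10 Export Compliance, 13.11 Government Use and the whole "15. Definitions" list, and none of the added lines visible here replace them, so please confirm each was moved elsewhere in the new text rather than dropped, in particular the definition of "Service" and the export-compliance representation.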
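Review bot: In the first mkdocs.yml hunk (@@ -18,7 +18,7 @@), the removed and added `font: false # Loaded via CSS for full control` lines differ only in the whitespace before the comment. That is formatter churn unrelated to the legal-text update; drop it or move it to a separate formatting commit so the history of this file stays readable.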
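Review bot: In the second mkdocs.yml hunk (@@ -63,17 +63,18 @@), the one functional change, the new `- Subprocessor List: subprocessor-list.md` entry at the end of `nav`, is buried under ten nav lines that are removed and re-added with identical text and only their indentation changed. YAML nesting depends on that indentation, so please confirm that Overview, AI Assistants and Data Sources still nest under Integrations as before, and split the re-indent into its own commit. Also confirm that docs/subprocessor-list.md is added in this same change, since a nav entry pointing at a missing file leaves a broken link in the published legal pages; running `mkdocs build --strict` before merging would catch both problems.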