Privacy & data handling
Last updated: May 2026 · Beta
Summary
TraceForge stores valve package documents (ITPs, Data Books, BOMs) per project under your user account. Processing uses third-party document AI services. This page describes what the application does today — your organization's deployment and contracts may add further policies.
What we store
- Account data: email address and a bcrypt password hash in the application database.
- Project metadata: project name and identifiers linked to your account.
- Project files: uploaded PDFs, search indexes, parse caches, and output logs under storage/users/<user_id>/projects/<project_id>/ on the server where the API runs.
Files are not shared across users or projects. Other customers cannot access your projects when authentication is enabled.
Third-party processing
To parse ITPs and Data Books and to organize or search content, the API sends document content to:
- LlamaCloud (LlamaParse) — table and text extraction from uploaded PDFs.
- Google Gemini — embeddings for Data Book search; ITP organization and summaries.
Those services are governed by their own terms and privacy policies. API keys are configured on the server (typically by your administrator). For sensitive packages, use deployments where your organization controls keys, network egress, and data processing agreements.
Retention and deletion
- Data remains until you delete the project (Projects screen) or remove files from the server filesystem.
- Deleting a project removes its database record and deletes the on-disk project folder (Data Book, indexes, caches, outputs).
- Deleting a project does not delete your user account.
Backups, if any, are the responsibility of whoever operates the server. Ask your administrator about backup retention.
Security expectations (production)
Operators hosting this app for others should:
- Enable HTTPS (TLS) in front of the API and web UI.
- Set VALVE_ENV=production, a strong VALVE_JWT_SECRET, and never use VALVE_AUTH_DISABLED in production.
- Use encrypted disks or volumes for storage/.
- Restrict network access to the API and keep secrets out of git.
See docs/PRODUCTION_SECURITY.md in the repository for a full checklist.
Your responsibilities
- Do not commit .env, Data Book PDFs, or storage/ to git.
- Use strong passwords; do not share accounts.
- Confirm that sending package documents to cloud AI providers is acceptable for your contract and employer before uploading real vendor data.
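The environment settings under "Security expectations (production)" and the do-not-commit list above can be checked before a deployment. The following is an added example, not code from the TraceForge repository; the function names, the 32-character minimum, the distinct-character floor, the accepted "on" values for VALVE_AUTH_DISABLED, and the choice to flag every PDF are assumptions.

```python
# Added example: pre-deployment check for the settings named on this page.
# Assumptions (not taken from the application's code): the 32-character
# minimum, the distinct-character floor, and which values of
# VALVE_AUTH_DISABLED count as "on".
MIN_SECRET_LEN = 32
MIN_DISTINCT_CHARS = 8
TRUTHY = {"1", "true", "yes", "on"}


def check_env(env):
    """Return findings for a mapping of environment variables."""
    findings = []
    if env.get("VALVE_ENV", "") != "production":
        findings.append("VALVE_ENV is not 'production'")
    secret = env.get("VALVE_JWT_SECRET", "")
    if len(secret) < MIN_SECRET_LEN:
        findings.append("VALVE_JWT_SECRET is missing or too short")
    elif len(set(secret)) < MIN_DISTINCT_CHARS:
        findings.append("VALVE_JWT_SECRET is long but repetitive")
    if env.get("VALVE_AUTH_DISABLED", "").strip().lower() in TRUTHY:
        findings.append("VALVE_AUTH_DISABLED is set")
    return findings


def check_tracked_paths(tracked):
    """Return paths (as listed by `git ls-files`) that should not be in git."""
    flagged = []
    for path in tracked:
        parts = path.replace("\\", "/").split("/")
        name = parts[-1].lower()
        # Flagging every PDF is an assumption; the page names Data Book PDFs.
        if name == ".env" or name.endswith(".pdf") or "storage" in parts[:-1]:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Constructed sample inputs; in use, pass os.environ and `git ls-files` output.
    sample_env = {"VALVE_ENV": "development", "VALVE_JWT_SECRET": "changeme",
                  "VALVE_AUTH_DISABLED": "true"}
    sample_tracked = ["api/main.py", ".env", "storage/users/1/projects/2/cache.json"]
    for finding in check_env(sample_env):
        print("env:", finding)
    for path in check_tracked_paths(sample_tracked):
        print("tracked in git:", path)
```

Both functions return an empty list when nothing is wrong, so a CI step can fail the build on any non-empty result.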
Contact
For privacy or security questions about a specific deployment, contact the team that operates your instance (not this generic beta page). Replace the site contact email in the footer with your operator address.