What we collect, why, and for how long.
TrueCom Labs, Inc. operates the managed plane of the TrueCom protocol. This policy describes what data the managed plane collects, the lawful bases for processing, retention, and your rights. The OSS reference client collects nothing on its own.
Who is the controller.
TrueCom Labs, Inc. (Delaware C-corporation) is the data controller for the managed plane. Subprocessors (cloud, HSM, observability, support) act as processors under data-processing agreements that mirror our obligations to you.
What we collect.
Account-level data: company name, billing contact email, billing address, tax registration number where applicable. We use this to invoice and to respond to support requests.
Operational data: per-transaction metadata (timestamp, scope, rail, counterparty public key, transaction hash). We do not collect transaction payloads. Receipts are stored in their signed form; the signed form does not contain end-user PII unless your application includes it explicitly.
Telemetry: error reports, request latency, rail dispatch counts. Telemetry is aggregated at the tenant level and is used to operate the service. Telemetry is not sold and is not shared with third parties for advertising.
Marketing site: standard server-side request logs (IP address, user agent, requested URL) retained for 30 days for security and operational purposes. We do not run third-party analytics scripts on truecom.ai.
What we do not collect.
We do not run third-party advertising trackers. We do not sell or rent any user data. We do not collect biometric, health, or payment-card data. We do not retain DPoP private key material; DPoP keys are session-scoped and discarded after the session closes.
Retention.
Operational receipts: retained for the contractual retention window agreed in the order form, default seven years (matches the longest applicable financial-records retention period in our markets). Receipts can be exported and deleted on customer request, except where retention is mandated by applicable law (e.g., AML hold).
Account-level data: retained for the duration of the customer relationship plus seven years after termination for tax and audit purposes.
Server logs: 30 days. Aggregated telemetry: 13 months. Support tickets: three years from resolution.
Sharing.
We share with: cloud infrastructure providers (currently AWS), payment-processor counterparties on the rails our customers transact through, and government bodies where required by lawful process. We do not sell. We do not share with marketing third parties.
Cross-border transfer: managed plane data is processed in the United States and Canada. EU customer data is processed under standard contractual clauses where applicable.
Your rights.
You may access, correct, export, or delete your personal data by writing to [email protected]. We respond within 30 days. EU residents have additional rights under GDPR; California residents under CCPA/CPRA; Canadian residents under PIPEDA. We honor all of them.
If your data was processed on behalf of a TrueCom customer (i.e., we are a processor and they are the controller), please contact the controller directly. We will assist them in fulfilling their obligations to you.
Updates.
Material changes to this policy are announced on the changelog and emailed to billing contacts at least 30 days in advance. The current revision date is at the bottom of this page.
For questions: [email protected].
Last updated 2026-04-26.