Privacy Policy

Last updated: April 30, 2026

Glasstrace is operated by Main Street Integrations LLC. This Privacy Policy explains how Glasstrace collects, uses, shares, and retains data for the Glasstrace SDK, MCP server, dashboard, website, and browser extension.

Glasstrace is a development debugging tool. It is designed to observe errors, traces, and browser actions in development and staging workflows so developers and their AI coding agents can debug more effectively.

For privacy, data access, deletion, or security requests, contact security@glasstrace.dev. A dedicated support alias is tracked separately and may replace this contact path later.

When you create or use a Glasstrace account, we collect account and service metadata such as:

  • email address
  • authentication session metadata
  • API key metadata, key prefixes, and key hashes
  • subscription status, trial status, and account lifecycle events
  • domain allowlist entries that you add to your account
  • account configuration settings, including capture settings

We do not need your raw API key after it is created. Store API keys only in server-side environment variables and revoke any key that is accidentally exposed.

The Glasstrace SDK sends server-side trace data to the Glasstrace ingestion API. Depending on your application and configuration, trace data may include:

  • route, URL path, HTTP method, status code, and duration
  • error messages, error categories, and stack trace metadata
  • OpenTelemetry span names, timing, and attributes
  • ORM and database operation metadata such as model, operation, and duration
  • outbound fetch target, method, status, and timing metadata
  • source-mapped file names and line numbers when source maps are uploaded
  • correlation IDs used to link browser actions to server traces
  • environment variable names referenced in error context

Glasstrace does not capture request bodies by default.

Error response-body capture is off by default. If an account owner enables it, the SDK may attach failed HTTP response bodies for 4xx and 5xx responses. Those bodies may contain personal data, authentication artifacts, signed URLs, or user-supplied content if the application returned those values in the failed response.

Account owners should enable response-body capture only for projects where they are authorized to collect that data for debugging. Disabling the setting stops new response-body retention, but does not erase bodies already retained. Export and erasure requests can be sent to the contact address above.

More detail is available in Response-Body Capture.

The Glasstrace browser extension observes allowlisted development domains. It may collect:

  • gesture type, such as click, submit, or keypress
  • event timestamps
  • element fingerprints, such as data-testid, id, aria-label, component name, or class fallback
  • outbound request URLs, HTTP methods, and timing metadata
  • console errors, truncated and filtered for common credential patterns
  • the x-gt-cid correlation UUID used to link browser actions to server traces

The extension does not collect form input values, passwords, cookies, request bodies, response bodies, non-error console output, or browsing activity outside allowlisted development domains.

The SDK may write local Glasstrace configuration and anonymous credentials under .glasstrace/ in your project. The browser extension stores auth state, domain allowlist state, and temporary observation buffers in Chrome extension storage.

The public website may use Vercel Analytics or similar first-party deployment analytics to understand aggregate page usage and site health.

We use data to:

  • provide trace ingestion, MCP tools, dashboard views, and browser correlation
  • link anonymous traces to a signed-in account when you complete the claim flow
  • run AI root-cause enrichment and test-suggestion features when enabled
  • operate, secure, debug, and improve the service
  • enforce rate limits, retention windows, subscription status, and account controls
  • respond to support, privacy, security, export, erasure, and purge requests
  • maintain audit records for sensitive operator actions

We share data only as needed to operate Glasstrace. Service providers may include infrastructure, database, queue, object-storage, analytics, billing, and AI-enrichment providers. These providers process data for the service purposes described in this policy.

When AI enrichment is enabled, relevant trace and error context may be sent to AI model providers so Glasstrace can generate root-cause analysis or test suggestions. Do not enable optional response-body capture unless you are comfortable with retained failed-response content being used for the debugging features you request.

We may disclose data if required by law, to protect the service, or to prevent abuse.

Glasstrace applies tier-based retention windows:

  • anonymous traces: 48 hours
  • trial and trial-expired accounts: 7 days
  • Pro and Pro-lapsed accounts: 90 days

Account deletion starts a purge process for account-domain data. User-requested erasure may be handled immediately or through an operator-controlled purge workflow depending on the request and affected data.

If you enable Glasstrace for an application that processes your own users’ data, you are responsible for making sure you have authority to send that data to Glasstrace. For optional response-body content captured from your application, you decide whether capture is enabled; Main Street Integrations LLC processes that retained content to provide the Glasstrace debugging service.

Glasstrace is designed with a small data footprint:

  • the SDK disables itself in production environments unless explicitly forced
  • anonymous traces expire quickly
  • non-localhost browser extension capture requires an authenticated account and explicit domain allowlisting
  • console errors are filtered for common credential patterns
  • response-body capture is off by default
  • operator export, erasure, purge, and capture-control actions are audited

No system is perfectly secure. If you believe you found a vulnerability, contact security@glasstrace.dev.

You can:

  • use anonymous mode without creating an account
  • revoke or rotate API keys in account settings
  • remove domains from your allowlist
  • disable optional error response-body capture
  • request access, export, erasure, or account deletion by contacting us

We may update this policy as Glasstrace changes. The latest version will be published at this URL.