Placeholder page. The formal Terms of Service, Acceptable Use Policy, and Data Processing Addendum are being finalized for the Flavor B public launch. The summary below is the current operating posture; the binding documents will replace this page when they ship.
Tracebind ships under a split license. Utility packages (types,
config, logger, autobrowser-client,
normalize, schema, openapi) are
Apache 2.0. The capture engine
(@tracebind/capture) is AGPSL v4 — source-available for
inspection, free for individuals, accredited educational institutions,
and nonprofits; commercial use requires a paid Tracebind license. Premium
SDK generators, the dashboard, the controller, and the MCP emitter ship
under BUSL 1.1 with a Change Date of 2030-05-20, after which they
convert to Apache 2.0. The authoritative PACKAGES.md
matrix ships with the product and is provided to customers and design
partners.
Tracebind is local-first by default. Captures stay on the operator's infrastructure unless the customer chooses to push artifacts to the public bucket. The private bucket serves only signed-URL pulls; URL issuance is the auditable moment. Customers control retention, signing, and per-bucket region selection (subject to tier). The full data flow and residency policy ships with the formal DPA.
Vulnerability reports go to security@tracebind.dev. We acknowledge within one business day. Coordinated disclosure timeline is 90 days from acknowledgement; expedited where active exploitation is observed. PGP key on request.
ArmoredGate LLC. Operations in the United States. hello@tracebind.dev for general inquiries; /contact for sales, partnerships, and press.
Last updated: 2026-05-22. Subject to replacement by formal Terms before public launch.