Privacy Policy

TrueUser, Inc. (“TrueUser,” “we,” “us”) operates trueuser.dev and the API at api.trueuser.dev. We are the data controller for account information you give us, and a data processor for the email addresses and signup metadata your application sends to /api/v1/verify.

Account data

• Email address, name, and avatar from your OAuth provider when you sign in.
• API keys you generate (we store only a hashed prefix).
• Verdict-rule configuration and dashboard preferences you save.

Verification request data

Each call to /api/v1/verify is persisted as one row, owned by your account. The row contains:

• The email being verified, plus any optional username, ip, user_agent, and free-form metadata you pass through.
• The verdict and signal scores we computed (disposable, alias, role-account, batch-cluster score, suspicious-pattern score, etc.) and the one-line reasoning.
• Server latency, the API key id that issued the request, and token-usage counts from the model call.

For up to one hour, the most recent verifications for your account are also held in process memory so the model can detect batch signups across requests.

Operational data

• Standard server logs (IP, user-agent, request path) for abuse-prevention and debugging.
• Anonymous product analytics on the marketing site and dashboard via Google Analytics.

• To run the verification you requested and return a verdict.
• To power your dashboard — the verifications table, signal charts, and batch-cluster detection across your recent traffic.
• To meter usage for billing and rate limits.
• To detect abuse of the service (e.g. credential stuffing against the API) and to improve the product.

We do not sell your data, and we do not use the email addresses your application submits to train any model.

We use a small number of vendors to operate the service. Each sees only what it needs to do its job.

• Google (Gemini API) — receives the email under check plus a short list of recent registrations from your account, to score the signals. Inputs and outputs are processed under Google’s API terms.
• Cloud hosting and Postgres provider — stores verification rows and account data at rest.
• OAuth providers — handle sign-in. We receive only the profile fields you authorize.
• Stripe — processes payments if you upgrade to a paid plan. We never see your card data.

• Verification rows are kept for as long as your account is active so the dashboard and batch-cluster detection have history to work with. You can request earlier deletion at any time.
• The in-memory recent-registrations cache trims entries older than one hour automatically.
• When you delete your account we remove account records and disassociate verification rows from you within 30 days.

You can access, export, correct, or delete your data by emailing us. If you are in the EEA, UK, or California you have additional rights under GDPR / CCPA — including the right to object to processing and to lodge a complaint with your supervisory authority.

Data in transit is encrypted with TLS. API keys are hashed before storage and shown to you only once at creation time. Database access is restricted to production services and a small number of administrators.

Our infrastructure runs in the United States. By using TrueUser, you consent to the transfer and processing of data there, subject to the safeguards above.

TrueUser is a developer tool and is not directed at children under 13. We do not knowingly collect personal data from children.

We may update this policy. Material changes will be announced in the dashboard or by email at least 14 days before they take effect. The “Last updated” date at the top reflects the latest version.

Questions, requests, or concerns: [email protected].