Frequently asked questions.

Tracelight runs 32 OSINT (Open-Source Intelligence) workers in parallel against a single subject — name, email, phone, alias, IP, or domain — and produces a structured profile with citation-anchored evidence. Every claim in the report links back to the exact API response that produced it.

As little as one identifier. Examples: a name, email address, phone number, social media username, IP address, domain, or photo. The more identifiers you can provide up-front, the higher the cross-source verification rate on the resulting findings.

A single subject typically completes in 60–90 seconds. A full M&A team of 6–10 executives takes 5–8 minutes total. Reports generate in under 30 seconds once enrichment is done.

Breach indices (HIBP, Dehashed, IntelX, BreachDirectory), sanctions lists (OFAC, EU, UK, UN), court records (PACER + state systems), corporate registries (Companies House, OpenCorporates), social media (Twitter/X, LinkedIn, Telegram, GitHub, Reddit, and 30+ others via username probe), adverse media (80,000+ news sources), dark-web monitoring, IP/domain intelligence (Shodan, AbuseIPDB, VirusTotal), and image analysis (Google Vision OCR + reverse image).

Public pricing starts at $49/month (Starter, 25 cases). Pro and Agency tiers scale up. Every plan includes the full feature set — Lookup, Watch, Vetting, and Intel — no per-module pricing. See /pricing for the current tiers.

Yes — every plan includes a 7-day free trial. No credit card required to start. You get the full feature set during the trial, including running real cases.

Not as a published plan today. Solo PIs running fewer than 5 cases per month often get the most value from the Starter monthly plan ($49/mo for 25 cases) — substantially cheaper per case than competitor pay-as-you-go pricing once you run more than two cases.

Yes. Subscriptions are month-to-month with no annual commitment. Cancellation takes effect at the end of the current billing period and your data stays accessible during that window.

Every piece of evidence is timestamped, hash-locked, and traces back to a specific API call. Multiple investigators have used Tracelight evidence in subrogation actions and litigation. Always coordinate with your counsel for jurisdictional admissibility, but the underlying audit trail is built to survive cross-examination.

Tracelight is a tool — your organization (or your CRA partner) is the reporter. We help you stay FCRA-compliant by enforcing consent capture, recording timestamps, providing pre-built adverse-action notice templates, and audit-logging every viewer/download. You remain the data controller.

We provide per-subject DSAR (data subject access request) export endpoints in JSON format. Per-workspace data retention controls are configurable, with an automatic purge cron that respects your retention window.

Encrypted at rest in Supabase Postgres (US region by default). Workspace isolation is enforced at the database level via Row-Level Security — your investigation data is never visible to other workspaces, including ours. Slack OAuth tokens and other long-lived secrets are AES-256-GCM encrypted at the application layer.

Yes — every case can be shared via a signed read-only URL with token expiry, view tracking, and download counts. Editors, counsel, and clients never need to log in.

Slack (full OAuth bot + slash command), Discord, Microsoft Teams, generic JSON webhooks, Zapier-compatible event subscriptions, inbound email forwarding (forward an email to inbox+slug@trytracelight.com to auto-create a subject), and a public REST API at /api/v1.

Today, no — we run a fixed set of OSINT workers. On the roadmap: a worker SDK that lets you plug your own data source into the enrichment pipeline.

Yes, fully documented at /docs. Bearer-token auth, rate-limited per plan tier, hourly enrichment caps with 429/Retry-After. Build your own integrations or wire Tracelight into your existing case-management system.

Only people you invite. Workspace isolation is enforced at the database level — Supabase Row-Level Security gates every query by your workspace_id. Our team can access your data only when you grant explicit support access (rare, time-limited).

No. Investigation data, evidence, and reports are never used for model training. The Claude API calls we make for narrative generation are stateless — Anthropic's enterprise API doesn't retain or train on prompts.

Not yet. Architecture is SOC 2-ready (encrypted at rest + in transit, RLS isolation, full audit logging, no shared infra) but formal audit is on the 2026 roadmap once customer demand justifies the cost.

Hosted on Vercel (US-East primary, global edge for static assets) with Supabase as the database. Status updates at our internal dashboard; automated nightly backups. We don't currently publish a status page or SLA — small enough operation that the founder gets paged on incidents.

Email support@trytracelight.com. We aim to respond within one business day on the Starter plan; faster on Pro and Agency. There's no 24/7 hotline today — we're a small operation.