Privacy Policy

We collect information through several methods depending on how you interact with the Service:

1.1 Information You Provide Directly

• Account Registration: Name, email address (via Google OAuth), and profile information provided through your Google account.
• Report Requests: Company name, website URL, social media URLs, industry, business model, team size, annual revenue range, business goals, pain points, and other form fields submitted for AI report generation.
• Payment Information: Billing details processed securely through Stripe. We do not store credit card numbers on our servers.
• Campaign Data: Email content, lead information, target audience descriptions, campaign configurations, and outreach materials provided for managed campaigns.
• Communications: Messages, emails, and support requests you send to us.

1.2 Information Collected Automatically

• Device and Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Usage Data: Pages visited, features used, click patterns, session duration, referring URLs, and interactions with the Platform.
• Authentication Data: OAuth tokens and session identifiers necessary to maintain your authenticated state.
• Security Data: Cloudflare Turnstile verification tokens and associated metadata for bot protection.

1.3 Information from Third-Party Services

• Google OAuth: Your name, email address, and profile picture as authorized during sign-in.
• Instantly: Campaign analytics, email delivery data, reply content, and lead engagement metrics (accessed via your API credentials).
• Stripe: Subscription status, payment history, and billing information.

1.4 Information from Public Sources

When generating AI reports, our research agents collect publicly available information about your business from sources including your website, social media profiles, review platforms, job postings, news articles, and public business registries. This information is used solely for report generation.

We use the information we collect for the following purposes:

2.1 Service Delivery

• Operating and maintaining the Trevexia Platform.
• Generating AI Business Intelligence Reports using our multi-agent orchestration system.
• Managing outreach campaigns on your behalf, including prospect research, sequence execution, and reply handling.
• Classifying inbound messages and generating response drafts for your review.
• Processing payments and managing subscriptions.
• Authenticating your identity and maintaining session security.

2.2 Service Improvement

• Analyzing usage patterns to identify and fix bugs, improve performance, and enhance features.
• Training and improving our AI models using anonymized and aggregated data patterns (never raw client data).
• Conducting internal research and analytics to improve service quality.

2.3 Communication

• Sending transactional notifications (report completion, campaign alerts, system status).
• Providing customer support and responding to your inquiries.
• Sending marketing communications about new features and services (only with your consent; you may opt out at any time).

2.4 Security and Compliance

• Detecting, preventing, and responding to fraud, abuse, and security threats.
• Enforcing our Terms of Service and acceptable use policies.
• Complying with legal obligations, court orders, and regulatory requirements.

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:

• Contractual Necessity: Processing required to perform our contract with you (e.g., providing the Service, generating reports, managing campaigns).
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Service, ensuring security, and conducting analytics, where these interests are not overridden by your data protection rights.
• Consent: Processing based on your explicit consent, such as marketing communications. You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations.

We do not sell, rent, or trade your personal data. We share your information only in the following circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist in operating the Service, subject to contractual obligations to protect your data:

• Supabase (Postgres + Auth): Database hosting and user authentication. Data stored in Frankfurt, Germany (EU region).
• Vercel: Platform hosting and deployment. Edge functions execute in the region closest to the user.
• Stripe: Payment processing. PCI DSS Level 1 certified.
• Cloudflare: Bot protection (Turnstile), DDoS mitigation, and CDN services.
• Google: OAuth authentication services.
• Perplexity AI: Research queries for AI report generation (company-level data only; no personal information is transmitted).
• KIE AI: AI model inference for content analysis and generation.
• DataForSEO: SEO and web analytics data for report generation.
• Resend: Transactional email delivery.

4.2 Connected Platforms (Your Authorization)

When you connect Third-Party Services via API credentials, data flows between the Service and those platforms as directed by you. This includes Instantly (email campaigns) and Telegram (notifications).

4.3 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of such a transfer and any changes to this Privacy Policy.

We implement comprehensive technical and organizational measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Data stored in our database is encrypted using AES-256 encryption.
• Workspace Isolation: Row-Level Security (RLS) policies ensure strict data isolation between different client workspaces. No client can access another client's data.
• Credential Security: API keys and sensitive credentials are encrypted using application-level AES encryption before storage.
• Authentication Security: Multi-factor authentication support via Google OAuth. Session tokens are securely managed with automatic expiration.
• Infrastructure Security: Hosted on Vercel and Supabase with enterprise-grade infrastructure security, automatic patching, and DDoS protection via Cloudflare.
• Access Controls: Role-based access control (admin, client, viewer) limits data access based on user permissions.

While we strive to protect your data using industry best practices, no system is completely secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and safeguard your account credentials.

We retain your data according to the following schedule:

• Active Account Data: Retained for the duration of your account and active Subscription.
• AI Reports: Retained indefinitely while your account is active. Deleted 30 days after account termination.
• Campaign and Lead Data: Retained for the duration of your Subscription plus 30 days after termination.
• Payment Records: Retained for 7 years to comply with tax and financial reporting obligations.
• Usage and Analytics Data: Retained in anonymized, aggregated form indefinitely for service improvement. Individual session data is purged after 90 days.
• Support Communications: Retained for 2 years after the last interaction.
• Backups: Encrypted backups containing account data are purged within 90 days of account deletion.

You may request earlier deletion of your data at any time by contacting us at contact@trevexia.com, subject to any legal retention obligations.

Depending on your location, you may have the following rights regarding your personal data:

7.1 Rights Under GDPR (EEA/UK Residents)

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
• Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, machine-readable format (JSON or CSV) and transmit it to another service.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: File a complaint with your local data protection authority.

7.2 Rights Under CCPA (California Residents)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: Request deletion of personal information we have collected from you.
• Right to Opt-Out of Sale: We do not sell personal information. If this changes, we will provide a clear opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

7.3 Rights Under UAE PDPL

Residents of the United Arab Emirates have rights under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), including the right to access, correct, and delete personal data, and the right to object to processing. We comply with all applicable UAE data protection requirements.

To exercise any of these rights, please contact us at contact@trevexia.com. We will respond to verified requests within 30 days (or sooner, as required by applicable law).

Your data may be processed in countries other than your country of residence, including the United States, European Union, and United Arab Emirates. When transferring data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.
• Data Processing Agreements (DPAs) with all service providers that process personal data on our behalf.
• Selection of service providers with recognized security certifications (SOC 2, ISO 27001, PCI DSS).

We use a minimal set of cookies and similar technologies:

We do not use:

• Third-party advertising or retargeting cookies.
• Cross-site tracking pixels or beacons.
• Fingerprinting or device-identification technologies for advertising purposes.

You may control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that information. If you believe a child has provided us with personal data, please contact us at contact@trevexia.com.

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry-wide standard for DNT, we do not currently respond to DNT signals. However, as stated above, we do not engage in cross-site tracking for advertising purposes.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last updated" date at the top of this page.
• We will notify registered users via email at least 15 days before material changes take effect.
• We may display a notice on the Platform.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data protection inquiries from EEA residents, you may also contact your local supervisory authority.