Privacy Policy
Last updated: May 20, 2026
GDPR + PIPEDA compliant
1. Who we are
Trumflow Inc. ("Trumflow", "we", "us") operates the AI-powered customer communication platform at trumflow.vercel.app. We are headquartered in Montreal, Quebec, Canada. For privacy inquiries: privacy@trumflow.com.
2. What data we collect
Account data: name, email, company name, billing address. Usage data: features used, conversation counts, API calls, timestamps. Conversation data: messages sent through the Trumflow chatbot on your website (stored per tenant, isolated). Technical data: IP address, browser type, device, cookies, session tokens. Payment data: processed by Stripe — we never store card numbers.
3. Why we collect it (legal basis)
Contract performance: to provide the service you signed up for (GDPR Art. 6(1)(b)). Legitimate interest: to improve the platform, prevent fraud, and ensure security. Consent: for marketing emails — you may opt out at any time. Legal obligation: to comply with applicable laws (tax, financial records).
4. How we use your data
To provide and operate the Trumflow platform. To send transactional emails (invoices, password resets, service updates). To analyze platform usage and improve performance. To respond to support requests. To comply with legal obligations. We do not sell your data to third parties. We do not use your data to train AI models without explicit consent.
5. Data sharing
Supabase (database, EU region available). Stripe (payment processing). Twilio (WhatsApp messaging). OpenAI (AI processing — messages sent to GPT-4o). Vercel (hosting). Resend (transactional email). Pusher (real-time features). All processors are under data processing agreements. We do not share data with advertising networks.
6. International transfers
Your data may be processed in the United States (OpenAI, Vercel, Twilio) and the European Union (Supabase EU region). Transfers to the US are covered by Standard Contractual Clauses (SCCs) under GDPR. Canadian customers: we comply with PIPEDA and applicable provincial privacy laws.
7. Data retention
Account data: retained for the duration of your subscription plus 90 days after cancellation. Conversation logs: retained for 12 months by default, configurable in Settings. Billing records: retained for 7 years (legal requirement). Deleted accounts: data purged within 30 days of deletion request.
8. Your rights
Under GDPR (EU/UK) and PIPEDA (Canada), you have the right to: access your personal data; correct inaccurate data; delete your data ("right to be forgotten"); export your data in a portable format; object to or restrict processing; withdraw consent at any time. To exercise these rights, email privacy@trumflow.com. We respond within 30 days.
9. Cookies
We use: Essential cookies (session management, authentication) — always active. Analytics cookies (platform usage, only if you consent) — you may decline. We do not use advertising or tracking cookies. You can manage cookies in your browser settings.
10. Children's privacy
Trumflow is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact privacy@trumflow.com and we will delete it promptly.
11. Security
We implement: TLS 1.3 encryption in transit. AES-256 encryption at rest. Per-tenant data isolation (Row Level Security). Multi-factor authentication option. Regular security audits. Incident response within 72 hours of discovery. See our Security page for full details.
12. Changes to this policy
We will notify you by email and in-app notification at least 30 days before material changes take effect. The date at the top of this page always shows when the policy was last updated. Continued use after changes constitutes acceptance.
Privacy contact
To exercise your rights or for any questions about this policy: