GDPR, Data protection
This page describes how Trinity Insights processes personal data under EU Regulation 2016/679 (GDPR) and the French Loi Informatique et Libertés. It complements the privacy policy, which details cookies, analytics and user choices.
Data controller
Trinity Insights is the data controller for personal data collected through trinityinsights.io, the REST API, the MCP server and associated communications. Full contact details are in the Terms of service.
Privacy contact: [email protected]
Categories of personal data
| Category | Purpose | Legal basis |
|---|---|---|
| Account identifier (email, name) | Account creation, authentication, service communications. | Contract performance (GDPR art. 6.1.b). |
| Billing data | Subscription, renewal, EU VAT invoicing. | Contract performance + legal obligation (GDPR art. 6.1.b + 6.1.c). |
| API key + usage metadata | Tier quota enforcement, abuse prevention, observability. | Legitimate interest (GDPR art. 6.1.f). |
| Application error logs | Service stability, incident diagnostics. | Legitimate interest (GDPR art. 6.1.f). |
| Anonymised product analytics | Aggregate usage understanding, product improvement. | Consent (GDPR art. 6.1.a), revocable at any time. |
| Connection data (IP, user-agent) | Service security, abuse protection. | Legitimate interest (GDPR art. 6.1.f). |
Trinity Insights does not process any special category of personal data within the meaning of GDPR article 9 (health, political opinions, biometrics, etc.). Self-declared financial information (portfolio size, allocations) is never collected or requested.
Retention periods
- Active account: as long as you are a customer. Deletion on request within thirty days, except where a legal obligation applies (billing: retained per French accounting and tax rules).
- Closed account: full deletion within ninety days.
- Error logs and usage telemetry: aggregated and anonymised after sixty days.
- Product analytics: retained in anonymised form only (no user identifier attached).
- Accounting documents (invoices): French legal retention (ten years for accounting records).
Sub-processors
Trinity Insights relies on the following sub-processors, each governed by a data processing agreement (DPA). Non-EU/EEA transfers are covered by the European Commission's Standard Contractual Clauses (SCCs).
| Sub-processor | Purpose | Region | Agreement |
|---|---|---|---|
| Hetzner Online GmbH | Application infrastructure hosting (app server, database, cache). | Germany (Nuremberg, EU) | DPA → |
| Clerk, Inc. | Authentication, identity management, sessions. | United States (SCCs) | DPA → |
| Paddle.com Market Limited | Merchant of Record, billing, payment collection. | United Kingdom (EU adequacy decision) | DPA → |
| Functional Software, Inc. (Sentry) | Application error tracking. | European Union (eu.sentry.io) | DPA → |
| PostHog, Inc. | Anonymised product analytics (usage cohorts, feature funnels). | European Union (eu.posthog.com) | DPA → |
| Cloudflare, Inc. | Content delivery network, DDoS protection, public static asset caching. | Global edge (SCCs) | DPA → |
This list is kept up to date. Any addition or removal of a sub-processor triggers an update of this page, with reasonable advance notice when the nature of processing changes materially.
International transfers
Application data (account, logs, API content) is hosted in Germany (EU). Transfers to non-EU/EEA sub-processors (primarily the United States) are covered by the Standard Contractual Clauses adopted by the European Commission (decision 2021/914).
Your rights
Pursuant to GDPR articles 12 to 22, you have the following rights over your data:
- Right of access (GDPR art. 15)
- Right to rectification (GDPR art. 16)
- Right to erasure (GDPR art. 17)
- Right to restriction (GDPR art. 18)
- Right to data portability (GDPR art. 20)
- Right to object (GDPR art. 21)
- Right not to be subject to automated decision-making (GDPR art. 22)
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise these rights, email [email protected] specifying the right you wish to exercise. We respond within thirty days (extendable to sixty days for complex requests, with prior notice). No fee is charged for the exercise of your rights.
Automated decision-making
Trinity Insights does not make any decision producing legal or similarly significant effects on you based solely on automated processing. The scores and indicators presented are educational analytical tools and do not entail any automated decision concerning you.
Cookies
Trinity Insights uses functional cookies (session, preferences) and, after explicit consent, anonymised analytics cookies. Cookie families and durations are detailed in the privacy policy.
Security of processing
- TLS encryption in transit with HSTS on every public domain.
- Secrets and API keys protected at rest (API keys are stored only as server-side HMAC-SHA256 digests keyed with a secret pepper, not in plaintext).
- Append-only access logs with hashed arguments (no PII in plain text).
- Encrypted backups with rotation and a documented restore drill.
- Strict Content-Security-Policy and security headers (X-Frame-Options, Referrer-Policy, Permissions-Policy).
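The two controls above that involve hashing (peppered HMAC-SHA256 for API keys, hashed arguments in access logs) are shown below as an added example written for this page; it is not Trinity Insights' code and makes no claim about how their service is implemented. It assumes a constructed pepper held in memory (in practice loaded from the environment or a secrets manager, never stored beside the digests), a hypothetical `ti_` key prefix with a public key id followed by the secret part, and an in-memory dict standing in for the database.

```python
"""Added example (not Trinity Insights' code): API keys stored as peppered
HMAC-SHA256 digests, constant-time verification, and PII-free access logs."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed pepper for this example only. A real deployment loads it from the
# environment or a secrets manager so that a database dump alone cannot be used
# to recompute or brute-force key digests.
PEPPER = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

KEY_PREFIX = "ti_"  # hypothetical prefix; format is ti_<key_id>.<secret>


def digest_api_key(api_key: str, pepper: bytes = PEPPER) -> str:
    """Hex HMAC-SHA256 of the full key under the pepper.

    Equal keys give equal digests, so the server can verify a presented key
    without ever persisting the plaintext."""
    return hmac.new(pepper, api_key.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_api_key(store: Dict[str, dict], owner: str, tier: str,
                  pepper: bytes = PEPPER) -> str:
    """Create a key, persist only its digest and metadata, and return the
    plaintext exactly once (shown to the user, then discarded server-side)."""
    key_id = secrets.token_hex(8)        # public lookup handle, safe to log
    secret = secrets.token_urlsafe(32)   # the part that must never be stored
    api_key = f"{KEY_PREFIX}{key_id}.{secret}"
    store[key_id] = {
        "digest": digest_api_key(api_key, pepper),
        "owner": owner,
        "tier": tier,        # used for quota enforcement in the table above
        "revoked": False,
    }
    return api_key


def authenticate(store: Dict[str, dict], presented: str,
                 pepper: bytes = PEPPER) -> Optional[dict]:
    """Return the key record if `presented` is a valid, unrevoked key, else None.

    Lookup is by the public key id; the secret part is only ever compared as a
    digest with hmac.compare_digest, so the comparison time does not depend on
    how many leading bytes of the digest match."""
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return None
    key_id = presented[len(KEY_PREFIX):].split(".", 1)[0]
    record = store.get(key_id)
    if record is None or record["revoked"]:
        return None
    if not hmac.compare_digest(record["digest"], digest_api_key(presented, pepper)):
        return None
    return record


def log_token(value: str, pepper: bytes = PEPPER) -> str:
    """Short pseudonymous token for a log argument (email, IP, API key).

    The "log:" domain separator keeps log tokens distinct from stored key
    digests, so a log line never reveals a prefix of a database digest.
    Same input gives the same token, which preserves correlation across
    lines without writing the value itself."""
    return hmac.new(pepper, b"log:" + value.encode("utf-8"),
                    hashlib.sha256).hexdigest()[:16]


def access_log_line(method: str, path: str, api_key: str, client_ip: str) -> str:
    """One append-only access log entry with hashed arguments and no plaintext PII."""
    return f"{method} {path} key={log_token(api_key)} ip={log_token(client_ip)}"


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    key = issue_api_key(db, "alice@example.com", "pro")   # constructed owner
    print("issued:", key)
    print("auth ok:", authenticate(db, key) is not None)
    print(access_log_line("GET", "/v1/scores", key, "203.0.113.5"))
```

Revocation is a metadata flip on the record, which is why the record rather than a bare boolean is returned: the caller gets the tier for quota enforcement and the owner for audit, while the plaintext key exists only in the client's hands after issuance.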
Breach notification
Should a personal data breach likely to result in a risk to your rights occur, Trinity Insights notifies the CNIL within seventy-two hours pursuant to GDPR article 33, and informs you directly without undue delay if the risk is high (article 34).
Right to lodge a complaint
If you believe the processing of your data does not comply with the regulation, you may lodge a complaint with a supervisory authority at any time, in particular the CNIL in France or the supervisory authority of your habitual residence in the EU/EEA.