PRIVACY
Privacy policy
Version 2026-05 · effective May 2026
This policy explains what data Trochia collects, what we do with it, what we do not do with it, and how to get it back or delete it. We tried to write it the way we would explain it to a founder, short, specific, in plain English.
What we collect
Account data: name, email, authentication metadata, billing identifiers (the payment-card number itself is handled by our payments sub-processor, Trochia never sees it).
Customer content: the material you put into Trochia. In Phase 1, that is your business memory, your decks, your investor pipeline. In later modules it includes meeting transcripts and signed SAFE documents.
Product analytics: pseudonymous event identifiers, which pages you visit, which features you use, which onboarding step you reach. Free-text content (deck bodies, transcripts, financial figures) is never sent as an event property.
Operational logs: error reports and request traces, scrubbed of sensitive fields before they leave the application.
What we do with it
We use customer content only to operate the product features you invoke, secure and maintain the service, and comply with your instructions. We do not sell customer data. We do not share it for advertising. We do not let our vendors use it for anything other than running the Service.
What we never do
No training.Your business memory, decks, transcripts, and pipeline never enter a model-training pipeline. Not ours, not our model provider's, not any sub-processor's. The commitment is contractual with the model providers we use, reflected in the Data Processing Addendum, and documented in the sub-processor inventory at /legal/dpa.
No autonomous external sends. Trochia drafts outreach, follow-ups, and signature requests; the founder approves each one before it leaves the product. That is a feature of how the product works, not just a policy.
No call-speaker mode. Trochia ingests transcripts and drafts follow-ups; it does not speak in your calls.
Sub-processors
We use a short list of trusted vendors to operate the service: Supabase (database + storage), Stripe (payments), our model provider, Resend (transactional email), Sentry (error monitoring), Amplitude (product analytics), Langfuse (model-call tracing), Inngest (background jobs), Vercel (hosting). Each is bound by a data-processing contract that mirrors the commitments here. The full inventory, with each vendor's training posture, retention window, and contract status, lives in our internal vendor-data-flow document and is referenced from the DPA.
Your rights
You can export your data at any time, a JSON dump of every tenant-scoped table we hold for your account, delivered as a private signed URL.
You can delete your account at any time. Deletion is a 30-day soft-delete window, during which you can restore, followed by permanent purge across our primary databases. Backups age out on their normal cycle.
Both flows live in your account settings.
Geography
Today, Trochia operates in the US, UK, and India. Data is stored in the US region of our database provider. EU data residency is on the V2 roadmap. We apply Standard Contractual Clauses and the UK International Data Transfer Addendum where required.
Children
Trochia is not designed for and not directed at anyone under 16. We do not knowingly collect data from minors.
Changes to this policy
We bump the version and notify the account owner by email on material changes. Cosmetic edits (grammar, broken links) do not bump the version.
Contact
Email privacy@trochia.ai for any privacy-related request. We reply within 14 days, usually sooner.