Privacy Policy

We collect only what we need to run the product. We do not sell your data. We do not use it to train AI models without your consent.

Last updated: 2026-05-26. This is the initial draft of our Privacy Policy. Pending formal legal review.

1. Introduction

This Privacy Policy describes how TrendSuite (“we”, “our”, “us”) collects, uses, stores, and discloses personal data when you use the TrendSuite platform, website, and related services (collectively, the “Service”). It applies to all users worldwide and is supplemented by jurisdiction-specific disclosures where applicable (see Sections 4 and 7).

This policy does not apply to third-party websites or services that we may link to. We encourage you to review the privacy policies of those services separately.

2. Data We Collect

Identifiers. Email address and display name, collected at account creation. If you sign in with Google, we receive your name and email from Google’s OAuth endpoint.

Brand profile data. The niche, target audience, tone of voice, content pillars, brand archetypes, and never-say rules you provide during onboarding and in subsequent profile edits. This is the primary input to content generation.

Social platform OAuth tokens. When you connect a social account, we store the OAuth access token and refresh token for that platform. These tokens are encrypted at the application layer using AES-256-GCM before being written to the database. We never store your social account passwords.

Usage data. Pages visited, features used, content plans created, posts scheduled, and similar in-product events. Collected to understand how the product is used and to improve it. Opt-out available from your account settings.

Technical data. IP address, browser user agent, and device type. Collected by our hosting provider (Vercel) as part of normal server-side logging. Retained for 90 days.

Payment data. We do not collect or store payment card data. All payment processing is handled directly by Stripe; we receive only non-sensitive billing metadata (subscription status, last-four card digits for display purposes).

3. How We Use Your Data

Running the product. Authentication, session management, content generation, trend personalisation, scheduling, and all core features of the Service.

Trend personalisation. Your brand profile (niche, audience, tone) is used to filter and rank trend signals so that what you see is relevant to your specific brand context.

AI content generation. Brand profile data is included in prompts sent to our AI providers (OpenAI, Anthropic) to generate on-brand content output. Both providers operate under zero-retention agreements with us — prompts and completions are not stored by them beyond the duration of the API call.

Billing. Subscription management, trial state, plan upgrades and downgrades, and payment processing via Stripe.

Communication. Welcome emails, trial lifecycle nudges, service announcements, and responses to your support requests. You may opt out of marketing emails at any time via the unsubscribe link; transactional emails (such as password resets) cannot be opted out of while your account is active.

Product analytics. We use aggregated, pseudonymised usage events to understand which features are used and to prioritise the roadmap. Opt-out is available in your account settings.

Security monitoring. Error logs (via Sentry) and request logs (via Vercel) are used to detect and investigate security incidents, bugs, and abuse.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following legal bases:

  • Contract performance (Article 6(1)(b)) — processing necessary to operate the Service you have signed up for, including authentication, content generation, and scheduling.
  • Legitimate interest (Article 6(1)(f)) — security monitoring, fraud prevention, error tracking, and product improvement through aggregated analytics.
  • Consent (Article 6(1)(a)) — product analytics beyond what is necessary for product operation. You may withdraw consent at any time from your account settings.
  • Legal obligation (Article 6(1)(c)) — complying with applicable law, including responding to valid legal process.

5. Sub-Processors

We use the following third-party sub-processors to operate the Service. Each receives only the minimum data required for its specific function. We enter into Data Processing Agreements with each sub-processor that handles personal data of EEA/UK users.

Sub-processor | Purpose                             | Data shared                           | Location     | Certifications
Supabase      | Database and authentication         | All user and workspace data           | US-East      | SOC 2 Type II
Stripe        | Payment processing and billing      | Name, email, billing address          | US / Ireland | PCI DSS Level 1
Resend        | Transactional email delivery        | Name, email address                   | US           | SOC 2 (in progress)
OpenAI        | AI content generation               | Brand profile data, trend context     | US           | Zero retention via API agreement
Anthropic     | AI content generation               | Brand profile data, trend context     | US           | Zero retention via API agreement
Vercel        | Application hosting and edge network| Request logs, IP addresses            | Global CDN   | SOC 2 Type II
Sentry        | Error monitoring and performance    | Stack traces, request context         | US / EU      | SOC 2 Type II
Upstash       | Rate limiting and cache             | Session identifiers, rate counters    | US / EU      | SOC 2 Type II
Apify         | Trend data collection               | No personal data                      | EU           | GDPR-compliant
SerpAPI       | Search trend signals                | Niche query strings, no personal data | US           | TLS in transit

We will notify users of material changes to this list at least 30 days in advance where required by applicable law.

6. Data Retention

Account data. Retained for the lifetime of your account. On account deletion, we initiate deletion within 30 days, subject to any legal hold obligations.

Server logs. Request and error logs are retained for 90 days, after which they are automatically purged.

AI generation history. Content plan generation history is retained for 365 days by default. You may reduce this to 30 or 90 days, or disable storage entirely, in your account settings.

Billing records. Transaction records are retained for 7 years as required by applicable tax and accounting laws, regardless of account deletion.

7. Your Rights

Depending on your jurisdiction, you have some or all of the following rights regarding the personal data we hold about you:

  • Access (GDPR Art. 15; CCPA): Request a copy of the personal data we hold about you.
  • Correction (GDPR Art. 16): Request that we correct inaccurate or incomplete data.
  • Deletion (GDPR Art. 17; CCPA): Request erasure of your personal data, subject to legal retention obligations.
  • Export / Portability (GDPR Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Restriction (GDPR Art. 18): Ask us to restrict processing of your data under certain circumstances.
  • Objection (GDPR Art. 21): Object to processing based on legitimate interest, including profiling.
  • Opt-out of sale (CCPA): We do not sell personal data. If this changes, we will provide a clear opt-out mechanism.
  • Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority in the EU).

To exercise any right, email privacy@trendsuite.ai. We will respond within 30 days (or the shorter period required by applicable law). For complex or high-volume requests, we may extend this period by a further 60 days with notice.

8. International Transfers

TrendSuite operates primarily from the United States. When we transfer personal data of EEA or UK users to sub-processors outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemental technical and organisational measures where required, and the UK Addendum to the EU SCCs for UK transfers.

All sub-processors listed in Section 5 that are based outside the EEA operate under SCCs or equivalent transfer mechanisms. Copies of the applicable transfer mechanisms are available on request.

9. Cookies & Tracking

We use only essential cookies necessary to operate the Service:

  • Authentication session cookie — maintains your logged-in state. Set by Supabase Auth. Expires when you log out or after the session timeout.
  • Theme preference — stores your light/dark mode preference. Session-scoped; no personal data.

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking of any kind. We do not use Google Analytics or any other cloud analytics service that transfers browsing data to advertising platforms.

10. Children

The Service is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If we learn that a user under 13 has created an account, we will promptly delete the account and associated data. If you believe a child under 13 has provided us with personal data, please contact privacy@trendsuite.ai.

11. Security

We implement technical and organisational measures to protect your personal data. A detailed description of these measures — including encryption standards, access control architecture, and our responsible disclosure programme — is available on the Security Overview page.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify affected users directly without undue delay.

13. Changes to This Policy

We will update the “Last updated” date at the top of this page when we make material changes. For significant changes that affect your rights or how we use your data, we will notify you by email at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

Privacy questions and rights requests: privacy@trendsuite.ai

Data Processing Agreement requests: dpa@trendsuite.ai

EU/EEA representative: To be appointed before general availability in the European Union.

Data Protection Officer: To be appointed before EU general availability. Applicable to processing at scale of special-category data or systematic monitoring, as required by GDPR Article 37.