Privacy Policy

Last updated: May 1, 2026

Who we are

This Privacy Policy describes how TrigVia (“TrigVia”, “we”, “us”, “our”) collects, uses, stores, and shares personal data when you use our website (including www.trigvia.com and related pages), the TrigVia browser extension, and our TrigVia API / backend (for example api.trigvia.com), together the “Services”.

TrigVia is operated from India. For privacy requests and grievances: trigvia@gmail.com.

Our Terms of Service govern your use of the Services. If you do not agree with this Policy, please do not use the Services.

This Policy is provided for transparency. It does not constitute legal advice. You may wish to consult counsel regarding obligations that apply to your own use of third-party services or regulated data.

Scope and audience

The Services are intended for users who are at least 13 years old. The Services are not directed at children under 13. TrigVia is designed for individual consumers and may also be used for internal business purposes; the same Policy applies unless we enter a separate written agreement with an organization.

TrigVia is offered as a paid product. Payment processing details will be described here and at checkout when a payment provider is connected.

Personal data we collect (based on how you use TrigVia)

The following reflects how the Services are built today (website, extension, and API). If we add features, we will update this Policy.

Website account (Supabase authentication)

  • Identifiers and credentials. Today, sign-in is email and password through Supabase Auth. Passwords are handled by Supabase using standard practices; we do not store plaintext passwords on our own servers.
  • Future sign-in methods. We may add options such as “Sign in with Google” for the website account. If we do, this Policy will be updated to describe what data the provider shares with us.
  • Account metadata. User ID, authentication events, and profile fields you provide or that the auth system attaches (for example email address).

Early access / waitlist (optional)

  • If you submit the early-access form, we collect full name, email address, a use-case category (for example developer, researcher, student, other), whether you want beta notifications, a source tag (for example “website”), and a timestamp. This is stored in Supabase (database table configured for waitlist signups).
  • If configured in our deployment, the same record may be copied to a Google Sheet using a Google service account (spreadsheet access only for operational follow-up). That transfer is subject to Google’s terms.
  • If Cloudflare Turnstile is enabled, your browser loads a challenge from Cloudflare and sends a verification token to our server, which Cloudflare validates. Cloudflare may process technical data (such as IP address and browser signals) as described in Cloudflare’s documentation and privacy notice.
  • Our waitlist API applies rate limiting using your IP address (or forwarded IP from our host) to reduce abuse.

Extension ↔ TrigVia API (license and product data)

  • When you complete website sign-in and link the extension, our backend issues or restores a license key tied to your account email (via a “bridge” that verifies your Supabase session). We process your email address and license key for this purpose.
  • The extension stores settings and identifiers (including the license key and API base URL) using browser extension storage (for example chrome.storage) on your device. That data stays on your device unless you sync it through browser features outside our control.
  • For certain sign-in pages we host, we may set an HTTP-only session cookie so you stay signed in across visits when using those pages in a normal browser tab.
  • When you use product features, the extension calls our API with your license key (in headers, body, or query parameters depending on the endpoint) so we can authenticate the request, enforce plan limits, and return results.
  • Highlights, reminders, and saved items. Content and metadata you create through the extension (for example selected text, page URL, titles, reminder times) may be sent to our API and stored so the product can sync and display your data across sessions.
  • AI-assisted actions. When you run actions that use AI, text you select or submit, along with context such as the page URL and other fields the extension sends (for example action type), may be processed on our servers and passed to third-party AI inference providers we configure to generate a response. Do not submit secrets or legally restricted information you are not allowed to share with us or those providers.
  • Reminders preview. A portion of text may be sent in a request (for example as a query parameter) to suggest reminder titles or times.
  • Feedback on actions. If you submit a rating or similar feedback after an action, we may store that together with request metadata needed to improve quality and reliability.

Google Workspace integration (optional, user-initiated)

  • If you connect Google, we receive and store OAuth tokens and related metadata needed to maintain the connection. With your consent, we use Google APIs for purposes consistent with our product (for example Google Calendar events, Google Docs, and Google Drive file access as implemented in the product). The exact scopes are presented to you in Google’s OAuth consent screen.
  • We do not use Google Workspace integrations for advertising profiling. You can revoke access in your Google Account security settings or by disconnecting in TrigVia where available.

Other integrations

Additional third-party integrations may be added over time. When we launch a new integration, we will update this Policy to name the provider and describe the data involved. Third-party integrations that are not yet offered are not covered as active processing here.

Technical and log data

  • Our servers and hosting providers may log IP address, user agent, request paths, timestamps, and error information for security, debugging, and reliability.
  • The website may load Google Fonts; Google may receive technical data typical of font delivery requests.

Purposes and legal bases

India (including the Digital Personal Data Protection Act, 2023, where applicable). We process personal data for lawful purposes such as providing the Services you request, security and fraud prevention, compliance, and—where required—based on your consent (for example optional marketing or certain cookies if we add them). You may contact us to exercise rights available to you under Indian law, including grievance redressal at the email below.

EEA, UK, and Switzerland (GDPR / UK GDPR). Where those laws apply, we rely on one or more of the following legal bases:

  • Contract — processing necessary to provide the Services, create and manage your account, and handle payments when enabled.
  • Legitimate interests — securing the Services, preventing abuse, improving reliability, understanding aggregated usage, and sending service-related communications, balanced against your rights.
  • Consent — where required for optional integrations, non-essential cookies, or marketing emails you can withdraw.
  • Legal obligation — where we must retain or disclose data to comply with law.

How we share personal data

We share data with categories of recipients as needed to run the Services:

  • Supabase — authentication and database services for accounts and waitlist storage.
  • Vercel — hosting for the website and server-side functions (including API routes) and for deploying our TrigVia backend as configured.
  • Cloudflare — Turnstile verification on the early-access flow when enabled; Cloudflare processes related technical data. We do not use Cloudflare Images for user photos in the current website configuration.
  • Google — (a) optional Google Workspace APIs when you connect Google; (b) optional Google Sheets copy of waitlist rows when that integration is configured; (c) Google Fonts delivery as described above.
  • AI inference providers — when you use AI features, prompts and context may be processed by vendors we use to run models.
  • Payment processors — when billing is enabled, the processor will receive payment details you provide; we receive limited transaction metadata.
  • Professional advisors — lawyers, accountants, or insurers where appropriate.
  • Authorities and safety — if required by law or to protect rights, safety, and security.
  • Business transfers — in connection with a merger, acquisition, or asset sale, subject to confidentiality and continuity safeguards.

We do not sell your personal data for money. We do not use your content to train generalized AI models for TrigVia; third-party model providers may have their own policies for their environments.

International transfers

We operate from India, but our service providers (for example Supabase and Vercel) may process data in the United States and other countries. If you are in the EEA, UK, or Switzerland, and we transfer personal data to countries without an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms permitted by law, unless an exception applies.

Retention

We keep personal data only as long as needed to provide the Services, comply with law, resolve disputes, and enforce our agreements. Integration tokens are deleted or invalidated when you disconnect or delete your account, subject to short technical delays and backup cycles. Server logs are retained for a limited period appropriate for security and operations. Waitlist records remain until you ask us to delete them or you delete your account (our account deletion flow also attempts to remove matching waitlist entries tied to your email).

Security

We use administrative, technical, and organizational measures designed to protect personal data, including access controls and encryption in transit for modern clients. No online service is perfectly secure. If we are required to notify you of a personal data breach, we will do so in accordance with applicable law.

Cookies and similar technologies

We use cookies or local storage where needed for authentication flows, preferences, and security on the website. The extension uses extension storage APIs. You can control cookies in your browser; blocking required cookies may break sign-in or onboarding flows. We show a cookie notice on the website; details are in our Cookie Policy.

Your rights

Depending on your location, you may have rights to access, correct, delete, or export your personal data; to restrict or object to certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority.

EEA, UK, and Switzerland. You may contact us at trigvia@gmail.com to exercise GDPR / UK GDPR rights. You may also complain to your local supervisory authority; EU authorities are listed via the European Data Protection Board.

India. You may contact us at the same email for access, correction, erasure where applicable, grievance redressal, and nominations under Indian law where relevant. We may need to verify your identity before fulfilling requests.

United States (state privacy laws). Residents of certain states may have additional rights (for example California). We will honor applicable requests as required by law. We do not sell personal data or share it for cross-context behavioral advertising as defined in the CPRA in the way we operate TrigVia today; if that changes, we will update this Policy.

Automated decisions

We do not make solely automated decisions that produce legal or similarly significant effects concerning you. Some features use algorithms to suggest content; you choose whether to rely on them.

Third-party links

The Services may link to third-party sites. Their privacy practices are governed by their own policies.

Changes

We may update this Policy from time to time. We will post the new version on this page and change the “Last updated” date. For material changes, we will provide additional notice where appropriate (for example email or in-product message).

Contact

Privacy questions and requests: trigvia@gmail.com