Privacy Policy
Last updated: April 1, 2026
1. Introduction
Trinity AI Labs ("we", "us", "our") operates the Trinity desktop application and the trinityailabs.com website (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and password (hashed). If you sign up via Google or GitHub OAuth, we receive your name, email, and profile picture from those providers. We do not receive or store your OAuth passwords.
2.2 Subscription & Billing
Payments are processed by Lemon Squeezy, our Merchant of Record. We do not collect or store credit card numbers or payment method details. Lemon Squeezy handles all payment processing, tax calculation, and VAT compliance. We receive subscription status, plan details, and transaction identifiers from Lemon Squeezy via webhooks.
2.3 Project Data
Trinity stores your project data — including project configurations, PRDs, stories, roadmaps, knowledge base entries, comments, activity feeds, and execution history — in cloud databases (Turso) to enable sync across your devices and team collaboration. This data is associated with your account.
2.4 Secrets & API Keys
You may store API keys and secrets within Trinity for use in project execution. These are encrypted at rest using a per-database 256-bit encryption key. Encryption keys are delivered to your desktop app over HTTPS. We do not access or use your stored secrets for any purpose other than delivering them to your authenticated devices.
2.5 Device Information
The Trinity desktop app generates a stable, random device identifier on first launch. This is used for execution ownership (tracking which device is running which task) and presence indicators. We also collect a device name (e.g., "Alex's MacBook") for display purposes.
2.6 Usage & Execution Data
We collect execution metrics including AI token usage, cost tracking, pipeline durations, and agent handoff data. This data powers the metrics dashboard and is visible to you and your team members. It is stored in your synced database, not on separate analytics infrastructure.
2.7 Asset Files
If you use Trinity-managed asset storage, files you upload (wireframes, PDFs, fonts, images) are stored on Cloudflare R2. File metadata syncs across your devices via Turso. If you use bring-your-own storage (S3/R2/B2), files are stored in your own bucket — we only store metadata.
2.8 Bug Reports
If you submit a bug report through the desktop app, we collect the report title, description, your app version, operating system, and the current route. You may optionally attach screenshots or files. Bug reports and attachments are stored in our database and Cloudflare R2 respectively. Bug reports are visible to Trinity AI Labs administrators for triage and resolution. Do not include sensitive information (passwords, API keys, proprietary code) in bug reports.
2.9 Local-Only Data
Certain data never leaves your machine: filesystem paths, worktree locations, local process IDs, port allocations, and machine-specific settings. This data is stored in a local SQLite database on your device and is never transmitted to our servers.
3. How We Use Your Information
- Provide the Service — authenticate you, sync your project data across devices, enable team collaboration, and run the execution pipeline.
- Process payments — manage your subscription status via Lemon Squeezy.
- Send transactional emails — account verification, team invitations, and password resets via Resend.
- Display metrics — show execution analytics, cost tracking, and team activity within the app.
- Maintain security — detect unauthorized access, manage device authentication tokens, and enforce subscription status.
- Rate limiting — protect the Service from abuse using request rate limits.
We do not sell your personal information. We do not use your project data or code to train AI models. We do not serve third-party display advertisements.
4. Third-Party Services
We use the following third-party services:
- Turso — cloud database hosting for account data and synced project databases.
- Lemon Squeezy — payment processing, subscription management, tax/VAT compliance (Merchant of Record).
- Resend — transactional email delivery.
- Cloudflare — website CDN, DNS, DDoS protection, and analytics (traffic volume, geographic distribution, request counts). Cloudflare R2 is used for asset file storage (managed tier).
- Upstash — Redis-based rate limiting to protect API endpoints from abuse. Stores request counts by IP address with short-lived expiry.
- Vercel — website hosting and serverless functions.
- Google / GitHub — OAuth authentication providers (only if you choose to sign in with these).
- Google Analytics (GA4) — website analytics. Collects anonymised usage data (page views, session information) via browser cookies and server-side Measurement Protocol. We send hashed user identifiers to GA4 on key conversion events (sign-up, subscription, contact form).
- Meta (Facebook) — advertising measurement and attribution. A Meta Pixel is loaded on the website via Google Tag Manager and sets a browser cookie (_fbp). We also send conversion events (sign-up, subscription, contact form) server-side via the Meta Conversions API using hashed email addresses and internal user identifiers. We do not share your name, project data, or any unencrypted personal information with Meta.
Each service processes data in accordance with its own privacy policy. We share only the minimum data necessary for each service to function.
5. AI & Claude Code
Trinity orchestrates Claude Code (by Anthropic) as a subprocess on your local machine. Trinity does not proxy AI requests — Claude Code connects directly to Anthropic using your own Claude subscription or API key. Your code and prompts are sent from your device to Anthropic, not through our servers. Anthropic's privacy policy governs their handling of that data.
6. Sponsorship & Seat Gifting
Users may sponsor seats for other users. When you sponsor someone, we share your name and email with the recipient so they know who gifted the seat. Sponsors can see whether the recipient has accepted or declined the gift. Sponsors do not have access to the recipient's projects, data, usage metrics, or any other account information. Recipients may cancel a sponsored seat at any time.
7. Referral & Affiliate Links
The Service may include referral or affiliate links to third-party products and services (for example, AI providers, hosting platforms, or developer tools). When you click a referral link, the destination service may set cookies or tracking parameters that associate your visit with Trinity AI Labs. If you purchase or sign up through such a link, we may receive a referral commission. These links are always marked with a referral indicator within the Service. Clicking a referral link does not change the price you pay. We only recommend products that are relevant to the Trinity workflow — we do not accept payment for placement or prioritize recommendations based on commission rates.
8. Cookies & Authentication
The website uses the following cookies:
- Session cookies — secure, HTTP-only cookies used for authentication. Strictly necessary; cannot be disabled.
- Analytics cookies — Google Analytics sets _ga and related cookies to measure website traffic and usage patterns.
- Advertising measurement cookies — Meta Pixel sets a _fbp cookie used to measure the effectiveness of our advertising campaigns. This does not enable Meta to show you ads on our website.
The desktop app authenticates via a device code flow — you approve a code on the website, and the app receives JWT access and refresh tokens which are stored in your operating system's secure keyring.
9. Data Storage & Security
- Synced databases are hosted on Turso with TLS encryption in transit.
- Secrets are encrypted at rest using AES-256 with per-database keys.
- Authentication tokens (JWTs) are stored in your operating system's secure keyring on desktop.
- Website sessions use secure, HTTP-only cookies.
- Each team gets a physically isolated database — your team's data is not co-mingled with other teams.
10. Data Retention
Your data is retained for as long as your account is active. If your subscription lapses, your data is preserved (read-only access) and is never deleted. Reactivating your subscription restores full access. If you request account deletion, we will delete your account data, personal sync database, and any team databases you own (after notifying team members). Deleted team databases are held for 30 days before permanent deletion.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, what data was affected, and steps we are taking in response.
12. Team Collaboration & Shared Data
When you join a team, your name, email, handle, and avatar are cached in the team's database so team members can see who they are collaborating with, including offline. Activity feeds (including story status changes, execution events, PRD updates, and project configuration changes), comments, and execution status are visible to all team members. If you are removed from a team, your Turso access token is revoked and you can no longer access the team's data.
13. Your Rights & Regional Privacy Laws
You may:
- Access your personal data via the dashboard and desktop app.
- Update or correct your profile information in your account settings.
- Export your project data from the desktop app (local database files).
- Request deletion of your account and associated data.
- Request a copy of all personal data we hold about you in a portable format.
European Users (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your personal data under the following legal bases: contract performance (providing the Service), legitimate interest (security, abuse prevention), and consent (where applicable). You have additional rights including the right to erasure, the right to restrict processing, the right to data portability, and the right to object to processing. You may also lodge a complaint with your local data protection authority.
California Users (CCPA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise these rights, contact us at the email below.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
14. Children's Privacy
Our Service is not directed at children under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
16. Contact
If you have questions about this Privacy Policy, contact us at [email protected].