Trovebase Privacy Policy

Effective Date: April 18, 2025

Preamble

For the purposes of this Privacy Policy, the following terms have the meanings set out below:

  • Trovebase: the SaaS marketing‑operations platform (content scheduling, AI-driven SEO optimization, project management, AI ad optimization) offered under the name “Trovebase,” accessible at https://trovebase.com/.

  • Administrator: an agency owner or in‑house marketer who registers for Trovebase to manage their clients and workflows.

  • Client: a natural or legal person whose accounts are managed through Trovebase by an Administrator.

  • Data Controller: Trovebase, operated by Trovebase Inc., with registered address at 8 Cumberland Street, Toronto, ON, Canada.

  • Data Protection Officer: Rehaan Kothari (rehaan@trovebase.com).

1. Personal Data We Collect

1.1 Account Registration & Authentication

  • What: First & last name, agency name, email, hashed password, SSO identifiers (Google OAuth), profile picture.

  • Why: To create and secure your Trovebase account.

  • Basis: Performance of a contract.

1.2 OAuth Tokens

  • What: Encrypted Google Ads, Meta, LinkedIn, and Stripe refresh/access tokens.

  • Why: To integrate external accounts and pull campaign data or process payments.

  • Basis: Performance of a contract.

1.3 External Approver Data

  • What: Client name, email, WhatsApp number.

  • Why: To send approval requests by email or WhatsApp.

  • Basis: Performance of a contract.

1.4 Billing & Payment

  • What: Company name, billing address, payment method metadata (Stripe token), invoice history.

  • Why: To charge your plan, issue invoices, and maintain tax records.

  • Basis: Performance of a contract; legal obligation (tax/accounting).

1.5 Support & Communications

  • What: Support chat transcripts, email newsletter subscriptions (with timestamped consent).

  • Why: To respond to support requests and send product updates.

  • Basis: Legitimate interest (support); consent (marketing).

1.6 Security & Access Logs

  • What: Login timestamps, IP addresses, basic server‑side logs.

  • Why: Fraud prevention, security auditing, troubleshooting.

  • Basis: Legitimate interest (security).

1.7 Cookies & Similar Technologies

  • What: Strictly necessary cookies to maintain sessions; CookieYes consent cookie.

  • Why: To keep you logged in and remember your cookie preferences.

  • Basis: Legitimate interest; consent for any non‑essential cookies.

1.8 Automatically Collected Data

  • Device & Usage: IP address, browser type, operating system, feature use, error logs.

  • Location: Inferred from IP or explicit device permission for precise geolocation.

1.9 Sensitive Data

  • We do not collect sensitive categories of data (health, biometric, racial, political opinions) unless you explicitly submit them (e.g. in a support ticket). Such data is processed only with explicit opt-in (GDPR Article 9).

2. Purpose & Legal Basis

Purpose                        | Data Category              | Legal Basis
-------------------------------|----------------------------|------------------------------------------------
Account creation & login       | Registration, OAuth tokens | Contract performance
Payment processing & invoicing | Billing & payment data     | Contract performance; legal obligation
Client approvals               | External approver data     | Contract performance
Support responses              | Support communications     | Legitimate interest
Marketing emails               | Newsletter subscriptions   | Consent
Security & fraud prevention    | Access logs                | Legitimate interest
Cookie preferences             | Cookies                    | Necessary: legitimate interest; optional: consent

3. Data Retention Periods

  • Account & profile data: Until 2 weeks after account deletion.

  • Billing records: 6 years (Canadian tax law).

  • Security logs: 12 months.

  • Support transcripts: 2 years.

  • Cookie consent records: Retained per CookieYes default (up to 12 months).

Data is retained only as long as necessary for the purposes above and to meet legal obligations. After each retention period, personal data is securely erased or irreversibly anonymized.

4. Recipients & Sub‑processors

When you use Trovebase, some of your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. These destinations may not have the same data-protection laws as your home jurisdiction.

Standard Contractual Clauses (SCCs)
Where personal data is exported outside the EEA, Trovebase relies on the European Commission’s Standard Contractual Clauses or other approved transfer mechanisms (e.g. EU–U.S. Data Privacy Framework) to ensure GDPR-equivalent safeguards.

Sub-processors
We engage only trusted third-party service providers to process data on our behalf and under strict contract terms. If you’d like a full, up-to-date list of our sub-processors (and their DPAs), please contact us at rehaan@trovebase.com.

5. International Data Transfers

Personal data may be transferred to servers in Canada, the U.S., and the EU. Transfers from the EEA are safeguarded by EU Standard Contractual Clauses (SCCs) or equivalent. Data remains protected under GDPR-level safeguards.

6. Your Rights

Under GDPR, UK GDPR, and Canadian PIPEDA you have the right to:

  • Access your personal data.

  • Rectify inaccuracies.

  • Erase data (the “right to be forgotten”), subject to legal obligations.

  • Restrict processing in certain circumstances.

  • Object to processing based on legitimate interest or direct marketing.

  • Portability: receive your data in a structured, machine‑readable format.

  • Withdraw consent at any time for marketing or non‑essential cookies.

  • Complain to a supervisory authority:

    • Canada: Office of the Privacy Commissioner (https://www.priv.gc.ca/)

    • EU/UK: Your local Data Protection Authority (e.g. ICO in the UK, AEPD in Spain).

To exercise any right, email us at rehaan@trovebase.com with a copy of your ID.

7. Security Measures

We implement industry‑standard safeguards, including:

  • TLS encryption in transit.

  • AES‑256 encryption at rest.

  • Hashed & salted passwords (bcrypt).

  • Access controls & role‑based permissions.

  • Regular vulnerability scans and patch management.

  • Monthly penetration tests; continuous vulnerability scanning.

  • Encrypted backups with routine integrity checks and disaster recovery plans.

8. Children’s Privacy

Trovebase is for users 18 years and older. We do not knowingly collect data from anyone under 18. If you believe we have, please contact us to have it deleted.

9. Cookies & Tracking

We use only strictly necessary cookies and a single consent cookie via CookieYes. We do not deploy analytics or marketing cookies unless you explicitly opt in. See our Cookie Policy for details.

10. Automated Decision‑Making

Trovebase does not perform any solely automated profiling or decision‑making that would legally require additional disclosures or user consent.

11. Online Dispute Resolution

In the EU, you may use the EU Commission’s ODR platform:

https://ec.europa.eu/consumers/odr/

12. Changes to This Policy

We may update this Policy. Material changes are announced by email or in-app banner 15 days in advance. Non-material changes take effect immediately. Previous versions are available upon request.

Data Protection Officer: Rehaan Kothari (rehaan@trovebase.com).