Privacy Policy
Effective: April 14, 2026
1. Who we are
Trikkl is operated by SIA Mad Digital, a limited liability company registered in Latvia (the “Company”, “we”, “us”). We provide software that helps local service contractors collect Google reviews, track quotes, and remind past customers of recurring services (the “Service”).
US correspondence address: 3277 S White Rd #21, San Jose, CA 95148, United States. Questions about this policy: privacy@trikkl.app.
2. What this policy covers
This policy describes how we handle two distinct categories of data:
- Contractor data - personal data of contractors who create a Trikkl account (business owners, operators, team members). For this data, SIA Mad Digital is the data controller.
- Customer data - personal data of the contractor's own customers (name, phone number, email, job details) that the contractor uploads or enters into Trikkl in order to send review requests, quote follow-ups, and reminders. For this data, the contractor is the data controller and SIA Mad Digital is a data processor acting on their instructions.
3. Data we collect
From contractors (account holders)
- Name, business name, email address, phone number, city, state, trade
- Authentication credentials (OTP codes, hashed password) via Supabase
- Billing information processed by Stripe (we never store full card numbers)
- Usage analytics: pages visited, features used, messages sent
- Device and connection metadata: IP address, user agent, approximate location derived from IP
From contractors about their customers
- Customer first name, last name (if provided), phone number, email address (if provided)
- Job descriptions, service types, appointment dates, job values
- Quote amounts and follow-up timestamps
- Review responses (1-5 ratings) and private feedback text
- Opt-out flags (STOP/unsubscribe)
From prospective contractors (outreach)
- Publicly listed business information (business name, trade, city, Google review count, public email)
- Email delivery and engagement data (opens, clicks, replies, bounces)
- Unsubscribe state
- Outreach is sent from a separate domain (trikkl.email), includes a one-click unsubscribe, and contains our physical address per CAN-SPAM.
4. Why we process this data (legal bases)
- Contract performance (Art. 6(1)(b) GDPR): creating and running your account, processing payments, delivering messages you configure, providing customer support.
- Legal obligations (Art. 6(1)(c) GDPR): tax records, fraud prevention, responding to lawful requests from regulators.
- Legitimate interest (Art. 6(1)(f) GDPR): product improvement, security monitoring, abuse prevention, marketing outreach to businesses with publicly listed contact details - in each case balanced against your rights.
- Consent (Art. 6(1)(a) GDPR): where required (for example, non-essential analytics cookies). Consent can be withdrawn at any time.
5. How the contractor-customer relationship works
When a contractor uses Trikkl to message their customers, the contractor represents and warrants that they have obtained the customer's consent to receive SMS and email messages from their business. Trikkl sends those messages on the contractor's behalf as a processor. This includes:
- Review requests after jobs
- Quote follow-up nudges
- Service rebooking reminders
- Custom campaigns the contractor creates
Every outbound SMS includes a clear sender identity and STOP/HELP instructions (TCPA and carrier requirements). Every outbound email includes an unsubscribe link. Opt-outs are respected immediately and across every future message from that contractor.
6. Service providers (sub-processors)
We use the following infrastructure providers. Each processes limited data on our behalf under a Data Processing Agreement:
- Supabase, Inc. - database, authentication, file storage. Data hosted in the United States.
- Vercel, Inc. - application hosting, edge functions, error monitoring. Data processed in the United States and Europe.
- Twilio Inc. - SMS delivery and inbound message handling. Messages transit US telecom infrastructure.
- Resend, Inc. - transactional email delivery and event webhooks.
- Stripe, Inc. - payment processing. Stripe stores card data; we do not.
- Google LLC - when you connect a Google Business Profile, we receive limited profile and review data subject to Google's own terms.
- Anthropic, PBC - text analysis for sentiment and classification features (never used for contractor account content training).
International transfers outside the European Economic Area rely on Standard Contractual Clauses or equivalent legal safeguards.
7. How long we keep data
- Active accounts: for the life of the account plus 30 days after cancellation.
- Financial records (invoices, Stripe transactions): 7 years, as required by accounting law.
- Opt-out / unsubscribe records: kept indefinitely so we can respect opt-outs even after an account closes.
- Outreach leads: retained until unsubscribe or until the lead is shown to be bad data, whichever is sooner.
- Logs and security audit trails: up to 18 months.
8. Your rights (GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete data (“right to be forgotten”), subject to legal retention limits
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local supervisory authority (in Latvia: Datu valsts inspekcija)
To exercise any of these rights, email privacy@trikkl.app. We respond within 30 days.
9. Your rights (California CCPA/CPRA)
If you are a California resident, you additionally have the right to know what categories of personal information we collect and sell (we do not sell personal information), to request deletion, to correct inaccurate information, and to not be discriminated against for exercising these rights. Email privacy@trikkl.app to submit a request. We will verify your identity before fulfilling it.
10. Cookies and tracking
We use strictly necessary cookies for authentication and session management. We may use first-party analytics to understand product usage. We do not use third-party advertising cookies. Outreach emails use a single-pixel image and wrapped links to measure open and click rates; unsubscribing stops all tracking for that recipient.
11. Security
All traffic is encrypted in transit via TLS. Data at rest is encrypted by our infrastructure providers. Row-level security policies prevent one contractor's data from leaking to another. API keys, webhook secrets, and billing credentials are stored in encrypted secret stores.
No security program is perfect. If we become aware of a breach that affects your data, we will notify you and the relevant regulators within the statutory timeframes (72 hours for GDPR).
12. Children
Trikkl is a B2B product for adult business owners. We do not knowingly collect data from anyone under 16. If you believe a child has provided data to us, email us and we will delete it.
13. Changes to this policy
We will post material changes on this page and update the effective date. For significant changes we will notify active account holders by email at least 14 days before the change takes effect.
14. Contact
Data controller: SIA Mad Digital
US correspondence: 3277 S White Rd #21, San Jose, CA 95148, USA
Privacy requests: privacy@trikkl.app
General support: support@trikkl.app
See also our Terms of Service.