Legal

Privacy Policy

Last updated: 18 March 2026 · Effective date: 18 March 2026

This policy explains what personal data Trimora collects, why, how long we keep it, and what your rights are. We have written it in plain language on purpose. If anything is unclear, contact us.

1. Who we are

Trimora is a financial awareness tool for small and medium-sized businesses. It analyses your uploaded bank statements and email inbox to identify unnecessary costs, unused subscriptions, and wasteful spending — and tells you exactly what to do about it.

The data controller responsible for your personal data is:

Legal name: Trimora (Alexandru Victor Vasiliu)
Location: Sas van Gent, Netherlands (full address available on request)
KvK number: 42006445
Contact: Contact us
Supervisory authority: Autoriteit Persoonsgegevens (AP), The Hague, Netherlands

2. What data we collect and why

2.1 Waitlist signups

If you join our waitlist at trimora.ai, we collect your email address. We use it solely to notify you when Trimora launches. We do not send marketing emails. We do not share this with third parties.

Legal basis: Legitimate interest (Article 6(1)(f) GDPR)
Retention: Until you request deletion, or until 12 months after launch — whichever comes first

2.2 Account and contact information

When you create a Trimora account, we collect your name, email address, and company name. We use this to operate your account, send you product notifications, and provide support.

Legal basis: Contract performance (Article 6(1)(b) GDPR)
Retention: Until account deletion, plus 30 days for backup purposes

2.3 Bank statement data

With your explicit action, you upload your business bank statement (PDF or CSV) to Trimora. We never request access to your online banking or require your bank credentials.

Important: We operate a strict two-layer data model. Raw transaction data (merchant name, amount, date, reference number) is processed in memory and deleted within minutes of the scan completing. We never store raw bank transactions permanently. What we do store is the derived output — for example: "Notion — €16/month — detected 3rd March — next renewal 3rd April." This is your product data, not your financial data.

Legal basis: Contract performance (Article 6(1)(b) GDPR) and your explicit consent
Raw transaction data: Deleted within minutes of analysis
Processed subscription records: Retained until account deletion

2.4 Email metadata

With your explicit consent, Trimora connects to your business email inbox (Gmail or Outlook) to detect subscription renewals, invoices, and vendor communications. We scan email metadata and relevant content to identify financial patterns. We do not read, store, or index personal correspondence.

Legal basis: Contract performance (Article 6(1)(b) GDPR) and your explicit consent
Retention: Email content is not stored. Only extracted subscription and renewal data is retained, until account deletion

2.5 Payment data

Payments are processed by Stripe. Trimora never sees, stores, or processes your card details. Stripe is an independent data controller for payment data. Their privacy policy is available at stripe.com/privacy.

3. How we store your data

All personal data is stored in the European Union — specifically on Supabase infrastructure in Frankfurt, Germany. Data does not leave EU servers.

Uploaded statement data and any derived findings are encrypted at the application layer using AES-256 before being written to the database. Even in the event of a database breach, data is not readable without the encryption key.

Row-level security is enforced in our database — your data is never accessible to other Trimora users.

4. Who we share data with

We do not sell your data. We do not share your data with advertisers. We share data only with the following sub-processors, who are contractually required to protect it:

Sub-processor	Purpose	Location
Supabase	Database and authentication	EU (Frankfurt)
Vercel	Application hosting	EU (Frankfurt, fra1) + SCCs for edge functions
Resend	Transactional email delivery	US (SCCs in place)
Stripe	Payment processing	US (independent controller)
Cloudflare	DNS, CDN, and waitlist storage	EU/US (SCCs in place)

For Vercel, Resend, and Cloudflare, data transfers outside the EU are covered by Standard Contractual Clauses (SCCs) as required under GDPR Chapter V.

5. Cookies and tracking

Trimora does not use cookies, tracking pixels, analytics scripts, or any third-party tracking technology on the trimora.ai landing page. No consent banner is shown because none is required — there is nothing to consent to.

The Trimora application uses one type of cookie only: a strictly necessary session cookie to keep you logged in. This cookie:

Is essential for the service to function — without it you cannot stay logged in
Does not track you across other websites
Contains no personal data beyond a session identifier
Is deleted when you log out or when your session expires
Does not require consent under the ePrivacy Directive (Directive 2002/58/EC)

We do not use Google Analytics, Facebook Pixel, HotJar, Intercom, or any other third-party tracking or analytics service.

6. Your rights under GDPR

As a data subject under GDPR, you have the following rights:

Right of access — You can request a copy of all personal data we hold about you
Right to rectification — You can ask us to correct inaccurate data
Right to erasure — You can request deletion of all your data. We will comply within 48 hours and confirm by email
Right to restriction — You can ask us to stop processing your data while a dispute is resolved
Right to data portability — You can request your data in a machine-readable format (JSON or CSV)
Right to object — You can object to processing based on legitimate interest
Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us. We will respond within 30 days. There is no fee.

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl.

7. Data security

We take the following technical and organisational measures to protect your data:

AES-256 encryption of all sensitive data at the application layer
Row-level security — each user can only access their own data
HTTPS enforced on all connections
No sensitive data written to log files
Tokens and credentials stored server-side only — never in the browser
One-click deletion of all your data — deletion is immediate and permanent
Minimum data collection — we do not store what we do not need

8. Data breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.

9. Children

Trimora is a business tool. It is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it immediately.

10. Changes to this policy

We may update this policy as the product evolves. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page.

11. Contact

For any privacy-related questions, requests, or concerns, please use our contact page or write to us at:

Trimora (Alexandru Victor Vasiliu)
Sas van Gent, Netherlands
KvK 42006445

We aim to respond to all privacy requests within 5 business days.