Triage.club is operated by [TRIAGE LEGAL ENTITY NAME], a company registered in England and Wales under company number [COMPANY NUMBER], with its registered address at [REGISTERED ADDRESS].
We are the data controller for personal data collected through your Triage account (your name, email address, and usage information). This means we decide why and how that data is processed.
[CONFIRM WITH SOLICITOR: Where users upload prospect contact data (for example, CSV files containing names and email addresses of their sales prospects), we may act as a data processor on behalf of the user, who remains the data controller for that prospect data. The precise controller/processor relationship for uploaded prospect data requires legal confirmation.]
If you have any questions about how we handle your data, you can reach our privacy team at privacy@triage.club.
We only collect personal data that we genuinely need to provide and improve Triage. Here is what we collect, why, and the legal basis we rely on under UK GDPR.
| Data category | Purpose | Lawful basis |
|---|---|---|
| Name, email address, company name | Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Hashed password | Authentication and account security | Performance of a contract (Art. 6(1)(b)) |
| Uploaded CSV contact data (prospect names, emails, job titles, etc.) | Generating outbound preparation briefs for you; processed transiently and not stored permanently | Performance of a contract (Art. 6(1)(b)) |
| Usage data and feature interactions | Understanding how Triage is used so we can improve the product | Legitimate interests (Art. 6(1)(f)) |
| Anonymised IP address and browser metadata | Product analytics (via PostHog EU Cloud with IP anonymisation enabled) | Legitimate interests (Art. 6(1)(f)) |
| Payment information | Processing subscription payments (handled entirely by Stripe; we do not store card details) | Performance of a contract (Art. 6(1)(b)) |
| Transactional email address | Sending account-related emails (welcome, password reset, billing) | Performance of a contract (Art. 6(1)(b)) |
Where we rely on legitimate interests, our interest is in understanding product usage to improve the service. We have assessed that this processing is proportionate and does not override your rights, particularly as we anonymise IP addresses and do not track you across other sites.
We do not collect special category data. We do not use your data for advertising. We do not sell your data to anyone.
We use your personal data for the following purposes, each tied to the lawful bases set out in section 2 above.
Account creation and authentication. When you sign up, we store your name, email, company, and a securely hashed password in Supabase (hosted in EU Ireland) to create and maintain your account.
Delivering the Triage service. When you upload a CSV of prospect contacts, we process that data transiently to generate AI-powered outbound preparation briefs using Anthropic Claude. The CSV data is not stored permanently. On paid tiers, we may also verify email addresses via ZeroBounce and enrich contact records via People Data Labs to improve brief quality.
Anthropic Claude does not train on your data. We use the Anthropic API with a zero-retention agreement. Your uploaded prospect data and generated briefs are not used to train AI models.
Product analytics and improvement. We use PostHog (EU Cloud, with IP anonymisation) to understand which features are used and how the product can be improved. We do not use marketing cookies or cross-site tracking.
Transactional communications. We send account-related emails (such as welcome emails, password resets, and billing receipts) via Resend. We do not send marketing emails unless you have explicitly opted in.
Payments. Subscription payments are handled by Stripe. We do not receive or store your full card number. Stripe processes your payment data as an independent data controller under its own privacy policy.
Background job processing. We use Inngest to manage asynchronous processing tasks (such as queuing brief generation). Inngest processes job metadata on our behalf as a sub-processor.
Security and abuse prevention. We use Supabase Row Level Security (RLS) policies to ensure users can only access their own data. We log access events and monitor for unusual activity to protect your account.
We keep your data only for as long as we need it. Here are our retention periods for each category.
| Data category | Retention period |
|---|---|
| Account data (name, email, company, hashed password) | Retained while your account is active, then deleted within 30 days of account closure |
| Uploaded CSV contact data | Processed transiently during brief generation and not stored permanently; removed from temporary storage once processing is complete |
| Generated briefs and outputs | Retained while your account is active; deleted within 30 days of account closure |
| Analytics data (PostHog) | 12 months, with anonymised IP addresses |
| Payment records (Stripe) | Retained by Stripe in accordance with financial record-keeping obligations; we retain only a transaction reference |
| Transactional email logs (Resend) | Retained for up to [CONFIRM RETENTION PERIOD] for delivery tracking and debugging |
When you delete your account, we remove your personal data from our active systems within 30 days. Some data may persist in encrypted backups for a limited period, after which it is permanently deleted.
If you would like your data deleted sooner, contact us at privacy@triage.club and we will action your request within 30 days.
We do not sell your personal data. We do not share it with advertisers. We only share data with trusted sub-processors who help us deliver the Triage service, and only to the extent necessary.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Authentication, database, and file storage | EU (Ireland) |
| Vercel | Application hosting and CDN | Global edge / US |
| Anthropic (Claude API) | AI brief generation (zero-retention; no model training on user data) | US |
| ZeroBounce | Email verification (paid tier only) | US |
| People Data Labs | Contact enrichment (paid tier only) | US |
| Stripe | Payment processing | US |
| PostHog | Product analytics (EU Cloud, IP anonymisation enabled) | EU |
| Resend | Transactional email delivery | US |
| Inngest | Background job queue and task processing | US |
Each sub-processor is bound by a data processing agreement. For a full, up-to-date list of sub-processors including their data protection credentials, see our Trust Centre.
We may also disclose personal data if required to do so by law, regulation, or court order.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data.
Right of access. You can request a copy of the personal data we hold about you.
Right to rectification. If any of your data is inaccurate or incomplete, you can ask us to correct it.
Right to erasure. You can ask us to delete your personal data. We will do so unless we have a lawful reason to retain it (for example, financial record-keeping obligations).
Right to restriction of processing. You can ask us to temporarily stop processing your data while a concern is resolved.
Right to data portability. You can request a machine-readable copy of the data you provided to us, so you can transfer it to another service.
Right to object. You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds that override your rights.
Rights related to automated decision-making. We do not currently make any decisions based solely on automated processing that produce legal or similarly significant effects on you. AI-generated briefs are informational tools for your own use, not automated decisions about you.
To exercise any of these rights, email us at privacy@triage.club. We will respond within 30 days. If your request is complex, we may extend this by a further two months, but we will let you know within the first 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.
ICO website: ico.org.uk | ICO helpline: 0303 123 1113
Triage uses a minimal set of cookies. We do not use marketing cookies, advertising cookies, or cross-site tracking cookies.
We use strictly necessary cookies for authentication and session management. These do not require your consent because the service cannot function without them.
Our analytics provider, PostHog (EU Cloud), is configured with IP anonymisation enabled. [CONFIRM WITH SOLICITOR: Whether PostHog's tracking method constitutes a cookie requiring consent under PECR, and whether a cookie consent banner is needed.]
For full details of the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
Your core account data is stored in the EU (Supabase, Ireland region). However, some of our sub-processors are based in the United States, which means personal data may be transferred outside the UK and EEA.
The following sub-processors involve transfers to the US: Vercel (hosting), Anthropic (AI processing), ZeroBounce (email verification), People Data Labs (enrichment), Stripe (payments), Resend (transactional email), and Inngest (job queue).
For each of these transfers, we rely on one or more of the following safeguards as required under UK GDPR:
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as appropriate for each sub-processor.
- [CONFIRM WITH SOLICITOR: Verify that appropriate transfer mechanisms (IDTA/SCCs) are in place with each US-based sub-processor and that transfer impact assessments have been completed where required.]
Data processed by PostHog remains within the EU (EU Cloud configuration). Data stored by Supabase remains in EU Ireland.
We may update this privacy policy from time to time to reflect changes in our practices, our sub-processors, or applicable law.
If we make material changes, we will notify you by email (using the address associated with your Triage account) and by posting a prominent notice within the product at least 14 days before the changes take effect.
The "Last updated" date at the top of this page will always reflect the most recent revision. We encourage you to review this policy periodically.
Continued use of Triage after the effective date of a revised policy constitutes your acknowledgement of the changes. If you do not agree with a revised policy, you may close your account at any time.
If you have any questions about this privacy policy, your personal data, or wish to exercise your data protection rights, please contact us.
Privacy enquiries: privacy@triage.club
Data controller: [TRIAGE LEGAL ENTITY NAME], registered in England and Wales
Registered address: [REGISTERED ADDRESS]
Company number: [COMPANY NUMBER]
[CONFIRM WITH SOLICITOR: Whether a Data Protection Officer (DPO) is required or has been appointed. If so, include DPO contact details here.]
We aim to respond to all privacy-related enquiries within 30 days.
This policy is governed by the laws of England and Wales. [CONFIRM WITH SOLICITOR: Confirm governing law and jurisdiction.]