Triage Trust Centre
We believe trust is earned through transparency. Here's exactly how Triage handles your data.
Last reviewed: March 2026
GDPR Compliance
Triage has been designed to be GDPR-compliant from day one. Compliance is not a retroactive patch — it shaped the architecture of the product.
Data We Collect
Account data
Email address and display name, collected for authentication only via Supabase Auth. We do not collect phone numbers, billing addresses, or personal identifiers beyond what is needed to identify your account.
Usage data
Brief generation counts and credit usage are logged against your account to enforce plan limits and track billing. Product analytics (feature usage, session behaviour) are collected anonymously via PostHog EU Cloud. Individual events are not tied to identifiable personal data in analytics.
CSV uploads
When you upload a CSV, the data is processed server-side to generate contact briefs. CSV contents are not permanently stored beyond your active session. Once briefs are generated, the raw CSV data is discarded.
Domain scrape results
When Triage fetches signals from a company's public web presence (homepage, job postings, blog), results are cached per domain — not per contact. No personally identifiable information is cached as part of the domain scrape.
CRM data (when connected)
CRM integrations operate on a read-only API basis by default. Triage reads contact and account data to generate briefs. We write data back to your CRM only when you explicitly trigger a push action (e.g. saving a brief to a CRM note). We do not store raw CRM contact objects in our own database.
Sub-processors
The following sub-processors are used in the delivery of the Triage service. All sub-processors are bound by Data Processing Agreements.
| Sub-processor | Purpose | Location | DPA in place |
|---|---|---|---|
| Supabase | Database & authentication | Ireland (EU) | Yes |
| Vercel | Hosting & edge delivery | EU / US | Yes |
| Anthropic (Claude) | AI brief generation | US | Yes — data not used for model training |
| ZeroBounce | Email verification | US | Yes |
| People Data Labs | Contact enrichment | US | Yes |
| Stripe | Payment processing | US / EU | Yes |
| PostHog | Product analytics | EU Cloud | Yes |
| Resend | Transactional email | US | Yes |
| Inngest | Background job processing | US | Yes |
For transfers to US-based sub-processors, appropriate safeguards (Standard Contractual Clauses) are in place in accordance with GDPR Chapter V.
Security Practices
A summary of the technical and organisational measures in place. See the full Security page for more detail.
Your Rights
As a data subject under GDPR, you have the following rights. To exercise any of them, contact privacy@triage.club or use your account settings.
Right to access
Export all your personal data directly from account settings at any time.
Right to deletion
Deleting your account removes all your data from our systems within 30 days.
Right to portability
Export your contacts and generated briefs as CSV from your account.
Right to object
Object to our processing at any time by contacting privacy@triage.club.
Right to restrict processing
You can pause your account at any time, which halts all active processing of your data.
Right to rectification
Update your account details at any time via account settings. Contact us for corrections we can't surface in-product.
Data Processing Agreement
A formal Data Processing Agreement (DPA) is available to Enterprise tier customers as standard.
If you require a DPA on a lower tier — for example, as a condition of your organisation's procurement process — contact legal@triage.club and we will review on a case-by-case basis.
Standard Contractual Clauses (SCCs) are available for non-EU customers where data transfers outside the European Economic Area require additional safeguards under GDPR Chapter V.