Privacy Policy

Who is responsible for the data

TRISLON is the controller for account, subscription, support, security, and service-usage data used to operate the platform. A business owner is generally the controller for customer, lead, booking, review, campaign, and chatbot data collected through their mini-site or entered into their workspace. TRISLON processes that business-customer data on the owner's instructions.

Data we collect

• Account data such as name, email, auth provider, avatar, sessions, and subscription status.
• Business profile data such as services, prices, opening hours, location, contact details, brand settings, website content, reviews, chatbot knowledge, and uploaded images.
• Lead and booking data submitted by visitors, including name, phone, email, preferred time, service, message, source, campaign attribution, and Telegram reminder opt-in details when enabled.
• Usage and analytics data from public mini-sites when analytics consent is accepted, including event type, source, campaign, page path, visitor/session IDs, and timestamps.
• AI request context needed to generate content, replies, campaigns, mini-site drafts, chatbot answers, and weekly recommendations.
• Billing identifiers and subscription status from Stripe. TRISLON does not store full card numbers.

Where personal data comes from

• Directly from account holders and mini-site visitors when they register, contact a business, book, use the chatbot, request support, upload content, or manage billing.
• From Google or Facebook through Firebase when a user chooses social sign-in, including the provider user ID and available profile details such as name, email, and avatar.
• From Stripe about customers, subscriptions, invoices, payments, refunds, disputes, and billing status. Full card details are handled by Stripe, not stored by TRISLON.
• From Telegram when a visitor actively connects reminders, including a chat ID, username, messages, and opt-in status.
• From business owners when they manually enter or import customer enquiries, reviews, bookings, or other CRM information, and from public referral or campaign information attached to a mini-site visit.

Purposes and lawful bases

• Contract: to register users, authenticate accounts, provide workspaces and product features, process subscriptions, deliver support, and fulfil the service agreement.
• Legitimate interests: to secure the service, prevent fraud and abuse, diagnose faults, maintain business records, improve reliability, and understand aggregate product performance where those interests do not override individual rights.
• Consent: for optional mini-site analytics storage, Telegram reminders, and electronic marketing where consent is required. Consent can be withdrawn at any time.
• Legal obligation: to keep records and process information where required for accounting, tax, fraud prevention, regulatory, or legal-claims purposes.
• For lead and customer data processed for a business owner, the owner determines the relevant lawful basis and instructions; TRISLON acts as its processor.

Processors and integrations

Depending on the enabled features, TRISLON may use hosting providers, Supabase/PostgreSQL for data storage, Stripe for billing, Firebase with Google and Facebook for authentication, OpenAI for AI generation, Resend for email, Telegram for customer reminders, Cloudflare R2 for uploads, and Cloudflare Turnstile for public form protection. Data is shared only as needed to provide, secure, support, or lawfully administer the service.

International transfers

Some providers may process data outside the United Kingdom. Where UK data-protection law requires safeguards, TRISLON will use an applicable adequacy regulation or appropriate contractual safeguards, such as the UK International Data Transfer Agreement or UK Addendum, together with provider security and data-processing terms.

Retention and deletion

• Account and workspace data is normally kept while the account is active and until it is deleted through available controls or a verified deletion request.
• Mini-site lead, booking, content, review, chatbot, and analytics records are kept until the business owner deletes the relevant workspace or the data is no longer needed for the service.
• The essential login cookie expires after 30 days. Expired server-side session records may be removed during routine maintenance.
• Billing, security, dispute, and legal records may be kept longer where reasonably needed to meet tax, accounting, fraud-prevention, contract, or legal-claims obligations.
• Deleted data may remain temporarily in restricted backups until those backups are securely rotated or deleted.

Your data-protection rights

• Depending on the circumstances, you may request access, correction, deletion, restriction, or portability of your personal data, or object to processing based on legitimate interests.
• You can withdraw consent without affecting processing that was lawful before withdrawal. Visitors can reject or later withdraw optional mini-site analytics through Cookie settings.
• Requests can be sent to the support email shown above. Identity may be verified before a request is completed. TRISLON normally responds within one month, subject to any lawful extension.
• You may complain to the UK Information Commissioner's Office at ico.org.uk if you are unhappy with how a concern is handled.

AI and automated decisions

TRISLON uses AI to produce drafts, suggestions, summaries, and chatbot responses. These features are intended to assist people, not to make solely automated decisions that have legal or similarly significant effects. Business owners must review outputs and remain responsible for decisions and communications.

Children

TRISLON accounts are intended for business users aged 18 or over and the service is not directed to children. A business owner must not intentionally use the platform to collect children's data without an appropriate lawful basis, notice, and any required parental authorisation.

Sensitive and special-category data

TRISLON is not designed to store medical records, diagnoses, detailed health information, payment-card numbers, government identifiers, biometric data, or other highly sensitive information. Mini-site visitors should provide only the details needed for a general enquiry or appointment request. Businesses that need to process special-category data must first ensure they have an Article 9 condition, suitable notices, safeguards, contracts, and any required impact assessment.