Information under Art. 13/14 GDPR
Privacy Policy
Last updated: 29 April 2026
This Privacy Policy applies to the Trailmaker SaaS platform (the App) and the marketing website at trailmaker.app.
Controller
The controller for personal data processed on this website and in the Trailmaker SaaS platform under the GDPR is the legal entity identified in our Imprint. For privacy requests, contact privacy@trailmaker.app.
What data we process
We process personal data in the following categories:
- Account data (email, hashed password, display name, workspace membership)
- Brand and product data you actively enter (name, URL, positioning, angle briefs, uploaded performance exports)
- Usage data (login timestamps, feature usage, engine run logs — solely for product improvement and billing)
- Billing data on paid plans (payment via Stripe — we do not store credit card data)
- Meta integration data — when you connect a Facebook or Instagram ad account: encrypted long-lived OAuth access tokens, ad-account IDs, ad/campaign/adset IDs, and aggregated performance metrics (impressions, reach, clicks, spend, conversions). Used solely to render your performance dashboard.
Purpose
To provide the product, perform creative strategy analyses (including transfer of prompt data to our sub-processors Anthropic and Google Vertex for LLM generation), handle billing, meet legal obligations, and communicate with you.
Onboarding emails (7-day trial)
When you sign up for the trial, we send you up to three automated emails: a welcome email immediately after sign-up, a check-in email on day three with concrete setup hints based on your current account state, and a conversion reminder in the final 24 hours before trial end.
Legal basis: the welcome and day-3 emails are necessary for performance of the contract (Art. 6(1)(b) GDPR) — they enable use of the trial you explicitly accepted at sign-up. The day-6 conversion email is based on our legitimate interest (Art. 6(1)(f) GDPR) in informing you before trial expiry.
Right to object: every email contains a 1-click unsubscribe link. You may object to the day-6 email at any time without giving reasons and without disadvantage. An objection to all emails including the contract-fulfilment ones is possible; in that case important account information will also be suppressed.
Email delivery is handled by our EU-based processor Resend (see sub-processor list). No third-country transfer takes place.
Meta Marketing API integration
If you connect your Facebook or Instagram ad account to Trailmaker, we receive an OAuth access token from Meta with the ads_read permission. We use this token solely to fetch aggregated ad performance metrics — impressions, reach, clicks, spend, and conversions — from the ad accounts you have explicitly authorised. We do not access end-customer personal data, message content, audience-targeting attributes of individuals, or any data outside the scope of ads_read.
What we store: access token (encrypted at rest with AES-256-GCM), ad-account IDs, campaign/ad-set/ad IDs, and performance metrics keyed to those IDs.
What we never do: we do not sell, license, transfer, or share Meta Platform Data with any third party other than the strictly necessary sub-processors listed in our subprocessor overview. We do not use Meta Platform Data to build user profiles, train machine-learning models for unrelated purposes, perform identity ascertainment or surveillance, or for any purpose Meta's Developer Data Use Policy prohibits.
Disconnection and deletion: you can revoke Trailmaker's access at any time at Facebook → Settings & privacy → Business integrations. On revocation, Meta sends us a data-deletion request which we honour automatically: the access token is invalidated within 24 hours and all cached Meta data is purged within 7 days. You may also delete your account inside Trailmaker (Settings → Account → Delete account) or email privacy@trailmaker.app.
Legal bases
- Art. 6 (1) (b) GDPR — contract performance (Trailmaker terms of use)
- Art. 6 (1) (f) GDPR — legitimate interest (product improvement, security, abuse protection)
- Art. 6 (1) (a) GDPR — consent (newsletter, optional cookies, Meta ad-account connection)
Processors and recipients
We use carefully selected sub-processors. The full list is at Subprocessor overview.
Security
All Customer Data and Meta Platform Data is encrypted in transit (TLS 1.3) and at rest (AES-256). OAuth access tokens are stored as ciphertext in our database with a server-only key; even an attacker with row-read access cannot recover the token. We enforce row-level security on all multi-tenant tables, multi-factor authentication on every administrative system, and we maintain audit logs of security-relevant events for 90 days. To report a security vulnerability, email security@trailmaker.app. We acknowledge reports within two business days and will not pursue legal action against good-faith research.
Retention
Account and brand data are stored for the duration of the contract plus statutory retention periods (e.g. German HGB § 257 / AO § 147 for billing, typically 10 years). After account deletion, non-billing personal data is erased within 30 days. Specific retention windows per data category:
| Data category | Retention |
|---|---|
| Account profile, brand workspace data | until deletion request + 30 days |
| Meta access tokens | invalidated on disconnection (auto on Meta deletion request); else 60 days idle |
| Meta ad insights cache | rolling 13 months |
| Audit and security logs | 90 days |
| Billing and invoice records | 10 years (HGB § 257, AO § 147) |
Your rights
Under the GDPR you have the following rights:
- Access to your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure of your data, unless statutory retention obligations apply (Art. 17 GDPR)
- Data portability in a structured, common format (Art. 20 GDPR)
- Objection to processing based on legitimate interest (Art. 21 GDPR)
- Lodging a complaint with a supervisory authority (Art. 77 GDPR)
To delete your account and all associated data: open the Trailmaker app → Settings → Account → Delete account, or email privacy@trailmaker.app. Within 30 days we erase all account, brand and Meta-integration data; statutory billing records are retained for 10 years per German HGB § 257 / AO § 147.
For all privacy requests, you can reach us at privacy@trailmaker.app.
Cookies and tracking
Trailmaker uses only technically necessary cookies for authentication (Supabase session cookie) and CSRF protection. Marketing or analytics cookies are set only after explicit consent via our consent manager — these include Google Analytics 4, Bing UET, Vercel Analytics, Meta Pixel with Conversions API (CAPI), and PostHog product analytics.
The US sections below (CCPA/CPRA, additional US states, COPPA, CAN-SPAM) are DRAFT - pending counsel review before going live to paying US customers.
California (CCPA / CPRA)
If you reside in California, the California Consumer Privacy Act (CCPA, as amended by the CPRA in 2023) grants you the following rights with respect to Trailmaker:
- Right to Know - what personal information we have collected about you, where it came from, and who we shared it with.
- Right to Delete - have your data deleted (subject to statutory exceptions).
- Right to Correct - have inaccurate personal information corrected.
- Right to Opt-Out of Sale/Share - we do not sell personal information in the classic sense, but our advertising and analytics pixels count as sharing under the CPRA. You can disable that path at any time.
- Right to Limit Use of Sensitive Personal Information - we do not collect sensitive personal information (health, biometric, precise geolocation, religious belief, sex life).
- Right to Non-Discrimination - exercising any of these rights will never lead to degraded service or different pricing.
We honour the Global Privacy Control (GPC) browser signal automatically as a valid opt-out request per California Code of Regulations Title 11 Section 7025.
Submit a request at: /legal/do-not-sell.
Other US states
Equivalent rights apply in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), New Hampshire (NHDPL), New Jersey (NJDPA), Minnesota (MCDPA), Maryland (MODPA), Nebraska, Indiana (INCDPA, effective 2026), Kentucky (KCDPA, effective 2026), Rhode Island (RI HB 7787, effective 2026), Florida (FDBR). We handle requests from all of these states equivalently - email privacy@trailmaker.app with the state in the subject line.
Children's data (COPPA)
Trailmaker is not directed at children under 13 and we do not knowingly collect their personal information. People under 13 are not permitted to use the service. If we learn that we have inadvertently collected data from a child under 13, we delete it immediately. Parents can reach us at privacy@trailmaker.app.
Marketing email (CAN-SPAM Act)
Marketing emails (such as our day-3 and day-6 onboarding emails) include our real sender identity, an accurate subject line, our physical postal address in the footer, and a working unsubscribe link. We honour unsubscribes within 10 business days. Transactional email (login codes, invoices) is exempt under CAN-SPAM.