How Tren handles
your data.

In the ordinary and customary course of providing, administering, maintaining, securing, and operating the Service, the Company collects, may collect, or may be deemed to collect, directly or indirectly, the following categories of personal information, identifiers, and related data (collectively, "Personal Information"), without limitation:

(a) Account Identifiers. Upon the establishment, registration, or activation of an account hereunder, the Company collects and processes an electronic mail address (the "Email Address") associated with such User, together with a cryptographic representation, hash, or digest of any password elected by such User, the plaintext form of which password is at no time stored, retained, persisted, or otherwise rendered accessible to the Company or its personnel.

(b) Hardware-Derived Device Identifiers. For purposes of, and solely to the extent necessary for, the administration, enforcement, and integrity of per-seat licensing arrangements applicable to your subscription, the desktop component of the Service shall compute, generate, and transmit to the Company a deterministic one-way cryptographic hash (such hash, the "Device Hash") derived from one or more hardware identifiers exposed by the computing device upon which such desktop component is executed; provided, however, that the underlying hardware identifiers themselves are not collected, retained, transmitted, or otherwise stored by the Company in any unhashed or otherwise reversible form, and provided further that such Device Hash, by virtue of the cryptographic properties of the one-way function utilized in the computation thereof, cannot be inverted so as to disclose or otherwise identify the source device beyond the four corners of the Service.

(c) User-Generated Configuration Data. Such configuration data, settings, parameters, profiles, preferences, and related artifacts as you may, in your sole discretion, elect to synchronize to, persist within, or otherwise associate with your account through the cloud-synchronization functionality of the Service (collectively, the "Configuration Data").

(d) Operational, Diagnostic, and Audit Records. Records, logs, and entries reflecting events deemed by the Company to be material to the operation, security, and integrity of the Service, including without limitation authentication events, session establishment and termination events, download events, device authorization and de-authorization events, subscription state transitions, and any other events the Company may from time to time elect to record, which records may include, inter alia, internet protocol addresses, timestamps expressed in coordinated universal time or such other temporal reference frame as the Company may elect, and basic information concerning the client software in use (collectively, the "Audit Records").

(e) Payment-Adjacent Information. All processing of payment instruments, credit and debit card numbers, banking information, and related sensitive payment data shall be conducted by and through Stripe, Inc. ("Stripe"), and the Company shall not at any time receive, retain, store, or have access to such full instrument numbers; provided, however, that the Company shall receive and retain a Stripe-issued customer identifier and metadata pertaining to your subscription, including without limitation plan tier, status, billing cycle, and renewal date (collectively, the "Subscription Metadata").

(f) Correspondence. The full content, headers, attachments, and metadata of any electronic mail or other communication transmitted by you to the Company, which shall be retained for such period as the Company reasonably deems necessary for the purposes of responding to, acting upon, and following up with respect to the same.

The Company processes Personal Information for one or more of the following legitimate business purposes, without limitation: (i) the operation, provision, maintenance, repair, and improvement of the Service; (ii) the authentication of Users and the authorization of access to features in respect of which such Users have remitted consideration; (iii) the enforcement of per-seat licensing arrangements by reference to the Device Hash; (iv) the cloud synchronization of Configuration Data; (v) the processing of payments and the administration of subscription entitlements through Stripe; (vi) the investigation, detection, prevention, and mitigation of abuse, fraud, license-sharing, account compromise, and other security events; (vii) the provision of customer support and the resolution of disputes; and (viii) the discharge of such legal, regulatory, judicial, and quasi-judicial obligations as may be imposed upon the Company from time to time.

The Company does not sell Personal Information, does not engage in cross-context behavioral advertising, and does not share Personal Information with advertising networks for purposes of targeted advertising.

The Company engages a limited number of third-party service providers (each, a "Sub-Processor"), each of which shall process Personal Information solely to the extent necessary for the function in respect of which it is engaged, and subject to such contractual, technical, and organizational measures as the Company deems appropriate:

• aStripe, Inc., for the processing of payments and the administration of subscription billing;
• bRender Services, Inc., for the hosting of the Company's application infrastructure and the provision of managed database services;
• cVercel Inc., for the hosting and delivery of the Company's web frontend;
• dCloudflare, Inc., for domain name resolution, denial-of-service mitigation, edge caching, object storage (including without limitation through the "R2" service), and serverless compute (including without limitation through the "Workers" platform) for purposes of authorizing the delivery of downloads; and
• eFunctional Software, Inc., doing business as Sentry, for the collection of error reports, exception traces, and operational telemetry.

Each such Sub-Processor operates pursuant to its own privacy notices, terms of service, and security commitments, which the Company does not and cannot unilaterally control, and the Company does not authorize any such Sub-Processor to process Personal Information for such Sub-Processor's own marketing purposes.

Personal Information is stored, processed, and maintained primarily within data centers and facilities operated by the Sub-Processors enumerated in Section 3, predominantly within the United States of America. The Company shall retain account-related Personal Information for so long as the corresponding account remains active, and shall retain Audit Records for such duration as the Company shall determine, in its reasonable judgment, to be necessary or appropriate for legitimate operational, security, accounting, or legal purposes.

The Company shall, from time to time and without prior or separate notice to Users, create, generate, store, and maintain encrypted backup copies of its databases and storage systems, which backups may incorporate the hashing of sensitive fields where the Company deems appropriate, and which backups shall be retained on a rotating schedule, after the expiration of which such backups shall be overwritten, expired, or otherwise rendered inaccessible. No such backup data shall be sold, transferred, or otherwise made available to any unrelated third party.

A User may, at such User's election, initiate the deletion of such User's account through (i) the account settings interface within the dashboard, or (ii) the transmission, by such User as an authenticated principal, of an appropriate request to the Company's account-deletion endpoint. Such deletion shall be processed without queueing, deferral, or grace period and shall, upon successful execution, give effect to each of the following, in such order and manner as the Company may from time to time determine:

• athe cancellation, through Stripe, of each non-terminal subscription associated with such User;
• bthe revocation of all then-active authentication sessions associated with such User;
• cthe permanent and irreversible deletion of the User's account record from the Company's primary database;
• dthe cascading deletion of all related records, including without limitation subscription records, authorized device records, and pending authorization codes; and
• ethe retention, but anonymization, of audit and entitlement event records, by means of setting the user identifier associated with such records to a null value, the Company having determined that the continued retention of such records, in such anonymized form, is reasonably necessary for the integrity of its fraud-prevention, billing, and accounting systems.

Once such deletion has been effected, neither the affected account nor any Configuration Data associated therewith may be recovered. Residual copies of Personal Information may persist within encrypted backup media until such time as the relevant backup retention schedule shall cause the expiration of the same.

The Company employs such reasonable and appropriate technical and organizational measures as it deems designed to protect Personal Information from unauthorized access, disclosure, alteration, or destruction, including without limitation the use of Transport Layer Security ("TLS") for transmissions between client and server, the storage of passwords solely in hashed form by means of a modern adaptive password-hashing function, the requirement of authenticated sessions in respect of all sensitive operations, and the restriction of internal personnel access to production data on a need-to-know basis.

Notwithstanding any of the foregoing, no system, process, or measure can be guaranteed to be impervious to compromise, and the Company makes no representation, warranty, covenant, or guaranty, express or implied, that the Service or any data transmitted in connection therewith is or shall be absolutely secure. In the event the Company becomes aware of any incident which the Company reasonably believes constitutes a personal data breach within the meaning of any applicable law, the Company shall provide such notifications as such law may require.

Subject to and as provided by applicable law, including without limitation Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the United Kingdom General Data Protection Regulation, and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), a User may possess one or more of the following rights with respect to Personal Information relating to such User: the right of access; the right to rectification or correction; the right to erasure or deletion; the right to restriction of, or objection to, certain processing; and the right to data portability. To exercise any such right, the User shall transmit a request to the address set forth in Section 11 hereof from the Email Address associated with the relevant account. The Company shall not discriminate against any User for the exercise of any such right.

The Service is made available on a global basis. By accessing or otherwise utilizing the Service from a jurisdiction other than the United States, the User hereby acknowledges, consents to, and agrees that Personal Information relating to such User shall be transferred to, processed within, and stored in the United States and such other jurisdictions in which the Sub-Processors enumerated in Section 3 may operate, which jurisdictions may afford a level of data protection materially different from, and in some cases less protective than, the User's jurisdiction of residence.

The Service is intended exclusively for Users who have attained the age of thirteen (13) years. The Company does not knowingly direct the Service to, solicit Personal Information from, or knowingly collect Personal Information from any individual under the age of thirteen (13). In the event the Company is made aware that Personal Information has been collected from any such individual, the Company shall promptly cause the same to be deleted upon notification transmitted to the address set forth in Section 11.

The Company reserves the right, in its sole and absolute discretion, to amend, supplement, restate, or otherwise modify this Policy from time to time, with such modification taking effect upon the publication of a revised version hereof bearing an updated Effective Date. In the event such modification is, in the Company's judgment, material, the Company shall endeavor to provide notice thereof to active Users by means of the Email Address of record or through the dashboard prior to the effectiveness of such modification; provided, that the failure of the Company to so notify shall not, in and of itself, invalidate any such modification.

All inquiries, requests, complaints, and other communications relating to this Policy shall be directed to:

[Support](/contact#reveal)