← Back to Legal Documents

Privacy Policy

Effective date: 23 May 2026

Summary. Trefnus Resource is a local-first application. The overwhelming majority of your data — your resources, bookings, settings, map images and configuration — never leaves your Device. We collect only the minimum personal data needed to verify your licence: your email address (to send you a magic sign-in link), a Supabase-issued user ID, and a randomly generated per-Device hash with a short device label. We do not sell, rent, share or trade your personal data, and we do not use any analytics, advertising or third-party tracking.

1. Information We Collect

1.1 Information you provide to us

1.2 Information collected automatically when you authenticate

Supabase, our authentication and database processor, may additionally process technical metadata such as your IP address, request timestamps and HTTP headers when handling these requests. We do not store or use that metadata. See Supabase’s privacy policy.

1.3 Information stored only on your Device (never sent to us)

The full list of storage keys is set out in our Cookie & Local Storage Policy.

1.4 What we do NOT collect

2. How We Use Your Information

DataPurposeLegal Basis (UK/EU GDPR)
Email addressSend magic sign-in link; respond to support; send essential service notices (security, legal, account)Performance of a contract (Art. 6(1)(b)); legitimate interests in operating and securing the Application (Art. 6(1)(f))
Supabase user IDIdentify your account when verifying your licencePerformance of a contract (Art. 6(1)(b))
Device hash & device labelEnforce the 5-device licence limit; allow you to see and remove Devices in SettingsPerformance of a contract (Art. 6(1)(b)); legitimate interests in preventing unauthorised use (Art. 6(1)(f))
Last seen timestampEnforce device limits; show device activity in Settings; allow short transient grace window if the licence server is briefly unreachableLegitimate interests in service operation and anti-abuse (Art. 6(1)(f))
App identifier (app_resource)Distinguish this Application from other Trefnus applications in the licence databasePerformance of a contract (Art. 6(1)(b))
Licence active flagDetermine whether you are entitled to launch the ApplicationPerformance of a contract (Art. 6(1)(b))
Support correspondenceRespond to and keep a record of your enquiryLegitimate interests in providing support (Art. 6(1)(f))

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

3. Data Storage and Security

Personal data we process is stored by Supabase on infrastructure operated by Supabase Inc. We rely on Supabase’s technical and organisational security measures including encryption in transit (TLS) and at rest, network isolation, access controls and audit logging.

Your local Application data is held in your browser’s IndexedDB (database name trefnus-resource) and localStorage on your own Device. The security of that data depends on the security of your Device, browser, operating system and any backup/sync tools you choose to use.

No security is perfect. No system of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your personal data, and disclaim all liability for unauthorised access, interception or use of your personal data to the maximum extent permitted by law.

4. Data Sharing

We do not sell your personal data. We do not rent, trade or otherwise share your personal data for marketing purposes. We share personal data only as follows:

5. Data Retention

We retain your account-level personal data (email, Supabase user ID, device records, last-seen timestamps) for as long as your licence is active, and for a reasonable period afterwards to satisfy legal, tax, accounting and dispute-resolution obligations — typically up to seven (7) years.

Support correspondence is retained for up to three (3) years.

You can delete data stored on your Device at any time by clearing browser storage for the Application’s origin or by using the data-reset controls in Settings. Deleting local data does not delete your account-level data held by Supabase.

6. Your Rights

Subject to applicable law and verification of your identity, you may have the following rights:

To exercise these rights, email privacy@trefnus.com. We will respond within one month (extendable by two further months for complex requests). We may charge a reasonable fee or refuse manifestly unfounded or excessive requests as permitted by law.

7. International Data Transfers

Supabase and our content delivery network providers operate global infrastructure, and your personal data may be processed in countries outside the United Kingdom or the European Economic Area, including the United States. Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum, or on equivalent mechanisms recognised under applicable data protection law. By using the Application, you acknowledge that your personal data may be processed in those countries, which may have data-protection laws different from those of your country.

8. Children’s Privacy

The Application is not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@trefnus.com and we will delete it promptly.

9. Third-Party Links

The Application and its documentation may contain links to third-party websites and services (including Supabase, unpkg, jsDelivr and others). We are not responsible for the privacy practices or content of those third parties. Their privacy policies apply when you visit or use them.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted at /legal/privacy-policy.html with a new effective date. Material changes will be highlighted where reasonably practicable. Your continued use of the Application after the effective date constitutes acceptance of the updated policy.

11. UK / EU GDPR Compliance

For the purposes of the UK GDPR and the EU GDPR, Trefnus is the controller of the personal data described in this Policy. You can contact us about data protection matters at privacy@trefnus.com. Where required, our representative will be identified at that address.

We rely on the legal bases set out in the table in Section 2. Where we rely on legitimate interests, you can request further information about the balancing test we have conducted.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to: know what categories of personal information we collect and the purposes for collection; access the specific pieces of personal information we hold about you; delete personal information we hold, subject to exceptions; correct inaccurate personal information; opt out of the “sale” or “sharing” of your personal information; and not be discriminated against for exercising these rights.

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve months. To exercise any California right, email privacy@trefnus.com. We will verify your request using the email address associated with your account.

13. Data Breach Notification

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay and, where required, will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with applicable law.

14. Contact

Privacy questions or to exercise your rights: privacy@trefnus.com.
Legal questions: legal@trefnus.com.
Security concerns: security@trefnus.com.
General support: support@trefnus.com.