Privacy Policy
Effective date: [to be set on publish]
Last reviewed: [to be set on publish]
This Privacy Policy describes how Trilot LLC ("Trilot," "we," "us," or "our") collects, uses, shares, and protects personal information when you visit trilot.com (the "Site") or use our services.
We have written this policy in plain English. We have tried to make it short. If anything is unclear, email us at [email protected].
i. who we are
The data controller for personal information collected through this Site is:
Trilot LLC 30 N Gould St #46524 Sheridan, WY 82801 United States
Trilot LLC is a Wyoming limited liability company, registered in 1999 and re-registered in 2024. Operations are conducted from offices in Sheridan, Wyoming (registered office) and Amman, Jordan (operating office at St. Kraim Al-Dayyaty, Near Nadi Al-Malaki — Seventh Circle, Amman 11814, Jordan).
Trilot does not have a formally designated Data Protection Officer. Data-protection responsibilities are exercised directly by the operator, who is reachable at [email protected] or [email protected].
ii. what information we collect
We collect only what we need to operate the Site and respond to inquiries. Specifically:
Information you provide directly:
- Contact form submissions. When you use the contact form, we collect: your name, email address, optional company/context, your project description, and how you heard about Trilot.
- Newsletter subscription. When you subscribe to the Trilot newsletter, we collect: your email address and optionally your name. You opt in by submitting the form, and confirm by clicking the link in the verification email (double opt-in).
- Calendar bookings. When you book a consultation through our Cal.com calendar, Cal.com collects: your name, email address, your selected time slot, and any optional message you include. Cal.com is the data controller for that interaction in addition to Trilot.
- Project brief submissions. If you send a project brief through the contact form, we receive whatever content you provide.
- WhatsApp messages. If you initiate a WhatsApp conversation with us, WhatsApp (Meta Platforms, Inc.) processes that conversation under its own terms. We see the content you send. We do not export or archive WhatsApp conversations to our own systems.
Information collected automatically:
- Server logs. Our hosting provider (Cloudflare) records standard server logs including IP address, user-agent string, referring URL, the URL you requested, and timestamp. These are retained by Cloudflare for a limited period (currently approximately 30 days) and are used for service security and abuse prevention.
- Bot-protection signals. We use Cloudflare Turnstile to distinguish humans from automated bots on submission forms. Turnstile processes browser characteristics and behavioral signals. We do not retain or have access to these signals beyond the pass/fail outcome.
- Web analytics. We use Cloudflare Web Analytics, which is cookieless and does not track individuals across sessions or sites. We see aggregated page-view counts and approximate geographic regions of visitors. We do not see individual visitor identifiers.
Information we do NOT collect:
- Payment-card information (handled exclusively by third-party payment processors such as Stripe; we never receive raw card data)
- Sensitive categories of personal data (racial or ethnic origin, religious beliefs, health data, biometric data, etc.)
- Children's data (see section ix)
iii. why we collect this information
We rely on the following lawful bases for processing (terminology aligned with GDPR; equivalent grounds apply under UK GDPR, the California Consumer Privacy Act, and Wyoming state law):
| Data | Purpose | Lawful basis |
|---|---|---|
| Contact form submissions | Respond to your inquiry | Legitimate interest + your consent at submission |
| Newsletter signup | Send you the editorial newsletter | Consent (double opt-in) |
| Calendar bookings | Schedule and conduct the consultation | Performance of contract |
| Project brief | Evaluate fit and respond | Legitimate interest + consent at submission |
| Server logs | Service operation, security, abuse prevention | Legitimate interest |
| Bot-protection signals | Prevent automated abuse of forms | Legitimate interest |
| Web analytics | Understand site usage in aggregate | Legitimate interest (no individual tracking) |
We will not use your information for purposes incompatible with those listed above without obtaining fresh consent.
iv. who we share information with
We do not sell personal information. We do not share personal information with third parties for their own marketing or advertising purposes.
We do share information with the following sub-processors solely so that they can perform services on our behalf. Each sub-processor is bound by a data-processing agreement with Trilot or, where applicable, by its standard customer terms incorporating appropriate safeguards.
| Sub-processor | Purpose | Categories of data | Location | Transfer safeguard |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DNS, Turnstile bot protection, cookieless analytics | Server logs, form payloads in transit, bot-protection signals | United States with global edge presence | SCCs / DPF participant where applicable |
| Resend (Resend, Inc.) | Transactional email delivery from [email protected] |
Email contents, sender + recipient addresses | United States | SCCs / DPF participant where applicable |
| MailerLite (UAB Mailerlite) | Newsletter list management and sending | Email address, optional name, subscription metadata | European Union / United States | SCCs |
| Google LLC (Google Workspace) | [email protected] inbox |
Email content you send to us | United States | SCCs / DPF participant where applicable |
| Cal.com, Inc. | Calendar booking | Name, email, booking time, optional message | United States | SCCs / DPF participant where applicable |
| GitHub, Inc. | Source-code hosting (does not normally process your personal data) | None in normal operation | United States | SCCs / DPF participant where applicable |
We may also disclose personal information when required by law, valid legal process, or to protect Trilot's or others' rights. We will narrowly tailor any such disclosure.
We will update this list of sub-processors as our operations change. Material changes will be communicated via the newsletter and posted as a banner on the Site for 30 days before taking effect.
v. how long we retain information
We retain personal information only as long as we need it for the purposes described in section iii.
| Data | Retention |
|---|---|
| Contact form submissions | 24 months from last activity, then deleted |
| Newsletter subscribers | Until you unsubscribe, then 30 days, then deleted |
| Calendar bookings | 24 months from the event date |
| Web analytics | Aggregated, no individual retention |
| Server logs | Per Cloudflare standard retention (~30 days at time of writing) |
| Engagement records (after contract) | Retained per the engagement letter and applicable accounting law (typically 7 years for US tax records) |
When the retention period ends, we delete the data or anonymize it so it can no longer be linked to you.
vi. where your data lives and how it crosses borders
Trilot is a US company. Most of our sub-processors are US-headquartered, though several have global infrastructure. If you contact us from the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to the United States and possibly to other countries where our sub-processors operate.
For transfers from the EEA, UK, and Switzerland to the United States, we rely on:
- The EU-US Data Privacy Framework and the UK Extension to the DPF, where the receiving sub-processor is a certified DPF participant; and/or
- Standard Contractual Clauses (SCCs) as approved by the European Commission, where DPF participation is not in place.
You may request a copy of the safeguards in place for any specific transfer by emailing [email protected].
vii. your rights
Depending on where you live, you have some or all of the following rights with respect to your personal information.
Under the GDPR and UK GDPR:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Correct inaccurate data we hold about you.
- Erasure. Request deletion of your personal data ("right to be forgotten"), subject to legitimate retention requirements.
- Restriction. Restrict our processing of your data in specific circumstances.
- Portability. Receive your data in a structured, commonly used, machine-readable format.
- Objection. Object to processing based on legitimate interest.
- Withdrawal of consent. Withdraw consent at any time for consent-based processing (e.g., newsletter unsubscribe).
- Complaint. Lodge a complaint with your supervisory authority.
Under the California Consumer Privacy Act (CCPA / CPRA):
- Right to know what categories of personal information we collect, the purposes, the categories of recipients, and the specific pieces of information.
- Right to delete personal information we hold about you, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. There is therefore nothing to opt out of, but the right remains available.
- Right to non-discrimination for exercising any CCPA right.
To exercise any right, email [email protected] from the address we have on file for you, or send a verifiable request describing the right you wish to exercise. We will respond within 30 days under GDPR/UK GDPR and within 45 days under CCPA (extensions as permitted by law). We will verify your identity before processing requests that involve disclosure or deletion.
You will not be charged a fee for exercising your rights, except where requests are manifestly unfounded or excessive (e.g., repetitive). We will not retaliate against you for exercising your rights.
viii. cookies and similar technologies
Trilot's use of cookies is minimal. Please see our Cookie Policy (/cookies.html) for the complete list and purposes. In summary:
- We use a small number of strictly-necessary cookies set by Cloudflare for service security and bot protection.
- We do not use third-party advertising cookies.
- We do not use cross-site tracking pixels.
- The newsletter strip on every page uses a single first-party cookie to remember if you dismissed it (so we don't show it to you again for 30 days). You can clear this cookie at any time through your browser.
ix. children
Trilot's services are designed for businesses and adults. We do not knowingly collect personal information from any individual under the age of 16 (or under 13 in jurisdictions where that age is the threshold). If you believe a child has provided personal information to us, please contact us at [email protected] and we will delete that information promptly.
x. security
We use industry-standard safeguards to protect personal information from unauthorized access, alteration, or destruction. These include encryption in transit (TLS/HTTPS), access controls on systems holding personal data, secure password practices, and contractual obligations with our sub-processors. No method of internet transmission or electronic storage is 100% secure; we cannot guarantee absolute security but we will notify affected individuals and relevant authorities in the event of a personal-data breach as required by law.
xi. updates to this policy
We may update this Privacy Policy. The "Effective date" at the top of the document reflects the most recent revision.
If we make material changes, we will:
- Update the "Effective date";
- Post a notice on the Site for 30 days; and
- Where you have given us your email address (for example, by subscribing to the newsletter), notify you by email.
Your continued use of the Site after a material change takes effect constitutes acceptance of the updated policy.
xii. how to contact us
For any privacy-related question, request, or complaint:
- Email: [email protected] or [email protected]
- Mail (US registered office): Trilot LLC, 30 N Gould St #46524, Sheridan, WY 82801, United States
- Mail (Amman office): Trilot, St. Kraim Al-Dayyaty, Near Nadi Al-Malaki — Seventh Circle, Amman 11814, Jordan
- WhatsApp: +1 307 998 3995
We aim to respond to privacy inquiries within five business days. Formal rights requests are handled within the statutory timeframes described in section vii.