Privacy Policy
Last updated: 2026-04-27
1. Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
sydacos GmbH
Hasenböge 17, 21514 Klein Pampau, Germany
Email: contact@trigvale.com
Managing Director: Thomas Wagner
Amtsgericht Lübeck · HRB 10411 HL · VAT DE176831611
2. Data protection officer
sydacos GmbH is not required to appoint a Data Protection Officer under Art. 37 GDPR in conjunction with §38(1) BDSG (we do not process special categories of data, do not engage in regulated profiling, and our headcount of personnel processing personal data does not reach the statutory threshold). For any data-protection inquiry, contact contact@trigvale.com with the subject line "Data protection request".
3. Categories of personal data we process
We process the minimum personal data required to provide the Service. Each category below names the data, its purpose, and the lawful basis:
- Account data (Clerk user ID, email address, optional name and profile image) — provided to us by Clerk when you sign up or sign in. Purpose: identifying you as the account holder, securing your session, sending essential transactional notifications. Lawful basis: contract performance, Art. 6(1)(b) GDPR.
- Founder profile data (declared GitHub handle, audience size per channel, distribution channels actually used, capital, weekly time budget, prior shipped products, languages, geography, regulatory comfort) — provided by you in Settings. Purpose: calibrating the rubric output to your declared situation. Lawful basis: contract performance, Art. 6(1)(b) GDPR.
- Verified GitHub signal — when you authorise the GitHub social connection in Clerk, we read your public repositories, top-language distribution, total stars, and 30-day commit cadence to verify the founder profile. We do not read repository contents or private repositories unless you explicitly grant the `repo` scope. Lawful basis: contract performance and your consent (Art. 6(1)(a)).
- Idea content (titles, problem statements, founder assumptions, evidence rows, scoring history, sharpening edits, sprint outputs) — provided by you when you score, sharpen, or generate sprints for an idea. Purpose: providing the core Service. Lawful basis: contract performance, Art. 6(1)(b) GDPR.
- Billing data (Stripe customer ID, plan, subscription status, invoice history, country of residence) — processed by Stripe Payments Europe Ltd. We receive only what we need to apply quotas and entitlements; payment-instrument data (card number, IBAN, etc.) never reaches our infrastructure. Lawful basis: contract performance, Art. 6(1)(b) GDPR; statutory tax-record retention, Art. 6(1)(c) GDPR.
- Usage telemetry (per-source live-evidence cache HIT/MISS/ERROR counters per day, request paths, latency, error logs) — used solely for operating, securing, and improving the Service. Lawful basis: legitimate interest, Art. 6(1)(f) GDPR. Our interest is keeping the Service reliable; this overrides the limited residual interest you have in not having aggregated counters logged.
- Technical request data (IP address, user agent, request method and path, timestamp, response code) — captured briefly in CloudWatch logs for security monitoring and debugging. Retained 14 days. Lawful basis: legitimate interest in operating a secure service.
4. Where your data is processed and stored
Primary processing and storage occur in the European Union, specifically AWS region eu-central-1 (Frankfurt), operated by AWS EMEA SARL. The following sub-processors process limited data on our behalf:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| AWS EMEA SARL | DynamoDB storage, Lambda compute, S3, Secrets Manager, CloudWatch logs | Luxembourg / Frankfurt (eu-central-1) | Intra-EU; no transfer outside EEA |
| Vercel Inc. | Frontend hosting (the Vercel layer does not see idea content; it proxies authenticated API calls to our EU backend) | USA | EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) |
| Clerk Inc. | Authentication, account management, session tokens | USA | EU Standard Contractual Clauses |
| Stripe Payments Europe Ltd. | Subscription billing and payment processing | Ireland (EU); EU Stripe entity is the contracting party | Intra-EU; onward transfer to Stripe Inc. (US) under Stripe's own SCCs |
| Anthropic, PBC | Large-language-model provider used to score, sharpen, and generate sprints | USA | EU Standard Contractual Clauses; Anthropic does not retain prompt or completion data for model training when called via the commercial API |
| OpenAI, L.L.C. | Embeddings provider for archetype clustering (text-embedding-3-small) | USA | EU Standard Contractual Clauses; OpenAI does not retain API data for model training |
5. Public-API enrichment (live evidence pipeline)
When you score an idea, we enrich the brief with signals pulled from public APIs (Reddit, GitHub, Hacker News, Stack Overflow, dev.to). These calls use a short canonical query phrase derived from the idea's archetype — never the idea's full text and never personally identifying data. Queries are cached per archetype, so the vast majority of evaluations result in zero outbound API calls.
The above public APIs are not sub-processors within the meaning of the GDPR because we do not transmit personal data to them. They appear in the brief as informational references only.
6. Cookies and similar technologies
Trigvale uses only the cookies strictly necessary to operate the Service: a Clerk session cookie and a CSRF cookie. We do not use third-party analytics, advertising cookies, or cross-site tracking. No consent banner is required because we do not place any non-essential cookie (§25(2) TTDSG).
7. Retention
We retain personal data only as long as necessary for the purposes set out above and within the periods listed below:
- Account, founder profile, and idea data: kept for the duration of your account. When you delete your account from Settings, the corresponding rows are removed from DynamoDB within 30 days. Point-in-time-recovery snapshots may retain historical state for a further 35 days for disaster-recovery purposes.
- CloudWatch operational logs: 14 days.
- Per-source live-evidence usage counters: kept while the source remains in operation; aggregate-only, no per-user attribution.
- Billing records (invoices, payment confirmations): retained as required by §147 AO (German Fiscal Code) and §257 HGB — currently up to 10 years.
8. Your rights under the GDPR
You have the following rights with respect to your personal data:
- Right to access (Art. 15 GDPR) — request a copy of the data we hold.
- Right to rectification (Art. 16) — request correction of inaccurate data.
- Right to erasure (Art. 17), the so-called "right to be forgotten".
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — particularly to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — for any processing based on consent (e.g. the GitHub OAuth connection); withdrawal does not affect the lawfulness of prior processing.
- Right to lodge a complaint with a supervisory authority (Art. 77).
To exercise any of these rights, email contact@trigvale.com. We respond within one month (Art. 12(3)). The competent supervisory authority for sydacos GmbH is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Web: datenschutzzentrum.de
You may also lodge a complaint with the supervisory authority of your habitual residence or place of work.
9. Security
All data is encrypted in transit (TLS 1.2 or higher) and at rest (AWS-managed KMS keys for DynamoDB, S3, and Secrets Manager). Production access is limited to the controller and is logged in CloudTrail. Authentication is handled by Clerk with JWT-based session tokens; passwords are never stored on our infrastructure.
10. Automated decision-making and profiling
The Service produces automated outputs — a numerical score (Venture Readiness Score), a verdict (kill / pivot / test / build), and a brief — based on the idea content and your founder profile. These outputs are decision support, not legally binding decisions about you within the meaning of Art. 22 GDPR. No third party receives these outputs unless you choose to share them.
11. Children
The Service is not directed at children under the age of 16. If you become aware that we have collected personal data from a child without verifiable parental consent, please contact us immediately and we will delete it.
12. Changes to this policy
We will update this page when our processing practices change. The "Last updated" date above always reflects the most recent revision. For material changes that affect existing users we will additionally notify you by email at least 30 days before the change takes effect.