Privacy Policy
Last Updated: March 16, 2026
TroveDesk (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal information when you use the TroveDesk application tracking service at trovedesk.app.
1. Who We Are
TroveDesk is operated as a trading name from Accra, Ghana. For all privacy inquiries, contact us at trovedesk@gmail.com.
2. Information We Collect
We collect the following categories of personal information:
| Category | Examples | Purpose |
|---|---|---|
| Account information | Full name, email address, phone number | Account creation, authentication, and transactional notifications |
| Authentication credentials | Password (hashed), Google OAuth token | Secure login; passwords are never stored in plaintext |
| Application data | Title, organisation, category, status, deadline, notes, portal link, priority, location, amount | Core service delivery |
| Contact records | Name, role, email, phone of contacts linked to your applications | Helping you track people involved in your applications |
| User preferences | Tracked categories, application volume, reminder settings | Personalising your experience |
| Technical data | IP address, browser type, error logs, request metadata | Security, rate limiting, error monitoring, and service reliability |
| Theme preference | Light or dark mode (stored in localStorage) | UI preference only; never transmitted to our servers |
3. How We Collect Information
- Directly from you — when you create an account, fill in forms, or add data to the Service.
- Automatically — technical data such as IP addresses and error logs are collected automatically by our hosting and monitoring infrastructure.
- From third parties — if you sign in with Google, we receive your name, email address, and Google account ID from Google.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases:
- Performance of a contract — processing your account information and application data is necessary to provide you with the Service.
- Legitimate interests — technical data processed for security, error monitoring (Sentry), and service reliability.
- Consent — where we ask for your consent (e.g., for optional reminder emails), you may withdraw consent at any time via Settings → Notifications.
5. How We Use Your Information
- To create and manage your account
- To provide, operate, and improve the Service
- To send deadline and follow-up reminder emails (when enabled in Settings)
- To authenticate your identity and maintain session security
- To enforce our Terms of Service and prevent fraud or abuse
- To diagnose and fix errors and performance issues
- To comply with legal obligations where required
We do not use your data for advertising, profiling, or sale to third parties.
6. Third-Party Service Providers
We share personal data with the following processors who act on our behalf and are bound by data processing agreements:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication and database hosting (Ireland, EU) | All user and application data |
| Vercel | Web hosting and CDN (global edge network) | HTTP request data, IP addresses |
| Resend | Transactional email delivery | Email address, reminder content |
| Upstash | Rate limiting and dashboard caching | User ID, request counts |
| Sentry | Error monitoring | Stack traces, user ID (no sensitive application content) |
| OAuth sign-in (optional) | Name, email address, Google account ID | |
| Anthropic | AI-powered URL extraction (optional feature) | Content of submitted URLs only — no personal account data |
We do not sell your personal data to any third party. We do not share your data with any party not listed above except where required by law.
7. Cookies and Local Storage
- Session cookie (essential) — Supabase sets a secure, httpOnly session cookie to maintain your authenticated session. This cookie is necessary for the Service to function and cannot be disabled.
- Theme preference (localStorage) — Your light/dark mode preference is stored in your browser's localStorage. This is a functional preference stored only on your device and is never transmitted to our servers.
We do not use advertising cookies, tracking pixels, Google Analytics, or any cross-site tracking technology. Vercel Analytics, if enabled, collects only aggregated, non-identifiable traffic data and sets no cookies.
8. Data Retention
We retain your personal data for as long as your account is active. When you delete your account (Settings → Account → Delete account), all your data — including application records, contacts, documents, and audit logs — is permanently deleted from our database.
Technical data such as error logs held by Sentry is retained in accordance with Sentry's own retention policies (typically 90 days). Vercel request logs are retained in accordance with Vercel's policies.
We may retain anonymised, aggregated data that cannot identify you for service improvement purposes indefinitely.
9. Data Security
- All data is transmitted over TLS-encrypted connections (HTTPS).
- Passwords are hashed using bcrypt by Supabase Auth and are never stored or accessible in plaintext.
- Sessions use secure, httpOnly, SameSite cookies.
- All data is scoped to your account — no other user can access your data.
- Mutating API endpoints are rate-limited to prevent abuse.
- Our database is hosted by Supabase in the European Union (Ireland region).
While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data.
10. Your Rights
You have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — update inaccurate data via your account settings or by contacting us.
- Deletion — delete your account and all associated data at any time via Settings → Account.
- Portability — request an export of your data by emailing trovedesk@gmail.com.
- Objection / restriction — object to or restrict processing where permitted by law by contacting us.
- Withdraw consent — turn off email reminders at any time via Settings → Notifications.
To exercise any of these rights, contact us at trovedesk@gmail.com. We will respond within 30 days.
11. International Data Transfers
Our primary database is hosted by Supabase in Ireland (EU). Other service providers (Vercel, Resend, Sentry, Upstash) may process data in the United States or other countries. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses or the service provider's own adequacy mechanisms.
Supabase provides a Data Processing Agreement (DPA) available at supabase.com/privacy.
12. Children's Privacy
TroveDesk is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete the account and associated data promptly. If you believe a child has created an account, please contact us at trovedesk@gmail.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect, and we will update the “Last Updated” date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
14. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
If you are an EEA resident and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.