Privacy Policy

Effective date: April 1, 2026

At Trowt, we take your privacy seriously. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our services. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you consent to our collection, use, and sharing of your information as described in this Privacy Policy.

Your use of Trowt's Services is at all times subject to our Terms of Service. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the Terms of Service.

If you have a disability, you may access this Privacy Policy in an alternative format by contacting us at legal@trowt.app.

1. Introduction and Scope

This Privacy Policy describes how Trowt ("we," "us," or "our") collects, uses, and shares personal information in connection with our Services, which include our web application, our AI assistant Rich, our APIs, and our integrations with third-party platforms such as Instagram and LinkedIn.

For purposes of this Privacy Policy, "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This definition is consistent with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

This Privacy Policy applies to:

Users who create accounts and use our Services
Organization members who are invited to collaborate within an organization on Trowt
Website visitors who browse our website or join our waitlist
Any individual whose Personal Information we process in connection with our Services

Our role. With respect to our own product data (account information, usage data, analytics), Trowt acts as the data controller. When we process social media data on behalf of our customers (such as importing and analyzing posts from connected Instagram or LinkedIn accounts), Trowt acts as a data processor on your behalf.

2. Personal Information We Collect

2.1 Information You Provide Directly

2.1.1 Account Registration

When you create a Trowt account, we collect:

Name and email address
Password (stored using cryptographic hashing, never in plain text)
Google OAuth data (if you choose to sign in with Google): your name, email address, and profile photo

2.1.2 Organization and Team Data

When you create or join an organization, we collect:

Organization details: organization name, URL slug, logo, and locale preference
Team membership: your role within the organization (owner, admin, or member)
Invitations: email addresses and roles for team members you invite

2.1.3 Brand and Business Profile

To personalize our AI features and content generation, we collect:

Company information: company name, website URL
Visual identity: brand colors, fonts, logos, tagline
Brand voice: tone of voice, brand values, aesthetic preferences
Business details: business overview, market segment, target audience, products and services, business objectives
Marketing briefing: marketing objective, offer, production capacity
Timezone

2.1.4 Reference Images and Uploads

Images you upload as visual references for content generation
Brand logos you upload to your account

2.1.5 Support Communications

Information you share with us through customer support channels, including email correspondence

2.1.6 Payment and Billing Data

In the future, when we introduce paid plans, we will collect payment card information and billing addresses. This payment data will be handled directly by our third-party payment processor (such as Stripe) and will not be stored on our servers.

2.2 Information Collected from Connected Social Media Accounts

When you connect your social media accounts to Trowt, we collect data from those platforms via their official APIs. You can disconnect your accounts at any time.

2.2.1 Instagram

We request the following OAuth scopes from Instagram:

instagram_business_basic: access to your profile information and posts
instagram_business_content_publish: ability to publish approved content on your behalf
instagram_business_manage_insights: access to audience and performance insights

Data we collect from Instagram:

Profile data: username, display name, profile picture, follower count, post count, account type
Existing posts: captions, media type, media URLs, thumbnail URLs, permalinks, timestamps
Engagement metrics (per post): likes, comments, shares, saves, reach, views, impressions, plays, total interactions
Audience demographics (aggregated, not individual): gender distribution, age range breakdown, top cities
Profile metrics (collected daily): followers, reach, views, engagement rate
Post metrics (per post): likes, comments, shares, saves, reach, views, engagement rate

2.2.2 LinkedIn

We request the following OAuth scopes from LinkedIn:

openid: authentication
profile: access to your profile data
r_organization_social: ability to read your organization's posts and metrics
w_organization_social: ability to publish approved content on behalf of your organization

Data we collect from LinkedIn:

Organization profile data: organization name, logo, follower count
Existing posts: text, media URLs, permalinks, publish date
Engagement metrics (per post): likes, comments, shares, clicks, impressions, unique impressions, engagement rate
Audience demographics (aggregated, not individual): industry, seniority, region, function, company size
Profile metrics (collected daily): followers, unique visitors, page views, clicks, engagement rate
Post metrics (per post): likes, comments, shares, clicks, impressions, engagement rate

2.2.3 OAuth Tokens

To maintain your social media connections, we store OAuth access tokens and refresh tokens. LinkedIn tokens are refreshed automatically before expiration. Instagram tokens require manual reconnection when they expire.

2.3 Information Generated by AI Features

2.3.1 Content Generated by AI

Our AI features generate and store the following on your behalf:

Content themes, captions, hashtags, and content strategies
Image prompts, art direction, and visual planning
AI-generated images

2.3.2 AI Analysis of Existing Content

When you connect your social media accounts, our AI analyzes your existing posts to provide insights, including:

Sentiment analysis, content categorization, and topic extraction
Strength and weakness analysis of individual posts
Strategy recommendations

2.3.3 Rich AI Assistant Memory

Our AI assistant, Rich, maintains persistent memory to provide contextual and personalized recommendations. This includes:

Conversation context and interaction history
Consolidated notes about your brand ("core notes")
Daily and weekly memory logs
Semantic embeddings (768-dimension vectors) used for contextual recall and search

2.3.4 Social Media Strategies

Our AI generates and stores social media strategies for each connected platform, including:

Content pillars (with funnel stages, preferred formats, and tone guidelines)
Posting schedules (day, time, and format assignments)
Format distribution preferences (e.g., percentage allocation across carousels, images, reels, stories)
Hashtag groups and tone guidelines
Cross-platform coordination notes

Strategies are versioned, and previous versions are retained with change history for reference.

2.3.5 Publication Records

For each piece of content published through Trowt, we store the approval record (including which user approved the content and their name), the scheduled and actual publication timestamps, the target platform, and the platform-specific post identifier and permalink.

2.3.6 Brand Knowledge Base

We build and maintain a knowledge base about your brand using AI-extracted information organized by topic, along with semantic embeddings for search.

2.3.7 Market Research

To provide proactive content suggestions, our system:

Generates search queries based on your brand context
Collects news articles, URLs, and snippets from web search results
Stores AI evaluation scores and suggested content angles for each result

2.4 Information Collected Automatically

2.4.1 Session and Technical Data

When you use our Services, we automatically collect:

IP address and user agent (browser and operating system information)
Session tokens and their expiration times

2.4.2 Analytics and Tracking (Waitlist Only)

On our waitlist application, we use PostHog analytics to collect:

Page views, signup events, and referral tracking
PostHog uses localStorage-based persistence (not traditional cookies)
After email verification, we identify users by email address

Note: The main Trowt application does not currently use PostHog or any third-party analytics tracking.

2.4.3 AI Usage Data

We log AI token usage per organization, including the AI model used, process type, and token counts (prompt, completion, and cached tokens). This data is used for capacity planning and future billing.

2.4.4 Prompt Translation Cache

We cache translated prompt fragments to improve performance across different locales. This cache stores translated text, locale identifiers, and version metadata.

2.4.5 Best Posting Times

We compute and store optimal posting times for each connected social media platform, recalculated weekly based on your audience engagement patterns. This data includes the recommended day, hour, and a relevance score.

2.4.6 Website Cookies

We use a limited number of cookies:

Language preference cookie: to remember your locale and redirect you to the appropriate language version
The main application does not currently use third-party tracking cookies

2.5 Information Extracted from Your Website

During the onboarding process, we may automatically scan your public business website to help set up your brand profile. Data extracted includes:

Page metadata: page title, meta description, Open Graph data, headings, body text
Visual assets: favicon URLs, logo URLs, CSS colors and fonts
Structured data: social media links, JSON-LD structured data
Visual analysis: dominant colors, page screenshot, logo detection
AI-generated insights: brand identity, tone of voice, values, aesthetic, business overview

For each extracted data point, we also store a confidence score indicating the AI's certainty in the extraction. This extraction only applies to the public website URL you provide during onboarding.

2.6 Waitlist and Early Access Data

If you join our waitlist or early access program, we collect:

Contact information: email, name
Business context: business type, Instagram handle, city
Referral data: referral code and referral relationships
Marketing attribution: UTM tracking parameters (source, medium, campaign)
Locale preference
Authentication: magic link tokens (stored as hashed values using SHA-256)
Fraud detection: we flag accounts with more than 20 referrals within 24 hours for review

3. How We Use Your Information

3.1 Providing and Operating the Service

Create and manage your account and organization
Connect and maintain your social media integrations
Generate AI-powered content, including themes, captions, images, and strategies
Publish content you have explicitly approved to Instagram and LinkedIn
Collect and display social media analytics and performance metrics

3.2 Personalizing the AI Experience

Train our AI assistant Rich on your brand context and preferences
Maintain persistent memory so Rich can provide contextual, personalized recommendations over time
Build and update your brand knowledge base
Research relevant market news to power proactive content suggestions

3.3 Analytics and Performance

Calculate optimal posting times for your audience
Track engagement trends and audience growth
Generate performance reports and dashboards

3.4 Communication

Send transactional emails, including email verification, password reset, and magic link authentication (via Brevo)
Send waitlist notifications and updates

Any commercial email communications will include a clear unsubscribe mechanism. You can opt out of non-essential email communications at any time by clicking the unsubscribe link in the email or by contacting us at legal@trowt.app. We will process your opt-out request within 10 business days.

3.5 Security and Fraud Prevention

Detect fraudulent referral activity on our waitlist (accounts exceeding 20 referrals in 24 hours)
Manage session security, including token issuance and expiration
Support admin impersonation for customer support purposes (all impersonation activity is logged, including the identity of the impersonating administrator)

3.6 Service Improvement

Track AI usage metrics (token consumption per process type) for capacity planning
Cache prompt translations for efficiency
Analyze aggregated usage patterns to improve our Services

3.7 Legal Compliance

Comply with applicable laws and regulations
Respond to legal process and government requests
Enforce our Terms of Service and other agreements

4. How We Share Your Information

We do not sell your Personal Information. We share your information only as described below.

4.1 AI Processing Providers

Google Gemini API. We send data to Google's Gemini API for AI processing, including: brand identity and voice data, content strategies, existing post content, user prompts, conversation history with Rich, reference images, and website screenshots. Google processes this data according to its API terms of service. Data submitted through the Gemini API is not used by Google to train its models.

4.2 Social Media Platforms

Instagram (Meta): We publish content you have approved and collect metrics via the Instagram API.
LinkedIn: We publish content you have approved and collect metrics via the LinkedIn API.

Only content you have explicitly approved is published to these platforms.

4.3 Observability and Monitoring

LangSmith (LangChain). We use LangSmith to monitor the quality and performance of our AI features. LangSmith receives traces of AI calls, including prompts and responses. This data may contain brand information and content from your account.

4.4 Web Search Providers

Tavily Search API. We use Tavily to conduct market research on your behalf. Tavily receives search queries generated based on your brand context. These queries may contain information about your business segment and interests.

4.5 Email Service Providers

Brevo. We use Brevo to send transactional emails only, such as email verification, password reset, and magic link authentication. Brevo receives the recipient's email address and name. We do not currently send marketing emails through third-party providers.

4.6 Analytics Providers

PostHog (waitlist only). We use PostHog on our waitlist application to track page views, signup events, and referral activity. PostHog data is stored on PostHog's US servers. PostHog is not used in the main Trowt application.

4.7 Infrastructure and Hosting

Convex. All application data is stored on Convex servers in the United States. This includes database records, uploaded images, AI-generated images, and brand logos stored in Convex File Storage.

4.8 Authentication Providers

Google OAuth. If you choose to sign in with Google, your authentication is processed through Google OAuth, which provides us with your name, email, and profile photo.

4.9 Payment Processors

In the future, when we introduce paid plans, payment card data will be handled directly by our payment processor (such as Stripe). Payment card details will not be stored on our servers.

4.10 Legal and Compliance

We may disclose your Personal Information to:

Law enforcement or government agencies when required by law or legal process
Protect the rights, property, or safety of Trowt, our users, or the public

4.11 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your Personal Information may be transferred to the acquiring entity. We will notify you of any change in applicable privacy practices before your information is transferred and becomes subject to a different privacy policy.

4.12 Aggregated and De-identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual. Such data may be used for business analysis, research, or industry benchmarking.

5. Do Not Sell or Share My Personal Information

Trowt does not sell your Personal Information. We have not sold Personal Information in the preceding 12 months, and we do not intend to sell Personal Information in the future.

Trowt does not share your Personal Information for cross-context behavioral advertising. While we share certain data with third parties like Google Gemini, Meta (Instagram), and LinkedIn to provide our Services, this sharing is strictly for service delivery purposes and constitutes "service provider" sharing, not "selling" or "sharing for cross-context behavioral advertising" as those terms are defined under the CCPA/CPRA. When we publish content to Instagram or LinkedIn on your behalf, that content becomes subject to the respective platform's own privacy policy. We do not share your Personal Information with Meta or LinkedIn for the purpose of cross-context behavioral advertising. Our API interactions with these platforms are limited to publishing content you have explicitly approved and retrieving publicly available metrics.

If you wish to submit a "Do Not Sell or Share" request, you may contact us at legal@trowt.app with the subject line "Do Not Sell or Share Request."

6. Cookies and Tracking Technologies

6.1 Types of Cookies and Tracking We Use

Essential cookies: Language preference cookie for locale detection and session authentication tokens
Analytics (waitlist only): PostHog analytics using localStorage-based persistence (not traditional cookies)

6.2 Third-Party Tracking

The main Trowt application does not currently use third-party tracking cookies. PostHog is used only in the waitlist application.

6.3 Your Cookie Choices

You can manage or delete cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of our Services.
You can opt out of PostHog tracking on the waitlist by disabling JavaScript or clearing your browser's localStorage.
We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard protocol for DNT compliance. However, we respect your privacy choices as described throughout this Privacy Policy.

7. Data Security

7.1 Security Measures

We implement a range of technical and organizational measures to protect your Personal Information:

Password security: All passwords are stored using cryptographic hashing and are never stored in plain text.
Encryption in transit: All external communications are transmitted via HTTPS/TLS.
CSRF prevention: OAuth flows include a state parameter to prevent cross-site request forgery attacks.
Data isolation: We enforce multi-tenant data isolation at the organization level. Each organization's data is logically separated and inaccessible to other organizations.
Authentication: All operations within the application require authentication.
Admin support sessions: Admin impersonation sessions are logged and auditable, including the identity of the impersonating administrator and the session in which the impersonation occurred.

7.2 OAuth Token Security

OAuth access tokens and refresh tokens are stored in our database with appropriate security controls.
LinkedIn tokens are refreshed automatically before expiration.
When an Instagram token expires, we detect the expiration and notify you to reconnect your account.

7.3 Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your Personal Information, we cannot guarantee its absolute security. In the event of a data breach affecting your Personal Information, we will notify you as required by applicable law.

8. Data Retention

8.1 Account and Brand Data

We retain your account information, brand profile, and organization data for as long as your account remains active. Upon account deletion, this data is deleted within 30 days.

8.2 Social Media Data

Analytics and metrics: Retained while the social media account is connected to Trowt.
On disconnect: When you disconnect a social media account, we delete the social account record, all imported posts, and all analyses for that account. However, the following are not deleted on disconnect: AI-generated content and images, content strategies, publication records, and historical metrics for posts that were published through our platform. These items are retained as part of your account data and can be deleted by requesting full account deletion.

8.3 AI-Generated Content

Content themes, posts, images, strategies, and publication records generated by our AI features are retained while your account is active. Upon account deletion, this data is deleted within 30 days.

8.4 Rich AI Memory

Conversation context, memory logs, and core notes maintained by Rich are retained while your account is active. Memory is consolidated daily through an automated process. Upon account deletion, all memory data is deleted within 30 days.

8.5 Market Research Data

Search results, evaluations, and suggested content angles are retained while your account is active. Upon account deletion, this data is deleted within 30 days.

8.6 OAuth Tokens

OAuth tokens are retained until they expire, you disconnect the associated social media account, or you revoke access. Tokens are deleted immediately upon disconnect.

8.7 Session Data

Session data expires automatically based on our authentication configuration. Expired sessions are purged promptly.

8.8 Waitlist Data

Waitlist data is retained through the early access period. Waitlist sessions expire after 30 days. Once the early access period concludes, waitlist data will be migrated to active accounts or deleted within 60 days.

8.9 After Account Deletion

You may request account deletion by emailing legal@trowt.app or through in-app functionality when available. Upon receiving a valid deletion request:

We will delete your Personal Information within 30 days.
Certain data may be retained for up to 3 years if necessary to comply with legal obligations (such as tax or financial record-keeping requirements), resolve disputes, or enforce our agreements.
Aggregated, de-identified data that can no longer be associated with you may be retained indefinitely.

9. Your Privacy Rights

9.1 All Users

Regardless of your location, you have the right to:

Access your Personal Information that we hold
Correct inaccurate Personal Information
Request deletion of your Personal Information
Disconnect social media accounts (which triggers deletion of associated imported data and analyses)
Opt out of marketing communications
Request data portability (receive your data in a structured, commonly used, machine-readable format that can be transmitted to another entity without hindrance)

To exercise any of these rights, contact us at legal@trowt.app.

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Right to Know: You have the right to request the categories and specific pieces of Personal Information we have collected about you, including the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data.
Right to Delete: You have the right to request that we delete Personal Information we have collected from you, subject to certain exceptions.
Right to Correct: You have the right to request that we correct inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing: Trowt does not sell your Personal Information or share it for cross-context behavioral advertising. We nonetheless provide a mechanism to submit opt-out requests.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your Sensitive Personal Information. We may process Sensitive Personal Information in the form of your account login credentials (password hash) and OAuth tokens. These are used solely for authentication and service delivery purposes.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your rights.

Financial incentives. We do not offer any financial incentive programs that require the retention of your Personal Information. Our waitlist referral program is not contingent on the collection or retention of Personal Information beyond what is necessary for service delivery.

Authorized agents. You may designate an authorized agent to submit a request on your behalf. An authorized agent must provide (a) a signed, written authorization from you, or (b) proof of power of attorney pursuant to California Probate Code Sections 4121 to 4130. Even when an authorized agent submits a request, we may require you to verify your identity directly and confirm that you authorized the agent to act on your behalf.

Verification. To protect your privacy, we will verify your identity before processing your request. For Right to Know requests, we will verify your identity by matching at least two data points you provide against the information we have on file. For Right to Delete requests, we will verify your identity by matching at least two data points and may require a signed declaration under penalty of perjury. If we cannot verify your identity, we will explain why and inform you of our verification requirements.

Response timeline. We will respond to your request within 45 calendar days of receiving your verifiable request. If we need additional time, we will notify you in writing and may take up to an additional 45 days (90 days total).

9.3 CCPA Categories of Personal Information

The following table describes the categories of Personal Information we collect, as defined by the CCPA:

Category	Collected?	Examples	Disclosed to	Sold?
A. Identifiers	Yes	Name, email, IP address, social media usernames, organization name	Convex, Brevo, PostHog, Google OAuth, LangSmith	No
B. Customer Records	Yes	Name, email, organization data, brand profile data	Convex, Brevo, Google OAuth	No
C. Protected Classifications	No	N/A	N/A	No
D. Commercial Information	Yes	Social media engagement metrics, content strategies, marketing briefing data	Google Gemini, LangSmith, Tavily	No
E. Biometric Information	No	N/A	N/A	No
F. Internet/Network Activity	Yes	Session data, page views (waitlist), user agent	PostHog (waitlist only)	No
G. Geolocation Data	Yes (approximate)	IP-derived approximate location (not precise geolocation)	Convex	No
H. Sensory Data	Yes	Uploaded images, brand logos, AI-generated images, reference images	Google Gemini, Instagram API, LinkedIn API, Convex	No
I. Professional/Employment Info	No	N/A	N/A	No
J. Education Information	No	N/A	N/A	No
K. Inferences	Yes	AI-generated brand analysis, sentiment analysis, content categorization, strategy recommendations, semantic embeddings	Google Gemini, LangSmith	No

9.4 Other US State Privacy Rights

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, or other states with comprehensive privacy laws, you may have similar rights, including:

The right to access your Personal Information
The right to correct inaccurate Personal Information
The right to delete your Personal Information
The right to data portability
The right to opt out of targeted advertising (note: Trowt does not engage in targeted advertising)
The right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (Virginia, Colorado, Connecticut)

Universal opt-out signals. For residents of Colorado, Connecticut, and other states that require recognition of universal opt-out mechanisms, we will honor Global Privacy Control (GPC) signals and similar browser-based opt-out signals as valid opt-out requests.

Appeal process. To exercise these rights, contact us at legal@trowt.app. If we decline your request, you have the right to appeal our decision by emailing us at legal@trowt.app with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days, as required by applicable state laws. Texas residents are entitled to a 30-day cure period for alleged violations before enforcement action may be taken.

9.5 Nevada Residents

Nevada residents have the right to opt out of the sale of certain Personal Information. As stated above, Trowt does not sell Personal Information. If you wish to submit a request under Nevada law, please email legal@trowt.app with the subject line "Nevada Do Not Sell Request."

10. Automated Decision-Making and AI Transparency

10.1 How AI Is Used

Trowt uses artificial intelligence extensively to power its core features:

Content generation: Creating themes, captions, hashtags, images, and content strategies
Content analysis: Analyzing existing social media posts for sentiment, categorization, strengths, and weaknesses
Strategy recommendations: Developing and refining social media strategies based on your brand and audience
Market research: Evaluating relevant news and trends for proactive content suggestions
Proactive notifications: Rich may send you suggestions based on market research, upcoming opportunities, or strategy insights
Profiling: Our use of semantic embeddings and AI-generated analyses to build your brand knowledge base and personalize recommendations may constitute "profiling" as defined by certain state privacy laws. This profiling is used solely to improve the quality and relevance of our AI recommendations and does not produce decisions with legal or similarly significant effects on you. You may opt out of this profiling by contacting us at legal@trowt.app

10.2 Human Oversight

No content is published without your explicit approval. All AI-generated content goes through a review process where you can modify, reject, or request alternatives before anything is published to your social media accounts. AI suggestions are recommendations only and do not constitute automated decisions with legal or similarly significant effects.

10.3 Data Sent to AI Providers

Google Gemini API is our primary AI processing provider. We use multiple Gemini models for different purposes, including text generation (content, analysis, chat), image generation (with and without visual references), and vector embedding generation for semantic search. Data sent to Google Gemini includes:

Brand identity information (name, tone of voice, values, aesthetic, business overview)
Existing social media post content and metrics
Content strategies
Reference images you upload
Website screenshots captured during onboarding
Conversation history with Rich
Consolidated memory notes from Rich
Market research data for evaluation

Google has committed, under its API terms of service, not to use data submitted through the Gemini API to train its models.

LangSmith (LangChain) receives traces of all AI calls, including prompts and responses, for monitoring and quality assurance purposes. This means that brand information and content from your account may be processed by LangSmith.

10.4 Right to Opt Out of AI Processing

You may request that your data not be processed by our AI features by contacting us at legal@trowt.app. Please note that because AI processing is central to Trowt's core functionality (content generation, analysis, and strategy recommendations), opting out may significantly limit the features available to you.

11. Children's Privacy

Trowt's Services are not directed to children under the age of 13. We do not knowingly collect Personal Information from children under 13, and we do not knowingly solicit data from or market to children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA).

If we become aware that a child under 13 has provided Personal Information to us without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with Personal Information, please contact us immediately at legal@trowt.app.

12. International Data Transfers

All data collected by Trowt is stored and processed in the United States on Convex servers. AI processing is performed via Google servers, also located in the United States. Email delivery services are processed by Brevo, which operates servers in the European Union.

If you access our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using our Services, you consent to this transfer. The data protection laws in the United States may differ from those in your country of residence.

We rely on appropriate safeguards for international data transfers, including your explicit consent and, where applicable, standard contractual clauses or other recognized transfer mechanisms.

13. Third-Party Links and Services

Our Services may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. In particular:

Instagram and LinkedIn have their own privacy policies governing how they handle your data.
Google has its own privacy policy governing Google OAuth and the Gemini API.

We encourage you to review the privacy policies of any third-party services you interact with through Trowt.

14. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will notify you by email or through an in-app notification at least 30 days before the changes take effect.

Your continued use of our Services after the updated Privacy Policy takes effect constitutes your acceptance of the changes. The "Effective date" at the top of this page will always indicate when the Privacy Policy was last updated.

15. Contact Information

If you have questions or concerns about this Privacy Policy, your Personal Information, or our privacy practices, please contact us:

Trowt
Email: legal@trowt.app
Address: Rua Turunas, 78, Americana, São Paulo, Brazil

We aim to respond to all privacy-related inquiries within 10 business days.

Appendix: Automated Processing Schedule

Trowt performs the following automated data processing activities:

Process	Frequency	Description
Weekly content check	Mondays at 12:00 UTC	Checks whether content themes are planned for the upcoming week
Weekly strategy review	Mondays at 13:00 UTC	Rich reviews and evaluates active content strategies
Daily memory consolidation	Daily at 06:00 UTC	Consolidates Rich's daily interaction data into memory logs
Daily token refresh	Daily at 06:00 UTC	Renews expiring LinkedIn OAuth tokens automatically
Hourly metrics collection	Every hour	Collects profile and post performance metrics from connected social accounts
Weekly audience demographics	Every hour (collects weekly data)	Collects aggregated audience demographic data from connected social accounts
Market research dispatch	Every hour (mornings)	Runs market research queries relevant to your brand and evaluates results

Appendix: Sub-Processors List

The following third parties process data on our behalf:

Sub-Processor	Purpose	Data Processed	Location
Google Gemini API	AI content generation, analysis, and image generation	Brand data, content, images, prompts, conversation history	United States
Instagram API (Meta)	Social media connection, publishing, and metrics collection	Profile data, posts, metrics, audience demographics	United States
LinkedIn API	Social media connection, publishing, and metrics collection	Profile data, posts, metrics, audience demographics	United States
LangSmith (LangChain)	AI observability and quality monitoring	AI prompts and responses (which may include brand data)	United States
Tavily	Market research web search	Search queries related to your brand	United States
Brevo	Transactional email delivery	Email addresses, recipient names	European Union
Convex	Backend infrastructure, database, and file storage	All application data	United States
PostHog	Analytics (waitlist application only)	Page views, events, email addresses	United States
Google OAuth	User authentication	Name, email, profile photo	United States
Stripe (future)	Payment processing	Payment card data, billing address	United States

This sub-processor list is current as of the effective date of this Privacy Policy. We will update this list as our sub-processors change.

This Privacy Policy was drafted in compliance with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Children's Online Privacy Protection Act (COPPA), the CAN-SPAM Act, and applicable state privacy laws including those of Virginia, Colorado, Connecticut, Utah, Texas, and Nevada.