Privacy Policy

Effective Date: 19 March 2026 — Last Updated: 19 March 2026

At Trefnus, we are committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. By using Trefnus CMMS, you acknowledge the practices described in this policy.

Trefnus is the data controller responsible for your personal data. We process personal data only where we have a lawful basis to do so under applicable data protection laws.

1. Information We Collect

1.1 Information You Provide

Email Address: Required for licence activation and account verification via magic link authentication.
Local Password: A password you create for local device authentication. This is hashed using SHA-256 and stored only on your device — we never receive or store your local password.

1.2 Information Collected Automatically

Device Identifier: A randomly generated unique identifier (UUID) stored on your device to manage device-based licence limits.
Device Label: Your device platform (e.g., "Win32", "MacIntel") and activation date, used to help you identify registered devices.
Licence Status Data: Activation timestamps, last verification timestamps, and licence validity status.
User ID: A unique identifier assigned by our authentication provider (Supabase) when you activate your licence.

1.3 Information Stored Locally on Your Device

The Application stores the following data exclusively on your device using browser storage technologies (IndexedDB and localStorage). We do not have access to or visibility of this data in the normal operation of the Application:

Asset records and equipment details;
Work orders and maintenance tasks;
Contract information;
To-do lists;
Reports and maintenance history;
Uploaded files and attachments;
Application settings and preferences;
Hashed local password.

1.4 Information We Do NOT Collect

We do not collect your name, physical address, phone number, or payment card details directly (payment processing is handled by third-party providers);
We do not use analytics, tracking pixels, or advertising cookies;
We do not collect location data;
We do not access, read, or transmit your locally stored maintenance data in the normal operation of the Application.

2. How We Use Your Information

Data	Purpose	Legal Basis
Email address	Licence activation, account verification, sending magic link sign-in emails, essential service communications	Performance of contract; Legitimate interest (essential service communications and account management)
Device identifier	Enforcing device limits per licence, preventing unauthorised use	Performance of contract; Legitimate interest (preventing unauthorised use and managing licences)
Device label	Helping users identify their registered devices	Legitimate interest (improving user experience for device management)
Licence status	Verifying active licence, managing access rights	Performance of contract
User ID	Account management, licence association	Performance of contract

3. Data Storage and Security

3.1 Server-Side Data

Licence and authentication data (email, user ID, device identifiers, licence status) is stored on servers managed by Supabase, which acts as a data processor on our behalf. Supabase employs industry-standard security measures including encryption at rest and in transit. Data is processed in accordance with Supabase's privacy policy and data processing agreement.

3.2 Client-Side Data

All maintenance data (assets, work orders, contracts, etc.) is stored exclusively on your device using browser technologies:

IndexedDB: For structured data and file attachments;
localStorage: For application settings, licence state, and authentication tokens.

The security of locally stored data depends on your device security. We recommend:

Using a strong local password within the Application;
Keeping your device's operating system and browser up to date;
Using device-level encryption;
Not sharing your device with untrusted persons.

3.3 Data Transmission

The Application transmits data to our servers only for:

Licence verification (checking if your licence is active);
Device registration (registering/verifying device identifiers);
Authentication (magic link email delivery).

All data transmission uses HTTPS (TLS encryption).

3.4 Browser Storage Technologies

The Application uses essential browser storage technologies (including localStorage and IndexedDB) required for its operation. These do not track users for advertising or analytics purposes. For further details, see our Cookie & Storage Policy.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share limited data with:

Supabase (Data Processor): For authentication and licence management. Supabase processes data on our behalf under a data processing agreement;
Law Enforcement: When required by law, court order, or governmental regulation;
Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy;
Legal Protection: To protect our rights, property, or safety, or that of our users or the public.

5. Data Retention

Server-side data (email, user ID, device records, licence status) is retained for as long as your account is active or as needed to provide services. Upon account deletion or licence termination, we will delete your server-side data within 90 days, except where retention is required by law.
Client-side data (maintenance records, settings) persists on your device until you clear your browser data, uninstall the Application, or delete the data through the Application's settings. We have no control over client-side data retention.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

Right of Access: Request a copy of the personal data we hold about you;
Right to Rectification: Request correction of inaccurate personal data;
Right to Erasure: Request deletion of your personal data ("right to be forgotten");
Right to Restriction: Request restriction of processing of your personal data;
Right to Data Portability: Request your data in a structured, commonly used, machine-readable format;
Right to Object: Object to processing of your personal data;
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@trefnus.com. We will respond within 30 days (or the period required by applicable law).

7. International Data Transfers

Your data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or equivalent mechanisms approved by relevant data protection authorities.

8. Children's Privacy

The Application is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

9. Third-Party Links and Services

The Application may contain links to third-party websites or services. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated through the Application or via email. Your continued use of the Application after changes constitutes acceptance of the updated policy.

11. UK and EU Data Protection

If you are located in the United Kingdom or European Economic Area:

Our legal basis for processing is as outlined in the table in Section 2;
You have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office (ICO), the UK supervisory authority);
We process data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to know what personal information is collected and how it is used;
Right to delete personal information;
Right to opt out of the sale or sharing of personal information (note: we do not sell or share personal information);
Right to non-discrimination for exercising your privacy rights.

13. Data Breach Notification

In the event of a personal data breach affecting your data, we will notify you and any applicable regulator where required by law.

14. Data Protection Contact

For data protection enquiries, please contact:

Data Protection Contact
Email: privacy@trefnus.com

15. Contact Information

For questions or concerns about this Privacy Policy, contact us at:

Trefnus
Email: privacy@trefnus.com