Privacy Policy — TR-GAB Backoffice

1. Overview

The Backoffice is the commercial web layer for TR-GAB Pro. We collect the minimum data necessary to:

• Operate the waitlist.
• Manage your account and one-time Lifetime License purchase.
• Process payments via Stripe.
• Issue and verify your software license (online verification mechanism, see Section 2.3).
• Send transactional and, with your consent, marketing emails.
• Provide best-effort support.
• Comply with U.S. tax and legal obligations.

We do not sell your personal information. We do not engage in cross-context behavioral advertising.

2. What We Collect

2.1 Account & contact data

• Email address — primary identifier.
• Password hash — bcrypt-hashed via Supabase.
• Anonymous user UUID — Supabase auth.users.id.
• First name (optional, if provided during signup).
• Country of residence (declared at signup; used for geo-block enforcement).
• Last sign-in timestamp — for security auditing.
• Authentication metadata — managed by Supabase (session tokens).

2.2 Purchase & payment data

• Stripe customer ID — link to your one-time payment record.
• License status — issued, active, refunded, revoked.
• Cohort marker — Founders Cohort or Early Access Cohort (for accounting and support context).
• Invoice references — for support and tax compliance.

We do NOT store credit card numbers, CVV, expiration dates, or bank account / routing numbers. Those are stored by Stripe, Inc. under their own Privacy Policy and PCI-DSS compliance.

2.3 License verification data (TR-GAB Pro desktop application)

TR-GAB Pro uses an online licensing mechanism (see Backoffice Terms of Service, Section 7). When the desktop application performs license verification against our license server, we collect:

• Machine hash — SHA-256 of the Windows MachineGuid of the device on which the application is installed. We do not store the raw MachineGuid, only its hash.
• Device last_seen timestamp — when the device last successfully verified its license.
• Application version and OS family — for compatibility and support context.
• IP address at verification — used transiently for rate-limiting and abuse protection; not retained as part of a long-term profile.

This data is used solely to enforce the licensing model (seat count, device binding, offline grace window of approximately 48 hours) and to support you when a verification problem occurs. It is not used for marketing or analytics.

2.4 Consent & audit data

• Marketing consent flag — opt-in / opt-out for promotional emails (default opt-out).
• Consent audit log — version of Terms / Privacy / Disclaimer you accepted, with a timestamp and, where technically available, the IP address at the time of acceptance. Both web and in-app acceptances are recorded (the in-app acceptance is the legally binding one per DEC-LEGAL-DOCS-MODEL). The IP address is captured for acceptances made through the website and the in-app legal gate; the initial consent recorded automatically at account creation may not include an IP address.
• Privacy request log — any requests you submit under California law, with verification metadata.

2.5 Waitlist data (if you joined the waitlist)

• Email address.
• UTM parameters — to understand which marketing channel brought you (e.g., utm_source=reddit).
• IP address at signup — basic anti-abuse.
• Timestamp.

Waitlist data is used solely for:

• Sending you product launch announcements and product-related emails.
• Operating the Founders Cohort offer (first 100 seats at $599).
• Understanding marketing channel performance (aggregate, not individual targeting).

2.6 Analytics data

We do NOT use any third-party analytics service at present. We do NOT use Google Analytics, Facebook Pixel, Meta Ads tracking, or any cross-context behavioral advertising tracker. If this changes in the future, we will update this Policy and bump LEGAL_LAST_UPDATED.

2.7 Support & operational data

When you contact support, we receive your email, the message body, any attachments, and our own response history for context on future tickets.

3. How We Use Your Data

• Account creation and authentication — performance of contract.
• One-time Lifetime License purchase and license issuance — performance of contract.
• Online license verification (machine hash, last_seen, seat binding) — performance of contract; enforcement of licensing terms.
• Transactional emails (welcome, purchase confirmation, refund confirmation, account deletion confirmation, security alerts) — performance of contract.
• Marketing emails (if opted in) — your opt-in consent.
• Best-effort support and customer service — performance of contract.
• Compliance with U.S. tax, legal, and regulatory obligations — legal obligation.
• Security, fraud prevention, abuse detection — legitimate interest.
• Geo-block enforcement (declared country, IP) — legitimate interest + legal obligation (OFAC compliance).

We do not use your data for automated decision-making with legal effects, profiling, or targeted behavioral advertising.

4. Sub-Processors (Service Providers)

We share data with the following service providers, each governed by a Data Processing Agreement (DPA) where applicable:

• Supabase, Inc. (Auth, account database, license database, audit logs, file storage — United States): supabase.com/terms
• Stripe, Inc. (Payment processing, tax handling, billing portal — United States): stripe.com/legal/dpa
• Resend, Inc. (Transactional emails — United States): resend.com/legal
• Beehiiv, Inc. (Waitlist subscription management and marketing emails — United States): beehiiv.com/privacy
• Netlify, Inc. (Hosting and CDN for trgab.com — United States): netlify.com/privacy
• Cloudflare, Inc. (DNS, CDN, DDoS protection — United States): cloudflare.com/privacypolicy

We may update this list. Material changes will be communicated via email notice and via bump of LEGAL_LAST_UPDATED, which triggers re-acceptance of the bundled in-app legal documents on next application launch.

4.5 User-Initiated Support Logs

If you contact us via the in-app support form or submit a support log from the desktop application:

• Logs are generated and stored locally on your machine for desktop apps; web support is limited to the message body you write in the Backoffice support form.
• For desktop logs: when you click “Send log to support”, you will see a preview of the log content before transmission. No log is transmitted without your explicit click.
• Support submissions may contain: application version, operating system, error stack traces, recent user operations, account email, ticket subject, and timestamps. We automatically redact known sensitive fields (passwords, API keys, broker credentials) before transmission from desktop apps. We never log such fields in plain text.
• We store support submissions in our infrastructure (Supabase) associated with your ticket, accessible only to authorized support staff. Retention by category:
  • Support log files uploaded from the desktop application: retained 90 days after the ticket is resolved, then automatically deleted.
  • Web support ticket history (subject, body, your messages, our responses, non-log attachments): retained 3 years after the ticket is resolved, then deleted.
  • Earlier deletion of either category may be requested at privacy@trgab.com (subject “Delete support data”).
• We use support submissions solely for the purpose of resolving your inquiry. We do not aggregate them for analytics, marketing, training AI models, or any secondary purpose.

If you do not initiate a support submission, no log content ever leaves your machine (for desktop apps).

5. Data Retention

• Account email, license record, auth metadata: retained while your account is active; deleted within 30 days of an account deletion request, subject to legal retention obligations below.
• Stripe customer & purchase history: retained per Stripe's legal requirements (typically 6+ years for tax/compliance).
• License verification records (machine hash, last_seen, device binding): retained while the license is active. After account deletion or license revocation, retained up to 12 months for fraud-and-abuse forensics, then deleted.
• Auth logs (sign-in timestamps, IP): 30 days.
• Waitlist data (if you joined): until launch + 60 days, or until you unsubscribe. After launch, converted to customer record or deleted.
• Marketing consent records: while account is active + 6 years post-deletion (legal evidence).
• Support ticket history: 3 years after resolution.
• Backups (Supabase automated): 90 days.

6. Your Privacy Rights

6.1 General rights

You have the right to:

• Access the personal data we hold about you (request to privacy@trgab.com).
• Correct inaccurate personal data (email change via dashboard; other changes via privacy@trgab.com).
• Delete your account (Dashboard → Profile → “Danger zone” → “Delete account”). When you request account deletion, your Supabase auth.users record and the personal data we hold about you in our database (profile, license bindings, subject to the retention schedule in Section 5) are removed. Sub-processor records (e.g. Stripe customer, Resend audience, Beehiiv subscriber) require separate deletion requests via support — write to privacy@trgab.com and we will guide you through each provider. We aim to complete cascade automation in a future release.
• Export your account data in machine-readable format on request to privacy@trgab.com.
• Object to marketing emails (unsubscribe link in every marketing email; transactional emails are not opt-out).
• Lodge a complaint with your relevant authority.

6.2 California residents — CCPA / CPRA

If you are a resident of California, you have specific rights under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”):

• Right to Know: what categories of personal information we collect, the sources, the purposes, and the third parties we share with (this Policy provides those details).
• Right to Delete: request deletion of personal information we hold about you (subject to legal exceptions like tax records).
• Right to Correct: request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: we do not sell or share your personal information. We do not engage in cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: we do not collect sensitive personal information as defined under CCPA.
• Right to Non-Discrimination: we will not discriminate against you for exercising any CCPA right.

Categories of personal information collected (CCPA categories):

• Identifiers (email, UUID, IP at signup and at license verification).
• Commercial information (Lifetime License purchase, cohort marker, Stripe references).
• Internet or other electronic activity information (sign-in timestamps, license-verification timestamps, device last_seen).
• Geolocation information (declared country, IP for geo-block enforcement only).
• Device identifiers in hashed form (SHA-256 of the Windows MachineGuid).

Sources: directly from you (registration, support); from Stripe (for purchase status); from your device / browser (for IP at signup, sign-in timestamps, and license verification metadata).

Purposes: account management, license issuance and verification, payment processing, support, marketing (with consent), security, legal compliance.

Third parties we disclose to (not sell): see Section 4 (Sub-Processors).

Submitting a CCPA request: send to privacy@trgab.com with subject line “CCPA Request — [Access / Delete / Correct / Opt-Out]”. We will verify your identity (typically by sending a verification email to your account email) and respond within 45 days (extendable by another 45 days for complex requests, with notice).

You may designate an authorized agent to submit requests on your behalf. We require verification of the agent's authority.

6.3 “Do Not Sell or Share My Personal Information”

We do not sell or share your personal information as defined under the CCPA. This statement also serves as our “Do Not Sell or Share” notice. No further action is required to opt out.

If our practices change, we will update this Policy and provide a clear opt-out mechanism.

7. Cookies & Tracking on trgab.com

The Backoffice uses only essential cookies required for authentication and security (e.g., session token, CSRF token). These cookies are strictly necessary and do not require consent under CCPA or CAN-SPAM.

We do NOT use:

• Third-party tracking cookies.
• Marketing or advertising cookies.
• Cross-site behavioral profiling.
• Facebook Pixel, Google Ads tag, Meta tracking, or any retargeting tag.

If in the future we add cookies, third-party analytics, or any tracking technology, we will update this Policy and provide a consent banner where required.

8. Marketing Communications

8.1 Transactional emails

We will send you essential emails about your account and our service:

• Welcome email upon registration.
• Email verification (if applicable).
• Purchase confirmation, payment receipt, payment failure notice, refund confirmation.
• License issuance and device-activation notifications.
• Account deletion confirmation.
• Security alerts (suspicious sign-in, password change).
• Service updates that materially affect your account (for example, changes to Terms, Privacy, or the licensing mechanism).
• Any 60-day advance notice required under the Plan B / business-wind-down provision of the Terms of Service (Section 12.2).

These transactional emails are not opt-out. They are essential to providing the Service.

8.2 Marketing emails

We will send you promotional emails (about new features, launches, tips, Founders Cohort progress) only if you have opted in.

You can unsubscribe at any time:

• Via the unsubscribe link in any marketing email.
• By changing your preferences in your account dashboard.
• By replying with “UNSUBSCRIBE” to any marketing email.

We comply with the CAN-SPAM Act: every marketing email includes our identifying information, a clear unsubscribe link honored within 10 business days, and a truthful subject line.

8.3 Waitlist drip sequence

If you joined the waitlist, you will receive a sequence of emails between signup and launch. These are governed by your opt-in consent at waitlist signup. You may unsubscribe at any time.

9. Security

We implement industry-standard technical and organizational measures to protect your data:

• Encryption in transit (HTTPS / TLS) for all browser and license-verification communication.
• Encryption at rest for the Supabase database.
• Secure password hashing (Supabase-managed, bcrypt).
• Access controls and role-based authorization on our infrastructure.
• Audit logs of administrative actions.
• Dependency security audits (npm audit, Renovate / Dependabot).
• Webhook signature verification for Stripe events.

Breach notification

In the event of a personal data breach affecting your information, we will:

• Notify you without undue delay when the breach is likely to result in a risk to your rights.
• Cooperate with any applicable regulatory authority.
• Take all reasonable steps to mitigate harm.

10. Children's Privacy

The Service is not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact privacy@trgab.com and we will delete it.

11. Geographic Restrictions & International Transfers

The Service is currently offered to residents of the United States only. Our servers and all sub-processors are located in the United States.

If and when we expand to other jurisdictions in the future, we will update this Privacy Policy to address applicable transfer mechanisms (Standard Contractual Clauses, EU-U.S. Data Privacy Framework, etc.).

12. Data Controller & Contact

Data Controller: Becarr Labs LLC, a Wyoming limited liability company.

Registered agent: Northwest Registered Agent Service Inc, 30 N Gould St Ste N, Sheridan, WY 82801.

For privacy inquiries, data subject requests, or to report a privacy concern:

• Email: privacy@trgab.com
• Subject line: include the nature of your request (e.g., “CCPA Request — Delete”).

We respond within 45 days as required by CCPA, and sooner whenever feasible.

13. Changes to This Privacy Policy

We may update this Privacy Policy when:

• Sub-processors change (added or removed).
• We add new features that change data collection.
• Applicable law changes.
• We expand to new jurisdictions.

When we update, we will:

• Update the “Last updated” date.
• Bump LEGAL_LAST_UPDATED, which triggers re-acceptance of the bundled in-app legal documents on next application launch.
• For material changes affecting your rights, provide at least 30 days' notice by email.