Last updated: June 2, 2026
This Privacy Policy explains how Trigv collects, uses, stores, and shares information when you use our developer notification service — including the Trigv API (api.trigv.com), web dashboard (app.trigv.com), mobile apps (iOS and Android), and related services.
1. Who we are
Data controller: Webtions OU (dba Trigv)
Registered address: Sepapaja 6, Tallinn 15551, Estonia
VAT: EE102051737
Governing jurisdiction: Estonia, European Union
Contact: [email protected]
Trigv is a developer notification service. You send events from your products (via API, webhook, or SDK); Trigv delivers push alerts to your registered devices and shows a live delivery feed in the dashboard (status and counts, not message text).
| Service | URL | Purpose |
|---|---|---|
| Marketing site | trigv.com | Product information, waitlist |
| API | api.trigv.com | Event ingest and mobile API |
| Dashboard | app.trigv.com | Account, billing, channels, live feed |
| Mobile apps | App Store / Google Play | Push notifications and on-device history |
2. Two kinds of people (B2B model)
Trigv is primarily a business-to-business (B2B) service for developers and teams.
Account holders (developers)
If you create a Trigv account, sign in to the dashboard, manage a workspace, or send events via API, you are an account holder. We act as the data controller for your account data, billing information, and workspace configuration.
Notification recipients
If you receive a Trigv push notification on a device because a developer added you to their workspace or you installed the mobile app and subscribed to channels, you are a notification recipient. The developer (account holder) decides what content to send. Trigv processes that content only in transit to deliver the push — we do not store notification title, body, or history on our servers (see section 4).
Developers are responsible for ensuring they have a lawful basis to send notifications to their recipients and for any privacy notices they provide to their own users.
3. Our core privacy model
| Data | Server | Device |
|---|---|---|
| Account, workspace, API keys, channels | ✓ | — |
| Registered devices, push provider IDs | ✓ | — |
| Event metadata, delivery status, usage (7-day retention) | ✓ | — |
| Notification title, message, description, feed history | ✗ | ✓ |
When you send an event to Trigv:
- We receive the event, including title and message, temporarily.
- We deliver the notification content to push and realtime providers (Firebase Cloud Messaging, Pusher) so alerts reach your devices.
- We store metadata only on our servers (event type, level, channel, delivery counts, status).
- We do not persist notification title, message, description, raw payload, or searchable history on the server.
- Your mobile app stores notification content and history locally in SQLite on the device.
This is a deliberate architectural choice, not an afterthought.
4. What we do not store on our servers
We do not store the following on Trigv platform servers:
- Notification title, message, or description
- Raw event payloads or HTTP headers from ingest requests
- Server-side notification history or searchable event archives
- Feed content beyond metadata shown in the dashboard live feed
Event content may pass through our systems briefly during processing and delivery, then is discarded. Only metadata and delivery tracking records remain.
5. What data we collect and why
5.1 Account and authentication data
What: Name, email address, hashed password, email verification status, timezone, profile avatar URL (if provided), login timestamps, last login IP address, session data.
Why: Create and secure your account, authenticate dashboard and mobile app access, send password reset emails, and provide account settings.
Social login (if enabled): Provider name, provider user ID, provider email, avatar URL, and OAuth tokens (encrypted if stored) when you sign in with Google or other supported providers.
5.2 Workspace and product configuration
What: Workspace name, slug, plan, billing status, settings; workspace membership and roles; channel names, slugs, descriptions, colors, and icons; API key names, prefixes, hashed keys, scopes, last-used timestamps and IPs, revocation records.
Why: Operate the service you configure — route events to channels, enforce plan limits, and manage your developer setup.
We store API keys as hashes only. The full key is shown once at creation and cannot be retrieved afterward.
5.3 Devices and notification subscriptions
What: Device name, platform (iOS, Android, web, etc.), app instance ID, FCM push token, app version, last-seen timestamp; subscription links between your devices and workspace channels; mute/stop preferences.
Why: Deliver push notifications to the correct devices and respect your notification preferences (including "stop notifications" and timed pauses).
5.4 Event metadata and delivery tracking
What: Public event IDs, workspace and channel references, event type (e.g. deployment.completed), severity level, processing status, delivery counts, timestamps, idempotency keys, request trace IDs; per-device delivery status, provider references, and error codes/messages.
Why: Enforce usage limits, show the dashboard live feed (metadata only), debug delivery failures, and maintain short-term operational records.
Retention: Event metadata and delivery statuses are automatically deleted after 7 days. We do not store title, message, or description in these records.
5.5 Billing and usage
What: Billing customer and subscription records (via Creem), plan, subscription status, billing period dates, billing email; monthly event usage counters and limits per workspace; payment provider webhook logs (including raw webhook payloads for support and debugging).
Why: Process payments, manage subscriptions and lifetime deals, enforce plan limits, and resolve billing support issues.
5.6 Support, security, and audit logs
What: Records of significant actions (e.g. login, API key created/revoked, channel changes, billing updates), IP addresses, user agents, and related metadata.
Why: Security monitoring, fraud prevention, and customer support.
5.7 Marketing site
The site at trigv.com (waitlist, marketing pages) may collect email addresses for the waitlist and newsletter via MailerLite. That collection is covered by this policy when you sign up through Trigv-owned forms. Analytics on the marketing site, if enabled, will be described here when live.
6. On-device data (mobile apps)
The Trigv mobile apps (Flutter, iOS and Android) store notification content and history locally on your device using SQLite. This data does not sync to Trigv servers.
Typical local fields include:
- Notification title and message
- Event type, level, and public IDs (workspace, channel, event)
- Timestamps (received, read, archived)
- Optional local metadata JSON
You control this data. It remains on your device until you uninstall the app, clear app data, or delete history within the app (where supported). Uninstalling the app removes local notification history from that device.
7. How we use your data
We use collected data to:
- Provide, operate, and improve the Trigv service
- Authenticate users and authorize API requests
- Deliver push notifications and dashboard realtime updates
- Enforce plan limits and prevent abuse
- Process billing and send transactional emails (password reset, billing-related notices)
- Respond to support requests and investigate security incidents
- Comply with legal obligations
We do not sell your personal data. We do not use notification content for advertising or profiling, because we do not retain that content on our servers.
8. Cookies and sessions (dashboard)
When you log in to app.trigv.com, we use session cookies and related authentication mechanisms to keep you signed in. Session data may include your user ID, IP address, user agent, and session payload.
These cookies are essential for dashboard functionality. We do not use third-party advertising cookies on the Trigv platform dashboard or API.
If we add optional analytics or non-essential cookies in the future, we will update this policy and, where required, obtain consent.
9. Third-party services (subprocessors)
We use trusted third-party providers to run Trigv. They process data on our behalf under their own terms and privacy policies.
| Provider | Purpose | Privacy / terms |
|---|---|---|
| Laravel Cloud | Application hosting, database, queues, background jobs | Privacy Policy |
| Google Firebase | Mobile push delivery (FCM; iOS via APNs) | Privacy · Terms |
| Creem | Payments, subscriptions, and billing | Privacy · Terms |
| Pusher | Dashboard live feed (event metadata only via WebSockets) | Privacy · Terms |
| Cloudflare | DNS and CDN | Privacy Policy |
| Postmark | Transactional email (password reset, signup, billing notices) | Privacy Policy |
| MailerLite | Marketing list: waitlist and subscriber sync | Privacy Policy |
| Apple | iOS push delivery (APNs); App Store distribution | Privacy Policy |
| Google | Android push delivery (FCM); Google Play distribution | Privacy Policy |
When you send an event, notification content is transmitted to Google Firebase Cloud Messaging (and Apple/Google push infrastructure) solely to deliver the alert. Retention on their side is governed by their policies.
We may update subprocessors as our infrastructure evolves. Material changes will be reflected in an updated version of this policy.
10. Data retention
| Data category | Retention period |
|---|---|
| Event metadata | 7 days, then automatically deleted |
| Delivery statuses | 7 days, then automatically deleted |
| Account, workspace, API keys, channels, devices | While your account is active, plus a reasonable period after deletion for backups and legal compliance |
| Billing records | As long as required for tax, accounting, and legal obligations |
| Session data | Until session expires or you log out |
| Password reset tokens | Short-lived; deleted after use or expiry |
| Billing webhook logs | Retained for support and dispute resolution |
To delete your account, contact [email protected]. We will delete or anonymize personal data associated with your account, subject to exceptions for data we must retain by law or for legitimate business purposes (e.g. billing records).
Local notification history on your devices is not deleted by us when you close your account — you must remove it by uninstalling the app or clearing local data.
11. International data transfers
Trigv and our subprocessors may process data in countries other than your own, including the United States and the European Union, depending on provider infrastructure.
Where required by applicable law, we rely on appropriate safeguards for cross-border transfers (such as Standard Contractual Clauses or equivalent mechanisms offered by our providers).
12. Your rights
Depending on where you live, you may have rights regarding your personal data, including:
- Access — request a copy of personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data
- Restriction — request that we limit certain processing
- Portability — request a machine-readable copy of data you provided
- Objection — object to certain processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise these rights, contact [email protected]. We will respond within the timeframe required by applicable law (typically one month under GDPR).
You may also:
- Revoke API keys and remove devices from your dashboard
- Adjust notification subscriptions and stop/pause preferences in the mobile app
- Uninstall the mobile app to remove local notification history from that device
If you are a notification recipient and believe a developer is misusing Trigv to send you unwanted alerts, contact the developer who added you. You can also contact us and we will review abuse reports.
European Economic Area (EEA) and UK
If you are in the EEA or UK, you have the rights listed above under the GDPR and UK GDPR. Our legal basis for processing typically includes: contract performance (providing the service), legitimate interests (security, fraud prevention, service improvement), and consent (where applicable, e.g. marketing emails).
You may lodge a complaint with your local supervisory authority. In Estonia, this is the Data Protection Inspectorate (Andmekaitse Inspektsioon).
13. Security
We implement technical and organizational measures appropriate to the nature of the data we process, including:
- Hashed passwords and hashed API keys (never stored in plain text)
- Encrypted connections (HTTPS/TLS) for API and dashboard traffic
- Access controls and workspace-scoped data isolation
- Background job queues for reliable, auditable delivery processing
No method of transmission or storage is 100% secure. If you believe your account or API keys have been compromised, revoke affected keys immediately and contact us.
14. Children
Trigv is not directed at children. You must be 18 years or older (or the age of majority in your jurisdiction) to create an account. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes, we will provide notice through the dashboard, by email, or on trigv.com, as appropriate.
Continued use of Trigv after changes take effect constitutes acceptance of the updated policy, unless otherwise required by law.
16. Contact us
Email: [email protected]
Postal address: Webtions OU (dba Trigv), Sepapaja 6, Tallinn 15551, Estonia
Website: trigv.com