Privacy Policy

🌐 Overview

Trollspace is a personal content organization and management platform. We are committed to protecting your privacy and being transparent about how we handle your data. This policy explains what information we collect, why we collect it, and how you can manage your data.

By using Trollspace, you agree to the collection and use of information in accordance with this policy.

🏢 Who We Are (Data Controller)

Trollspace is operated by Daniel Tollefsen, established in Norway. For the purposes of the EU/EEA and UK data protection laws (including the GDPR), we act as the data controller for the personal data described in this policy.

You can contact us at support@trollefsen.com for any privacy-related questions.

💾 Information We Collect

Account Information

• Email address (for authentication and communication)
• Password (encrypted and stored securely)
• Account creation and last login timestamps
• User approval status (pending, approved, rejected)

Content You Create

• Code snippets: Code, notes, ideas, and todos you save
• GitHub repositories: Repository metadata and save status
• Tools: Custom tool configurations and data
• Travel data: Countries and cities visited, travel dates, notes, photos, and status
• Music: Your music library entries and metadata
• Movies & TV: Viewing history, ratings, and watchlist
• Knowledge base: Personal notes and documentation
• Finances: Financial tracking data and cryptocurrency information
• AI conversations: Chat history with AI assistants

Integration Data

• API keys and tokens you provide for third-party services
• OAuth tokens and refresh tokens (encrypted)
• Integration configuration and settings
• Service connection status and metadata

Usage Information

• Pages visited and features used
• Device and browser information
• IP address and approximate location
• Session duration and interaction patterns

Cookies and Local Storage

We only use cookies and local storage that are strictly necessary to operate the application:

• Authentication cookies (session management)
• Preference cookies (theme, sidebar state, etc.)
• Local storage for application state

We do not use third-party analytics, tracking cookies, or advertising cookies. No cookie consent banner is required as we only use essential cookies necessary for the service to function.

👁 How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Trollspace platform
• Authenticate your identity and manage your account
• Store and organize your personal content securely
• Connect to third-party services you authorize
• Generate AI-powered recommendations and insights
• Improve and optimize the user experience
• Send important notifications about your account or service updates
• Prevent fraud, abuse, and security incidents
• Comply with legal obligations

⚖ Legal Bases for Processing (EEA/UK Users)

If you are located in the EEA or UK, we process your personal data on the following legal bases under the GDPR:

• Performance of a contract (Art. 6(1)(b)): To provide the Trollspace service, authenticate you, store your content, and maintain your account.
• Legitimate interests (Art. 6(1)(f)): To prevent fraud, secure the platform, run logs, debug issues, and improve Trollspace. Our legitimate interest is operating a stable and secure service.
• Performance of a contract and legitimate interests (Art. 6(1)(b), 6(1)(f)): To send essential service emails such as security alerts and account changes.
• Compliance with legal obligations (Art. 6(1)(c)): To comply with accounting, tax, and law-enforcement requests where required.

We do not currently send marketing emails or newsletters. If we add this in the future, we will obtain your consent where required (Art. 6(1)(a)) or rely on our legitimate interests with the ability to opt out.

🤝 Third-Party Services

Trollspace integrates with various third-party services. When you connect these services, they may collect and process your data according to their own privacy policies.

Infrastructure and Storage (Data Processor)

• Supabase — Database, authentication, and file storage. Supabase acts as our data processor. We have a Data Processing Agreement (DPA) in place with Supabase covering data protection, security, and international transfers.

Artificial Intelligence (Data Processors)

• OpenAI — AI-powered features and chat. Processes your prompts and content on our behalf.
• Google Gemini — AI features (optional). Processes your prompts and content on our behalf.

AI providers receive only the content you actively submit to AI features. We do not use AI for automated decision-making with legal or significant effects on you. AI recommendations and insights are purely assistive and you remain in control of all decisions.

Content and Media (Independent Controllers)

When you connect these services, they process your data as independent controllers under their own privacy policies:

• GitHub — Repository synchronization (optional)
• TMDB — Movie and TV metadata lookup (optional). We only query public movie/TV information.
• Spotify — Music streaming integration (optional)

Google Services (Independent Controller)

When you connect your Google account, Google acts as an independent controller for your Google data. We request specific permissions based on the features you use. These permissions (OAuth scopes) include:

• Email Address (userinfo.email): Used to identify and link your Google account to your Trollspace profile
• Google Sheets (Read-Only) (spreadsheets.readonly): Enables the AI assistant to read and analyze your spreadsheets when you request it
• Google Drive (drive): Allows browsing and importing files to your Knowledge base
• YouTube (youtube.force-ssl): Enables playlist management, subscription viewing, and video organization on the Videos page

For more information, see Google's Privacy Policy.

Financial Data (Independent Controllers)

For cryptocurrency integrations, we store only API keys and position/balance data that you choose to sync. These services process trading data as separate controllers under their own policies:

• Binance — Cryptocurrency portfolio data (optional). We store encrypted read-only API keys to fetch your balances.
• CoinGecko — Public crypto market data (optional). No personal data is shared.
• CryptoCompare — Public crypto analytics (optional). No personal data is shared.
• ExchangeRate API — Public currency conversion rates (optional). No personal data is shared.

Maps and Location

• MapLibre — Interactive maps for travel features

🔒 Data Security

We implement industry-standard security measures to protect your data:

• All data transmitted between your device and our servers is encrypted using TLS 1.3
• Passwords are hashed using bcrypt with strong salt rounds
• API keys and sensitive tokens are encrypted at rest using AES-256-GCM
• OAuth tokens encrypted using AES-256-GCM before storage
• Per-user encryption keys derived using secure key derivation functions
• Database access is restricted and monitored
• Regular security audits and updates
• Row-level security policies in Supabase for data isolation
• User approval system to prevent unauthorized access
• Zero-knowledge architecture: we cannot access your connected services without your direct action

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

🛡 Your Rights

If you are located in the EEA or UK, you have the following data protection rights under the GDPR:

• Right of access: Request a copy of your personal data and information about how we process it.
• Right to rectification: Ask us to correct inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data in certain situations (for example, when it is no longer needed, or you withdraw consent where consent was the legal basis).
• Right to restriction: Request that we restrict processing of your personal data in certain circumstances.
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
• Right to object: Object to processing based on our legitimate interests, and to direct marketing at any time.
• Right to withdraw consent: Where we rely on consent, you can withdraw it at any time via Trollspace or by contacting us.
• Right to complain: You can lodge a complaint with your local data protection authority. In Norway, this is Datatilsynet.

How to Exercise Your Rights

You can exercise many of these rights directly in Trollspace:

• Access & Export: View and export your data through the application interface
• Rectification: Edit your content and profile settings directly
• Erasure: Delete individual items in the app, or contact us to delete your entire account
• Withdraw consent: Disconnect integrations from the Integrations page

For any other requests, contact us at support@trollefsen.com. We aim to respond within 30 days.

📁 Data Retention

We retain your data for as long as your account is active or as needed to provide you services. Specifically:

• Account data: Retained until you delete your account
• Content: Retained until you manually delete it
• Soft-deleted items: Marked as deleted but retained for recovery purposes (not visible to you)
• Backup data: May be retained for up to 90 days in backups
• Logs: Retained for 30-90 days for security and debugging

Upon account deletion request, we will permanently delete your data within 30 days, except where retention is required by law.

👶 Children's Privacy

Trollspace is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@trollefsen.com.

🌍 International Data Transfers

We primarily host Trollspace on Supabase infrastructure. Our primary database is located in Frankfurt, Germany (EU). However, some of our providers (including Supabase and its sub-processors, AI providers, and other integrations) may process your data from other countries.

When personal data is transferred outside the EEA/UK to a country without an adequacy decision, we rely on appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Additional technical and organizational measures implemented by our providers (for example, Supabase's DPA and security controls)
• Encryption of data in transit and at rest

You can contact us at support@trollefsen.com to learn more about the specific regions and safeguards we use.

⚠ Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any changes by:

• Updating the "Last updated" date at the top of this policy
• Sending you an email notification for significant changes
• Displaying a prominent notice in the application

Your continued use of Trollspace after such modifications constitutes your acknowledgment and acceptance of the modified policy.