Privacy Policy
Last updated: June 2026
1. Who We Are
Trivium ("we", "us", "our") is an educational platform that provides AI-powered conversations with historical thinkers. We are operated from the United Kingdom.
Data Controller: Trivium
Contact: privacy@trivium.education
2. What Data We Collect
2.1 Account Information
- Email address (for account creation and communication)
- Full name and optional nickname (for personalisation)
- Password (stored as a bcrypt hash — we never see your plaintext password)
2.2 Conversation Data
- Messages you send to thinkers
- AI-generated responses
- Conversation metadata (titles, selected thinkers, mode, timestamps)
- Supervision topic selections and assessment results
2.3 Usage Data
- Number of messages sent (for rate limiting and tier enforcement)
- Feature usage (deep research, supervision mode, export)
- Browser type and device information (for responsive design)
2.4 Payment Data
Payment processing is handled by Stripe. We do not store your card number, CVV, or full billing details. We store:
- Stripe customer ID and subscription ID
- Subscription tier and billing interval
- Payment status and next billing date
3. How We Use Your Data
- Service delivery: To provide AI-powered conversations, supervision sessions, and educational content
- Account management: To authenticate you, manage your subscription, and enforce tier limits
- Communication: To send service-related emails (account confirmation, billing alerts)
- Improvement: To understand usage patterns and improve the platform (we do not use your conversations for AI training)
- Legal compliance: To comply with applicable laws and regulations
4. Legal Basis for Processing (UK GDPR)
- Contract: Processing necessary to deliver the service you signed up for
- Legitimate interests: Platform improvement, fraud prevention, analytics
- Consent: Marketing communications (only if you opt in)
- Legal obligation: Tax records, law enforcement requests
5. Data Sharing
We share data with the following service providers, strictly for service delivery:
- OpenAI: Your messages are sent to OpenAI's API to generate thinker responses. OpenAI processes this data under their API data usage policy (they do not train on API data).
- Stripe: Payment and subscription data for billing processing
- RunLobster: Hosting and infrastructure provider
We do not sell your personal data to third parties. We do not share your data for advertising purposes.
6. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion
- Conversations: Retained while your account is active; you can delete individual conversations at any time
- Payment records: Retained for 6 years (UK tax law requirement)
- Usage logs: Retained for 12 months for rate limiting and abuse prevention
7. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request that we limit how we use your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@trivium.education. We will respond within 30 days.
8. Cookies
We use the following cookies:
- Essential cookies: trivium_token, an authentication session cookie (httpOnly, secure, lasts 30 days). Required for the service to function.
- No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any advertising/tracking cookies.
See our Cookie Policy for full details.
9. Data Security
- All data is transmitted over HTTPS (TLS 1.2+)
- Passwords are hashed with bcrypt (10 rounds)
- Session tokens are JWT-signed with a persistent, server-side secret
- Database is not web-accessible and is stored on encrypted infrastructure
- Regular security audits are conducted
10. International Transfers
Your data is processed in the United Kingdom and the European Economic Area (EEA). Where our service providers process data outside the UK/EEA (e.g., OpenAI in the US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.
11. Children
Trivium is not directed at children under 13. We do not knowingly collect data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the platform. Continued use of Trivium after changes constitutes acceptance of the updated policy.
13. Contact
For any questions about this Privacy Policy or your personal data:
Email: privacy@trivium.education
If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO): ico.org.uk