Privacy Policy
Last updated: April 2026
Triqai ("Triqai", "we", "us") is a trade name of Rediant, registered in the Netherlands (KVK: 97621803). This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Triqai website, dashboard, and API (the "Services").
We are committed to privacy by design and operate in accordance with the General Data Protection Regulation (GDPR).
1. Scope
This Privacy Policy applies to:
- The Triqai marketing website
- The Triqai dashboard
- The Triqai API and related services
This policy applies to both individual developers and business users.
The Services are not intended for children.
2. Roles Under GDPR
Depending on the context, Triqai acts as:
- Data Controller
For personal data related to our own users and business operations, including account management, authentication, billing, website analytics, support, and security operations.
- Data Processor
When processing customer transaction data through the API on behalf of customers. In that context, the customer is the controller and Triqai processes data under customer instructions and applicable agreements.
3. Personal Data We Collect
3.1 Account and Authentication Data
When you create or manage an account, we may process:
- Name
- Email address
- Hashed password (for credential-based authentication)
- OAuth identifiers (for example GitHub or Google)
- Organization and membership information
3.2 API and Transaction Data
Customers may submit transaction descriptions and related metadata. These inputs can contain personal data.
Organization-scoped raw data:
- Raw transaction descriptions are stored within the customer organization scope.
- Raw transaction descriptions are not shared with other customers.
- When configured, raw transaction fields are encrypted at rest.
Derived enrichment data:
- Triqai derives enrichment outputs (for example merchant entities, company identifiers, locations, intermediaries, and categories).
- Some derived enrichment signals may be reused to improve enrichment consistency across organizations.
- Triqai is designed to avoid deliberate sharing of direct personal identifiers across organizations, but customers should treat submitted transaction data as potentially personal data.
Triqai does not use customer transaction content to train third-party or internal foundation AI models.
3.3 Operational Diagnostics, Logs, and Caching
To operate, secure, and troubleshoot the Services, we process limited operational data including request metadata, activity logs, diagnostics, and cache records. In some cases these records may include transaction content snippets required for troubleshooting or abuse prevention.
We process this data under our legitimate interests in security, fraud prevention, platform reliability, and service quality.
3.4 Website Analytics
We use privacy-oriented website analytics on marketing pages to understand aggregate usage patterns and improve the site. We do not use website analytics for advertising profiling or cross-site behavioral targeting.
Analytics providers may receive limited technical metadata required to deliver analytics (for example request-level or device-level metadata). We configure analytics to minimize personal data collection and retention.
3.5 Cookies and Similar Identifiers
Triqai uses a limited set of cookies and identifiers required for authentication, security, and abuse prevention.
| Name | Purpose | Type | Typical Lifetime | Legal Basis |
|---|---|---|---|---|
| better-auth.session_token (and secure/host-prefixed variants) | Maintains authenticated session state | Strictly necessary | Session or auth-configured TTL | Contract / Strictly necessary |
| better-auth.session_data (and secure/host-prefixed variants) | Session cache and auth continuity | Strictly necessary | Short-lived, auth-configured | Contract / Strictly necessary |
| triqai_org_sync | Organization context synchronization after account or org changes | Strictly necessary | Short-lived | Contract / Strictly necessary |
| __Host-triq_anon_vid | Anonymous playground abuse prevention and rate-limit continuity | Strictly necessary security identifier | Up to 30 days | Legitimate interest / Strictly necessary |
We do not use marketing or advertising cookies on the Services.
4. Legal Bases for Processing
- Performance of a contract to provide requested Services
- Legitimate interests for security, abuse prevention, reliability, and product improvement
- Legal obligations for accounting, tax, and regulatory compliance
5. Data Retention
- Account and organization records: retained until account/organization deletion, subject to legal obligations.
- Transaction records and related transaction-linked data: retained for up to 90 days by default through automated retention controls.
- Operational logs, diagnostics, and transient caches: retained up to 90 days, with limited exception handling for active security/support investigations (up to 1 year where strictly necessary).
- Pseudonymous abuse-prevention identifiers: retained up to 180 days.
- Billing and invoicing records: retained as required by law and payment-provider obligations.
Account deletion initiates primary deletion workflows promptly. Some operational systems are purged on scheduled cleanup cycles.
6. Data Sharing and Sub-Processing
We use trusted service providers and subprocessors to deliver the Services (for example infrastructure, payments, email delivery, monitoring, analytics, anti-abuse, search enrichment, and AI inference).
Before sharing data with subprocessors, Triqai applies minimization and redaction controls where feasible. Because transaction text can be unstructured, customers should assume personal data may still be present in certain processing flows.
Current subprocessors, purposes, locations, and transfer information are published on our Subprocessors page. We provide advance notice for material subprocessor changes as described in our DPA. Some third parties (such as payment providers and optional social-login providers selected by the user) may act as independent controllers for their own processing activities under their own terms and privacy notices.
We do not sell personal data.
7. Security Measures
We maintain technical and organizational security measures, including:
- Encryption in transit (HTTPS/TLS)
- Access controls and organization-scoped data isolation
- Rate limiting and abuse-prevention controls
- Monitoring, logging, and incident response processes
- Encryption at rest for sensitive transaction fields where configured
8. International Data Transfers
We process data in the EU where possible. Where data is transferred outside the EU/EEA/UK/Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent mechanisms as applicable.
9. Your Rights Under GDPR
Subject to applicable law, you may request access, rectification, erasure, restriction, objection, and portability. Requests can be made via support@triqai.com. We respond within applicable legal timelines.
10. Data Processing Agreement (DPA)
For customers acting as controllers, our Data Processing Agreement governs processor obligations under GDPR Article 28.
11. Enterprise Contracting
Enterprise customers may execute additional contractual terms (for example order forms, enterprise addenda, or master agreements). Where executed, those documents may supplement or supersede parts of these public terms as specified therein.
Related Legal Pages
Subprocessors | Enterprise Addendum
12. Changes to This Policy
We may update this policy. Material changes will be communicated via the website, dashboard, or account contacts as appropriate.
13. Contact
Email: support@triqai.com
Company: Rediant (trade name: Triqai)
Jurisdiction: Netherlands