Privacy Policy
隐私政策

Your privacy, by design.

隐私保护,从设计开始。

We don't sell your data. We don't run ad trackers. Here's exactly what we do.

我们不出售您的数据,不运行广告追踪器。以下是我们实际所做的事情。

Effective date: 2026-05-09  ·  Trove Deck Solution, Malaysia

生效日期:2026-05-09  ·  Trove Deck Solution,马来西亚

01 What We Collect

Website (trovedeck.com): We collect standard server logs — IP address, user-agent string, and timestamp — for security and abuse detection only. There are no third-party analytics scripts or ad-tracking pixels on the homepage.

Contact form: When you submit the contact form, we collect your name, email address, and message. This information is stored solely to respond to your inquiry and is not used for marketing.

In-house products (PowerDash, POS, TroveChat, VellumNote, TroveTrack, TroveDial, TroveScope, MTPines, ReplyAI, CC Remote — each product's subdomain may carry a specific privacy supplement with additional detail):

  • Account email, password (stored as a bcrypt hash — never plaintext), and display name
  • Product-specific data you create: POS orders, PowerDash dashboard entries, VellumNote notes (end-to-end encrypted — see Section 3), TroveChat messages, TroveTrack habit records, and equivalent data in other products
  • Billing data is processed entirely by Stripe — we receive only transaction metadata (subscription tier, payment status). We never see or store your full card number.

Custom development engagements: We collect project requirements, communication records, and any code or data you provide to fulfil the delivery. This data is governed by the terms of your engagement contract.

02 What We Do Not Do

  • We do not sell, rent, or broker your personal data to any third party.
  • We do not run ad tracking, retargeting, or third-party analytics on trovedeck.com.
  • We do not perform cross-site profiling or build behavioral advertising profiles.
  • We do not use your strategy logic, business data, or code for our own marketing.
  • We do not disclose your private code, configurations, or business intelligence without your explicit authorization.

03 Encryption and Security Architecture

End-to-end encryption (selected products): Sensitive product data — such as VellumNote notes — is encrypted using Argon2id key derivation combined with AES-256-GCM authenticated encryption. The encryption key is derived from your password client-side. We cannot decrypt your raw content server-side, even as the operator.

Password storage: Account passwords are hashed with bcrypt (or equivalent adaptive hashing). We never store plaintext passwords.

Infrastructure practices:

  • Least-privilege access control across all services
  • Layered key management and environment isolation
  • Default minimum-visibility policy for all sensitive data handling
  • Nightly encrypted database backups with rolling retention

04 Purpose of Data Use

  • To deliver the products and services you signed up for
  • To respond to your contact-form inquiries
  • To process subscription billing through Stripe (we receive transaction metadata, not card data)
  • To improve security posture, system stability, and support response quality
  • To fulfil contractual, legal, and risk-control obligations where applicable

05 Data Retention and Deletion

  • Website server logs: Retained for 30 days for security and abuse detection, then rotated.
  • Contact-form submissions: Retained until your inquiry is resolved, plus a reasonable follow-up window.
  • In-house product data: Retained while your account is active. On account deletion, data is purged within 30 days unless retention is legally required (e.g., billing records may be retained for up to 5 years for tax compliance).
  • Custom development data: Retained per the terms of your engagement contract.

06 Your Rights

You may request access, export, correction, or deletion of your personal data at any time.

  • For in-house products, account deletion is typically available in product Settings.
  • For all other requests, email [email protected] — we respond within a reasonable window, usually 7–14 business days.
  • You may also reach us on Telegram at @trovedeck.

07 Third-Party Services We Use

  • Stripe — payment processing. Handles all billing card data. Subject to Stripe's Privacy Policy.
  • Resend — transactional email. Sends welcome, password-reset, and receipt emails on our behalf.
  • Cloudflare — DNS and CDN for some subdomains. Passes traffic and may log IP addresses at the edge per Cloudflare's Privacy Policy.

We do not use Google Analytics, Facebook Pixel, or any advertising network on trovedeck.com. Individual products may use minimal first-party telemetry — refer to each product's privacy supplement for specifics.

08 Cookies on trovedeck.com

The trovedeck.com homepage uses a single localStorage entry to remember your language preference (EN / 中文). No tracking cookies and no third-party advertising cookies are set on the homepage.

Individual in-house products may use session cookies for authentication. Refer to each product's privacy supplement for details.

09 International Transfers

Trove Deck Solution is based in Malaysia. The third-party services we rely on (Stripe, Resend, Cloudflare) operate global infrastructure, meaning your data may transit through their servers in various regions, subject to their respective privacy policies and security standards.

We select providers with adequate security practices and, where applicable, contractual data-protection commitments.

10 Updates and Contact

This Privacy Policy may be updated from time to time. Material changes will be communicated with reasonable notice. The latest version is always available at trovedeck.com/privacy.html.

Privacy questions and rights requests:

Effective date: 2026-05-09

01 我们收集哪些信息

网站(trovedeck.com):我们收集标准服务器日志——IP 地址、用户代理字符串及访问时间戳——仅用于安全防护和滥用检测。主页上不存在任何第三方分析脚本或广告追踪代码。

联系表单:当您提交联系表单时,我们收集您的姓名、电子邮件地址及留言内容。这些信息仅用于回复您的咨询,不用于任何营销目的。

自研产品(PowerDash、POS、TroveChat、VellumNote、TroveTrack、TroveDial、TroveScope、MTPines、ReplyAI、CC Remote——各产品子域名可能附有更详细的专项隐私补充说明):

  • 账户电子邮件、密码(以 bcrypt 哈希形式存储,从不明文保存)及显示名称
  • 您在产品中创建的数据:POS 订单、PowerDash 仪表盘条目、VellumNote 笔记(端对端加密,详见第 3 节)、TroveChat 消息、TroveTrack 习惯记录,以及其他产品的对应数据
  • 付款数据由 Stripe 全程处理——我们仅收到交易元数据(订阅等级、支付状态),从不接触或存储您的完整银行卡号。

定制开发项目:我们收集项目需求、沟通记录,以及您为交付而提供的代码或数据。此类数据受您与我们签订的项目合同约束。

02 我们不做什么

  • 我们出售、出租或转让您的个人数据给任何第三方。
  • 我们在 trovedeck.com 上运行广告追踪、再营销或第三方分析。
  • 我们进行跨站点用户画像或建立行为广告档案。
  • 我们将您的策略逻辑、商业数据或代码用于自身营销。
  • 未经您明确授权,我们披露您的私有代码、配置文件或商业机密。

03 加密与安全架构

端对端加密(部分产品):敏感产品数据(如 VellumNote 笔记)采用 Argon2id 密钥派生算法结合 AES-256-GCM 认证加密方案进行保护。加密密钥在客户端从您的密码派生,我们作为运营方也无法在服务端解密您的原始内容。

密码存储:账户密码以 bcrypt(或同等自适应哈希算法)加密存储,从不以明文形式保存。

基础设施安全实践:

  • 所有服务采用最小权限访问控制
  • 分层密钥管理与环境隔离
  • 所有敏感数据处理遵循默认最低可见性原则
  • 每夜进行加密数据库备份,并按滚动策略保留

04 数据使用目的

  • 为您提供所注册的产品和服务
  • 回复您通过联系表单提交的咨询
  • 通过 Stripe 处理订阅付款(我们仅获得交易元数据,不涉及银行卡信息)
  • 提升安全防护能力、系统稳定性和客户支持质量
  • 履行合同义务、法律义务及风险管控要求

05 数据保留与删除

  • 网站服务器日志:保留 30 天用于安全和滥用检测,之后自动轮转删除。
  • 联系表单提交:保留至您的咨询得到解决,并保留合理的后续跟进期。
  • 自研产品数据:在您的账户有效期间保留。账户注销后,数据将在 30 天内清除,除非法律规定须保留(如账单记录可能因税务合规需保留最长 5 年)。
  • 定制开发数据:按项目合同约定的期限保留。

06 您的权利

您随时可以请求访问、导出、更正或删除您的个人数据。

  • 对于自研产品,通常可在产品"设置"中直接删除账户。
  • 其他请求,请发送邮件至 [email protected]——我们通常在 7–14 个工作日内回复。
  • 您也可通过 Telegram 联系我们:@trovedeck

07 我们使用的第三方服务

  • Stripe — 支付处理。负责处理所有银行卡付款数据,受 Stripe 隐私政策约束。
  • Resend — 事务性邮件。代表我们发送欢迎邮件、密码重置邮件及收据邮件。
  • Cloudflare — 部分子域名的 DNS 及 CDN 服务。负责流量传输,可能在边缘节点记录 IP 地址,受 Cloudflare 隐私政策约束。

我们在 trovedeck.com 上使用 Google Analytics、Facebook Pixel 或任何广告网络。各自研产品可能使用极少量的第一方遥测数据,详情请参阅各产品的专项隐私补充说明。

08 trovedeck.com 的 Cookie 使用

trovedeck.com 主页仅使用一个 localStorage 条目来记住您的语言偏好(EN / 中文)。主页上不设置任何追踪 Cookie 或第三方广告 Cookie。

各自研产品可能使用会话 Cookie 用于身份验证,详情请参阅各产品的专项隐私补充说明。

09 跨境数据传输

Trove Deck Solution 注册于马来西亚。我们所依赖的第三方服务(Stripe、Resend、Cloudflare)运营全球性基础设施,这意味着您的数据可能经由这些服务商在不同地区的服务器传输,并受其各自隐私政策和安全标准约束。

我们只选择具备完善安全实践的服务提供商,并在适用时要求其履行数据保护承诺。

10 政策更新与联系方式

本隐私政策可能不时更新。重大变更将提前以合理方式通知您。最新版本始终发布于 trovedeck.com/privacy.html

隐私咨询与权利请求:

生效日期:2026-05-09