Privacy Policy

What We Collect

We collect only the information we need to run the Service. Specifically:

Account information. Your email address. This is required to create and operate your account.

Invoice documents. The waste-management invoice PDFs you upload to the dashboard or send to us by email.

Extracted invoice data. Information we read from those invoices in order to analyze them, including charge amounts, fee types, invoice dates, hauler names, your business name, and the service location (including address and ZIP/area) shown on the invoice. Your business name and street address are part of your account-bound data; they are removed or replaced with a pseudonymous identifier before any data enters our market dataset (see "Data Retention").

Payment information. When you subscribe to a paid plan, payment is processed by Stripe. We do not collect or store your full credit card number or other complete payment-card details. Stripe handles that directly. We receive limited information from Stripe such as your subscription status and a confirmation that payment succeeded.

Basic usage data. Operational records such as login times and upload timestamps, which help us run, secure, and troubleshoot the Service.

We do not intentionally collect sensitive personal information, and we ask that you not upload documents containing sensitive personal information that is unrelated to waste invoices.

How We Use It

We use the information above to:

• Create and maintain your account and authenticate your logins.
• Analyze your uploaded invoices for billing anomalies and irregular charges.
• Produce and deliver your monitoring results and monthly monitoring reports, by email or through the dashboard.
• Process payments and manage your subscription through Stripe.
• Operate, secure, monitor, and troubleshoot the Service.
• Respond to your requests and provide customer support.
• Comply with our legal obligations.
• Build pseudonymized market and benchmark data from invoices, and use it in aggregated form to provide benchmark comparisons and publish industry insights, as described in "Data Retention."

A note on how results are produced. In our current phase, results are reviewed by a member of our team before they are delivered to you, an approach we describe transparently. As the Service matures, we expect to automate part or all of this analysis, so some results may be produced with reduced or no manual review. Access to your invoice data is limited as described below.

Who Has Access

Access to your invoice data and extracted invoice data is limited to authorized TrixieWatch team members who need it to review and prepare your results. We restrict access on a need-to-know basis. Access to our pseudonymized market dataset is similarly limited to authorized team members and is used only to operate the Service and build aggregated benchmarks.

Beyond our own authorized team, your information is processed only by the third-party service providers ("subprocessors") listed in "Third-Party Services" below, each of which performs a specific function on our behalf.

We do not sell your personal information. We do not share your personal information with third parties for their own purposes, and we do not share it without your consent except with the subprocessors described in this policy who process it on our behalf to provide the Service. We may also disclose information if required by law, such as in response to a valid legal process, or to protect the rights, safety, and security of TrixieWatch, our customers, or the public.

Data Retention

We keep your information for as long as your account is active and you are using the Service.

If you cancel your account, within 30 days we delete your invoice documents and the personal and identifying information associated with your account, including the mapping that links our retained market data to you. If you ask us to delete your data sooner, we will do so promptly upon request. Contact us at hello@trixiewatch.com to make a deletion request. As described below, after that mapping is deleted we retain pseudonymized market data derived from your invoices that we can no longer link back to you.

We may retain a limited amount of information for longer where we are required to do so by law (for example, basic transaction records needed for tax or accounting purposes). Separately, we derive pricing and market data from invoices, including the hauler, charge types, amounts, dates, and geography to ZIP or census-area level. Before storing this data in our market dataset, we remove direct identifiers (your name, business name, street address, and ZIP+4) and replace the link to your account with a pseudonymous identifier. The mapping between that pseudonymous identifier and your account is held separately and is deleted when your account is deleted; after that deletion we can no longer link this data back to you. While your account is active, this data remains pseudonymized and is therefore still treated as your personal information, under the same security controls; we never use it to contact or profile you. We use this market data to operate and improve the Service, to give you and other users benchmark comparisons (such as how your charges compare to the regional average), and to publish aggregated industry insights, including publicly and for marketing. Because it can include precise geography, we do not claim it is fully anonymous even after deletion, which is why we publish or share it only in aggregated form covering at least 10 distinct businesses. We retain and use this market data on an ongoing basis, including after your account is deleted.

Third-Party Services (Subprocessors)

We rely on a small number of trusted service providers to deliver the Service. Each processes information only as needed to perform its function:

• Cloudflare: hosting and delivery of our application (Cloudflare Pages), including content delivery and security.
• Supabase: our application database (PostgreSQL, hosted in the United States), where account information and extracted invoice data are stored.
• Stripe: payment processing and subscription management. Stripe handles payment-card details directly; we do not store them.
• Anthropic (Claude API): the large language model service we use to analyze the content of your invoices and identify potential billing anomalies.

If we add or change a subprocessor, we will update this list.

Data Security

We protect your information using industry-standard safeguards. Data transmitted through our dashboard and between our systems is encrypted in transit using TLS, and data stored in our database is encrypted at rest. If you choose to send invoices by email, please be aware that email is not always encrypted in transit and that part of the transmission is outside our control; we secure your invoices once they reach us. Invoice PDFs are stored with our database provider, encrypted at rest and access-controlled; any invoice files handled on a reviewer's device during manual review are protected by full-disk encryption. We delete invoice PDFs once processing is complete: after manual review in our current phase, and immediately after successful extraction once that step is automated. We limit access to authorized team members on a need-to-know basis as described above. No method of transmission or storage is completely secure, but we work to protect your information and to keep our practices current.

Your Rights

Several U.S. states have enacted consumer privacy laws, and more do so each year. Rather than list specific states that may change over time, we extend the following rights to every user to the extent your state's law grants them. Depending on where you live and the law that applies, you may have the right to:

• Know / access the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collecting it, and the categories of third parties with whom we share it.
• Delete the personal information we hold about you, subject to legal exceptions.
• Correct inaccurate personal information we hold about you.
• Data portability: receive a copy of certain personal information in a portable format.
• Opt out of the sale or sharing of your personal information, and of targeted advertising and certain profiling. We do not sell or share your personal information, we do not use it for targeted advertising, and we do not engage in profiling that produces legal or similarly significant effects. There is generally nothing to opt out of, but we state these rights for completeness. Where required, we honor browser opt-out preference signals such as Global Privacy Control (GPC).
• Be free from discrimination or retaliation for exercising any of these rights. We will not deny you service, charge you a different price, or provide a different level of service because you exercised your rights.

California.If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, gives you the rights described above. The categories of personal information we collect, our purposes for using it, and the categories of recipients (our subprocessors) are described in the "What We Collect," "How We Use It," and "Third-Party Services" sections above. We do not sell or share personal information as those terms are defined under California law, and we have not done so in the preceding twelve (12) months.

How to exercise your rights. Contact us at hello@trixiewatch.com. We will verify your request, typically by confirming control of the account email associated with the information, before acting on it. You may use an authorized agent to make a request on your behalf where permitted by law; we may require proof of the agent's authorization and verification of your identity. We will respond within the timeframe required by applicable law (generally within 45 days, with an extension where permitted). There is no charge for a verifiable request unless it is excessive or repetitive.

Appeals. If we decline your request and the law that applies to you provides a right to appeal, you may appeal our decision by replying to our response or contacting us at hello@trixiewatch.com. We will respond to your appeal within the period required by your state's law.

This Privacy Policy describes our practices for personal information we handle as a business. Where we process invoice data on behalf of a business customer, we act as that customer's service provider (or processor) and handle the information according to our agreement with them and this policy. Note that many state privacy laws apply only to personal information about individuals acting in a personal or household capacity and exclude information handled in a purely business-to-business or employment context; we nonetheless aim to honor the rights above wherever practical.

Contact

If you have questions about this Privacy Policy or want to exercise your rights, contact us at:

Email: hello@trixiewatch.com

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will take reasonable steps to notify you, such as by email or through the dashboard. Your continued use of the Service after an update means you accept the revised policy.