Privacy Policy.
This policy explains what data Trooply Inc. ("Trooply", "we") collects, how we use it, and the rights you have over it. We keep it short and plain. Contact [email protected] with any questions.
Who we are
Trooply is a visual and text search API for e-commerce, operated by Trooply Inc. ("we", "us"). This policy applies to search.trooply.ai and every sub-path under it, including the portal, the API, the widget script, and the marketing site.
What we collect
Account data
When you sign up we collect your name, email, and company. If you subscribe to a paid plan, our payment processor (Stripe) collects card details directly — Trooply never sees the card number, only a billing token and metadata like the last four digits and billing country.
Catalog data
When you index a product, you send us its ID, image URL, and whatever metadata you choose to include (name, price, category, custom fields, etc.). We download the image, encode it into a 768-dimensional CLIP vector, and store the vector plus the metadata in a dedicated per-tenant Qdrant collection. Raw image bytes are discarded after encoding — we keep the embedding, not the pixels.
Shopper-query data
When a shopper runs a search, we log the query (or the filename + size for image uploads), the timestamp, the top result IDs, and the response time. Uploaded image bytes used as search queries are held only long enough to generate the query embedding and are then discarded. We do not store the raw shopper image.
Usage data
We log API request metadata (endpoint, status code, request ID, duration) for operational monitoring, billing, and abuse prevention. We do not log request bodies except when debugging a specific issue under your consent.
Cookies
The marketing site (/, /pricing, /docs, /blog, /features, etc.) does not set analytics or advertising cookies. The portal (/portal) uses a first-party session cookie purely for authentication; it expires on sign-out.
How we use it
- Operate the service — run your searches, serve your catalog, render the portal.
- Billing — charge your subscription via Stripe, send invoices.
- Support — reply to your emails and respond to tickets.
- Improve the platform — aggregate, non-identifying usage metrics (total queries per day, global error rates). We do not train shared models on your catalog or your shoppers' queries.
- Anti-abuse — detect and rate-limit scraping or malicious usage.
Who we share with
We only share data with processors that are necessary to operate the service:
- Stripe — payments, subscription management. EU + US.
- Cloudflare — CDN, DDoS protection. Global edge.
- Our hosting provider — the servers that run the API and the database. Data stays in the region we tell you at contract time.
- Email (SMTP) — transactional notifications (verification, password reset, billing receipts).
We do not sell your data. We do not share it with advertisers. We do not use it to train models shared across tenants.
How long we keep it
| Category | Retention |
|---|---|
| Account and billing records | Until account deletion, plus a legal minimum for tax records (typically 7 years). |
| Catalog embeddings + metadata | Until you delete the product, or you delete your account. |
| Shopper-query image bytes | Discarded within seconds of embedding — we only retain the query embedding for reranking and then drop that too after the response. |
| Search-history log rows | 90 days for Free / Basic, 12 months for Premium / Enterprise. |
| API request logs | 30 days. |
| Error logs | 30 days. |
International transfers
Trooply processes data primarily in the region specified in your contract (default: EU). When a processor is headquartered elsewhere (for example, Stripe US or Cloudflare US), transfers are governed by the Standard Contractual Clauses (SCCs) and the respective processor's adequacy decisions where available.
Your rights
If you are in the EEA, UK, California, or another jurisdiction with data-subject rights, you can:
- Access the personal data we hold about you.
- Correct data that is inaccurate.
- Delete your account and all associated data. Some billing records are retained to meet tax-law retention minimums.
- Export your catalog and search history as JSON via the API.
- Object to processing or withdraw consent where we rely on it.
Email [email protected] to exercise any of these rights. We aim to respond within 30 days.
Security
See our Security page for a summary of our controls. In short: TLS 1.3 in transit, encrypted storage at rest, per-tenant data isolation, OAuth 2.0 with signed JWTs, Origin-bound public keys for the widget.
Children
Trooply is a B2B platform. We do not knowingly collect data from anyone under 16. If you believe we have, email [email protected] and we will delete it.
Changes
We revise this policy when the underlying practice changes. The effective date at the top reflects the most recent revision. Material changes will be announced by email to account owners 14 days before they take effect.
Contact
Privacy questions, access requests, complaints: [email protected]. We are also happy to send our DPA (Data Processing Agreement) on request or through the portal.