Privacy Policy - Community Version

Effective date: November 10, 2025
Entity: Triform AB, Götgatan 23, 116 46 Stockholm, Sweden
Contact: [email protected] This Privacy Policy explains how Triform AB (“Triform,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards your information when you use the Triform Community Version platform.

Quick summary: Your code and project creations are public and open source. Your execution data (inputs, outputs, logs) is yours, but we have the right to use de-identified versions to improve and train our systems. We take your privacy seriously and follow industry best practices.

1. Information We Collect

1.1 Account Information

When you create a Triform account, we collect:

Authentication data: Email address, username, profile information from OAuth providers (Discord, GitHub)
Profile data: Display name, avatar, user handle
Organization data: Organization name, member roles, team structure

1.2 Content You Create (Public by Default)

Project assets: Flows, Actions, Agents, and all project source code
Prompts and configurations: Instructions, settings, and documentation
Non-secret variables: Public configuration values
Comments and annotations: Notes within your projects

Important: All content listed in this section is public and open source in the Community Version. Do not include sensitive or proprietary information in these assets.

1.3 Execution Data (Private to Public, Used for Training)

When you build, test, or run components, we collect:

Inputs and outputs: Data passed to and returned from your components
Logs and traces: Execution logs, error messages, debugging information
Performance metrics: Execution duration, resource usage, success/failure rates
Chat interactions: Conversations with Triton (our AI assistant) during building
API calls: Requests made through your flows and actions

Your data ownership: This execution data is yours. However, by using the Community Version, you grant us the right to use de-identified and anonymized versions of this data to:

Improve the Triform platform
Train and enhance our AI models (including Triton)
Develop new features and capabilities
Conduct research and analysis

1.4 Secret Data (Not Used for Training)

Data you designate as secret is handled with extra care:

Secret variables: API keys, credentials, tokens stored as secrets
Secret inputs: Sensitive data passed through secure inputs
Authentication credentials: Passwords, OAuth tokens, API secrets

We do not use secret data for training purposes. We do not share secret data publicly. We do not include secret data in analytics or improvement processes.

1.5 Technical and Usage Data

We automatically collect:

Device information: Browser type, operating system, device identifiers
Usage analytics: Features used, pages viewed, time spent, click patterns
Network data: IP address, location (country/region level), connection type
Cookies and similar technologies: Session management, preferences, analytics

2. How We Use Your Information

2.1 To Provide and Operate the Service

Host and display your public projects
Execute your flows, actions, and agents
Enable collaboration within organizations
Provide the Builder and Chat workspaces
Facilitate authentication and access control

2.2 To Improve and Train Our Systems

We use de-identified execution data to:

Train AI models: Improve Triton and other AI capabilities
Enhance platform features: Develop smarter tooling, better error handling
Optimize performance: Improve execution speed and reliability
Build new capabilities: Create features based on usage patterns

De-identification process: Before using execution data for training or analysis, we:

Remove or pseudonymize personally identifiable information (PII)
Exclude all secret data and credentials
Aggregate data where appropriate
Transform identifying characteristics

We do not attempt to re-identify de-identified data.

2.3 To Communicate With You

Service announcements and updates
Response to support requests
Security and administrative notices
Product improvements and feature launches (with your consent)

2.4 For Security and Compliance

Detect and prevent fraud, abuse, and security incidents
Enforce our Terms of Service
Comply with legal obligations and regulatory requirements
Protect the rights and safety of our users and the public

3. Data Ownership and Your Rights

3.1 Your Data Ownership

You own your execution data. While we may use de-identified versions for improvement, the underlying data belongs to you.
Your code is open source. By using the Community Version, you agree that your project code and creations are public and available under the MIT License (see Community Terms).

3.2 Your Privacy Rights

Depending on your location (particularly in the EU/EEA under GDPR), you have the right to:

Access: Request a copy of the personal data we hold about you
Rectification: Correct inaccurate or incomplete personal data
Erasure: Request deletion of your personal data (“right to be forgotten”)
Restriction: Request we limit processing of your personal data
Data portability: Receive your data in a structured, machine-readable format
Object: Object to processing of your personal data for certain purposes
Withdraw consent: Withdraw consent for processing where we rely on consent

To exercise these rights, contact us at [email protected]. Important limitations:

Deleting your account will stop future use of your data for training, but already-trained models cannot be “untrained”
Public code and creations remain public (per the MIT License) even after account deletion
Backup copies may persist for a limited period for security and compliance purposes
We may retain certain data where required by law or for legitimate business purposes

The Community Version makes your projects public by default:

Anyone can view your project source code, flows, actions, and agents
Your public profile (username, avatar) is visible to all users
Your contributions may be featured in community showcases

4.2 Within Your Organization

Organization members can view projects within shared workspaces
Admins can manage team access and permissions

4.3 Service Providers

We share data with trusted third-party service providers who help us operate the platform:

Cloud infrastructure: AWS, Google Cloud, or similar hosting providers
Authentication: OAuth providers (Discord, GitHub)
Analytics: Usage analytics and error monitoring tools
AI/ML services: Third-party AI models and APIs (OpenAI, Anthropic, etc.)
Communication: Email service providers

These providers are contractually obligated to protect your data and use it only for specified purposes.

4.4 Legal Obligations

We may disclose information if required by law:

To comply with legal process (subpoena, court order)
To protect rights, property, or safety
To investigate potential violations
In connection with a merger, acquisition, or sale of assets

We may share information in other circumstances with your explicit consent.

5. Data Security

We implement industry-standard security measures to protect your data:

5.1 Technical Safeguards

Encryption in transit: TLS/HTTPS for all data transmission
Encryption at rest: Sensitive data encrypted in storage
Access controls: Role-based access with principle of least privilege
Secret management: Dedicated secure storage for secret variables
Regular security audits: Ongoing security assessments and testing

5.2 Organizational Safeguards

Employee training: Security awareness for all team members
Limited access: Only authorized personnel can access user data
Incident response: Procedures for detecting and responding to breaches
Vendor management: Security requirements for third-party providers

5.3 Your Responsibilities

Use strong, unique passwords
Enable two-factor authentication (when available)
Never hard-code secrets in your project code—use secret variables
Regularly review your organization’s member access
Report suspected security issues to [email protected]

6. Data Retention

6.1 Active Accounts

Account data: Retained while your account is active
Public projects: Remain public indefinitely (per MIT License)
Execution data: Retained for operational and improvement purposes
Logs and traces: Retained for 90 days for debugging and support

6.2 Deleted Accounts

When you delete your account:

Personal profile information is removed within 30 days
Execution data stops being used for future training
Public code remains public (cannot be deleted due to MIT License)
Backups may persist for up to 90 days
De-identified data in trained models cannot be extracted

6.3 Legal Retention

We may retain data longer where required by:

Legal or regulatory obligations
Dispute resolution and enforcement
Security and fraud prevention

7. International Data Transfers

Triform is based in Sweden (EU/EEA). However, we use service providers that may store or process data outside the EU/EEA, including in the United States. When we transfer personal data outside the EU/EEA, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
Adequacy decisions: Transfers to countries with adequate data protection
Additional safeguards: Encryption, access controls, and contractual protections

8. Children’s Privacy

The Triform Community Version is not intended for users under 16 (or the applicable age of digital consent in your jurisdiction, if higher). We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child without appropriate consent, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

9. Third-Party Services and Integrations

9.1 OAuth Authentication

We use third-party OAuth providers (Discord, GitHub) for authentication. These services have their own privacy policies:

Discord Privacy Policy: https://discord.com/privacy
GitHub Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies

9.2 AI Model Providers

Your execution data may be processed by third-party AI providers (OpenAI, Anthropic, etc.) when you use AI-powered features. We:

Use enterprise agreements with zero-retention policies where available
Do not send secret data to these providers
Strip PII before sending data for processing

9.3 External APIs

When your flows or actions call external APIs, those services are subject to their own privacy policies. You are responsible for:

Understanding the privacy practices of APIs you integrate
Obtaining necessary consents from end-users
Complying with third-party API terms

10. Cookies and Tracking Technologies

We use cookies and similar technologies for:

10.1 Essential Cookies

Authentication: Keep you logged in
Security: Prevent fraud and abuse
Preferences: Remember your settings

10.2 Analytics Cookies

Usage analytics: Understand how you use the platform
Performance monitoring: Identify and fix errors
Feature optimization: Improve user experience

You can control cookies through your browser settings, but disabling essential cookies may impact platform functionality.

11. Your Choices and Controls

11.1 Account Settings

Update your profile information
Manage organization memberships
Configure notification preferences

11.2 Data Controls

Secret variables: Use these for all sensitive data
Project visibility: Note that Community Version projects are public by default
Delete projects: Remove projects you no longer need
Delete account: Request full account deletion

11.3 Communication Preferences

You can opt out of:

Marketing and promotional emails (you’ll still receive essential service communications)
Community newsletters and updates

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

12.1 Right to Know

You can request information about:

Categories of personal information collected
Purposes for collection and use
Categories of sources and third parties we share with
Specific pieces of personal information we hold

12.2 Right to Delete

Request deletion of your personal information (subject to exceptions).

12.3 Right to Opt-Out

Opt out of “sale” of personal information. Note: We do not sell personal information in the traditional sense, but using de-identified data for training may qualify as a “sale” under CCPA. You can opt out by contacting us.

12.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. To exercise CCPA rights, contact us at [email protected] with “CCPA Request” in the subject line.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

Changes in our practices
Legal or regulatory updates
New features or services

When we make material changes, we will:

Update the “Effective date” at the top
Notify you via email or platform notification
Provide a summary of key changes

Continued use of the platform after changes constitutes acceptance of the updated policy. Review regularly: We encourage you to review this policy periodically.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data: Email: [email protected]
Data Protection Officer: [email protected]
General contact: [email protected]
Mailing address: Triform AB, Götgatan 23, 116 46 Stockholm, Sweden Response time: We aim to respond to privacy inquiries within 30 days.

15. Supervisory Authority

If you are located in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority. Swedish Data Protection Authority (Datainspektionen)
Website: https://www.datainspektionen.se
Email: [email protected]

Summary of Key Points

✅ Your code is public and open source in the Community Version
✅ You own your execution data, but we can use de-identified versions for training
✅ Secret data is never used for training or shared publicly
✅ We anonymize personal data before any training or analysis
✅ You have control: Access, correct, delete, or export your data
✅ Security is a priority: Encryption, access controls, and regular audits
✅ Delete anytime: Stop future training use (but models can’t be “untrained”)
✅ GDPR and CCPA compliant: Full privacy rights for EU and California residents

By creating an account or using the Triform Community Version, you acknowledge that you have read and understood this Privacy Policy. Last updated: November 10, 2025

Get Started

Triton

Workspace

Tutorials

Core Concepts

Organizations

Reference

Resources

Legal

​Privacy Policy - Community Version

​1. Information We Collect

​1.1 Account Information

​1.2 Content You Create (Public by Default)

​1.3 Execution Data (Private to Public, Used for Training)

​1.4 Secret Data (Not Used for Training)

​1.5 Technical and Usage Data

​2. How We Use Your Information

​2.1 To Provide and Operate the Service

​2.2 To Improve and Train Our Systems

​2.3 To Communicate With You

​2.4 For Security and Compliance

​3. Data Ownership and Your Rights

​3.1 Your Data Ownership

​3.2 Your Privacy Rights

​4. How We Share Your Information

​4.1 Public Sharing (By Design)

​4.2 Within Your Organization

​4.3 Service Providers

​4.4 Legal Obligations

​4.5 With Your Consent

​5. Data Security

​5.1 Technical Safeguards

​5.2 Organizational Safeguards

​5.3 Your Responsibilities

​6. Data Retention

​6.1 Active Accounts

​6.2 Deleted Accounts

​6.3 Legal Retention

​7. International Data Transfers

​8. Children’s Privacy

​9. Third-Party Services and Integrations

​9.1 OAuth Authentication

​9.2 AI Model Providers

​9.3 External APIs

​10. Cookies and Tracking Technologies

​10.1 Essential Cookies

​10.2 Analytics Cookies

​11. Your Choices and Controls

​11.1 Account Settings

​11.2 Data Controls

​11.3 Communication Preferences

​12. California Privacy Rights (CCPA)

​12.1 Right to Know

​12.2 Right to Delete

​12.3 Right to Opt-Out

​12.4 Right to Non-Discrimination

​13. Changes to This Privacy Policy

​14. Contact Us

​15. Supervisory Authority

​Summary of Key Points