
Privacy Policy

Last updated June 16, 2026

This Privacy Policy explains how Trovaru ("Trovaru", "we", "us", "our") collects, uses, shares, and protects your information when you use the Trovaru domain and SSL operations platform at trovaru.com (the "Service"). It also describes your rights and choices. By using the Service you agree to the practices described here. This Policy should be read together with our Terms of Service.

For most personal information, Trovaru is the data controller. For Customer Data you load into your workspaces (such as the domains, certificates, and records you monitor), Trovaru generally acts as a processor on your behalf, processing it under your instructions to provide the Service.

1. Information we collect

We collect only what we need to operate the Service:

  • Account information — your first and last name, email address, and (for Google sign-in) your Google account identifier. We never receive or store your Google password.
  • Authentication data — sign-in events, magic-link tokens, session identifiers, and OAuth grants used to keep you signed in securely.
  • Workspace and monitoring data — the domains, SSL/TLS certificates, DNS records, WHOIS records, owners, categories, notes, and the monitoring history we generate for you (expiry checks, certificate chains, DNS diffs, uptime results, blacklist/reputation results, and alerts).
  • Registrar and provider Credentials — API keys, tokens, and OAuth grants you connect for Cloudflare, GoDaddy, Namecheap, Porkbun, Route 53, and other providers. These are stored encrypted and used only to sync and monitor the data you ask us to.
  • Integration Credentials — secrets for notification channels (Slack, webhooks, Telegram, WhatsApp) and PSA platforms (such as HaloPSA) that you connect. These are stored encrypted per workspace.
  • Billing information — handled by our payment processor, Paddle, who acts as merchant of record. We store your Plan, subscription status, and billing name, but never your full card number.
  • Support and communications — messages you send us and our responses.
  • Usage and technical data — log data such as IP address, browser and device type, pages viewed, referring pages, and timestamps, used for security, debugging, and improving the Service.
  • Cookies — strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies.

2. Sources of information

We collect information directly from you (when you register, configure workspaces, or connect Credentials), automatically (through your use of the Service), and from third parties you authorise — including Google (sign-in), Paddle (billing status), and the registrars, DNS resolvers, certificate authorities, blocklist operators, and reputation providers we query on your behalf.

3. How we use your information

  • To provide domain expiry, SSL/TLS, DNS, WHOIS, uptime, and blacklist/reputation monitoring, and to send the alerts you configure.
  • To synchronise your portfolio from connected registrars and providers.
  • To deliver notifications through the channels you enable, and to create tickets or sync assets with connected PSA platforms.
  • To authenticate you, including via Google sign-in and passwordless magic links.
  • To process subscriptions and send transactional and billing email.
  • To provide support, respond to your requests, and send essential service messages.
  • To secure the Service, prevent and detect abuse, and meet legal obligations.
  • To analyse usage and improve the reliability and features of the Service.

We do not sell your personal information, and we do not use your workspace data to train third-party AI models.

4. Legal bases for processing

Where the GDPR or similar laws apply, we rely on the following legal bases: performance of a contract (to provide the Service you sign up for), legitimate interests (to secure, maintain, and improve the Service, and to prevent abuse), consent (where required, such as for optional integrations you choose to connect), and legal obligation (to comply with tax, accounting, and other laws). You may withdraw consent at any time where processing is based on consent.

5. Cookies and similar technologies

We use only strictly necessary cookies and local storage required to authenticate you, maintain your session, and keep the Service secure. We do not use advertising or cross-site tracking cookies, and we do not run third-party ad networks. Because these cookies are essential to the Service, they cannot be disabled without breaking sign-in.

6. How we share information

We share data only with service providers ("sub-processors") that help us operate the Service, each bound to protect it and to process it only on our instructions:

  • Google — OAuth sign-in and the Google Safe Browsing API (to check domain reputation).
  • Paddle — subscription billing and payment processing (merchant of record).
  • Brevo — delivery of transactional, magic-link, and notification email.
  • DigitalOcean — cloud hosting and infrastructure.
  • Cloudflare — DNS, network protection, and secure tunnelling.
  • DNS blocklist operators — public DNSBL services (such as Spamhaus, SpamCop, Barracuda, SURBL, and URIBL) queried to check whether your domains or IPs are listed.
  • Registrar and DNS APIs — Cloudflare, GoDaddy, Namecheap, Porkbun, Route 53, and others you connect, contacted only to read the records you choose to monitor.
  • Notification channels — Slack, Telegram, WhatsApp, and webhook destinations you connect, which receive the alert content you direct to them.
  • PSA platforms — HaloPSA and similar tools you connect, for ticketing and asset sync.

We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, safety, and security of Trovaru, our users, or the public. If Trovaru is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy.

7. Third-party integrations you enable

When you connect a third-party service — a registrar, notification channel, or PSA platform — you direct us to exchange data with that service to provide the feature. Those services process data under their own privacy policies, over which we have no control. Disconnecting an integration stops future data exchange but does not retrieve data already sent.

8. International transfers

Trovaru operates from Nepal and uses providers that may store or process data in other countries, including outside your own. Where required by law, we rely on appropriate safeguards — such as standard contractual clauses or equivalent mechanisms — for international transfers of personal data.

9. Data retention

We keep personal data and Customer Data for as long as your Account is active and as needed to provide the Service:

  • Account and workspace data — retained while your Account is active.
  • DNS change history — retained for up to 30 days.
  • Monitoring snapshots and logs — retained for a limited period for operational and security purposes, then pruned.
  • Billing records — retained as required to meet tax and accounting obligations.

When you delete your Account, we remove your personal data and workspace contents within 30 days, except where we must retain certain records to meet legal, tax, or accounting obligations. Connected Credentials are deleted when you disconnect them or delete your Account.

10. Security

We take the security of your data seriously. Registrar, provider, and integration Credentials are encrypted at rest using per-purpose encryption keys. We use TLS to protect data in transit, scoped access controls to isolate data between workspaces and accounts, and regular automated security checks (including static analysis with Brakeman and dependency and importmap vulnerability scans). No system is perfectly secure, but we work hard to protect your data and will notify you and any relevant authority of a breach affecting your personal data as required by law.

11. Your rights

You can access, correct, export, or delete much of your personal data directly from your account settings, or by contacting us. Depending on your location, you may have additional rights under the GDPR, UK GDPR, the CCPA/CPRA, or similar laws, including the rights to:

  • Access the personal data we hold about you and request a copy.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to erasure"), subject to legal retention obligations.
  • Restrict or object to certain processing, including processing based on legitimate interests.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.

We do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of in that respect. We will respond to verified rights requests within the time required by applicable law and will not discriminate against you for exercising your rights.

12. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.

13. Children

The Service is not directed to anyone under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

14. Do Not Track

Because we do not track users across third-party sites for advertising, we do not respond to browser "Do Not Track" signals differently; our processing is limited to operating the Service as described here.

15. Changes to this policy

We may update this Policy from time to time. Material changes will be announced on this page with a new "last updated" date and, where appropriate, by email. Your continued use of the Service after changes take effect means you accept the updated Policy.

16. Contact

Questions about this Policy or your data, or to exercise your rights? Email [email protected]. For general support, email [email protected].

© 2026 Trovaru. Crafted by Rajan Bhattarai in Kathmandu.