Trophy Jar

Privacy Policy

Effective Date: May 12, 2025  |  Last Updated: May 12, 2025

n-frames, LLC (“we,” “us,” or “our”) operates Trophy Jar, a review automation platform that helps small businesses collect, manage, and display customer reviews. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our services.

Plain-English Summary

Your Data

  • We only collect what we need to run the service. Nothing more.
  • We never sell your data or your customers’ data to anyone, ever.
  • We do not use your data for advertising or to benefit any other business.

Your Customers’ Data

  • Your customers’ contact details are used only to send review requests on your behalf.
  • Every review request email includes an unsubscribe link. We remove anyone who opts out, immediately.
  • Your customers can ask to be deleted from our system at any time by contacting you or us directly.

Connected Platforms

  • When you connect HubSpot, QuickBooks, or any other platform, we access only the data you approve during setup.
  • You can disconnect any integration at any time. We delete the associated data within 30 days.

Your Rights

  • You can request a copy of your data, ask us to correct it, or ask us to delete it. Just email us.
  • We respond to all data requests within 30 days.

1. Who This Policy Applies To

This policy applies to:

  • Business owners and administrators who subscribe to and use the Service (“Merchants”)
  • End customers of Merchants whose contact information is submitted to the Service for review solicitation (“End Customers”)
  • Visitors to our website and marketing pages

2. Information We Collect

2.1 Information You Provide Directly

  • Account registration: name, email address, business name, phone number, billing address
  • Payment information: processed securely via Stripe; we do not store full card numbers or bank account details
  • Business profile data: logo, business description, website URL, review platform links
  • Support communications: emails, chat messages, and attachments you send us

2.2 Information Collected via Platform Integrations

When you connect a third-party platform, we receive only the data you explicitly authorise through that platform’s OAuth or API consent flow. This may include:

  • Customer contact records (name, email, phone) — used solely to send review requests
  • Transaction or job completion events — used solely as triggers for automated review requests
  • Business or organisational metadata — used to personalise review request messaging

We access only the minimum scopes required to deliver the Service. We do not access, store, or process payment card data, financial account credentials, or sensitive personal data beyond what is necessary for review automation.

2.3 Information Collected Automatically

  • Usage data: pages visited, features used, session duration, click events
  • Device and browser information: IP address, browser type, operating system
  • Cookies and similar tracking technologies (see Section 8)

2.4 End Customer Data

Merchants submit End Customer contact information to trigger review requests. We process this data solely on behalf of and under the instructions of the Merchant. End Customers may opt out of future communications at any time by clicking the unsubscribe link in any review request email.

3. How We Use Your Information

We use collected data to:

  • Deliver and operate the Service, including sending review request emails on behalf of Merchants
  • Authenticate your account and manage your subscription
  • Process payments and manage billing via Stripe
  • Respond to customer support requests
  • Send transactional and product communications (feature updates, policy changes, security alerts)
  • Improve the Service through anonymised usage analytics
  • Detect, investigate, and prevent fraud, abuse, or violations of our Terms
  • Comply with applicable legal obligations

We do not use your data or your End Customers’ data for advertising, profiling, or sale to third parties.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

  • Contract performance: processing necessary to provide the Service you subscribed to
  • Legitimate interests: improving the Service, fraud prevention, security
  • Legal obligation: compliance with applicable law
  • Consent: where required by law (e.g., non-essential cookies)

5. Sharing and Disclosure of Information

We do not sell, rent, or trade your personal information. We share data only as follows:

5.1 Service Providers

We engage vetted third-party vendors to support our operations, including:

  • Stripe — payment processing
  • Cloud hosting providers — data storage and infrastructure
  • Email delivery providers — sending review request emails
  • Analytics providers — aggregated, anonymised usage analytics

All service providers are contractually bound to process data only on our behalf and to maintain appropriate security standards.

5.2 Platform Partners

When you connect a Platform Partner integration, data flows are governed by your authorisation. We share data back to Platform Partners only as explicitly enabled by you and as permitted under the Platform Partner’s API terms.

5.3 Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or when necessary to protect the rights, property, or safety of our users or the public.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets, user data may be transferred as part of that transaction. We will provide notice prior to any such transfer and the acquirer will be bound by equivalent privacy protections.

6. Data Retention

  • Account data is retained for the duration of your subscription plus 90 days following cancellation, after which it is permanently deleted.
  • End Customer contact data is retained for the minimum period necessary to deliver review requests and honour opt-outs, typically deleted within 30 days of the triggering event.
  • Billing records are retained for 7 years as required by applicable financial regulations.
  • You may request earlier deletion of your data by contacting us at support@trophyjar.com

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you
  • Correction: request correction of inaccurate data
  • Deletion: request deletion of your data (subject to legal retention obligations)
  • Portability: receive your data in a structured, machine-readable format
  • Objection / Restriction: object to or request restriction of certain processing activities
  • Withdraw Consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at support@trophyjar.com. We will respond within 30 days.

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale (we do not sell personal information).

8. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential functions: session management, authentication, security
  • Analytics: understanding how users interact with the Service (anonymised)

You may control non-essential cookies through your browser settings or our cookie preference centre.

9. Data Security

We implement industry-standard security measures including:

  • TLS/HTTPS encryption for all data in transit
  • Encryption at rest for sensitive stored data
  • Access controls and role-based permissions for internal staff
  • Regular security reviews and vulnerability assessments

In the event of a data breach, we will notify affected users as required by applicable law.

10. Third-Party Platform API Data Usage

Our integrations with Platform Partners are subject to the following restrictions:

  • We access only the API scopes explicitly authorised by you during the OAuth connection flow
  • Data obtained via third-party APIs is used solely to deliver the Service — never for secondary purposes, advertising, or to benefit other parties
  • We do not share third-party API data with other customers or third parties except as described in Section 5
  • We comply with each Platform Partner’s developer and API usage policies
  • You may revoke our access to any Platform Partner at any time; revocation triggers deletion of associated data within 30 days

11. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child’s information has been submitted, we will delete it promptly.

12. International Data Transfers

Our services are operated from the United States. If you are located in the EEA or UK, we ensure appropriate safeguards such as Standard Contractual Clauses are in place for any cross-border transfers.

13. Changes to This Policy

We will notify you of material changes by email or in-app notice at least 14 days before the change takes effect.

14. Contact Us

n-frames, LLC
Email: support@trophyjar.com
Website: https://trophyjar.com
Covina, California

If you are in the EEA or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.