Privacy Policy

Effective date: 24 June 2026

In short: Trefnus Training is offline-first. Your training and certification records stay on your Device and are never sent to us. The only data that leaves your Device does so to verify your licence and sign you in: your email address, an account identifier, a randomly generated device identifier and a basic device label. We do not sell your data, we do not use advertising or tracking cookies, and we do not run third-party analytics.

This Privacy Policy explains how Trefnus Training ("we", "us", "our") handles information in connection with the Trefnus Training application (the "Application"). It should be read together with our Terms of Service and Cookie & Local Storage Policy.

1. Information We Collect

1.1 Information you provide

Email address — submitted when you request a sign-in "magic link" to activate or verify your licence.
Local password — set by you to lock the Application on your Device. This is never transmitted; it is stored only as a salted PBKDF2 hash on your Device and we cannot read or recover it.

1.2 Information collected automatically (transmitted off-device)

To operate licensing and the device limit, the Application transmits the following to our authentication and licensing provider:

Account identifier — the user ID associated with your authenticated email.
Device identifier — a random identifier generated on your Device (a UUID); it is not derived from hardware and does not identify you personally.
Device label — a basic, non-unique description combining your browser/operating-system platform string and the activation date (for example, "Win32 – 24/06/2026"), shown so you can recognise your own devices.
Licence and activation timestamps — when a device was activated and last verified.

1.3 Information stored only on your Device (local-only)

The following never leaves your Device and is not accessible to us. These are stored in your browser's localStorage and IndexedDB:

Your training data — employees, certification types, training records, training packages, providers, notifications and your settings, stored under the key trefnus_training_v1. This may include personal data of your employees that you choose to enter (names, email addresses, departments, certifications, dates).
Local security material — your password hash (app_training_pwd_hash) and any "remember this device" expiry (app_training_remember_until).
Licence state cached locally — app_training_licence_activated, app_training_licence_user_id, app_training_licence_activated_at, app_training_last_verified, and the device identifier app_training_device_hash.
Legal acceptance record — app_training_legal_acceptance, recording that you accepted these policies and when.
Optional Backup Folder handle — if you nominate a backup folder, a reference (handle) to it is stored in an IndexedDB database named trefnus_training_backup. Backups you write there may be encrypted and may sync to a cloud drive you have chosen (e.g. OneDrive, Dropbox, iCloud, Google Drive) — that syncing is governed by your provider, not us.

A full key-by-key breakdown is in the Cookie & Local Storage Policy.

1.4 What we do NOT collect

We do not collect, receive or have access to your training or certification records or any employee data you enter.
We do not use advertising cookies, marketing trackers, or third-party analytics/telemetry.
We do not collect precise location, contacts, biometric data, or device sensor data.
We do not sell or rent personal information, and we do not "share" it for cross-context behavioural advertising.

2. How We Use Your Information

Data	Purpose	Legal basis (UK/EU GDPR)
Email address	Send sign-in magic links; authenticate you; associate your licence	Performance of a contract; legitimate interests in securing access
Account identifier	Link your authenticated session to your licence	Performance of a contract
Device identifier & label	Enforce the per-account device limit; let you recognise your devices; prevent licence abuse	Performance of a contract; legitimate interests in preventing unauthorised use
Licence/activation timestamps	Validate licence status; apply offline grace periods	Performance of a contract
Local password hash	Restrict access to the Application on your Device	Legitimate interests in protecting your data (processed only on-device)
Your training data (on-device)	Provide the core functionality of the Application	You are the controller of this data; processed only on your Device

3. Data Storage and Security

Off-device data (email, account identifier, device identifier/label, timestamps) is processed by our authentication and licensing provider on managed cloud infrastructure protected by encryption in transit (HTTPS/TLS). On-device data is stored in your browser's storage; backups you create may be encrypted using AES-256-GCM with a key derived from your passphrase.

No method of transmission or storage is completely secure. While we take reasonable measures, we cannot guarantee absolute security, and to the maximum extent permitted by law we disclaim liability for unauthorised access beyond our reasonable control. The security of data on your Device depends on the security of your Device, browser and account — which are your responsibility. See our Disclaimer.

4. Data Sharing

We do not sell your personal information. We share the limited off-device data described above only with:

Our authentication and licensing provider (a cloud platform acting as our processor), to deliver sign-in and licence verification;
A content-delivery network, which may receive your IP address as a technical necessity when your browser downloads software libraries;
Authorities or third parties where required by law, to enforce our Terms, or to protect rights, safety or property; and
A successor entity in connection with a merger, acquisition or sale of assets.

5. Data Retention

We retain off-device licensing data for as long as your licence is active and for a reasonable period afterwards to meet legal, accounting and anti-abuse needs, after which it is deleted or anonymised. On-device data is retained until you delete it, clear your browser storage, or uninstall the Application — this is entirely within your control.

6. Your Rights

Depending on your location, you may have rights to access, rectify, erase, restrict or object to processing of your personal data, to data portability, and to withdraw consent. For the limited off-device data we hold, contact privacy@trefnus.co.uk. For on-device data, you can exercise these rights directly using the Application's own controls (edit, export and delete) and your browser's storage settings, because we have no access to it. Where you enter employee personal data, you are the data controller and are responsible for handling your employees' rights requests.

7. International Data Transfers

Our service providers may process data in countries other than your own. Where personal data is transferred internationally, we rely on appropriate safeguards (such as standard contractual clauses or an adequacy decision) where required by law. By using the Application you understand that limited licensing data may be transferred and processed in such locations.

8. Children's Privacy

The Application is intended for use by businesses and adults (18+) and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@trefnus.co.uk and we will take reasonable steps to delete it.

9. Third-Party Links

The Application or our communications may link to third-party websites or services. We are not responsible for their content or privacy practices. Review their policies before providing any information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Effective date" shows when it was last revised. Material changes will be notified by reasonable means. Continued use after changes take effect constitutes acceptance.

11. UK/EU GDPR Compliance

For users in the United Kingdom and the European Economic Area, we process personal data in accordance with the UK GDPR and the EU GDPR. For the off-device licensing data, we act as a controller. For the employee and training data you enter on your Device, you act as the controller and we are not a processor of it, because it never reaches us. You have the right to lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office, ico.org.uk).

12. California CCPA/CPRA Rights

If you are a California resident, you have rights to know, access, correct and delete personal information, and to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not discriminate against you for exercising your rights. To make a request, contact privacy@trefnus.co.uk. We will verify your request using the email associated with your account.

13. Data Breach Notification

In the event of a personal data breach affecting off-device data that we control and that is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected individuals where and as required by applicable law. Because your training and employee data resides on your Device and not with us, you are responsible for breach assessment and notification in respect of that data.

14. Contact

Privacy enquiries: privacy@trefnus.co.uk
General support: support@trefnus.co.uk