Legal
Privacy Policy
Last updated: July 10, 2026
This is a good-faith, plain-English draft written to accurately describe how Trammel actually handles data, based on how the product is built. It is not legal advice and has not yet been reviewed by counsel. Facts that require a real legal entity or contact — the data controller and its contact address — are marked with bracketed placeholders and will be completed before this notice is treated as final. It should be reviewed by a lawyer for GDPR, UK GDPR, CCPA/CPRA, and any other regime that applies to you before you rely on it.
1. Who we are and how Trammel is built
Trammel is a floor-plan editor that runs in your web browser. The service is operated by [Company legal entity], which is the data controller for the personal data described here. Trammel is offline-first by design: every plan you draw is written to your own device first, and you can use the editor — including the constraint solver and export — without an account and without your drawing content leaving your device. You only share data with us when you take an action that requires it: creating an account, enabling sync, paying for a plan, or looking up a real-world address for a site plan. This policy explains exactly what each of those does.
2. Data we collect, and why
We collect only what specific features need. We do not buy personal data about you, and we do not build advertising profiles.
Plan content — on your device first.Every plan you draw — walls, doors, windows, rooms, dimensions, title-block details, and any address or site geometry you attach — is stored locally in your browser's IndexedDB and localStorage. This on-device copy is the primary one; Trammel keeps working offline from it. If you never sign in, this content stays on your device and is never sent to us.
Account data — when you sign in.Creating an account is handled by Supabase (our authentication and database provider). You sign in either with Google (OAuth) or with a one-time email "magic link" — we do not ask you to create a password. As a result we store your email address and the authentication identifiers Supabase issues (an account ID, and, for Google sign-in, the identifier the OAuth provider returns). We use this to sign you in, keep you signed in via a session cookie, sync your projects, and apply the plan tier you are entitled to. Legal basis: performance of our contract with you (running the service you asked for).
Synced project data — when you enable sync. When you are signed in and sync is on, we store a copy of your projects in our Supabase (Postgres) database so they are available across your devices. Each synced record contains the project name, the serialized plan content (its geometry, dimensions, and title block), a small thumbnail image of the plan, and timestamps. Rows are scoped to your account by database row-level security, and data is encrypted in transit (HTTPS). Sync is optional: without it, your projects remain only on your device. Legal basis: performance of our contract with you.
Payment and billing data — when you buy a plan. Paid plans are processed by Stripe. Trammel never receives or stores your full card number, CVC, or bank details — Stripe collects and processes those directly. From Stripe we keep only what we need to run your subscription: a Stripe customer/subscription reference and your entitlement state (your plan tier, the subscription status Stripe reports, and when paid access is valid until). See Stripe's privacy policy for how Stripe handles payment data. Legal bases: performance of our contract with you, and our legal obligation to retain billing and tax records.
Product analytics. When analytics is configured, we use PostHog to understand how the product is used. Analytics is off unless an analytics key is set, runs only in your browser, and is deliberately narrow: we do not auto-capture every click, and we only record a defined set of product-funnel events — for example, that an export dialog was opened, that a Pro-only export format was viewed, that an export completed, that a free-plan project limit was hit, that an upgrade button was clicked, or that checkout was started — plus manual page views and a de-identified client-error signal (an error name, a truncated message, a numeric hash of the stack trace, and the page path — never the raw stack). These events describe actions, not drawing content: we do not send the geometry of your plans, your project names, or the addresses you look up to our analytics provider. Anonymous visitors are recorded as events without a personal profile; once you sign in, events and a profile are associated with your account ID and email so we can, for instance, see that a signed-in user hit an error. Legal basis: your consent where the law requires it for analytics, otherwise our legitimate interest in improving the product. [Confirm with counsel whether a prior-consent banner is required in your target regions; the product does not currently present one.]
Site-plan lookups (address, parcel, and aerial imagery). The site-plan feature is optional and only runs when you choose to look up a real address. When you do, the following third-party services are contacted:
- US Census Geocoder — the one-line address you type is sent, through our own geocoding proxy, to the US Census geocoding service to turn it into coordinates. The proxy is rate-limited by IP address to prevent abuse.
- Public GIS parcel and building-footprint servers — your resulting coordinates (and a small search area around them) are sent, directly from your browser, to public ArcGIS servers to fetch the parcel boundary and any building footprints: Charlottesville city GIS, Albemarle County GIS, and the VGIN Virginia statewide parcel service.
- Aerial imagery tiles— map tiles for the area around your point are loaded, directly from your browser, from Virginia's VBMP orthoimagery service and the USGS National Map imagery service.
These are public government and GIS data sources; we do not send them your account identity, only the address you entered and the map coordinates needed to draw the site. Legal basis: performance of our contract with you (providing the feature you invoked) and our legitimate interest in operating it. If you don't use the site-plan feature, none of these services are contacted.
Technical data. Like any web service, our servers process basic technical information to deliver pages and to keep the service secure — for example, the IP address used to rate-limit the geocoding proxy. We do not use this to build a marketing profile of you.
3. Cookies and local storage
Trammel uses your browser's IndexedDB and localStorage to hold your plans, preferences, and a cached copy of your plan entitlement so the editor works offline. When you sign in, Supabase sets a session cookie so we can keep you authenticated across requests. When analytics is enabled, PostHog sets its own cookies/identifiers to distinguish visitors and sessions. We do not use third-party advertising cookies, and we do not sell or share this data for cross-site advertising.
4. Third-party processors and services
We share personal data only with the providers needed to run the service, each under its own data-processing terms, and only for the purposes above:
- Supabase — authentication and the Postgres database that stores your account and synced projects.
- Google — only if you choose "Continue with Google", as the OAuth sign-in provider.
- Stripe — payment processing and subscription management; Stripe, not Trammel, handles your card details.
- PostHog — product analytics and error reporting, when analytics is enabled.
In addition, the optional site-plan feature contacts public data services on your behalf — the US Census Geocoder, the Charlottesville, Albemarle, and VGIN ArcGIS parcel/footprint servers, and the VBMP and USGS aerial-imagery services — as described in Section 2. Our fonts are self-hosted (bundled with the app at build time), so loading a Trammel page does not call an external font CDN.
5. Data retention and deletion
Local project data lives on your device until you delete it or clear your browser storage — clearing storage or losing the device removes the local copy, so keeping your own backups of important work is worthwhile. Synced account and project data is kept for as long as your account is active. You can delete individual projects at any time; deleting your account removes your synced projects and account record from our systems, except for billing records we are required to retain for tax and accounting purposes. Narrow analytics events are retained by our analytics provider for its configured retention period.
6. Security
Data in transit is encrypted with HTTPS. Access to synced project data is enforced at the database level by row-level security, so one account cannot read another's rows, and the privileged keys that bypass those checks are used only by server-side billing code and are never exposed to the browser. Payment card data is handled entirely by Stripe. No system is perfectly secure, and because your device holds the primary copy of your work, some of your data's safety depends on how you secure your own device and sign-in method.
7. International data transfers
Our processors may store and process data outside your country — for example, PostHog analytics defaults to a US endpoint, and Stripe and Supabase may process data in the United States or other regions. The public GIS and imagery services used for site plans are operated by US government and Virginia state agencies. Where data leaves your region, we rely on the transfer safeguards offered by these providers. [Confirm the applicable transfer mechanism — e.g. Standard Contractual Clauses — with counsel and the current provider configuration.]
8. Your rights and choices
Depending on where you live, you may have rights over your personal data, including the right to access it, to correct it, to delete it, to receive a portable copy, and to object to or restrict certain processing. You can use Trammel entirely offline without an account to minimise what you share, and you can export or delete your projects, and delete your account, from within the product. To exercise a data-subject right, contact us using the details in Section 11.
We do not sell your personal data, and we do not share it for cross-context behavioural advertising. Under the CCPA/CPRA and similar US state laws there is therefore nothing to opt out of in terms of a "sale" of your data; you still have the right to know what we collect, to request deletion, and not to be discriminated against for exercising those rights. We also do not use your drawings to train AI models.
9. Children
Trammel is not directed to children and is not intended for use by anyone under the age required to consent to online services in their jurisdiction. We do not knowingly collect personal data from children; if you believe a child has provided us personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy as the product changes. We'll post the new version here with an updated date, and where a change meaningfully affects how we handle your data we'll flag it in-app where practical.
11. Contact
Questions about this policy or your data, or to exercise a privacy right, reach the data controller at [Data controller contact email], through the contact options in your account settings, or via the address listed on our homepage. See also our Terms of Service, which include our owner-builder disclaimer.
This is a good-faith draft describing how Trammel actually handles data, not attorney-reviewed legal advice. Have it reviewed by a lawyer for your applicable privacy laws, and complete the bracketed placeholders, before relying on it as your published privacy notice.