Troja

Privacy Policy

Last updated: June 7, 2026



Effective date: June 7, 2026

This Privacy Policy explains how Troja ("Troja", "we", "us", or "our"), a service operated by FounderGem LLC, a Delaware limited liability company, collects, uses, discloses, and safeguards your information when you use troja.dev and related services (the "Service"). If you have questions, contact us at [email protected].

1. Who we are

Troja is a website security, SEO, and answer-engine-optimization (AEO) scanner. You point the Service at a website you own or control, and we analyze it for vulnerabilities, configuration issues, and visibility gaps. FounderGem LLC is the data controller for personal data described in this policy.

2. Information we collect

  • Account data. Email address, hashed authentication credentials, and basic profile details you provide when you register.
  • Scan data. The URLs you submit, the domains you verify, and the technical scan results we generate (HTTP headers, detected technologies, findings, and remediation guidance).
  • Billing data. Plan, subscription status, and payment metadata. Card details are handled directly by our payment processor, Stripe, and are never stored on our servers.
  • Usage and device data. IP address, browser type, pages viewed, and timestamps, collected to operate and secure the Service.
  • Communications. Messages you send to support and your correspondence with us.

3. How we use your information

We process your data to:

  • provide, maintain, and improve the Service and deliver scan results;
  • authenticate you and secure your account;
  • process payments and manage subscriptions;
  • send transactional emails (receipts, scan completion, security alerts);
  • respond to support requests;
  • detect, prevent, and investigate fraud or abuse; and
  • comply with legal obligations.

4. Legal bases (EU/EEA/UK users)

Where the GDPR applies, we rely on: contract (to deliver the Service you sign up for), legitimate interests (to secure and improve the Service), consent (for optional analytics and marketing, where required), and legal obligation (for tax and accounting records).

5. Sharing and subprocessors

We do not sell your personal data. We share data with vetted service providers who process it on our behalf — including Supabase (database and authentication), Stripe (payments), Railway (hosting), Cloudflare (DNS, CDN, and WAF), and our transactional email provider. See our Subprocessors page for the current list. We may also disclose data when required by law or to protect our rights and users.

6. International transfers

Our providers may process data in the United States and the European Union. Where personal data leaves the EEA or UK, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Data retention

We retain account and scan data for as long as your account is active. When you delete your account, we remove or anonymize personal data within 30 days, except where retention is required by law. See Account Deletion & Data Removal.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to the processing of your data, and to withdraw consent. To exercise any right, email [email protected]. You may also lodge a complaint with your local supervisory authority.

9. Security

We use encryption in transit (TLS), access controls, and least-privilege practices. No system is perfectly secure, but we work to protect your data and to notify you of material breaches as required by law.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect their data.

11. Changes

We may update this policy. Material changes will be announced in-app or by email, and the effective date above will be revised.

Questions or requests: [email protected].
