Privacy Policy
How Trinity collects, uses, and protects personal data — including call recordings, transcripts, and account information.
- Last updated: 22 April 2026
- Version: 1.0
Who we are
Trinity is an AI voice platform built for car dealerships. We help dealerships answer every incoming call, book appointments, and analyse call recordings for quality and training. This policy explains what personal data we collect, how we use it, and the rights you have under UK data protection law.
Trinity is operated by Future Laboratories LTD (company number 17047436), registered in England and Wales, with its registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ. For the purposes of UK GDPR, we act as a data processor when we handle your dealership's customer call data on your behalf, and as a data controller for information about your dealership's own users and account. The processor relationship is governed by our Data Processing Agreement, which is incorporated into our Terms of Service.
What personal data we collect
Information you provide when signing up
When a dealership administrator creates a Trinity account or is invited to one, we collect:
- Name and work email address
- The dealership business you belong to and your role within Trinity (for example, administrator, reviewer)
- Authentication identifiers issued by WorkOS (our auth provider)
Information from your telephony integration
Once your dealership connects Trinity to your telephony platform (for example, Mitel CloudLink), we ingest and process data about completed phone calls, including:
- Call recordings (audio)
- Call metadata (direction, caller number, callee number, timestamps, duration, agent extension)
- Transcripts, speaker-diarised turn labels, and derived analytics generated by Trinity's AI (categorisation, summaries, quality signals)
Callers whose voices appear in these recordings are data subjects under UK GDPR. Your dealership is responsible for informing them that calls are recorded and analysed by a third-party processor (typically via your IVR greeting). Trinity supports the dealership's obligation to provide that notice but does not deliver it directly to callers.
Information we collect automatically
When you use the Trinity dashboard, we collect usage information such as log timestamps, device and browser type, IP address, and interaction events. This information is used to operate, secure, and improve the service.
How we use your data
We use personal data only for the following purposes:
- Providing the service — running the Trinity dashboard, ingesting calls from your telephony platform, transcribing and analysing them, and making results available to you.
- Security and abuse prevention — detecting and preventing unauthorised access, fraud, or misuse.
- Service improvement — using aggregated, de-identified usage telemetry (never call content or identifying data) to monitor service quality and plan product improvements.
- Support and communication — responding to requests, sending service-critical notifications, and (with your consent where required) sending updates about the service.
- Legal compliance — meeting obligations under UK GDPR, PECR, and other applicable laws.
What we do not do
- We do not use your data to train AI models. Trinity does not train, retrain, or fine-tune any machine-learning model on your call recordings, transcripts, or derived analytics, and we contractually require the same restriction of our AI subprocessors.
- We do not use voice recordings for biometric identification. We do not generate persistent voiceprints or voice templates. Speech-to-text transcription and intra-call speaker diarisation do not, in our assessment, constitute processing for the purpose of uniquely identifying a natural person under Article 9 of the UK GDPR.
- We do not sell or share personal data for marketing purposes.
Our legal basis for processing
Under UK GDPR we rely on the following lawful bases in Article 6:
- Performance of a contract (Article 6(1)(b)) — when we process personal data to provide services requested by you or your dealership.
- Legitimate interest (Article 6(1)(f)) — when we process data for security, service improvement, or administering your account, provided our interests do not override your rights.
- Legal obligation (Article 6(1)(c)) — when required to comply with applicable law.
We also comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") and, where relevant, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, to the extent they apply to our processing.
Who we share data with
Trinity engages a small number of service providers ("subprocessors") who process personal data on our behalf. Each is bound by contractual confidentiality and data-protection obligations, and we remain responsible for their acts and omissions.
We engage subprocessors within the following categories. Trinity selects providers that offer UK or EU processing regions where operationally supported, and applies UK IDTA or UK Addendum safeguards where processing takes place outside the UK/EEA.
- Application platform — application database, backend functions, and dashboard hosting (European Union).
- Voice and telephony infrastructure — call media, SIP connectivity, and call-recording object storage (European Union).
- Authentication and identity — administrator login and session management (European Union).
- AI speech services — speech-to-text transcription and text-to-speech synthesis (predominantly European Union; some providers in the United States, protected by UK IDTA and enterprise zero-retention terms where enabled).
- AI language models — large language model inference for call analysis and agent behaviour (predominantly United States, protected by UK IDTA and enterprise zero-data-retention terms where enabled).
- Email delivery — transactional email notifications (European Union).
- Observability and logging — application logs and security monitoring (European Union).
- Product analytics — aggregated dashboard usage analytics; we do not send call recordings, transcripts, or call content to analytics providers (European Union).
- Integration orchestration — OAuth connection broker for third-party integrations such as calendar or CRM (European Union).
- Calendar and scheduling — appointment booking and availability for businesses that enable it.
- Payment processing — Customer subscription billing (Customer account data only; no call content). Provided by a UK-contracted payment processor.
We maintain a current list of the specific named entities engaged in each category, together with the contractual transfer safeguards in place for each. This list is available to Customer organisations on written request to privacy@trinityapp.ai. The authoritative description of our subprocessor engagements is in Annex A of our Data Processing Agreement.
We do not share personal data with third parties other than our subprocessors, except where required by law (for example, in response to a valid legal request) or with your explicit consent.
Where your data is stored
Trinity's core infrastructure — application platform, voice and telephony infrastructure, authentication, email delivery, observability, and product analytics — is hosted in the European Union. Transfers of UK personal data to these providers rely on the UK's recognition of the EEA as providing an adequate level of protection, in force from time to time under the UK GDPR international transfer regime.
Some AI language model providers process personal data in the United States. Transfers to those providers are protected by the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses) issued by the UK Information Commissioner's Office, together with enterprise zero-retention contractual terms where available.
How long we keep your data
We retain personal data only for as long as necessary to provide the service and to meet our legal obligations. In general:
- Call recordings, transcripts, and derived analytics: up to one year from the call date, unless a longer period is agreed in writing.
- Dashboard account information: retained for the duration of your account plus a short period afterwards to handle any final obligations, then deleted or anonymised.
- Operational and audit logs: up to one year, unless required longer for security investigations or legal compliance.
When our retention period ends, or at your written request, we delete the data from our active systems. Backup copies may remain in encrypted form for a short additional period before being overwritten.
Your rights under UK GDPR
Where Trinity is the data controller for your personal information, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete personal data (subject to legal retention requirements).
- Restriction — limit how we process your data in certain circumstances.
- Portability — receive your data in a structured, commonly used format.
- Objection — object to processing based on legitimate interest.
- Complaint to a supervisory authority — you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
If your personal data is in our service because your dealership recorded a call you were part of, please contact the dealership first — they are the data controller for that recording. We will support them in responding to your request.
To exercise any of these rights, email privacy@trinityapp.ai. We will respond without undue delay, and in any event within one calendar month of receiving your request. We may extend this period by up to two further months where necessary, taking into account the complexity and number of the requests; if we do, we will tell you within one month of receiving your request and explain the reasons for the delay.
How we protect your data
Trinity encrypts data in transit (TLS 1.2 or higher) and at rest. Our hosting subprocessors (including our application platform, voice infrastructure, object storage, and observability providers) apply AES-256 encryption at rest as their platform standard. Integration credentials (for example, Mitel CloudLink client secrets) are encrypted at the application layer with a rotation-capable master key held by Trinity, using AES-256-GCM. Access to production systems is restricted to authorised engineering staff, requires multi-factor authentication, and is logged. We conduct regular security reviews and respond quickly to credible vulnerability reports.
Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of the page. If the changes are material, we will notify dealership administrators by email.
Accessibility
Trinity aims to meet the Web Content Accessibility Guidelines (WCAG) 2.2 at Level AA across the Trinity dashboard and this website. Accessibility is an ongoing effort and some pages may not yet fully conform; we review and improve the experience on a rolling basis as features ship.
If you encounter a barrier using Trinity, or if you need information from Trinity in an alternative format, email legal@trinityapp.ai and we will respond within 5 working days.
How to contact us
For privacy questions or to exercise any of the rights above, email privacy@trinityapp.ai.