Privacy Policy
Last updated: 22 May 2026
This Privacy Policy explains how TrendSkew ("TrendSkew", "we", "us") collects, uses, shares and protects personal data when you visit our website, sign up for an account, use the Service, contact us, or otherwise engage with us. It is written to satisfy the transparency requirements of the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and applicable Lithuanian national legislation.
1. Data Controller
The data controller for personal data processed about you is the legal entity identified in the "Service provider" block at the bottom of this page. You can reach us about any data-protection matter at privacy@trendskew.com.
If you are an EU/EEA data subject and you cannot resolve a matter with us directly, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt) or your local supervisory authority.
2. Scope
This policy applies to personal data we process as a controller about:
- visitors to our marketing website, blog and documentation;
- individuals who create an account, sign up for a trial, or buy a subscription;
- authorised users of customer accounts (where we still act as controller, e.g. for security and audit logs);
- people who request a demo, contact sales, open a support ticket or email us;
- recipients of our marketing communications (where permitted);
- applicants and other people who interact with us in a business context.
When we process personal data on behalf of a customer in connection with their use of the Service (e.g. data they upload via the chat or API), we act as a processor under the data-processing terms in Section 12.
Separately, the market intelligence we publish is derived from information observed on publicly accessible online retail sources and from data partners. Where that information includes personal data (for example the business names of sellers or merchants, or publicly posted seller contact details), we act as a controller and the dedicated disclosure in Section 13 explains how and why we process it and how the people concerned can exercise their rights.
3. Categories of Personal Data We Process
3.1 Account data
- name and business email address;
- password (stored only as a salted hash via our authentication provider, Supabase Auth);
- two-factor authentication factors (TOTP secret stored encrypted, recovery codes);
- language and region preferences;
- profile picture if you choose to upload one.
3.2 Company and billing data
- company name and legal form;
- VAT / tax identification number;
- billing address;
- billing contact name and email;
- payment-instrument identifiers (card brand, last four digits, expiry; full card numbers never reach our systems and are stored by our PCI-DSS-compliant payment processor Stripe);
- invoice and credit-note records.
3.3 Usage data
- information about your interactions with the Service: pages visited, dashboards opened, filters applied, exports generated, API calls made;
- session metadata such as user agent, browser type, language, screen size, IP address;
- diagnostic logs and error reports;
- performance telemetry (which features load slowly, which queries fail).
3.4 Communications data
- messages you send via our in-product support tickets, contact form, demo request form, or by email;
- attachments you share with us in those communications;
- customer-success notes our team takes about our interactions with you.
3.5 Marketing data
- email-list subscriptions and your status (subscribed, unsubscribed);
- engagement signals such as which marketing emails you opened or which links you clicked;
- inferred interest categories based on which pages of our website you visit, derived only from analytics or marketing cookies and only where you have consented to those cookies (see Section 10 and our Cookie Policy). This website analytics and marketing activity is the only profiling we carry out; it is always consent-based, it does not produce legal or similarly significant effects, and it is separate from the public-source processing in Section 13 (where we build no profiles of the individuals concerned).
3.6 Cookies and similar technologies
See our Cookie Policy for a detailed inventory of the cookies and similar technologies we use, their purposes, and the duration each one is stored.
3.7 Special categories
We do not knowingly process special-category personal data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation). Please do not submit such data through the Service.
4. Purposes and Legal Bases
We process personal data for the purposes and on the legal bases set out below.
4.1 To create and manage your account
Data: account data, company and billing data.
Legal basis: performance of the contract between you and us (GDPR Art. 6(1)(b)).
4.2 To provide and maintain the Service
Data: account data, usage data, communications data.
Legal basis: performance of the contract (Art. 6(1)(b)).
4.3 To bill you and prevent payment fraud
Data: company and billing data, payment metadata, IP/geolocation, device fingerprints.
Legal basis: performance of the contract (Art. 6(1)(b)); compliance with tax and accounting law (Art. 6(1)(c)); our legitimate interest in preventing payment fraud and chargebacks (Art. 6(1)(f)).
4.4 To secure the Service
Data: account data, session metadata, IP address, security logs, two-factor authentication factors.
Legal basis: our legitimate interest in protecting the Service and our users from unauthorised access, abuse and security incidents (Art. 6(1)(f)).
4.5 To respond to your enquiries and provide support
Data: communications data, account data.
Legal basis: performance of the contract (Art. 6(1)(b)); our legitimate interest in responding to enquiries from non-customers (Art. 6(1)(f)).
4.6 To improve and develop the Service
Data: usage data, diagnostic logs, performance telemetry, aggregated and de-identified data derived from your use.
Legal basis: our legitimate interest in improving our products and operating our business efficiently (Art. 6(1)(f)). You can object to processing on this basis as described in Section 9.
4.7 To send service announcements
Data: account data.
Legal basis: performance of the contract (Art. 6(1)(b)) and our legitimate interest in keeping you informed about changes to the Service that affect you (Art. 6(1)(f)).
4.8 To send marketing communications
Data: account data, marketing data.
Legal basis: your consent where required (Art. 6(1)(a)); our legitimate interest in marketing similar services to existing customers under the soft-opt-in rule of the ePrivacy Directive (Art. 6(1)(f)). You can withdraw consent or object at any time via the unsubscribe link in every marketing email or by emailing privacy@trendskew.com.
4.9 To comply with legal obligations
Data: as required by the obligation.
Legal basis: compliance with a legal obligation (Art. 6(1)(c)).
4.10 To establish, exercise or defend legal claims
Data: as relevant to the claim.
Legal basis: our legitimate interest in protecting our legal position (Art. 6(1)(f)).
5. How Long We Keep Personal Data
We keep personal data only for as long as necessary for the purposes listed above, after which we delete it or anonymise it. Indicative retention periods:
- Account data: for the duration of your account, plus up to twelve (12) months after closure for security and account-recovery purposes.
- Billing data and invoices: ten (10) years from the end of the financial year in which the invoice was issued, in line with Lithuanian accounting and tax law.
- Live-chat transcripts and support tickets: three (3) years from the last interaction, to allow us to investigate recurring issues and defend potential disputes.
- Security and audit logs: twelve (12) months, extended where a security incident is being investigated.
- Diagnostic logs: thirty (30) days.
- Marketing-list membership: until you unsubscribe, plus a suppression record kept indefinitely so we do not contact you again.
- Customer Data (as processor): available for export for thirty (30) days after the end of your subscription, after which it is deleted, with deletion (including from routine backups) completed within ninety (90) days of termination unless retention is required by law, as set out in the Terms of Service and our Data Processing Addendum.
- Cookies: as set out in the Cookie Policy.
Where personal data is needed to defend a legal claim, we may retain it for the duration of the limitation period applicable to that claim.
6. Who We Share Personal Data With
We do not sell personal data for money. We share it only with the categories of recipients listed below, under appropriate written contracts and safeguards. Certain US state privacy laws define "sale" and "sharing" very broadly, so that our use of advertising and analytics cookies may fall within those terms; Section 14 explains your right to opt out of that activity and how to do so.
6.1 Service providers (processors)
- Cloud infrastructure: Vercel Inc., Google Cloud (BigQuery, Cloud Storage), Supabase.
- Authentication: Supabase Auth.
- Payments: Stripe Payments Europe, Limited.
- Transactional and marketing email: our configured email provider (Resend, SendGrid or SMTP relay as set up in Global Settings).
- Product analytics and error tracking: the providers identified in our Cookie Policy.
- Advertising and conversion measurement: where we run advertising campaigns and you consent to marketing cookies, we may engage advertising partners (such as Meta, LinkedIn or Google Ads) to measure campaign performance and build audience segments. The specific partners active at any time are those listed in the marketing-cookie category of our Cookie Policy; where no such partner is configured, no advertising data is shared. As explained in Section 14, where this activity does occur it may be a "sale" or "sharing" under some US state laws, which you can opt out of.
- AI features: LLM providers used to power the in-product AI tools (e.g. OpenAI, Anthropic), which process the text you submit in the United States. We send that text under the data terms we have entered with each provider, which provide that it is used only to deliver the feature to us, is not used to train the provider's own foundation models, and is retained only for the limited period the provider applies for abuse-monitoring (or as required by law) before deletion.
- Customer support tooling: internal helpdesk and CRM systems we use to manage tickets and customer relationships.
A full and current list of our processors is available on request at privacy@trendskew.com.
6.2 Professional advisers
We may share personal data with our accountants, auditors and lawyers where reasonably necessary for them to perform their services.
6.3 Authorities and law-enforcement
We may disclose personal data to courts, regulators and other authorities where required by law or to protect our rights, our customers' rights, or public safety. We will, where lawful, notify the data subject before responding and challenge requests we consider overbroad.
6.4 Corporate transactions
If we are involved in a merger, acquisition, restructuring or sale of assets, personal data may be transferred to the counterparty subject to appropriate confidentiality obligations and to this policy or a successor policy at least as protective.
6.5 With your consent or instruction
We may share personal data with any other recipient where you give us explicit consent or instruction to do so (for example when you ask us to integrate a third-party tool with your account).
7. International Data Transfers
TrendSkew is operated from the European Union and Customer Data is stored on EU-based cloud infrastructure by default. Certain features you choose to use necessarily transmit data outside the EEA — in particular, the in-product AI features send the text you submit to US-based providers (see Section 6.1), and some infrastructure providers operate global edge networks or US-based corporate functions. Where transfers outside the European Economic Area happen, we put one or more of the following safeguards in place:
- an adequacy decision of the European Commission (e.g. the EU–US Data Privacy Framework for participating US recipients);
- the European Commission's Standard Contractual Clauses (2021/914) supplemented by the additional technical, organisational and contractual measures recommended by the EDPB in its recommendations 01/2020;
- for UK transfers, the UK International Data Transfer Addendum or the IDTA itself.
You may request a copy of the safeguards in place for a specific transfer at privacy@trendskew.com.
8. Security
We maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access, in line with GDPR Art. 32. Without limitation, these include:
- encryption in transit (TLS 1.2+) and at rest for production databases and object storage;
- password hashing using industry-standard algorithms; passwords are never stored in plaintext;
- two-factor authentication enforced for administrative consoles and offered to, and prompted during set-up for, customer accounts;
- principle of least privilege for production access, with reviews of access rights performed periodically;
- network segregation between production, staging and development environments;
- automated dependency vulnerability scanning, static code analysis and pre-merge code review;
- centralised logging, monitoring and alerting for anomalous activity;
- documented incident-response and disaster-recovery procedures with regular rehearsals;
- written confidentiality undertakings from every employee and contractor with production access.
No system is completely secure. If you suspect that your account or personal data has been compromised, please contact us immediately at support@trendskew.com.
9. Your Rights
Subject to the conditions and limitations in applicable law, you have the following rights with respect to personal data we hold about you:
- Right of access — obtain confirmation as to whether we process personal data about you, and a copy of that data;
- Right to rectification — have inaccurate personal data corrected and incomplete data completed;
- Right to erasure ("right to be forgotten") — have personal data erased in certain circumstances;
- Right to restriction of processing — restrict our processing in certain circumstances, for example while we verify a rectification request;
- Right to data portability — receive personal data you have provided to us in a structured, commonly used, machine-readable format and transmit it to another controller;
- Right to object — object to processing carried out on the basis of our legitimate interests, including profiling for direct marketing;
- Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Right not to be subject to a solely automated decision — including profiling that produces legal or similarly significant effects (we do not currently take such decisions);
- Right to lodge a complaint — with a supervisory authority (see Section 1).
To exercise any of these rights please email privacy@trendskew.com. We will respond within one (1) month of receipt, extendable by two (2) further months for complex requests. We may ask you to verify your identity before acting on your request.
10. Direct Marketing and Profiling
You can opt out of marketing emails at any time via the unsubscribe link in every message or by emailing privacy@trendskew.com. We do not use your personal data to make solely automated decisions that produce legal or similarly significant effects on you.
Where we use cookies or pixels to measure marketing-campaign performance, those activities and the consent mechanism are described in our Cookie Policy.
11. Children
The Service is intended exclusively for business use and is not directed at children. We do not knowingly collect personal data from children under the age of sixteen (16). If you believe we have done so, please contact us at privacy@trendskew.com and we will delete the data.
12. Processing of Customer Data (Data Processing Terms)
To the extent we process personal data on behalf of a customer in our capacity as a processor under GDPR Art. 28, the following terms apply and form an integral part of the Terms of Service:
12.1 Subject matter and duration
We process personal data submitted to the Service by you or by your authorised users for the purpose of providing the Service. Processing continues for the duration of your subscription, plus the post-termination period defined in the Terms.
12.2 Nature and purpose
Hosting, storage, retrieval, indexing, analysis, transmission, display, backup, and deletion of personal data, all to provide the Service to you.
12.3 Types of personal data and categories of data subjects
Determined by you. You agree not to submit special-category personal data, criminal-conviction data, or data of children, unless we agree otherwise in writing.
12.4 Our obligations
- we will process personal data only on your documented instructions, including with regard to transfers, unless required to do otherwise by EU or member-state law (in which case we will inform you, unless the law prohibits notification on important grounds of public interest);
- we will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
- we will implement the security measures set out in Section 8;
- we will assist you, taking into account the nature of the processing, in fulfilling your obligations to respond to data subject requests and to comply with Articles 32-36 GDPR;
- we will notify you without undue delay after becoming aware of a personal-data breach affecting your data, and in any event in sufficient time to enable you to meet your own notification deadlines under Articles 33 and 34 GDPR;
- we will, at your choice, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless EU or member-state law requires storage;
- we will make available to you all information necessary to demonstrate compliance with these obligations and allow for audits on terms mutually agreed in writing, no more than once per year unless an incident has occurred.
12.5 Sub-processors
You give us general authorisation to engage sub-processors. We maintain an up-to-date list of sub-processors and will notify you of intended additions or replacements at least thirty (30) days in advance, giving you the opportunity to object on reasonable grounds. Where you object, we will use reasonable efforts to find an alternative; if we cannot, you may terminate the affected Subscription with a pro-rata refund of unused Fees.
13. Personal Data Obtained from Third-Party and Public Sources
This section is our notice under Article 14 GDPR for personal data we obtain other than directly from the individual concerned. It explains the personal data we may encounter when producing the market intelligence that powers the Service, and what we do with it.
13.1 Sources and categories
The Service is built on an observed sample of publicly available retail signals. We collect this information from publicly accessible online retail sources (such as product listings, public storefronts and publicly displayed catalogue, price and availability information) and from third-party data partners. The information is overwhelmingly about products and offers rather than about people. To the extent it incidentally contains personal data, the categories are limited to:
- business or trading names of sellers, merchants and brands, where those names identify a sole trader or other natural person;
- publicly posted seller storefront information and business contact details;
- public, non-authenticated identifiers such as a seller handle or shop URL.
We do not seek out, and instruct our sources and tooling not to ingest, account credentials, payment details, government identifiers, or content behind a login or paywall. We do not deliberately collect the special categories of data listed in Section 3.7 from these sources, we apply filtering intended to exclude them, and if we become aware that such data has nonetheless been ingested we suppress it from processing and delete it. We do not build profiles of, or take any decision about, individual consumers from these sources.
13.2 Purposes and legal basis
Purposes: to compile aggregated market statistics, indices, category and pricing analytics and similar directional intelligence for our business customers.
Legal basis: our legitimate interests, and the legitimate interests of our business customers, in understanding publicly observable market dynamics (Art. 6(1)(f) GDPR). We document a legitimate-interests assessment for this processing and, where it is likely to result in a high risk to individuals, carry out a data protection impact assessment under Article 35 GDPR; we keep these assessments under review. In weighing our interests against the rights and reasonable expectations of the individuals concerned, we take account of the following safeguards: we collect only information that is already accessible to the public on commercial trading sources; the information is overwhelmingly about products and offers, not people; we use it solely as an input to statistical aggregation; we do not use it to contact, advertise to, build profiles of, score, or take any decision about the individuals concerned; we retain source-level data only for the limited period described in Section 13.3; and we operate the objection and suppression process in Section 13.5. You may request a summary of that assessment, and information about how to object, at privacy@trendskew.com.
13.3 Aggregation and minimisation
Personal data from these sources is used only as an input to statistical aggregation. The outputs shown in the Service are aggregated so that they describe markets, categories and trends rather than identifiable individuals; we apply data-minimisation and aggregation measures designed to prevent those outputs from being attributed to an individual, and we do not attempt to re-identify anyone. Where source-level data continues to constitute personal data, we continue to treat it as personal data under this policy. We retain source-level data only for as long as needed to produce and quality-assure those outputs and then delete it; we do not build a standing repository of identifiable individuals from these sources.
13.4 Notice and disproportionate effort
For most of the individuals whose business names may appear in public listings we hold no direct contact details, and the data is processed only as an input to aggregate statistics, so providing individual notice would be impossible or involve a disproportionate effort within the meaning of Article 14(5)(b) GDPR. In those cases this Privacy Policy, which is public, serves as the required notice. Where a public listing does include a usable business contact detail and individual notice would not involve disproportionate effort, we will provide the Article 14 information to that individual directly. We will in all cases respond to any individual who contacts us.
13.5 Your rights
The rights in Section 9 — including the right to object to processing based on legitimate interests, and the right to erasure — apply to this processing. If you believe your personal data appears in our sources and you wish to object or request erasure, email privacy@trendskew.com with enough detail for us to locate it. Unless we can demonstrate compelling legitimate grounds, we will stop processing your personal data and suppress it from future ingestion.
14. US State Privacy Rights
This section provides additional disclosures and rights for residents of US states with comprehensive privacy laws, including California (the California Consumer Privacy Act as amended by the CPRA), Virginia, Colorado, Connecticut, Utah and other states with comparable laws. It applies to the extent such a law applies to our processing of your personal information. Terms such as "personal information", "sale", "sharing" and "sensitive personal information" have the meanings given to them in the applicable state law.
14.1 Notice at collection
The categories of personal information we collect, the sources, the purposes, and the categories of recipients are described in Sections 3, 4 and 6 of this policy. In the preceding twelve (12) months we have collected the following statutory categories: identifiers (e.g. name, email, IP address); commercial information (e.g. subscription and billing records); internet or network activity (e.g. usage and device data); geolocation inferred from IP address; and professional or employment-related information. We do not collect government identifiers, biometric data, or precise geolocation. The only categories we "sell" or "share" (as defined in Section 14.3) are identifiers and internet or network activity, and only through advertising and analytics cookies disclosed to the advertising and analytics partners listed in Section 6 and our Cookie Policy, for cross-context behavioural advertising and measurement. We do not sell or share any other category, and we retain each category only for the periods described in Section 5.
14.2 How we use and disclose personal information
We use each category for the business and commercial purposes set out in Section 4. We disclose personal information to the categories of service providers and recipients listed in Section 6 for those purposes. We do not knowingly sell or share the personal information of consumers we know to be under sixteen (16) years of age.
14.3 "Sale" and "Sharing" — your right to opt out
We do not sell personal information for monetary consideration. However, our use of third-party advertising and analytics cookies (see our Cookie Policy) may constitute a "sale" or "sharing" of identifiers and internet-activity information for cross-context behavioural advertising under some state laws. You have the right to opt out. You can exercise it by (i) rejecting the analytics and marketing categories in our cookie banner or via the "Cookie settings" link in the footer, and (ii) enabling a Global Privacy Control (GPC) signal in your browser, which we treat as a valid opt-out request for the browser that sends it. We do not use sensitive personal information for purposes that would require a "right to limit" offer.
14.4 Your rights
Subject to the applicable state law and its exceptions, you have the right to: (i) know and access the personal information we have collected about you; (ii) delete it; (iii) correct inaccurate information; (iv) opt out of any sale or sharing and of targeted advertising; (v) opt out of profiling that produces legal or similarly significant effects (we do not conduct such profiling); and (vi) not be subjected to unlawful discrimination for exercising your rights. Where your state provides it, you may also appeal a decision on your request.
14.5 How to exercise your rights
Submit a request by emailing privacy@trendskew.com. We will verify your identity using information already associated with you before acting, and we will respond within the timeframe required by the applicable law (for California, generally within forty-five (45) days, extendable once where reasonably necessary). You may use an authorised agent to submit a request on your behalf; we may require the agent to provide proof of authorisation and may still verify your identity directly. We do not charge a fee for a verifiable request unless it is manifestly unfounded or excessive. If we decline a request, we will explain why and tell you how to appeal where an appeal right exists.
14.6 No financial incentives; California "Shine the Light"
We do not offer financial incentives in exchange for the collection, sale or sharing of personal information. We do not disclose personal information to third parties for their own direct-marketing purposes, so we have nothing to report under California's "Shine the Light" law (Civil Code § 1798.83).
15. Personal-Data Breaches
Where we act as a controller and become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours, in line with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify you without undue delay in line with Article 34 GDPR and applicable US state breach-notification laws, and we will tell you what happened, the likely consequences, and the steps we and you can take. Where we act as a processor, our breach-notice obligations to the customer-controller are set out in Section 12.4 and in our Data Processing Addendum.
16. Our Establishment and Representatives
TrendSkew is operated from, and established in, the European Union. Because we have an EU establishment, we are not required to designate a representative under Article 27 GDPR. Where we offer the Service to data subjects in the United Kingdom and are required to designate a UK representative under Article 27 UK GDPR, that representative's details are available on request at privacy@trendskew.com. The identity and registered address of the controller are shown in the "Service provider" block at the foot of this page.
17. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced via the Service or by email at least thirty (30) days before they take effect. The "Last updated" date at the top of this page shows the effective date of the current version. Older versions are available on request.
18. Contact
For any privacy or data-protection matter — including data subject requests, complaints, or questions about this policy — please contact privacy@trendskew.com.
Service provider
MB Potvynio sala
VAT: LT100013860614
Rusnės g. 12A
LT99161 Šilutės r., LITHUANIA
Legal & data-protection queries: legal@trendskew.com