Privacy Policy

Effective: 2026-05-06 · Version 2026-05-06

This Privacy Policy describes what data TrailerShopperAI ("TSAI," "we," "us") collects, why, who we share it with, and the rights you have over it. This Policy applies to dealers who hold accounts with us and is incorporated by reference into our Terms of Service.

1. Who is responsible for your data

TSAI acts as a data controller for account information you provide directly to us, and as a data processor for inventory data, photographs, voice samples, and other content you upload for us to process on your behalf. The controller of any buyer-side personal data appearing in social platform DMs, comments, or reviews routed into your inbox remains the respective social platform.

2. Data we collect

From you, directly

Account info: name, email, password (hashed and salted via better-auth — we never store plaintext), dealership business name.
Contact info: phone number, business address (optional, for local SEO and dealer panel features).
Inventory data: trailer titles, descriptions, prices, specs, status, photos.
Branding: logos, color palette, default voice/tone preferences.
Voice samples (optional, only if you opt into voice cloning): audio files of speech you upload, used to clone a voice via ElevenLabs and tied to your dealer account.
Messages you compose, manually or with AI assistance, for distribution or inbox replies.

Automatically, when you use the Service

Authentication and session data (cookies issued by better-auth, set on api.trailershopper.ai).
Audit-log entries: timestamp, IP address, user-agent, and event type for legally significant actions (subscription, acceptance of policies, video generation, distribution events). See our No-Refund Policy for what this enables.
Server logs: request paths, response codes, error stacks, performance traces. These contain IP and may contain query strings.
Generated outputs: AI-produced videos, voiceovers, music tracks, captions, and AI reply drafts. Stored in our private Backblaze B2 bucket.
Distribution metadata: which video you posted, which platforms, scheduling info, and lifecycle events returned by the distribution provider.

From third parties

PayPal: subscription status, payment events, payer ID. We never see card numbers or bank-account numbers.
Distribution provider: post status (published, failed), inbound DMs, comments, reviews, and analytics aggregated from connected social platforms.
TrailerShopper.com (if integrated): listing data and dealer pairing info.

3. How we use your data

Operate and maintain the Service — generate videos, distribute posts, surface inbox messages, render dashboards.
Process payments via PayPal and reconcile billing with our records.
Maintain the immutable audit log required by our No-Refund Policy and for fraud / dispute resolution.
Improve the Service — analyze aggregated usage patterns, debug errors, and refine AI prompt templates. We do not train shared AI models on your individual voice clones, customer content, or inventory data.
Send transactional emails (subscription receipts, distribution failure alerts, account changes). We do not send marketing emails without your opt-in.
Comply with legal obligations (tax records, subpoenas, valid legal process).

4. Lawful basis (where applicable)

For dealers and end users in jurisdictions with formal lawful-basis requirements (e.g., GDPR), we process personal data on the following bases: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to operate, secure, and improve the Service, including audit logging and fraud prevention; (c) legal obligation — to comply with tax, accounting, and regulatory requirements; (d) consent — for optional features such as voice cloning, where consent can be withdrawn by removing the cloned voice from your dashboard.

5. Third-party processors and recipients

We share your data with the following processors strictly to the extent needed for each function:

Cloudflare, Inc. — hosting, edge networking, DNS, DDoS protection, D1 database, KV cache, Queues. Data may transit Cloudflare's global network.
Backblaze, Inc. — private object storage of generated videos, voiceovers, music, and uploaded photos.
Anthropic, PBC — AI text generation (selling angles, captions, AI reply drafts).
ElevenLabs, Inc. — voice synthesis, voice cloning, music generation. Voice samples you upload are processed by ElevenLabs to produce a clone tied to your account.
fal.ai, Inc. — image-to-video AI clip generation (Kling model).
Distribution provider — outbound posting to social platforms (Facebook, Instagram, TikTok, YouTube, X, LinkedIn, Pinterest, Threads, Reddit, Bluesky, Snapchat, WhatsApp, Telegram, Google Business) and inbound webhook events from those platforms.
PayPal, Inc. — payment processing and subscription management.
Resend (when enabled) — transactional email delivery.

We do not sell your personal data, and we do not share it with advertising networks. We may disclose data in response to a subpoena, court order, or other valid legal process; in connection with a payment dispute via the audit-log mechanism described in our No-Refund Policy; or in connection with a merger, acquisition, financing, or sale of assets, with notice to affected dealers.

6. International data transfers

We are a US-based service. If you access the Service from outside the United States, your data may be transferred to and processed in the United States and other countries where our processors operate. By using the Service you consent to those transfers. Where required by law (e.g., GDPR), we rely on standard contractual clauses or other approved transfer mechanisms.

7. Data retention

Account data — retained while your account is active and for 90 days after closure (in case of restoration request), then deleted except as required for legal/audit purposes.
Audit log entries — retained indefinitely. The audit log is the legal record of acceptance and billing events; deletion would compromise dispute defense and is not technically performed.
Generated videos and audio — retained in our private storage while your account is active; on closure, retained 90 days then permanently deleted.
Voice clones — retained while you keep them in your dashboard; deleting a clone removes it from our DB and triggers deletion at ElevenLabs.
Server logs — retained 30 days for operational/security purposes, then rotated out.
Payment records — retained 7 years to satisfy tax and accounting obligations.

8. Your rights

Depending on your jurisdiction, you may have the right to:

access the personal data we hold about you;
correct inaccurate data;
delete data, subject to legal retention obligations (audit log, payment records);
export your data in a portable format;
restrict or object to certain processing;
withdraw consent (e.g., for voice cloning) at any time;
lodge a complaint with a supervisory authority.

To exercise these rights, email …. We will respond within 30 days. We may require identity verification before fulfilling sensitive requests.

9. California residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, how it's used, and with whom it's shared, the right to request deletion, the right to correct inaccuracies, and the right to opt out of any sale or sharing of personal information. We do not sell personal information.We may "share" data with the third-party processors listed above strictly to provide the Service. To exercise CCPA rights, email ….

10. Cookies and tracking

We use first-party cookies set by better-auth for authentication and session management. We do not deploy third-party advertising cookies, behavioral retargeting, or cross-site tracking on the dealer panel. We honor "Do Not Track" and Global Privacy Control signals where technically supported.

11. Security

Data in transit is encrypted via TLS 1.2+. Data at rest is encrypted by Cloudflare D1, KV, and R2/B2 storage. The B2 bucket holding dealer videos and audio is configured private; all access is mediated by our Worker via signed, time-bounded URLs. We follow least-privilege internal access controls, log administrative actions to a separate immutable admin audit log, and conduct regular security review of our integrations. No system is perfectly secure; in the event of a breach affecting your data, we will notify you as required by applicable law.

12. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

13. Changes to this Policy

We may update this Policy. Material changes require re-acceptance from existing dealers and trigger a version bump above. Prior versions remain on file in our audit log so you can confirm what you originally agreed to.

Privacy questions: …. Security incidents: ….