Privacy Policy

Last updated: February 2026

1. Introduction

Trigga ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the Trigga mobile application ("the App"). Trigga is designed with a privacy-first architecture — your n8n data stays between your device and your n8n instance.

2. Our Architecture: How Your Data Flows

Trigga acts as a thin client that communicates directly with your n8n instance. Understanding this architecture is key to understanding our privacy model:

  • Device ↔ Your n8n Instance (direct): All workflow data, execution results, and workflow management actions travel directly between your device and your n8n instance over HTTPS. Trigga never proxies, relays, or intercepts this traffic.
  • Device ↔ Firebase: When you create an account, your authentication credentials (email, display name) are stored in Firebase. Minimal settings preferences may be stored in Firebase Firestore for account management.
  • Device ↔ PostHog: Anonymous product analytics events (such as screen views and feature usage) are sent to PostHog to help us improve the App. No personally identifiable information is included.

3. Information We Collect

Account Information (Required)

An account is required to use the App. You can create an account via email/password, Google, or Apple sign-in. Firebase Authentication stores your email, display name, and authentication provider.

Anonymous Analytics

We use PostHog to collect anonymous product analytics to help us understand how the App is used and to improve it. The following data is collected automatically by the PostHog SDK:

  • Device model and operating system version
  • App version and build number
  • Screen dimensions and device locale
  • Session duration and screen views
  • Feature usage events (e.g. workflow toggled, execution viewed, subscription events)

All analytics events are tied to an anonymous device identifier — not your email, name, or Firebase account. We do not use this data to track you across other apps or websites.

Subscription Data

When you subscribe to Trigga Pro, RevenueCat receives your Firebase UID to manage your subscription. RevenueCat also automatically collects your device model, OS version, app version, and country/region (from App Store or Google Play receipts) for purchase validation and analytics. RevenueCat does not receive any n8n data.

What We Do NOT Collect

We want to be explicit about data we never collect, store, or have access to:

  • Your n8n API key or access tokens (stored only in your device's native keychain)
  • Your n8n instance URL (stored only on your device)
  • Your workflow definitions, names, or configurations
  • Your execution results, logs, or error details
  • Your n8n node credentials or connected service tokens
  • Any data processed by your workflows
  • Location data, contacts, photos, or other device data

4. Tracking & Cross-App Data

Trigga does not track you across other companies' apps or websites. We do not participate in ad networks, retargeting, or cross-app tracking of any kind. We do not use Apple's IDFA (Identifier for Advertisers) or any equivalent advertising identifier. Accordingly, the App does not present an App Tracking Transparency (ATT) prompt because no cross-app or cross-site tracking occurs.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contractual necessity: Account creation and authentication are required to provide the App's core functionality (Art. 6(1)(b) GDPR).
  • Legitimate interest: Anonymous product analytics via PostHog are collected to improve the App's quality and performance. These analytics are anonymized and do not include personally identifiable information (Art. 6(1)(f) GDPR).
  • Contractual necessity: Subscription management via RevenueCat is necessary to fulfill your purchase and provide access to paid features (Art. 6(1)(b) GDPR).

6. API Key Storage & Security

Your n8n API key is the most sensitive piece of data the App handles. Here is exactly how we protect it:

  • Stored exclusively in your device's native encrypted keychain using Expo Secure Store (iOS Keychain / Android Keystore) with WHEN_UNLOCKED_THIS_DEVICE_ONLY access level
  • Injected into API requests at the time of each call via an HTTP interceptor
  • Never written to AsyncStorage, logs, crash reports, or any unencrypted location
  • Never transmitted to Firebase, Trigga servers, or any third-party service
  • Never synced across devices — you must re-enter your API key on each device
  • Immediately deleted from secure storage when you sign out or remove an instance

7. Firebase Data

The following data is stored in Firebase under your user account:

  • Authentication: Email, display name, and authentication provider (managed by Firebase Authentication)
  • Settings preferences: Theme (light/dark/system) and auto-lock timeout

All Firebase data is transmitted over HTTPS and encrypted at rest by Google Cloud.

8. Instance Data

Your n8n instance information (name, URL, type, API key) is stored entirely on your device. Instance URLs and names are kept in local device storage (AsyncStorage). API keys are stored in encrypted device storage (iOS Keychain / Android Keystore). None of this data is sent to Firebase, Trigga servers, or any third party.

9. Third-Party Services

The App integrates with the following third-party services:

  • Firebase Authentication (Google): Account sign-in and session management. Collects email, display name, and authentication provider.
  • Firebase Firestore (Google): Settings preferences storage.
  • RevenueCat: Subscription and in-app purchase management. Receives your Firebase UID, purchase history, and device metadata for purchase validation.
  • PostHog: Anonymous product analytics. Receives anonymous device identifiers, device metadata, and usage events. Does not receive your email, name, or any n8n data.
  • Apple App Store / Google Play Store: App distribution and payment processing.

We require that each third-party service provider maintain data protection standards that are the same as or equivalent to those described in this Privacy Policy. We do not use session recording tools (no LogRocket, Clarity, or similar). We do not use third-party crash reporting (no Sentry, Bugsnag, or similar).

10. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We do not share your data with third-party AI services. Your data is shared only with the third-party services listed above, solely for the purpose of providing the App's functionality. We may disclose your information if required by law or to protect our legal rights.

11. Analytics Opt-Out

If you prefer not to participate in anonymous analytics, you can opt out by contacting us at support@trigga.app with the subject line "Analytics Opt-Out." We will disable analytics collection for your device. Opting out does not affect the App's core functionality.

12. Data Retention & Deletion

We retain your account information only for as long as your account is active.

When you sign out or delete your account, the following data is immediately removed:

  • All API keys from device secure storage
  • PIN hash and biometric authentication flags
  • All instance data from device storage
  • All cached workflow and execution data
  • All Firebase documents (settings preferences)
  • Your Firebase Authentication record (on account deletion)
  • RevenueCat user session

Account deletion is available directly within the App under Settings and is immediate and irreversible. After deletion, no personal data remains in our systems.

13. App Lock & Biometrics

The App offers optional PIN and biometric (Face ID / fingerprint) authentication for additional security. Your PIN is stored as a hash in device secure storage — never in plain text. Biometric data is handled entirely by your device's operating system and never touches the App.

14. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Delete your account and all associated data at any time from within the App
  • Remove individual n8n instances and their associated data from your device
  • Opt out of anonymous analytics (see Section 11)

Additional rights for EEA/UK residents (GDPR): You also have the right to data portability, the right to restrict or object to processing, and the right to lodge a complaint with your local data protection authority.

Additional rights for California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete your data, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information as defined under the CCPA.

15. Children's Privacy

The App is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete such information.

16. International Data Transfers

Firebase services are hosted by Google Cloud and may process data in various regions. PostHog data is processed in the United States. RevenueCat processes data in the United States. Your n8n data travels directly between your device and your n8n instance and is not subject to transfer through our infrastructure. For data transferred outside the EEA, appropriate safeguards (such as Standard Contractual Clauses) are in place in accordance with applicable data protection laws.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy within the App or on our website. Your continued use of the App after changes constitutes acceptance of the updated policy.

18. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise any of your rights, please contact us at support@trigga.app.

19. Summary

In short: Trigga is a thin client for your n8n instance. Your API keys never leave your device's keychain. Your instance URLs stay on your device. Your workflow data never touches our servers. We use Firebase for authentication and settings, PostHog for anonymous analytics, and RevenueCat for subscriptions. We do not track you across apps or websites. When you delete your account, everything is gone.