Trivium

Trivium—Privacy Policy

Effective date: July 4, 2026 Last updated: July 4, 2026

This Privacy Policy explains how Trivium ("we", "us", "our") collects, uses, discloses, and protects personal information when you use the Trivium school information system, our website at usetrivium.com, and related services (together, the "Service").


1. Who we are and our two roles

Trivium provides a multi‑tenant student information system used by schools. Because of how the Service works, we handle personal information in two distinct roles:

  • As a service provider / processor (on behalf of a school). Most information in the Service—student records, grades, attendance, health and medical notes, report cards, guardian contacts, messages, applications, billing records, and staff records—is provided by, and belongs to, the school that uses Trivium (the "School"). For this information the School is the data controller (UK GDPR), the educational institution responsible under FERPA (US), and the organization responsible under PIPEDA / provincial law (Canada). Trivium acts as the School's processor / service provider / "school official" and handles this information only on the School's documented instructions and under our agreement with the School (including any Data Processing Addendum, "DPA").

*If you are a parent, guardian, student, or staff member, your school—not Trivium—controls your records in the Service. Please direct access, correction, and deletion requests about those records to your school first. We will assist the school in responding.*

  • As a controller (for our own purposes). For a limited set of information—for example, the contact and billing details of the School and its administrators, account‑security data, error diagnostics, and support communications with us—Trivium acts as the controller and this Policy governs directly.

This Policy describes both roles. Where a specific regional law applies (Canada, UK, US), see Section 11—Your rights.


2. Information we collect

We collect the following categories of personal information. Not all categories apply to every user.

Account & identity

  • Names, email addresses, phone numbers, mailing addresses
  • Usernames, hashed passwords, and authentication tokens
  • Role within a school (administrator, staff/teacher, parent/guardian, student)
  • Profile photos (where uploaded)

Student records (provided and controlled by the School)

  • Student name, preferred name, date of birth, gender, grade level, photo
  • Enrollment status, schedules, and class assignments
  • Grades, scores, assignments, report cards, transcripts, and "wisdom & virtue" / character ratings
  • Attendance records and discipline notices
  • Health information, including medical conditions, allergies, medications, physician details, and health‑card numbers
  • Uploaded student documents

Family & guardian information

  • Guardian names, relationships, contact details, and which students they are linked to
  • Application/inquiry information from prospective families, including the details above plus parent employment, emergency contacts, educational history, reasons for applying, and statement‑of‑faith/church information

Staff & HR information (provided and controlled by the School)

  • Employment profile, title, hire date, contact details
  • Compensation/salary, recorded absences, and time‑off requests

Financial information

  • Tuition, fee schedules, invoices, payment plans, discounts, and donation records
  • Limited payment metadata. Card and bank details are processed by our payment processor (Stripe) and are not stored by Trivium.

Communications

  • Messages and channel posts between school staff, parents, and students within the Service
  • Emails we send on a school's behalf and support correspondence with us
  • Newsletters and forms a school sends and the responses families submit

Technical & usage data

  • IP address (including for e‑signature audit records), device and browser type, log data, timestamps, and pages/actions within the Service
  • Cookies and similar technologies (see Section 10)

AI assistant interactions

  • Prompts you enter into, and content surfaced by, the in‑app AI assistant (see Section 6)

We do not intentionally collect special‑category/sensitive data beyond the health information and faith‑related application fields described above, which a School chooses to capture for legitimate educational and admissions purposes.


3. How we collect information

  • Directly from the School and its authorized users as they set up and use the Service.
  • From prospective families who submit inquiry and application forms.
  • Automatically, through cookies, server logs, and error monitoring.
  • From sub‑processors that provide hosting, email, payment, and AI functionality (see Section 7).

4. How we use information, and our legal bases

We use personal information to:

PurposeUK GDPR legal basis (illustrative)
Provide, operate, and secure the Service for the SchoolPerformance of a contract; the School's legitimate interests / public task
Authenticate users and protect accountsLegitimate interests; legal obligation
Process applications, enrollment, billing, and donationsContract; legitimate interests
Send transactional and school‑directed communicationsContract; legitimate interests; consent where required (e.g., marketing newsletters)
Provide the AI assistant features at a user's requestPerformance of a contract; legitimate interests
Provide support and respond to requestsContract; legitimate interests
Maintain audit trails, including e‑signature recordsLegal obligation; legitimate interests
Improve, troubleshoot, and develop the ServiceLegitimate interests (using de‑identified/aggregated data where practical)
Comply with law and enforce our termsLegal obligation; legitimate interests

For student and other School‑controlled records, the School determines the purposes and legal basis; we process only as instructed.

We do not sell personal information, and we do not use student personal information for advertising or to build advertising profiles.


5. Children's privacy

The Service is designed for use by schools, including for students who are minors.

  • United States (FERPA & COPPA). Trivium handles student "education records" as a "school official" with a legitimate educational interest, under the School's direct control, and uses them only to provide the Service. We do not re‑disclose them except as the School directs or as law permits. For students under 13, the School provides consent on behalf of parents for the educational use of the Service, consistent with COPPA's school‑consent guidance. We do not condition participation on collecting more information than is reasonably necessary, and we do not use children's data for behavioral advertising.
  • United Kingdom. Where children use the Service, processing is carried out for the School under its lawful basis. We design child‑facing features consistent with the ICO's Age Appropriate Design Code principles. Student logins are intended to be created and managed by the School.
  • Canada. Consent for the collection and use of a minor's information is managed by the School and, where required, the parent/guardian, consistent with PIPEDA and applicable provincial law.

Parents and guardians with questions about a child's information should contact their school, which controls those records.


6. Artificial intelligence features

The Service includes an in‑app AI assistant. When a user invokes it, relevant content from that user's authorized view (scoped by the same access controls as the rest of the Service) may be sent to a third‑party large language model provider (currently Anthropic) to generate a response.

  • The assistant only operates on data the requesting user is already permitted to see.
  • We instruct our AI provider not to use customer/School data to train their foundation models, and we rely on Anthropic's commercial API data‑handling terms, under which API inputs and outputs are not used to train Anthropic's models.
  • AI outputs may be inaccurate; they are assistive and should not be solely relied upon for decisions about a student.

7. How we share and disclose information

We share personal information only as follows. We do not sell it.

  • With the School and its authorized users, according to the roles and permissions configured in the Service.
  • With sub‑processors that perform services for us under contract and data‑protection obligations, including (confirm current list):
  • Supabase—database, authentication, and file storage (hosting region: United States)
  • Vercel—application hosting and content delivery
  • Resend—transactional and newsletter email delivery
  • Stripe—payment and donation processing
  • Anthropic—AI assistant functionality
  • Sentry—error monitoring, so we can detect and fix failures in the Service; error reports and stack traces are scrubbed of emails, phone numbers, cookies, and authentication headers before transmission, and no student records are intentionally sent
  • Twilio—text-message (SMS) delivery for emergency alerts and reminders, used only when a School enables SMS; receives recipient phone numbers and the message content
  • For legal reasons—to comply with law, lawful requests, or legal process, and to protect the rights, safety, and security of users, the School, the public, or Trivium.
  • In a business transfer—in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy and applicable law.
  • With your consent or at your direction.

A current list of sub‑processors, including hosting regions, is published at usetrivium.com/subprocessors and available on request at privacy@usetrivium.com.


8. International data transfers

Trivium is operated from the United States, and our sub‑processors (including hosting) may store and process data in the United States and other countries. This means information may be transferred across borders, including outside Canada, the UK, and the EEA.

  • UK transfers. Where we transfer personal information from the UK to a country without UK "adequacy" status, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus a transfer risk assessment.
  • Canada. Personal information handled in Canada may be stored or processed in the United States by our service providers and may therefore be accessible to foreign authorities under that country's laws. Québec Law 25 transfer‑assessment requirements are addressed in our DPA with the School.
  • United States. Data is primarily hosted in the United States.

You may contact us for more information about the safeguards we use.


9. Data retention

  • For School‑controlled records, we retain personal information for as long as the School maintains its account and as instructed in our agreement with the School. On termination, we make data available for export and then delete or de‑identify it within 90 days of termination, except where retention is required by law (including financial records retained as required by tax law).
  • For data we control (e.g., billing and account records), we retain it as long as needed for the purposes described in this Policy and to meet legal, accounting, and audit obligations.
  • Backups are retained for 30 days on a rolling basis.

10. Cookies and similar technologies

We use strictly necessary cookies to authenticate users and keep the Service secure and functioning. We use no analytics cookies, and we do not use advertising or cross‑site tracking cookies. Where required by law (e.g., UK PECR), we obtain consent for non‑essential cookies through our cookie banner. You can control cookies through your browser settings; disabling essential cookies may break the Service.


11. Your rights

Your rights depend on where you live and your relationship to the School. For student, family, and staff records held on behalf of a School, contact your School first—we will help the School fulfill the request.

11.1 Canada (PIPEDA and provincial laws, including Québec Law 25, Alberta PIPA, BC PIPA)

You may:

  • Request access to the personal information we hold about you and information about how it has been used and disclosed;
  • Request correction of inaccurate information;
  • Withdraw consent, subject to legal or contractual restrictions;
  • Make a complaint to us and, if unresolved, to the Office of the Privacy Commissioner of Canada (or your provincial commissioner, e.g., the CAI in Québec).

We will respond within the timelines set by applicable law. Our Privacy Officer is identified in Section 14.

11.2 United Kingdom (UK GDPR and Data Protection Act 2018)

Where Trivium is the controller, you have the right to: access; rectification; erasure; restriction of processing; data portability; object to processing (including processing based on legitimate interests and direct marketing); and rights related to automated decision‑making (we do not make solely automated decisions producing legal or similarly significant effects). To exercise these rights, contact us at privacy@usetrivium.com. You may also complain to the Information Commissioner's Office (ICO) at ico.org.uk. Where Trivium is a processor, we will refer your request to the School.

11.3 United States

  • FERPA. Parents and eligible students have rights to inspect, review, and seek correction of "education records." These rights are exercised through the School, which controls the records; Trivium assists the School.
  • COPPA. For children under 13, the School provides and manages consent; parents may direct requests to the School.
  • California (CCPA/CPRA). For information where we act as a "service provider", requests are directed to the School. Where Trivium is a business with respect to certain information, California residents may request to know, access, correct, and delete personal information, and to opt out of "sale" or "sharing"Trivium does not sell or share personal information as those terms are defined, and does not use sensitive personal information for purposes requiring a right to limit. We will not discriminate against you for exercising your rights.
  • Other US states. Residents of states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Texas, and others) may have similar rights; we honor applicable state rights and, for School‑controlled data, refer requests to the School. Many student‑privacy laws (e.g., California's SOPIPA) restrict the use of student data—we comply by using student data only to provide the Service, not for advertising or profiling, and not selling it.

How to make a request. Email privacy@usetrivium.com with your request and enough information for us to verify your identity and locate your records. We may need to confirm the request with the relevant School.


12. Security

We use technical and organizational measures to protect personal information, including encryption in transit, hashed credentials, row‑level access controls that scope data by school and role, least‑privilege access for staff, and logging. No method of transmission or storage is completely secure. If we become aware of a personal‑data breach, we will notify affected Schools, regulators, and individuals as required by applicable law (including PIPEDA's "real risk of significant harm" standard, UK GDPR's 72‑hour regulator notification, and applicable US state breach laws), and will assist Schools in meeting their own notification obligations.


13. Third‑party links

The Service or school communications may link to third‑party sites we do not control. Their privacy practices are governed by their own policies.

14. Contact us

Privacy Officer / Data Protection contact: Trivium Privacy Team Email: privacy@usetrivium.com Mailing address: available on request via the email above.

  • Canada—Privacy Officer: Trivium Privacy Team, privacy@usetrivium.com
  • UK / EU: Trivium has not appointed a UK/EU representative or Data Protection Officer; contact privacy@usetrivium.com for data‑protection matters.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, where required, notify Schools or users of material changes. Your continued use of the Service after changes take effect constitutes acceptance, to the extent permitted by law.