Privacy Policy

Last updated: May 5, 2026

TrooNow ("we", "us", "our") respects your privacy. This policy explains what data we collect, why, and what we do with it.

TrooNow is a software platform only. We are not a food business and have no involvement in the preparation, handling, or delivery of any food or beverage. When you place an order through a Merchant's site, your transaction is with that Merchant — not with TrooNow. Customer data collected during ordering is collected on behalf of the Merchant and is subject to the Merchant's own privacy practices in addition to this policy.

1. What we collect

From Merchants (food truck / restaurant owners)

• Account info: name, email, phone, business name, password (hashed)
• Business data: menu items, orders, customer lists, settings, uploaded images
• Financial record-keeping data you enter: expenses, vendors, mileage logs, invoices/bills, income entries, tax-rate settings, and any notes or attachments you upload to the bookkeeping tools. This data is retained in your tenant database until you delete it or cancel your account.
• Payment info: Stripe handles all payment processing. We never see or store your full card number. When you enable Stripe Tax, your Stripe-configured tax registrations and calculations are processed by Stripe directly.
• Terms-of-Service acceptance record: at signup we capture the acceptance timestamp, your client IP address, your browser user-agent string, and the version of the Terms you agreed to. This record is kept for the life of the account so we can prove you agreed to a specific version of the Terms.
• Usage data: pages visited, features used (for improving the product, not for advertising)

From Customers (people ordering from a Merchant)

• Order info: name, email, phone, order items, delivery address (if applicable)
• Payment info: processed by Stripe. We store the order total and confirmation status, not card details.

2. How we use your data

• To provide and operate the Service (hosting your site, processing orders, sending notifications)
• To send you account-related emails (order confirmations, billing receipts, password resets)
• To improve the Service (aggregate usage analytics — we don't sell or share individual data)
• To respond to support requests

We do not:

• Sell your data to anyone
• Show you ads or track you across the web
• Share your customer lists with other Merchants
• Use your data for AI training

3. Data isolation

Each Merchant's data is stored in a separate, isolated database file. One Merchant cannot access another Merchant's data. This is enforced at the operating-system level, not just by application logic.

4. Third-party services

We use the following third-party services that process data on your behalf:

• Stripe — optional payment processor for online orders (Stripe Checkout) and in-person POS sales (Stripe Terminal card readers and Stripe Checkout handoff for phone payments). Card data is entered directly into Stripe, never passes through TrooNow, and funds settle directly to the Merchant's connected Stripe account. For Stripe Terminal readers, we briefly request short-lived connection tokens scoped to the Merchant's Stripe account so the reader can authenticate; we do not store cardholder data. (Stripe's privacy policy)
• Square — optional payment processor for online orders (Square Payment Links). Merchants who already use Square can connect their existing Square account via OAuth. Card data is entered directly on Square's hosted checkout page, never passes through TrooNow, and funds settle directly to the Merchant's connected Square account. We store only the OAuth access token and merchant/location identifiers needed to create payment links on the Merchant's behalf; we do not store cardholder data. (Square's privacy policy)
• Twilio — SMS notifications, only if you configure it (their privacy policy)
• OpenStreetMap / Nominatim — map tiles and geocoding (their privacy policy)
• Google Places API — used to power the TrooNow food truck directory. We query Google's Places API to fetch publicly available business information (name, address, rating, photos) for food trucks in cities we index. No customer or merchant personal data is sent to Google through this integration. (Google's privacy policy)
• Mailgun — transactional email delivery (order confirmations, password resets, billing receipts, and other account notifications sent to Merchants and their customers). Email addresses and message content are transmitted to Mailgun for delivery. (Mailgun's privacy policy)
• Sentry — error monitoring and crash reporting. When an application error occurs, Sentry captures technical diagnostic information (stack traces, request URLs, error messages). We configure Sentry with send_default_pii=False to minimize personal data capture; however, error context may incidentally include non-sensitive request metadata. (Sentry's privacy policy)
• Cloudflare — DNS, CDN, and traffic proxy. All requests to troonow.com and tenant subdomains pass through Cloudflare's network, which processes IP addresses and request metadata to provide DDoS protection, SSL termination, and caching. (Cloudflare's privacy policy)

5. Data retention

• Active accounts: we keep your data as long as your account is active.
• Cancelled accounts: we delete your data within 30 days of account cancellation.
• Backups: encrypted daily backups are retained for 14 days, then automatically purged.
• Terms-of-Service acceptance records (timestamp, IP, user-agent, version) are retained for the life of the account plus seven (7) years after cancellation for legal-defensibility purposes.
• Financial records: you — not TrooNow — are responsible for retaining copies of your bookkeeping records for the periods required by applicable law (commonly three to seven years for U.S. tax purposes). Export your data any time from the bookkeeping dashboard using the "Download for your CPA" ZIP. See Terms §8.

6. Your rights

You can:

• Export your data anytime from your admin dashboard (Settings → Export Tenant Data)
• Delete your account — see our Data Deletion Instructions or email support@troonow.com. We remove everything within 30 days.
• Correct your information directly from your admin settings
• Request a copy of your data by emailing support@troonow.com

Meta (Facebook / Instagram) integration: We use Meta's Graph API to publish content you author to the Facebook Pages and Instagram Business accounts you authorize. We store only the access tokens and Page / account IDs needed to publish on your behalf. See our Data Deletion Instructions for how to remove this data, including by revoking the app from your Facebook settings.

7. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g., data we are required to retain by law or for legitimate business purposes).
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising purposes. No opt-out is required, but you may contact us to confirm this.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted under CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

How to submit a request: Email support@troonow.com with the subject line "California Privacy Request." We will respond within 45 days. We may need to verify your identity before fulfilling the request.

Shine the Light: California Civil Code § 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

8. Cookies

We use the following cookies:

• admin_token / customer_token — session cookies for login (HttpOnly, secure)
• csrf_token — CSRF protection (required for form submissions)
• cart — shopping cart contents (customer-facing only)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Security

• All passwords are hashed with bcrypt (never stored in plain text)
• All connections are encrypted via HTTPS / TLS
• CSRF protection on every form
• Rate limiting on authentication endpoints
• Per-tenant data isolation at the file-system level

10. Children

The Service is not intended for children under 13. We don't knowingly collect data from children.

11. Changes

We may update this policy. We'll email Merchants about significant changes at least 14 days before they take effect.

12. Contact

Privacy questions? Email us at support@troonow.com or use our contact form.