Privacy Policy

Last updated: May 5, 2026

This Privacy Policy explains how The Midnight Lounge processes personal data in connection with Triumvir and Life Companion. It covers purposes, legal bases, data categories, subprocessors, retention, and user rights under GDPR.

1. Data Controller

Data controller: The Midnight Lounge
Legal form: Société par actions simplifiée à associé unique (SASU)
Registered office: 58 rue de Monceau, 75008 Paris, France
Registration: SIREN 994 404 903 - RCS Paris
VAT number: FR91 994 404 903
Privacy contact

2. Personal Data We Process

Account and identity data

  • email address, name if provided, account preferences and language;
  • authentication data, hashed passwords, session tokens, and information needed to secure the account.

Service data entered by you

  • income, expenses, loans, reserves, balances, checkpoints, scenarios, assumptions, notes, and other financial or decision-related information manually entered by the user.

Billing data

  • subscription plan, status, billing identifiers, payment history, and information required for accounting records;
  • full payment-card details are handled by Stripe and are not stored by The Midnight Lounge.

Technical data

  • IP address, browser type, device, access timestamps, technical logs, security information, and incident-diagnostic traces.

Support and contact data

  • messages sent to contact addresses, support requests, GDPR rights requests, and exchanges needed to handle them.

3. Purposes and Legal Bases

The Midnight Lounge does not sell personal data, does not use it for behavioural advertising, and does not track users across third-party websites.

  • Account creation and management: contract performance or pre-contractual steps.
  • Provision of Life Companion: contract performance, including computations, projections, scenarios, capacity, buffer, and trade-off features.
  • Billing and subscription management: contract performance and legal accounting/tax obligations.
  • Security and abuse prevention: legitimate interest in protecting the service, users, and infrastructure.
  • Support and user requests: contract performance, legitimate interest, or legal obligation depending on the request.
  • Legal compliance: legal obligation.
  • Optional client-side error monitoring: consent where required.

4. Subprocessors and Providers

The Midnight Lounge uses providers necessary to operate the service. They act as processors or technical providers depending on their role, and process data under documented instructions or their own legal obligations where they act as separate controllers for specific operations.

  • Supabase Inc.: database, authentication, and backend processing, primarily in an EU region.
  • Vercel Inc.: application hosting, edge delivery, deployment, and web infrastructure.
  • Resend, Inc.: transactional email delivery for account, security, support, and billing messages.
  • Stripe Payments Europe Ltd.: payments, billing, subscription management, and billing portal.
  • Sentry GmbH (Saarbrücken, Germany): technical error and incident monitoring, with no session replay, no analytics, no advertising, and only with explicit consent where required.

5. International Transfers

Data is primarily processed within the European Economic Area where provider configurations allow it. Some providers may involve transfers outside the EEA for hosting, payment, edge delivery, or technical support.

Where transfers occur, The Midnight Lounge relies on appropriate safeguards such as European Commission Standard Contractual Clauses, adequacy decisions, the EU-U.S. Data Privacy Framework where relevant, or other GDPR-recognised mechanisms.

6. Retention

  • Active accounts: for the duration of service use.
  • Service data after deletion or cancellation: deleted within 30 days unless longer retention is required by law or needed to defend legal rights.
  • Invoices and accounting records: retained for ten (10) years under French commercial-law obligations.
  • Security logs: retained for up to twelve (12) months for security, incident response, and abuse prevention.
  • Rights and support requests: kept for the time needed to handle the request, then archived only where necessary for evidence.

7. Security

The Midnight Lounge implements technical and organisational measures appropriate to the data processed, including encrypted communications, access controls, logical account-level data isolation, restricted internal access, CSRF protection, rate limiting on sensitive routes, security logging, and export/deletion procedures.

No security measure can provide absolute protection. If a personal-data breach is likely to result in a risk to users’ rights and freedoms, The Midnight Lounge will notify the CNIL and, where required, affected users under GDPR.

8. Cookies, Local Storage, and Error Monitoring

Triumvir uses cookies and local storage that are strictly necessary for authentication, CSRF protection, consent-state storage, and certain local preferences. These do not require prior consent where strictly necessary.

Client-side error monitoring through Sentry is optional where consent is required. Sentry does not perform session replay, analytics, or advertising profiling. Configuration disables automatic transmission of directly identifying data with sendDefaultPii: false and applies strict scrubbing to remove financial amounts, balances, IBANs, emails, phone numbers, and user-entered data before transmission.

9. Your Rights

Under GDPR and French data-protection law, you may exercise rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent where processing is based on consent, and instructions regarding your data after death.

To exercise these rights, email privacy@triumvir.io. We will respond within the GDPR timeframe, subject to reasonable identity verification and legal limits.

10. CNIL Complaint

You may lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, or through www.cnil.fr.

11. Changes

This policy may be updated to reflect changes to the service, processing operations, or applicable law. The current version is published on this page. For material changes, The Midnight Lounge will seek to inform users through an appropriate channel.

12. Contact

For privacy or personal-data questions, contact privacy@triumvir.io.