Scope and who we are
This Privacy Policy applies to the TrustReply website at trustreply.app, the TrustReply web application, and any related services (collectively, the “Service”). It is published by TrustReply (“TrustReply,” “we,” “us,” or “our”).
[Placeholder — replace with your registered legal entity name and address before going live.] Example: TrustReply LLC, a Delaware limited liability company, with a registered address at [address].
For the purposes of the EU/UK General Data Protection Regulation (“GDPR”), when you use TrustReply as a customer to process data about your own end users or employees, you are the controller and we are the processor. Our processing of that data is governed by our Data Processing Addendum. This Privacy Policy describes how we process data for which we are the controller — primarily account and billing data, marketing data, and product telemetry.
Information we collect
We collect the following categories of information:
Information you provide directly
- Account data: your name, work email address, password (stored as a one-way hash), company name, and role.
- Billing data: billing address, VAT/tax ID, and payment-method metadata. Card numbers are handled by our payment processor and never touch our servers.
- Customer Content: the documents you upload to your Knowledge Base (security policies, SOC2 reports, AI risk registers, privacy policies, etc.) and the vendor questionnaires you process. We treat Customer Content as confidential and process it strictly to provide the Service. See our DPA for details.
- Communications: emails, support tickets, and feedback you send us.
Information collected automatically
- Usage data: pages viewed, features used, timestamps, and high-level interaction patterns. Used to debug, secure, and improve the Service.
- Device and log data: IP address, browser type and version, operating system, referring URL, and approximate location derived from IP. Retained as part of standard server logs.
- Cookies and similar technologies: see Section 12.
We do not intentionally collect special categories of data (health, biometrics, political opinions, etc.). If your Knowledge Base contains such data, you must have a lawful basis to upload it and you remain the controller — see our DPA.
How we use information
We use information for the following purposes:
- Providing the Service: processing your Knowledge Base, drafting answers to your questionnaires, generating citations and confidence scores, and exporting results.
- Account management: creating, securing, and supporting your account.
- Billing and tax compliance: processing payments, issuing invoices, and meeting accounting obligations.
- Security and fraud prevention: detecting abuse, denial-of-service attempts, credential stuffing, and unauthorized access.
- Product improvement: analyzing aggregated, de-identified usage data to improve features. We do not use Customer Content to train AI models. Ever.
- Communications: sending you transactional emails (receipts, security alerts, service notices) and, with your consent or where permitted, product updates.
- Legal compliance: responding to lawful requests, enforcing our Terms, and protecting our rights and the rights of others.
Legal bases (GDPR)
If you're in the EU, UK, or another jurisdiction with similar laws, we rely on the following legal bases:
- Contract: to provide the Service you've signed up for.
- Legitimate interests: to secure the Service, prevent fraud, improve the product (using aggregated data), and communicate with you about your account. We've assessed these interests against your rights and concluded they do not override them.
- Consent: for optional analytics cookies and marketing emails, where required. You can withdraw consent at any time.
- Legal obligation: to meet tax, accounting, and other statutory requirements.
AI processing and no training on your data
TrustReply uses third-party large-language-model (LLM) APIs — currently the Anthropic Claude API — to draft answers from your Knowledge Base. We call these APIs in stateless mode: each request is independent, and the provider does not retain prompts or completions beyond what is required to return the response and apply abuse monitoring.
Your Customer Content is never used to train any model— not ours, not Anthropic's, and not any other third party's. This is contractually enforced with our LLM provider and is a foundational commitment of TrustReply.
AI-generated drafts are drafts. They may contain errors, omissions, or hallucinations. You are responsible for reviewing every draft before submitting it to a customer, vendor, auditor, or regulator. Our Terms of Service describe this responsibility in more detail.
Sub-processors
We use the following sub-processors to deliver the Service. We require each of them to provide at least the same level of data protection as we do.
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic, PBC | LLM API for drafting answers (stateless) | United States |
| Supabase, Inc. | Database, storage, and authentication | United States / EU |
| Vercel, Inc. | Application hosting and CDN | United States / Global |
| Resend, Inc. | Transactional email delivery | United States |
| Stripe, Inc. (when enabled) | Payment processing and billing | United States / Global |
| Plausible Analytics (or equivalent) | Privacy-respecting product analytics (no cookies, no PII) | EU |
We'll give at least 30 days' notice before adding or replacing a sub-processor that handles Customer Content. See our DPA for the sub-processor objection process.
Data retention
We retain information only as long as we need it for the purposes set out in this policy or as required by law.
- Account data: for the life of your account, plus up to 90 days after deletion to allow account recovery and to satisfy tax/legal requirements.
- Customer Content (KB documents, questionnaires, drafts): retained while your account is active. On account closure, we delete or anonymize within 30 days unless legal hold applies.
- Billing records: retained for 7 years to comply with tax law.
- Server logs: retained for up to 90 days for debugging and security forensics.
- Backup snapshots: retained up to 30 days on a rolling basis. Deleted content is purged from backups within that window.
Security measures
We implement technical and organizational measures appropriate to the risk, including:
- AES-256 encryption at rest for Customer Content and credentials.
- TLS 1.2+ encryption in transit for all connections.
- Row-level security in our Postgres database so your tenant data is isolated from other tenants by default.
- Principle-of-least-privilege access controls; production access is limited to personnel who require it and is logged.
- Password hashing via industry-standard, slow, salted algorithms.
- Regular dependency scanning and security review of code changes.
- Sub-processors selected and contracted in line with industry standards (SOC2 / ISO 27001 where applicable).
No system is perfectly secure. If a security incident affects your data, we'll notify you in line with applicable law (and within 72 hours where required by the GDPR — see our DPA).
Your rights
Depending on where you live, you may have the following rights:
- Access: request a copy of your personal data.
- Rectification: ask us to correct inaccurate or incomplete data.
- Deletion: ask us to delete your data, subject to lawful retention exceptions.
- Portability: request your data in a structured, machine-readable format.
- Objection / restriction: object to processing based on legitimate interests, or ask us to restrict processing.
- Withdraw consent: where we rely on consent, withdraw it at any time without affecting prior processing.
- Lodge a complaint: with your local data protection authority. We'd prefer you contact us first so we can address it.
- For California residents (CCPA/CPRA): the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as defined under California law.
To exercise any of these rights, email us at privacy@trustreply.app. We'll respond within 30 days (or sooner where required).
International data transfers
TrustReply is operated from the United States, and our sub-processors are located in the United States and the EU. When we transfer personal data from the EU/EEA, the UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures where required. Our DPA incorporates the SCCs by reference.
Children's privacy
TrustReply is not intended for, and we do not knowingly collect personal data from, anyone under 18. If you believe we have inadvertently collected such data, contact us and we'll delete it.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we'll notify you by email or via in-product notice at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.
Contact us
For questions about this Privacy Policy or to exercise your rights, contact:
privacy@trustreply.app
If you're in the EU or UK and we're required to appoint a representative, we will update this section with their contact details.
Questions about this policy?
Email us at privacy@trustreply.app. We'll respond within 5 business days.