Privacy Policy
Effective date: April 15, 2026
This Privacy Policy explains how TrustFront (“we”, “us”) collects, uses, and protects personal information. We comply with applicable privacy laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Brazilian Lei Geral de Proteção de Dados (LGPD).
1. Who we are
TrustFront is a free trust center builder. For privacy questions, contact hello@trustfront.io.
2. Information we collect
From account holders (you)
- Account data: name, email address, password (stored as a salted hash), profile picture (when signing in with Google).
- Organization data: company name, website URL, industry, contact email, primary brand color, logo.
- Trust center content: the security philosophy, badges, FAQs, controls, subprocessors, data matrix, and updates you publish.
- Uploaded files: documents you upload (SOC 2 reports, policies, etc.), stored on our server.
- Authentication metadata: session tokens, IP address at login.
From visitors of trust centers
- Page view metrics: visit counts, hashed IP fragment for rate limiting, timestamps. We do not use third-party analytics.
- Access requests: name, email, company, and reason a visitor provides when requesting access to a gated document.
- Subscriptions: email, name, and company when a visitor subscribes to updates.
Automatically
- Standard request logs (URL, user agent, timestamp) kept up to 90 days for security and abuse prevention.
- Essential session cookie to keep you logged in.
3. How we use your data
- Provide and operate the Service (creating your trust center, sending transactional emails, processing access requests).
- Generate AI-powered onboarding suggestions (your company name, industry, and website content are sent to our AI provider — see Subprocessors below).
- Improve the platform (aggregated metrics; we do not profile individuals).
- Send essential service emails (welcome, access-request notifications, password resets, security updates).
- Detect and prevent abuse, fraud, and security incidents.
- Comply with legal obligations.
We do not sell your personal data, do not show advertising, and do not use your trust center content to train AI models.
4. Legal bases (GDPR / LGPD)
- Performance of contract: account creation, providing the Service.
- Legitimate interest: security logging, abuse prevention, aggregated analytics.
- Consent: optional cookies, subscribing to marketing communications (where applicable).
- Legal obligation: tax, accounting, and law-enforcement requests.
5. Subprocessors
We share limited data with the following third parties strictly to operate the Service. Each is contractually bound to protect your data:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| RackNerd | Server hosting | All platform data (encrypted at rest) | United States |
| Resend | Transactional email delivery | Recipient email, subject, body of system emails | United States |
| OpenAI | AI suggestions during onboarding | Company name, industry, public website content | United States |
| Sign-in (OAuth) and favicon CDN | Email, name, profile picture (only if you sign in with Google) | United States | |
| Hostinger | DNS management | DNS records (no personal data) | Lithuania / Global |
We will update this list before adding any new subprocessor that processes personal data.
6. International data transfers
Our servers and most subprocessors are located in the United States. By using the Service, you acknowledge that your data may be transferred and stored outside your country of residence. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Data retention
- Account and trust center data: retained while your account is active.
- After account deletion: erased within 30 days, except where retention is required by law.
- Backups: retained for up to 30 days, then permanently deleted.
- Server access logs: 90 days.
- Analytics events on your trust center: retained while your account is active; you may purge them at any time from the editor.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data (most fields are editable from the dashboard).
- Delete your account and associated data (Settings → Danger Zone).
- Portability: request a copy of your data in a machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data protection authority (EU residents: your national DPA; Brazilian residents: ANPD; California residents: California Attorney General).
To exercise any of these rights, email hello@trustfront.io. We respond within 30 days.
9. Cookies
We use only essential, first-party cookies required to keep you signed in and to maintain approved-document access tokens. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for details.
10. Security
We protect your data with encryption in transit (TLS 1.3), encrypted credential storage (bcrypt-hashed passwords), restricted server access, daily backups, and continuous monitoring. No system is 100% secure; we recommend using a strong, unique password and, where supported by your identity provider, multi-factor authentication.
11. Children
TrustFront is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email or the dashboard at least 14 days before taking effect. The “Effective date” at the top reflects the latest revision.
13. Contact
For privacy questions, requests, or complaints, contact us at hello@trustfront.io.