This Privacy Policy provides the information required by Articles 13 and 14 of the UK and EU General Data Protection Regulation ("GDPR") when we process personal data relating to visitors to trustrespond.ai and users of the TrustRespond service.
1. Who is responsible (data controller)?
The data controller for personal data processed in connection with this website and the TrustRespond service is the operator of TrustRespond.ai. For privacy requests, and for contractual and regulatory correspondence, contact us at info@trustrespond.ai.
Where Article 37 GDPR does not require one, we have not appointed a Data Protection Officer (DPO); you may address all privacy enquiries to info@trustrespond.ai. A postal address for formal notices is provided on request to info@trustrespond.ai.
2. What we process, why, and legal bases
We process personal data only for specific purposes and on a lawful basis under Article 6 GDPR.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Providing the TrustRespond product (accounts, questionnaires, exports, Trust Center) | Account and profile data; customer content you upload; usage and technical logs tied to your workspace | Performance of a contract (Art. 6(1)(b)); occasionally legitimate interests in securing the service (Art. 6(1)(f)) |
| Website delivery, security, fraud prevention | IP address, device and browser data, security logs | Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)) |
| Product analytics (if you accept non-essential cookies) | Pseudonymous usage metrics as described in our Cookie Policy | Consent (Art. 6(1)(a)) |
| Marketing communications (if you opt in) | Contact details, preferences | Consent (Art. 6(1)(a)) |
| Compliance, disputes, record-keeping | Relevant account and communications data | Legitimate interests and legal obligations (Art. 6(1)(c) and (f)) |
3. AI-assisted processing
TrustRespond uses AI to suggest answers to security questionnaire cells based on your uploaded policies and similar context you provide. This is assistive: it does not replace your review. You remain responsible for approving content before export or sharing. We do not use personal data in this pipeline for decisions that produce legal or similarly significant effects solely by automated means without human involvement. See also our AI system information page for transparency under the EU AI Act.
4. Recipients and subprocessors
We use trusted infrastructure and service providers (for example hosting, database, authentication, and email). They process data only on our instructions and under appropriate data processing terms. A current list of categories is available on request; key providers include cloud hosting and database services (data may be processed in the EEA and, where disclosed, other regions with appropriate safeguards).
5. Transfers outside the EEA
Where personal data is transferred to countries not covered by an adequacy decision, we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and supplementary measures where required. You may request a copy of relevant safeguards by contacting info@trustrespond.ai.
6. How long we keep data
We retain personal data only as long as necessary for the purposes above: for example, for the lifetime of your account plus a limited period for backups, legal claims, and accounting, unless a longer period is required by law. Specific retention periods can be provided on request for your use case.
7. Your rights
Under GDPR you have the right to:
- Access your personal data (Art. 15)
- Rectification (Art. 16)
- Erasure in certain cases (Art. 17)
- Restriction of processing (Art. 18)
- Data portability, where applicable (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, without affecting prior lawful processing (Art. 7(3))
To exercise your rights, email info@trustrespond.ai. You may also lodge a complaint with your local supervisory authority.
8. Whether you must provide data
Where processing is necessary to perform our contract with you, failure to provide required account or billing data may mean we cannot provide the service. Other fields may be voluntary as indicated in the product.
9. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy. Non-essential analytics are only activated after you consent via our cookie banner.
10. Changes
We may update this policy and will adjust the "Last updated" date. Material changes will be communicated as appropriate (for example by email or in-product notice).