Legal

Privacy Policy

Effective Date: March 27, 2026
Last Updated: March 27, 2026

This Privacy Policy describes how TrustFill AI, Inc. ("TrustFill AI," "we," "us," or "our") collects, uses, and discloses personal information when you visit our website, use our services, or otherwise interact with us. It also describes your choices and rights with respect to your personal information.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Scope of This Privacy Policy

This Privacy Policy applies to personal information TrustFill AI collects through our website at trustfillai.com and related websites (collectively, the "Websites"), as well as through our AI-powered security questionnaire automation platform (the "Services") and various interactions you may have with us, including customer service inquiries, events, and communications.

A separate agreement governs the provision of TrustFill AI's subscription services to customers (the "Subscription Agreement"), including the processing of personal information contained in the data customers upload to the Services ("Customer Data"). When TrustFill AI processes Customer Data on behalf of a customer as a processor, that processing is governed by our Data Processing Addendum, not this Privacy Policy.

This Privacy Policy does not apply to third-party applications, software, products, or services that integrate with our Services ("Third-Party Services"), even if they are accessible through our platform.

2. Information We Collect

Information You Provide to Us

  • Account Information. When you create an account or subscribe to our Services, we collect your name, email address, company name, job title, phone number, and billing information. If you are invited to join a team workspace, your employer or team administrator may provide your email address to us.
  • Customer Data. You may upload security documents, compliance policies, questionnaires, and other materials to our platform for AI processing. This data is processed on your behalf as described in our Subscription Agreement and Data Processing Addendum.
  • Communications. When you contact us for support, submit a contact form, or communicate with us via email, we collect the content of your communications and any information you choose to provide.
  • Payment Information. When you purchase a subscription, we collect payment details through our third-party payment processor, Stripe. We do not store your full credit card number on our servers.
  • Survey and Feedback Data. If you participate in surveys, provide feedback, or engage with our promotional activities, we collect the information you submit.

Information Collected Automatically

  • Usage Data. We collect information about how you interact with our Services, including pages visited, features used, questionnaires processed, documents uploaded, search queries, and the date and time of your activities.
  • Device and Log Data. We automatically collect your IP address, browser type and version, operating system, device identifiers, referring URLs, and other standard log information when you access our Websites or Services.
  • Approximate Location. We may infer your approximate location based on your IP address or the business address associated with your account.
  • Cookie Data. We use cookies and similar tracking technologies to collect information about your browsing activity. See Section 6 for more details.

Information from Other Sources

  • Third-Party Sources. We may receive information about you from business partners, analytics providers, advertising networks, and publicly available sources to supplement our records and improve our Services.
  • Single Sign-On (SSO) Providers. If you authenticate using a third-party SSO provider (such as Okta, Azure AD, or Google Workspace), we receive your name, email address, and other profile information as authorized by your identity provider.

3. How We Use Your Information

We use your personal information for the following purposes:

  • Provide and Maintain Services. To operate, deliver, and improve our AI-powered security questionnaire automation platform, including processing your documents, generating responses, and maintaining your knowledge base.
  • Account Management. To create and manage your account, process payments, send invoices, and provide customer support.
  • Improve and Develop. To analyze usage patterns, diagnose technical issues, conduct research, and develop new features and services. We may use aggregated and de-identified data for these purposes.
  • Communications. To send you service-related notices, security alerts, billing reminders, and updates about our Services. With your consent, we may also send marketing communications.
  • Security and Fraud Prevention. To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.
  • Legal Compliance. To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Personalization. To tailor your experience, including providing relevant content recommendations and customizing the Services to your preferences.

4. AI and Automated Processing

TrustFill AI uses artificial intelligence and machine learning technologies to provide our core Services. This section describes how we use AI in connection with your data:

  • Document Processing. When you upload security documents to your knowledge base, our AI systems analyze and extract relevant information to build a searchable knowledge repository. This processing is performed on your behalf as a data processor.
  • Response Generation. Our AI generates responses to security questionnaire questions by referencing your uploaded knowledge base. Each response includes source citations and confidence scores for transparency and auditability.
  • No Training on Customer Data. We do not use your Customer Data (uploaded documents, questionnaires, or generated responses) to train our AI models or improve our algorithms. Your data remains isolated within your workspace.
  • Human Review. All AI-generated responses are presented for human review before finalization. Our platform includes approval workflows that allow your team to review, edit, approve, or reject any AI-generated content.
  • Audit Trail. We maintain a complete audit trail of all AI processing activities, including which documents were referenced, confidence scores, and any human modifications made to AI-generated responses.

5. How We Share Your Information

We may share your personal information in the following circumstances:

  • Service Providers. We share information with third-party vendors who perform services on our behalf, such as payment processing (Stripe), cloud hosting, analytics, and customer support. These providers are contractually obligated to use your information only as directed by us.
  • Webhook Integrations. If you configure webhook integrations (such as Slack, Jira, or Salesforce), certain event data will be transmitted to those third-party services as directed by you. You are responsible for the privacy practices of those services.
  • Team Members. Information within your team workspace is shared among authorized team members as configured by your team administrator.
  • Trust Profile. If you enable a public Trust Profile, certain compliance metrics (compliance score, document coverage, framework certifications) will be publicly accessible. No Customer Data or document contents are exposed through the Trust Profile.
  • Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of TrustFill AI, our users, or others.
  • Business Transfers. In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
  • With Your Consent. We may share your information for other purposes with your explicit consent.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (such as web beacons, pixels, and local storage) to collect information about your browsing activity and to distinguish you from other users. This helps us provide you with a better experience and allows us to improve our Services.

Cookie types and their purposes:

  • Essential. Required for the operation of our Services, including authentication, security, and session management.
  • Analytics. Help us understand how visitors interact with our Websites and Services, enabling us to improve functionality and user experience.
  • Functional. Enable enhanced functionality and personalization, such as remembering your preferences and settings.
  • Marketing. Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls and role-based permissions
  • Secure cloud infrastructure with SOC 2 Type II certified providers
  • Employee security training and background checks
  • Incident response procedures and breach notification protocols
  • Regular data backups and disaster recovery planning

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Account Data. Retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
  • Customer Data. Retained for the duration of your subscription. Upon termination or expiration, Customer Data is deleted within 90 days unless you request earlier deletion or we are required by law to retain it.
  • Usage and Log Data. Generally retained for up to 24 months for analytics and security purposes, then aggregated or deleted.
  • Audit Logs. Retained for a minimum of 12 months to support compliance and security audit requirements.

9. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Request correction of inaccurate or incomplete personal information.
  • Deletion. Request deletion of your personal information, subject to certain legal exceptions.
  • Portability. Request a copy of your personal information in a structured, commonly used, machine-readable format.
  • Restriction. Request that we restrict the processing of your personal information under certain circumstances.
  • Objection. Object to the processing of your personal information for direct marketing or where we rely on legitimate interests.
  • Withdraw Consent. Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Opt-Out of Marketing. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in our emails or contacting us directly.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law.

10. Supplemental Terms for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Categories of Personal Information Collected. In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address), commercial information (subscription and billing records), internet or network activity (usage data, browsing history), professional information (job title, company), and inferences drawn from the above.

Right to Know and Delete. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, and to request deletion of your personal information.

Right to Opt-Out of Sale/Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at [email protected] or use the contact information provided in Section 15.

11. Supplemental Terms for EEA, Switzerland, and UK Residents

If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, the following additional terms apply to our processing of your personal data under the General Data Protection Regulation (GDPR) and UK GDPR.

Legal Bases for Processing. We process your personal data based on the following legal bases: (a) performance of a contract with you; (b) our legitimate interests (such as improving our Services, preventing fraud, and marketing); (c) your consent; and (d) compliance with legal obligations.

Data Controller. TrustFill AI, Inc. is the data controller for personal data collected through our Websites and in connection with our business operations. When we process Customer Data on behalf of our customers, we act as a data processor.

Your Rights. In addition to the rights described in Section 9, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates applicable law.

Data Protection Officer. For questions about our data protection practices, please contact our Data Protection Officer at [email protected].

12. International Data Transfers

TrustFill AI is based in the United States. If you access our Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the EEA, Switzerland, or the UK to the United States, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office, as applicable.

We participate in and comply with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. For more information, visit https://www.dataprivacyframework.gov.

13. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a child under 16, please contact us at [email protected].

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where required by law, provide additional notice (such as via email or a prominent notice on our Websites).

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Services after any changes constitutes your acceptance of the updated Privacy Policy.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

TrustFill AI, Inc.

Email: [email protected]

Website: trustfillai.com

If you are located in the EEA, Switzerland, or the UK and have concerns about our data processing that we have not been able to resolve, you have the right to lodge a complaint with your local data protection authority.