Privacy Policy

Last updated: September 16, 2025

IMPORTANT NOTICE: This German version constitutes the legally binding document. The English version serves only as a reference. In case of conflicts or ambiguities between the versions, the German version takes precedence.

German Version: Datenschutzerklärung

Related Documents:

IMPORTANT: The Data Processing Agreement (DPA) takes precedence over this Privacy Policy when it comes to processing end-user data on behalf of our customers.


1. Introduction

Trusted Accounts SW FlexCo ("we", "our" or "us") is committed to protecting your privacy and the secure handling of your personal data. This Privacy Policy explains how we collect, use, process and protect your data when you use our services, including Trusted Captcha, Trusted SDK, Trusted Verify, WordPress Plugin, our Developer Console and all other components or services we offer. We believe that privacy and security are fundamental rights. We have designed our services and practices to respect and protect these rights at every level of our operations.

This Privacy Policy applies to all users of our website, API services and SaaS platforms. It describes how we collect, process, store and share your personal information in connection with our services. The scope of this policy varies depending on your relationship with us: whether you are a direct customer, an end user who encounters our service on a customer's platform, or a visitor to our website.

IMPORTANT DISTINCTION: Different Data Processing Roles

This Privacy Policy addresses different situations in which we process personal data. Depending on the context, we may take on different roles:

🔵 SITUATION 1: We are the Data Controller

  • When this applies: When you interact directly with us, e.g.:
    • You create a customer account with us
    • You visit our website (www.trustedaccounts.org)
    • You use our Developer Console
    • You contact us for support
    • You are our direct SaaS customer
  • What this means: We determine the purposes and means of data processing and are responsible for compliance with data protection laws.

🟡 SITUATION 2: We are the Data Processor

  • When this applies: When you use our services on a customer's website or app and we only act on the customer's instructions, e.g.:
    • You see our Trusted Captcha on a customer website
    • You use Trusted Verify on a customer platform
    • You interact with our SDKs in a customer application
  • What this means: The customer (website operator) is the data controller and determines why and how your data is processed. We only process your data according to their instructions.

🟠 SITUATION 3: We are Joint Controllers

  • When this applies: When we pursue our own purposes in addition to customer instructions, e.g.:
    • We use data for our fraud database to improve security
    • We use data for product improvements and service optimization
    • We create anonymized analyses for our score network
    • We use data for our own security research and threat analysis
  • What this means: We share responsibility with the customer. The customer remains responsible for their purposes, we are responsible for our own purposes.

2. Who we are & Contact Information

Controller:

  • Company: Trusted Accounts SW FlexCo
  • Legal form: Flexible Company (FlexCo / Flexible Kapitalgesellschaft)
  • Registered office: Götzis, Austria
  • Business address: Vorarlberger Wirtschaftspark 1, 6840 Götzis, Austria
  • Website: www.trustedaccounts.org
  • General contact: contact@trustedaccounts.org

Data Protection Officer:

3. Understanding Your Relationship to Our Services

3.1 Role Responsibilities Overview

| Your Situation | Our Role | Who is responsible? | What data? |
|---|---|---|---|
| You are our direct customer | Data Controller | We | Account data, billing, support |
| You visit our website | Data Controller | We | Website usage, cookies |
| You use our services on a customer website (customer instructions only) | Data Processor | The customer | Only technical security data |
| You use our services on a customer website (with own purposes) | Joint Controllers | Customer + We | Technical data + fraud database, product improvement |
| You use our services on customer platforms | Data Processor/Joint | Customer + We (depending on purpose) | Minimal technical data + own purposes |

3.2 Important Distinctions

  • As Data Controller: We determine purpose and means of processing, are responsible for compliance
  • As Data Processor: We only process according to customer instructions, no own purposes
  • As Joint Controllers: We share responsibility - the customer for their purposes, we for our own purposes (fraud database, product improvement, etc.)
  • End User Rights: For customer platforms, contact the website operator, not us

4. Data Categories We Collect

4.1 Account Data & Authentication

We collect account data and authentication information to ensure secure access to our services. This includes account data, profile information, authentication tokens and session data required to maintain secure user sessions. We also collect multi-factor authentication preferences and security settings to enhance account protection and provide a personalized user experience.

4.2 Billing & Payment Information

Our billing and payment processing includes collecting payment method details that are securely processed by our payment processors. We maintain billing history, invoices and tax identification information to comply with our legal obligations and maintain transparent financial records. All payment data is encrypted and processed according to PCI DSS standards to ensure maximum security.

4.3 Communication Data

We maintain comprehensive records of all communications with our users, including support tickets, correspondence, feature requests and feedback. This data helps us provide better customer service and improve our services. For marketing communications, we only send materials to users who have given explicit consent, and users can unsubscribe from such communications at any time.

4.4 Device & Network Information

To ensure service security and optimize performance, we collect technical information including IP addresses, geolocation data, browser properties, device specifications and network connection details. This information helps us detect and prevent fraudulent activities, optimize service delivery and ensure compliance with regional requirements. When you use our services via a mobile device, this may include information such as your mobile device type, your mobile device's unique ID, your mobile device's IP address, your mobile operating system, your mobile internet browser type, unique device IDs and other diagnostic data.

4.5 Analytics & Usage Data

We collect comprehensive analytics and usage data to monitor service performance and improve user experience. This includes service usage patterns, performance metrics, error logs and debugging information. We use this data to identify areas for improvement, optimize service delivery and ensure system stability across all customer environments. This usage data may include information such as your computer's Internet Protocol address, browser type, browser version, the sections of our services you visit, the time and date of your visit, the duration you spend in those sections, unique device IDs and other diagnostic data.

🟡 DATA WE COLLECT AS DATA PROCESSOR

4.6 End User Data Processing (Processor Role)

Note: The detailed provisions for data processing on behalf of our customers (Processor role) are regulated in our Data Processing Agreement (DPA), which takes precedence over this Privacy Policy.

🎯 MINIMAL DATA APPROACH - Security Detection, not Identification

Our Goal: We collect only the minimal data that helps us detect whether a user is genuine or identify threats. Our focus is exclusively on security detection and threat prevention.

For detailed information on end user data processing, see our Data Processing Agreement (DPA).

🟠 DATA WE COLLECT AS JOINT CONTROLLERS

4.7 Own Purposes in Addition to Customer Instructions

When we pursue our own purposes in addition to customer instructions, we collect additional data for our fraud database, which contains anonymized behavioral patterns and threat indicators to improve our security algorithms. We also use aggregated usage data for product improvement and optimization of our services as well as for developing new features. Our score network benefits from anonymized analyses to improve our scoring algorithms. Additionally, we use anonymized data for security research to explore new threats and security vulnerabilities.

Regarding our own purposes, we rely on legitimate interests that serve to improve security, product development and fraud prevention. All data is anonymized before use for own purposes to ensure data protection. We inform our customers transparently about our own purposes and ensure that they are informed about these additional processing activities.

4.8 Automated System Detection Data

We implement advanced detection mechanisms to identify and filter automated systems and non-human interactions. This includes collecting and analyzing behavioral patterns that help us distinguish between legitimate human users and automated scripts, bots or other non-human systems to ensure fair service usage and prevent abuse. This data is processed anonymously and used exclusively for security and service optimization purposes.

5. Legal Bases for Processing

Note: For data processing on behalf of our customers (Processor role), the legal bases and provisions of our Data Processing Agreement (DPA) apply.

We process your data based on several legal bases to ensure compliance with applicable data protection laws. Contract fulfillment serves as the primary basis for processing data required to provide our services and fulfill our contractual obligations. Legitimate interests justify processing for service improvements, security enhancements and fraud prevention, always balanced with your fundamental rights and freedoms.

Legal obligations require us to process certain data to comply with applicable laws, regulations and regulatory requirements. For marketing communications and optional features, we rely on the granted consent as a legal basis and ensure that users have given explicit, informed and voluntary permission for such processing activities.

6. Specific Data Processing Activities

6.1 Service Provision and Maintenance

We process your data to provide our core services, including Trusted Captcha, Trusted SDK, Trusted Verify, WordPress Plugin, Developer Console and all other components we offer. This includes account management, service delivery, performance monitoring and technical support. We also process data to maintain service availability, optimize performance and ensure system stability across all customer environments.

6.2 Security and Fraud Prevention

Your data is processed to maintain the security of our services and protect against fraudulent activities. This includes authentication and access control, threat detection and response, compliance monitoring and security incident investigation. We use advanced analytics and machine learning techniques to identify potential security threats while maintaining strict data protection standards.

6.3 Analytics and Service Improvement

We process usage data and analytics information to continuously improve our services. This includes performance optimization, feature development based on user needs, improving user experience and monitoring service quality. All analytics are conducted in a data protection-friendly manner, with personal data anonymized or aggregated where possible.

6.4 Compliance and Legal Obligations

We process certain data to comply with our legal and regulatory obligations, including tax compliance, financial reporting, data protection compliance and regulatory audits. This processing is limited to the necessary data required to fulfill these obligations and is carried out in accordance with applicable laws and regulations.

6.5 Communication and Support

We process your contact information and communication data to provide customer support, send important service announcements and respond to your inquiries. For marketing communications, we only process data for users who have given explicit consent, and users retain the right to withdraw this consent at any time.

7. Data Sharing & Disclosure

7.1 Service Providers

We may only share data with carefully selected third parties who help us provide our services. These providers include payment processors for secure financial transactions, hosting and infrastructure services for reliable service delivery, customer support systems for responsive support and analytics services for service improvement. All service providers are bound by strict contractual obligations to protect your data and use it only for specified purposes.

7.2 Legal Requirements

We may disclose existing data if required by applicable laws and regulations, court orders, legal proceedings, government investigations or regulatory compliance requirements. Such disclosures are only made to the extent required and in accordance with legal obligations, while we always ensure that we protect your data protection rights to the maximum extent possible under the given circumstances.

7.3 Business Transfers

In the event of a merger, acquisition or sale of assets, your data may be transferred as part of the transaction. We will inform you in advance of such material changes, preserve your rights under this Privacy Policy and transfer them to the new entity.

8. Data Protection Measures

8.1 Technical Safeguards

We implement comprehensive technical security measures to protect your data. This includes encryption of data in transit with industry-standard encryption algorithms, encryption of sensitive data at rest with AES-256 encryption, multi-factor authentication for all account access, security assessments to identify and remediate vulnerabilities and monitoring systems that contribute to protecting our infrastructure. We use TLS 1.3 for data in transit to ensure your information remains protected at all times.

8.2 Organizational Measures

Our organizational security measures include comprehensive employee training on data protection principles and best practices, strict access controls with role-based permissions that ensure employees only access data necessary for their job functions, well-defined incident response procedures for handling security events and regular security assessments to evaluate and improve our security posture. All employees must sign confidentiality agreements and complete regular data protection and security training.

8.3 Data Breach Response

In the event of a suspected data breach, we have established comprehensive response procedures that include immediate investigation of the incident, prompt notification of affected individuals and relevant authorities as required by applicable law, implementation of corrective measures to prevent future occurrences and thorough documentation and analysis to learn from each incident and improve our security measures. Our incident response team monitors security events 24/7 and responds to critical incidents as quickly as possible, typically within 4 hours during business hours.

8.4 Security Monitoring and Assessment

We conduct security monitoring across our systems and infrastructure using industry-standard tools and practices. This includes vulnerability scans and security analyses to identify potential risks. We conduct regular security assessments to ensure our security measures remain effective. All security findings are promptly addressed and remediated according to our security policies.

8.5 Access Control and Authentication

We implement access controls to ensure that only authorized employees can access your data. This includes role-based access control systems, multi-factor authentication for administrative access and secure credential management. We maintain access logs and monitor suspicious or unauthorized access attempts with response procedures for all detected security incidents.

9. Data Storage & Deletion

9.1 Retention Periods

We generally only store the relevant data of our website visitors and users for as long as is necessary to ensure the functionality of the website and as required for our content and services.

In addition to fulfilling the purposes set out in this Privacy Policy, legal, accounting and reporting retention obligations that create the framework for the duration of data collection must also be considered.

Contact information transmitted for marketing purposes is only stored with your consent and only until you unsubscribe or, as described in this Privacy Policy, withdraw your consent.

The information you provide to us regarding your mobile phone number is encrypted by us and not passed on to third parties or affiliated companies, otherwise the data subject will be informed in advance and their consent will be obtained. This information is kept secure with us until you revoke it.

We store any communication content (e.g. email correspondence) until the expiry of the statutory limitation periods (usually 3 years), insofar as it is necessary for the assertion or defense of claims. For training purposes, we anonymize the content before further use.

If potential misuse of our service is detected or if processing is necessary to protect the legitimate interests of our company or a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not override the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

For our business customers in particular:

Depending on the business customer and depending on the security level, the data collected from business customers is retained for the duration of the service plus 1 year for security measures. Billing records are retained for seven years to comply with tax documentation requirements. Analytics data is retained in anonymized form for service improvement purposes.

For our website visitors in particular:

Information generated by the use of technical tools such as cookies or analytics software is deleted as soon as possible. For a limited period - at most up to one year after the respective cookie expires - this information can generally be stored in anonymized and aggregated form. This anonymized and aggregated information is not linked to you, your household, an IP address or other personal data.

9.2 Deletion Rights

You have the right to request deletion of your account and the personal data concerning you at any time. We will process the deletion within thirty days of receiving your request and ensure that all personal data is permanently removed from our systems. Certain data may be retained for legal compliance purposes, while anonymized data may be retained for service improvement and analytics purposes. If more time is required for deletion due to the scope of processing (maximum 90 days), we will inform you of the reason and the extension period.

10. Your Data Protection Rights

10.1 Access & Portability

Note: For end users whose data we process on behalf of our customers (Processor role), the data subject rights and procedures of our Data Processing Agreement (DPA) apply. In such cases, please contact the respective customer (data controller) who is responsible for processing your requests.

You have the right to request access to all personal data we have about you, including information about how we process your data and for what purposes. You can also request that your data be provided in a portable, machine-readable format that allows you to transfer your information to another service provider. We will verify the accuracy and completeness of your data and provide you with comprehensive information about our processing activities. We will respond to access requests within one month of receipt, although this period may be extended by up to two additional months for complex requests.

10.2 Correction & Deletion

You have the right to request correction of incorrect personal data we have about you. We will process such requests immediately and ensure that all corrections are made without undue delay. You also have the right to request deletion of your data, subject to our legal obligations to retain certain information. Additionally, you may object to processing based on legitimate interests, and we will evaluate such objections in accordance with applicable law. We will respond to correction and deletion requests within one month, with the same extension possibilities for complex requests.

10.3 Restriction & Objection

You may object to automated decision-making processes that significantly affect you, and we will provide human review of such decisions. For marketing communications, you may withdraw consent at any time, and we will implement such a withdrawal immediately. We will respond to restriction and objection requests within one month.

10.4 Request Procedures and Verification

To exercise your data protection rights, you can contact us through one of the methods listed in the Contact and Complaints section. We may ask you to provide additional information to verify your identity before processing your request, particularly for sensitive data or if we have legitimate doubts about your identity. This verification process helps protect your privacy and prevent unauthorized access to your personal data.

10.5 Response Times and Extensions

We are obligated to respond promptly to all data protection rights requests. In most cases, we will respond within one month of receiving your request. For complex requests or if we receive multiple requests from the same person, we may extend this period by up to two additional months. We will inform you of any such extension and explain the reasons for the delay within one month of receiving your request.

10.6 Right to Lodge Complaints

In addition to contacting us directly, you have the right to lodge a complaint with your local data protection authority if you believe that our processing of your personal data violates applicable data protection laws. We encourage you to contact us first to resolve concerns, but you are not obligated to do so before filing a complaint with the relevant supervisory authority.

11. Subcontractors & International Data Transfers

Note: For data transfers in the context of data processing on behalf of our customers (Processor role), the provisions of our Data Processing Agreement (DPA) apply.

11.1 Current Subcontractors

We work with the following subcontractors to provide our services. We enter into data protection terms with each provider, including Standard Contractual Clauses (where applicable), and evaluate technical and organizational measures:

| Provider | Purpose | Services | Data Categories | Location | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| DigitalOcean, LLC | Hosting, Storage | SaaS; Security | Account data; Security logs; Traffic metadata | EU | In-Region | Storage in EU |
| MongoDB, Inc. | Database hosting, Storage | SaaS; Security | Account data; Security logs; Traffic metadata | EU | In-Region | Storage in EU |
| Google LLC | Analytics (GA4), Ads/Conversion | Website | Online IDs, Event data | US/EU | EU–US DPF; SCCs as fallback | GA4 linked with Google Ads; Consent Mode v2 |
| Webflow, Inc. | Website Hosting/CMS | Website | Online IDs, Website content | US | EU–US DPF; SCCs as fallback | Marketing website only |
| Hotjar Ltd. | Product experience analytics | Website/App | Usage and device data | EU (IE) | In-Region | Data stored in Ireland |
| Albacross Nordic AB | Company/Visitor identification | Website | Online IDs, Company data | EU | In-Region / SCCs (if transfer) | Lead scoring and identification |
| HubSpot, Inc. | CRM & Marketing automation | Website/Marketing | Online IDs, Contact and campaign data | US/EU | EU–US DPF; SCCs as fallback | Marketing and sales automation |
| Mixpanel, Inc. | Product analytics (App) | SaaS/App | Usage events, Online IDs | US/EU | EU–US DPF; SCCs as fallback | App usage analytics |
| Stripe Payments Europe / Stripe, Inc. | Payments & Risk | SaaS | Billing tokens, Invoices, Risk signals | EU/US | EU entity; DPF for US; SCCs as fallback | Strictly necessary cookies |
| Cookiebot (Usercentrics A/S) | Consent management | Website | Consent logs, Preferences, Online IDs | EU | In-Region | Google-certified CMP; TCF v2.2 support |

11.2 Transfer Mechanisms

We primarily process data within the European Economic Area to ensure maximum protection under EU data protection laws. For international transfers, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We use the EU Commission-approved SCCs (2021/914) for all international data transfers
  • EU-US Data Privacy Framework: For transfers to certified US organizations, including UK and Swiss extensions
  • Adequacy Decisions: For transfers to jurisdictions with equivalent data protection standards
  • In-Region Processing: Where possible, we keep data within the EU/EEA to minimize international transfers

11.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for all international data transfers to ensure adequate protection. These assessments evaluate:

  • Local laws and practices in the destination country
  • Technical and organizational measures of the recipient
  • Additional required safeguards
  • Ongoing monitoring and review mechanisms

11.4 Data Localization

We strive to keep EU data within the European Economic Area whenever possible:

  • Primary Infrastructure: Our core services are hosted on DigitalOcean and MongoDB infrastructure within the EU
  • Data Residency: Customer data and security logs are stored in EU data centers
  • Encryption: All data transfers use encryption in transit and at rest
  • Monitoring: We continuously monitor data flows and transfer compliance

12. Cookies & Tracking Technologies

12.1 Essential Cookies

Essential cookies are required for the basic functionality of our services and cannot be disabled. These include authentication and session management cookies that maintain your login status, security cookies that prevent fraud and ensure secure access, and functionality cookies that enable core service functions and performance optimization.

12.2 Analytics Cookies

Analytics cookies help us understand how our services are used and identify areas for improvement. These cookies collect information about service usage patterns, performance metrics and user experience factors. The collected data is used to optimize service delivery, improve user interface design and ensure that our services meet the evolving needs of our users.

12.3 Marketing Cookies

Marketing cookies are used to measure the effectiveness of our marketing campaigns and deliver personalized content. These cookies track user engagement metrics, campaign performance and user preferences to ensure that marketing communications are relevant and valuable. Users can opt out of marketing cookies while maintaining access to essential service functions.

12.4 Do Not Track Signals

Although we respect your privacy preferences and strive to honor Do Not Track signals set by your browser, we currently cannot respond to Do Not Track signals. This is due to the technical complexity of implementing such responses across our diverse service offerings and the need to maintain essential security and fraud prevention functions. Nevertheless, we offer comprehensive opt-out mechanisms for all non-essential tracking and processing activities, and you can contact us directly to exercise your data protection rights and preferences.

12.5 Specific Cookies We Use

We use cookies from various service providers to effectively deliver our services:

| Cookie Provider | Purpose | Cookie Type | Retention Period | Data Categories | Legal Basis |
|---|---|---|---|---|---|
| Trusted Accounts | Authentication, Session management, Security | Essential | Session / 1 year | Session tokens, Security settings | Necessary for service delivery |
| Google Analytics (GA4) | Website analytics, Conversion tracking | Analytics | 14 months | Usage patterns, Page views, Events | Consent (via Cookiebot) |
| Google Ads | Conversion tracking, Remarketing | Marketing | Up to 540 days | Ad interactions, Conversion events | Consent (via Cookiebot) |
| Webflow | Website hosting, CMS functionality | Functional | Session / 1 year | Website preferences, Content delivery | Legitimate interest |
| Hotjar | User experience analytics, Heatmaps | Analytics | 12 months | User interactions, Session recordings | Consent (via Cookiebot) |
| Albacross | Company identification, Lead scoring | Marketing | 12 months | Company data, Visitor identification | Consent (via Cookiebot) |
| HubSpot | CRM, Marketing automation, Chat | Marketing/Functional | 13 months | Contact interactions, Chat sessions | Consent (via Cookiebot) |
| Mixpanel | Product analytics (App usage) | Analytics | 12 months | Feature usage, User journeys | Consent (via Cookiebot) |
| Stripe | Payment processing, Fraud prevention | Essential | Session / 1 year | Payment tokens, Fraud signals | Necessary for service delivery |
| Cookiebot | Consent management, Preferences | Essential | 12 months | Consent choices, Preferences | Necessary for legal compliance |
| Cloudflare | Website security, Performance optimization | Essential | 1 day | Security tokens, Performance data | Necessary for service delivery |
| Sentry | Error monitoring, Performance tracking | Analytics | Session | Error logs, Performance metrics | Legitimate interest |
| Spotify | Music integration, Functionality | Functional | Session / 1 year | Music preferences, Integration data | Consent (via Cookiebot) |

12.6 Cookie Consent Management

We use Cookiebot (Usercentrics A/S) as our Consent Management Platform (CMP) to manage your cookie preferences. Cookiebot is Google-certified and supports the Transparency & Consent Framework (TCF) v2.2. Through our cookie banner, you can:

  • Accept or reject non-essential cookies
  • Manage your preferences by cookie category
  • Withdraw consent at any time
  • View detailed information about each cookie

12.7 Cookie Management and Preferences

You retain full control over your cookie preferences through several methods:

Through our cookie banner: Click on the cookie settings icon (usually in the bottom corner) to change your preferences at any time.

Through browser settings: Most browsers allow you to change your cookie settings to notify you when you receive a cookie, disable existing cookies or automatically reject cookies. Please note that disabling certain cookies may affect your experience using our services, as some features and services may not function properly.

Through opt-out links: Many of our analytics and marketing partners offer direct opt-out mechanisms:

Depending on your operating system, you may not be able to delete or block all cookies, and browser settings that block cookies may have no effect on non-cookie tracking technologies.

13. Child Protection

Our services are not intended for direct use by children under 13 years of age, and we do not knowingly collect personal data from children under this age. When our services are used on third-party platforms, the platform operator is responsible for compliance with child protection laws.

14. Third-Party Services and Analytics

14.1 Google Analytics Integration

We use Google Analytics to track website traffic and evaluate service performance. Google Analytics collects data about user interactions with our services, such as page views, session duration and user behavior patterns. This information helps us improve our services and user experience. Google may use the collected data to contextualize and personalize ads in its advertising network; however, we do not share your personal data with Google for advertising purposes. For additional information about Google's privacy practices, please visit the Google Privacy Terms website: https://policies.google.com/privacy?hl=en. We also recommend reviewing Google's policy on protecting your data: https://support.google.com/analytics/answer/6004245.

14.2 Payment Processing Services

We integrate with trusted payment processors to securely process financial transactions. These processors collect and process payment information according to PCI DSS standards and their own privacy policies. We do not store complete payment card information on our servers, ensuring that sensitive financial data remains protected by industry-leading security measures. All payment processors are bound by strict contractual obligations to protect your data and maintain confidentiality.

14.3 Cloud Infrastructure Providers

Our services are hosted on cloud infrastructure provided by trusted providers who maintain strict security standards and compliance certifications. These providers process data only for the purpose of hosting our services and are bound by strict contractual obligations to protect your data and maintain confidentiality. We maintain comprehensive agreements with all infrastructure providers that include data protection obligations, security requirements and audit rights.

14.4 Customer Support and Communication Services

We use third-party services for customer support, communication and collaboration. These services include help desk systems, email delivery services and communication platforms. All such services are carefully selected based on their security standards and data protection obligations. We ensure that these providers process your data only for the specific purposes we have authorized and maintain appropriate security measures.

14.5 Data Processing Restrictions

All third-party service providers are contractually prohibited from using your data for purposes other than providing the specific services for which we have engaged them. They are obligated to implement appropriate technical and organizational security measures, maintain confidentiality of your data and grant us audit rights to verify compliance with these obligations. We regularly review and evaluate all third-party providers to ensure they continue to meet our security and data protection standards.

15. Changes to This Policy

15.1 Update Process

We may update this Privacy Policy regularly to reflect changes in our data processing practices, legal requirements or service offerings. Material changes that significantly affect how we process your data will be communicated via email and prominently published on our website. Continued use of our services after such changes constitutes acceptance of the updated policy.

Note: Changes to our Data Processing Agreement (DPA) are made according to the procedures established there and take precedence over this Privacy Policy for data processing on behalf of our customers (Processor role).

15.2 Notification Methods

We use multiple notification methods to ensure users are informed about material policy changes. This includes email notifications for all registered users, website announcements and updates, notifications through our Developer Console and direct communication with enterprise customers for critical changes that may affect their operations.

16. Contact & Complaints

16.1 Data Protection Requests

We maintain dedicated channels for handling data protection concerns and requests. You can contact us by email at privacy@trustedaccounts.org.

16.2 Supervisory Authority

You have the right to lodge complaints with your local data protection authority if you believe that our processing of your personal data violates applicable data protection laws.

17. Additional Information

17.1 Related Documents

This Privacy Policy works in conjunction with several related documents that provide additional details on specific aspects of our data processing activities. These include our Terms of Service, which regulate the overall relationship between the parties, and our Data Processing Agreement (DPA), which details our data processing obligations under EU law and takes precedence over this Privacy Policy for the Processor role.

17.2 Compliance and Standards

We are committed to maintaining high standards for data protection and security. We regularly review and update our practices to ensure continued compliance with applicable laws and regulations, including GDPR, CCPA and other relevant data protection standards.