Privacy Policy
Effective Date: March 4, 2026
1. Introduction & Scope
Truthlocks, Inc. ("Truthlocks", "we", "us", or "our") is committed to protecting the privacy and security of individuals and organizations that interact with our platform. This Privacy Policy describes how we collect, use, store, disclose, and protect information when you access our websites, use our verification infrastructure, APIs, SDKs, console dashboard, consumer portal, or engage with our services (collectively, the "Services").
We operate under a privacy-by-design and security-first philosophy. Our systems are intentionally architected to minimize the collection and retention of personal data while enabling strong cryptographic verification and auditability. Wherever possible, Truthlocks enables users to maintain control over their data and verifiable proofs.
This Privacy Policy applies to all users of the Services, including Issuers (organizations issuing attestations), Consumers (individuals receiving or holding attestations), Verifiers (parties verifying attestations), website visitors, and prospective customers.
2. Information We Collect
2.1 Account & Registration Information
When you create an account, we collect identifying and business-related information, including:
- Full name (first and last)
- Work email address
- Company or organization name
- Business type and country of incorporation
- Professional role or title
- Phone number (optional)
- Billing address and payment information (processed by our payment processor)
2.2 Technical & Usage Data
We automatically collect certain technical information when you access the Services:
- IP addresses and geolocation data (country/region level)
- Device identifiers, browser type, and operating system
- Pages viewed, features used, and navigation paths
- API request logs (endpoint, method, response status, latency)
- Session duration and frequency of use
- Referring URLs and search terms used to find our site
2.3 Attestation & Verification Metadata
When you create, issue, or verify an attestation using the Truthlocks platform, we process and store metadata necessary for verification and auditability:
- Cryptographic hashes and digital signatures
- Attestation identifiers, schema types, and status (active, revoked, expired)
- Timestamps (issuance, expiry, revocation)
- Issuer identifiers and public key references
- Transparency log entries and Merkle tree inclusion proofs
Important: We do not store the underlying source data, raw claims, or payload content associated with an attestation unless you explicitly opt in to hosted storage or an enterprise service that requires it. Attestation claims are cryptographically sealed and only readable by authorized parties.
2.4 Communications Data
When you contact us through our website, email, or support channels, we collect the content of your communications, including your name, email address, company, and message content. For enterprise inquiries submitted through our contact form, we also collect the information provided (company name, business type, message).
2.5 Cookies & Tracking Technologies
We use essential cookies necessary for the operation of the Services (e.g., session management, CSRF protection). We may also use analytics cookies to understand how the Services are used and to improve user experience. You can manage cookie preferences through your browser settings.
We do not use third-party advertising cookies or sell personal data for advertising purposes.
3. How We Use Information
We use collected information for the following purposes:
- Service Delivery: Operate, maintain, and deliver the verification and attestation Services, including account management, authentication, and billing.
- Security & Integrity: Protect our systems against unauthorized access, abuse, fraud, and malicious activity. Detect and respond to security incidents.
- Compliance: Comply with applicable legal, regulatory, and contractual obligations, including audit requirements, subpoenas, and government requests.
- Communications: Send service updates, security notices, billing notifications, onboarding information, and respond to support requests.
- Improvement: Analyze usage patterns to improve the reliability, performance, and usability of the Services. Develop new features and services.
- Audit Trail: Maintain tamper-evident, cryptographically verifiable audit logs of all attestation operations for regulatory compliance and dispute resolution.
4. Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following:
- Contract Performance: Processing necessary to perform our contractual obligations to you (e.g., account management, service delivery, billing).
- Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, security, analytics, and product improvement, provided these interests are not overridden by your rights.
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal process.
- Consent: Where required by law, we obtain your explicit consent before processing (e.g., for non-essential cookies or marketing communications). You may withdraw consent at any time.
5. Data Sharing & Disclosure
Truthlocks does not sell personal data. We may share information with third parties only in the following circumstances:
- Service Providers: Trusted vendors that assist in operating the Services (e.g., cloud infrastructure providers, payment processors, email delivery services). These providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.
- Legal Requirements: When required by law, regulation, legal process, or government request (e.g., subpoenas, court orders, regulatory inquiries).
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity, subject to this Privacy Policy.
- With Your Consent: When you explicitly authorize us to share your information with a specified third party.
- Transparency Log: Attestation metadata recorded on the public Transparency Log is designed to be publicly verifiable. This metadata includes cryptographic hashes and identifiers but does not include personal data or claim content.
Sub-Processors
Our current sub-processors include:
- Amazon Web Services (AWS) — Cloud infrastructure, compute, storage (US regions)
- Amazon SES — Transactional email delivery
- Stripe — Payment processing
Enterprise customers may request the current list of sub-processors and will be notified of changes in advance.
6. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account Data: Retained for the duration of your account and for thirty (30) days after account termination.
- API & Access Logs: Retained for ninety (90) days for security monitoring, then aggregated or deleted.
- Audit Logs: Retained for seven (7) years for compliance and regulatory purposes, consistent with financial and governance record-keeping requirements.
- Transparency Log Entries: Retained indefinitely as part of the append-only cryptographic ledger. These entries contain only metadata and cryptographic proofs, not personal data.
- Communications: Retained for two (2) years for customer support continuity, then archived or deleted.
- Billing Records: Retained for seven (7) years as required by tax and financial regulations.
7. Data Security
We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption in Transit: All data transmitted to and from the Services is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) with the principle of least privilege applied to all internal systems and employee access.
- Cryptographic Integrity: SHA-256 hash chains and Merkle trees ensure tamper-evident audit trails.
- Infrastructure Security: Services hosted on AWS with VPC isolation, private subnets, security groups, and automated patching.
- Monitoring: Continuous security monitoring, intrusion detection, and automated alerting for anomalous activity.
- Incident Response: Documented incident response procedures with defined escalation paths and notification timelines.
While we implement rigorous safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable measures and industry best practices.
8. International Data Transfers
Truthlocks is headquartered in the United States. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner's Office (ICO). Enterprise customers may request execution of SCCs as part of a Data Processing Agreement (DPA).
9. Data Sovereignty & Regional Residency
Truthlocks supports data sovereignty and regional data residency requirements. Enterprise customers may elect to restrict the storage and processing of account data, audit logs, and verification metadata to specific geographic regions, including but not limited to:
- United States (US-East, US-West)
- European Union (EU-Central, EU-West)
- Asia-Pacific (AP-Southeast)
These controls are designed to help organizations meet internal governance standards, regulatory obligations, and contractual data residency requirements.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Under GDPR (EEA & UK)
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Restriction: Request restriction of processing under certain conditions.
- Data Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent: Withdraw previously given consent at any time.
- Lodge a Complaint: File a complaint with your local data protection authority.
Under CCPA/CPRA (California)
- Right to Know: Request information about the categories and specific pieces of personal data we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Request correction of inaccurate personal data.
- Right to Opt Out: Opt out of the sale or sharing of personal data. Truthlocks does not sell personal data.
- Non-Discrimination: You will not be discriminated against for exercising your rights.
Under Other Frameworks
We respect data protection rights under other applicable frameworks, including Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, and other regional data protection laws. If you are subject to any of these frameworks, please contact us to exercise your rights.
To exercise any of these rights, contact us at privacy@truthlocks.com. We will respond within thirty (30) days (or as required by applicable law). We may request verification of your identity before processing your request.
11. Children's Privacy
The Services are not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@truthlocks.com.
12. Third-Party Services & Links
The Services may contain links to third-party websites or integrate with third-party services (e.g., payment processors, analytics providers). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
13. Data Breach Notification
In the event of a data breach that affects your personal data, we will notify you and applicable regulatory authorities in accordance with applicable law. Notifications will include:
- A description of the nature of the breach
- The categories and approximate number of records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Contact information for further inquiries
Enterprise customers with executed DPAs may have additional notification commitments, including expedited timelines (e.g., 72 hours for GDPR-regulated customers).
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated via email or through a prominent notice on our website at least thirty (30) days before they take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.
Contact & Data Protection
For privacy inquiries, data subject requests, Data Processing Agreements, or questions about this Privacy Policy:
Truthlocks, Inc.
Privacy & Data Protection
Email: privacy@truthlocks.com
For general inquiries, please visit our Contact page. For terms governing your use of the Services, see our Terms of Service.
