Privacy Policy

Last updated: June 10, 2026

1. Who we are & scope

TrustRoom (the “Service”) is operated by Signus Solutions Inc. (“TrustRoom,” “we,” “us,” or “our”). The Service lets organizations (“Customers”) publish a hosted trust center, manage security and compliance information, and grant reviewers access to gated documentation.

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit trustroom.io, create an account, use the Service, or interact with a trust center hosted on the Service. It does not cover Customers’ own privacy practices — see Section 13.

2. Our roles (controller vs. processor)

TrustRoom as controller

We act as a data controller for: account registration data, billing data, marketing and website analytics data, support communications, and data we process to secure and improve the Service.

TrustRoom as processor

We act as a data processor on behalf of our Customers for content Customers upload to their trust centers (including compliance documents) and for personal data submitted by visitors to a Customer’s trust center — for example access requests, NDA acceptance records, and document download activity. For that data, the Customer is the controller and this processing is governed by our agreement with the Customer. A data processing addendum (DPA) is available on request at privacy@trustroom.io.

3. Information we collect

Information you provide

  • Account data — name, work email, password hash (we never store plaintext passwords), and organization details (company name, subdomain, branding).
  • Customer content — documents, certifications, FAQs, updates, subprocessor lists, and other materials you publish or store in your trust center, which may incidentally contain personal data.
  • Access-request data — when you request access to a trust center: your name, work email, company, title, stated reason, and the documents requested.
  • NDA acceptance records — when you accept a clickwrap NDA: your typed name, acceptance timestamp, IP address, and browser user-agent, retained as evidence of acceptance.
  • Communications — messages you send us (e.g., sales inquiries via our contact form, support email).
  • Billing data — processed by our payment processor (Stripe); we store plan, subscription status, and invoice metadata, not full card numbers.

Information collected automatically

  • Usage and log data — IP address, browser type, pages viewed, referring URLs, timestamps, and actions taken in the Service.
  • Cookies — strictly necessary session cookies. See Section 12.

Information from third parties

  • Sign-in providers — if you sign in with Google, we receive your name and email address from Google.
  • Imported trust-center data — if you ask us to migrate an existing public trust center, we collect the publicly available content of that page on your instruction.

4. How we use information

  • Provide, operate, and maintain the Service, including hosting trust centers and delivering gated documents to approved requesters;
  • Process access requests and record NDA acceptance on behalf of Customers;
  • Create and manage accounts, authenticate users, and provide single sign-on;
  • Process payments, manage subscriptions, and send transactional emails (e.g., access-request notifications, approval emails, invites);
  • Provide AI-assisted features (e.g., extracting certifications from documents you upload) — content submitted to these features is processed by our AI subprocessor solely to provide the feature and is not used by us to train models;
  • Monitor, secure, and debug the Service, prevent fraud and abuse, and enforce our Terms of Service;
  • Understand product usage in aggregate to improve the Service;
  • Comply with legal obligations and respond to lawful requests.

We do not sell personal data, and we do not use Customer content for advertising.

6. Sharing & subprocessors

We share personal data only with:

  • Service providers (subprocessors) — vendors that host and support the Service under contractual confidentiality and data-protection obligations, currently including: cloud hosting and content delivery, managed PostgreSQL database hosting, transactional email delivery (Resend), payment processing (Stripe), AI processing for AI-assisted features (Anthropic), and sign-in (Google, where you choose Google sign-in).
  • Customers — if you submit an access request or accept an NDA on a Customer’s trust center, that information is disclosed to the Customer whose trust center you used.
  • Professional advisers and authorities — where required by law, to protect rights and safety, or in connection with an audit, financing, merger, or acquisition (with notice where legally permitted).

A current list of subprocessors is available on request at privacy@trustroom.io.

7. International transfers

We are a U.S. company and process data in the United States. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (and the UK Addendum) with our subprocessors, together with supplementary technical measures such as encryption in transit and at rest.

8. Data retention

  • Account data — retained while your account is active and for a reasonable period thereafter to comply with legal obligations;
  • Customer content and visitor data processed for Customers — retained per the Customer’s instructions; deleted or returned following account termination, subject to a short backup-rotation window;
  • NDA acceptance records — retained for the Customer for as long as the Customer requires them as evidence of acceptance;
  • Billing records — retained as required by tax and accounting law;
  • Logs — retained for a limited period for security and debugging.

9. Security

We apply technical and organizational measures appropriate to the risk, including encryption in transit (TLS) and at rest, scoped and time-limited access links for gated documents, password hashing (scrypt), least-privilege access controls, and logging. No method of transmission or storage is 100% secure; we cannot guarantee absolute security. We will notify affected parties of personal-data breaches as required by applicable law.

10. Your privacy rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, to object to certain processing, and to withdraw consent. You can exercise these rights by emailing privacy@trustroom.io. We will respond within the timeframe required by law. You also have the right to lodge a complaint with your supervisory authority.

If your personal data was submitted to a Customer’s trust center, we may redirect your request to that Customer (the controller) and will assist them in responding.

11. US state privacy rights

Residents of California and other US states with comprehensive privacy laws have rights to know, access, correct, delete, and obtain a portable copy of their personal information, and to opt out of “sales,” “sharing,” and certain targeted advertising. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information for purposes requiring a right to limit. We do not discriminate against you for exercising your rights. Authorized agents may submit requests on your behalf with proof of authorization.

12. Cookies

We use only strictly necessary cookies: a session cookie to keep you signed in and short-lived cookies to complete flows such as sign-in and imports. We do not use advertising or cross-site tracking cookies. Because these cookies are essential, they cannot be disabled while using the Service; you can clear them in your browser at any time.

13. Visitors to customer trust centers

Trust centers hosted on the Service (e.g., yourcompany.trustroom.io or trustroom.io/t/yourcompany) belong to our Customers. When you submit an access request, accept an NDA, or download documents there, the Customer is the controller of that data and their privacy practices apply. Contact the Customer directly with privacy questions about their trust center; we will assist them as their processor.

14. Children

The Service is a business product and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a revised “Last updated” date and, for material changes, provide additional notice (such as email or an in-product notice). Your continued use of the Service after changes take effect constitutes acceptance.

16. Contact us

Signus Solutions Inc. — privacy inquiries: privacy@trustroom.io · legal notices: legal@trustroom.io