Privacy Policy
Introduction
Welcome to TrustMind. This Privacy Policy explains how TrustMind, Inc. ("TrustMind", "we", "us", or "our") collects, uses, shares, and protects information in relation to our software-as-a-service platform designed to help automate responses to security questionnaires (the "Service"). This policy applies to visitors to our website trustmind.com and registered users of the Service (collectively, "Users" or "you").
Your privacy is important to us. By using our Service, you agree to the collection, use, disclosure, and procedures this Privacy Policy describes. Please read this policy carefully. If you do not agree with this policy, please do not access or use the Service.
This Privacy Policy does not apply to the data processing practices of our customers ("Customers"), who use our Service to manage their own security questionnaire responses. Our Customers are responsible for their own privacy policies governing the data they control.
What Information We Collect
We collect information to provide and improve our Service. The types of information we collect depend on your interaction with us:
Information You Provide Directly
Account Information: When you register for an account, we collect your first and last name, business email address, and your company name. We use this to create and manage your account and facilitate login.
Questionnaire Data: To use the core functionality of the Service, you will upload files containing security questionnaires and potentially the corresponding answers or related documentation ("Questionnaire Content"). You are responsible for the content you upload. While the primary purpose is not to process personal information within this Questionnaire Content, it could inadvertently contain personal data depending on what you choose to upload. We process this data solely to provide the Service as instructed by you or your organization.
Internal Routing Information: Your organization's administrator may associate your user account internally with specific topics or areas of expertise (e.g., 'legal', 'engineering') to help route specific questionnaire items within the Service.
Communications: If you contact us directly (e.g., for support or inquiries via [email protected]), we may collect your name, email address, and the contents of your message.
Information Collected Automatically
Usage Data: When you use the Service or visit our website, we automatically collect information about your interaction and device using tools like PostHog. This may include your IP address, browser type, operating system, device identifiers, pages viewed, features used, actions taken within the platform, referring URLs, and timestamps.
Cookies and Similar Technologies: We use cookies (small text files stored on your device) and similar tracking technologies to operate and administer our Service, gather usage data, and manage preferences. We use:
- Essential Cookies: Necessary for the Service to function (e.g., authentication, security).
- Analytics Cookies (e.g., PostHog): Help us understand how Users interact with the Service so we can improve it.
- Marketing Cookies: We plan to use marketing cookies to help us promote our Service. You will be able to manage your preferences for non-essential cookies. (Further details in the section titled Your Rights and Choices).
How We Use Your Information
We use the information we collect for various purposes, including:
Providing and Maintaining the Service: To operate the TrustMind platform, authenticate users, process your Questionnaire Content to automate responses, and fulfill our contractual obligations to our Customers.
Internal Routing: To route questionnaire items that require manual input to the relevant user within your organization, based on the internal routing information associated with user accounts.
Analytics and Service Improvement: To analyze usage patterns and trends (using tools like PostHog) to understand how the Service is used, troubleshoot issues, and enhance user experience.
Quality Review: Our team may manually review the context of questions and generated answers (derived from Questionnaire Content) on an aggregated or sample basis to improve the quality and accuracy of our underlying prompts and answer generation logic for future use. We do not use your Questionnaire Content to train artificial intelligence models.
Benchmarking (Future Feature): We plan to use Questionnaire Content on an anonymized and aggregated basis to generate industry benchmarks regarding security controls (e.g., "X% of companies your size have Y control"). This benchmarking data, when available, will be provided to platform users to offer context to help them understand the relevance of questions asked to them by their own customers. Individual company data will not be revealed in these benchmarks. Participation in contributing data to these benchmarks will be required to access the benchmarking insights, and we plan to offer an opt-out mechanism.
Communication: To send you essential service-related communications (e.g., account verification, technical notices, security alerts, administrative messages) as well as information to help optimize your use of the platform. You may opt out of the latter at any time.
Security and Fraud Prevention: To monitor for and prevent potentially prohibited or illegal activities, enforce our Terms of Service, and protect the security and integrity of the Service and our users.
Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
How We Share Your Information
We do not sell your personal information. We share information only in the circumstances described below:
Service Providers: We share information with third-party service providers that process it on our behalf to operate, host, analyze, and improve the Service, including:
- Cloud Infrastructure (e.g., Amazon Web Services - AWS)
- Web Application Hosting (e.g., Cloudflare)
- Analytics Providers (e.g., PostHog)
- AI Model Providers & Routing (e.g., OpenAI, Anthropic, OpenRouter)
- Development & Operations Tools (e.g., Langchain/Langsmith)
- Backend Service Hosting (e.g., Google Firebase)
Within Your Organization: Information associated with your account, including your name, email, and any internal routing designations, may be visible to others within your company's TrustMind account to manage users and workflow. Questionnaire Content uploaded by users within your organization is accessible to other authorized users from your organization within the Service.
Future Integrations: We plan to offer integrations with third-party services (e.g., Slack). If you choose to connect TrustMind to such services, we will share information with them only as necessary to enable the integration, based on your authorization. The use of information by these third-party services will be governed by their own privacy policies.
Business Transfers: If TrustMind is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction as permitted by law and/or contract. The successor entity would continue to be bound by the promises made in this Privacy Policy, or you would be notified of any material changes.
Legal Requirements: We may disclose information if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of TrustMind, (iii) act in urgent circumstances to protect the personal safety of users of the Service or the public, or (iv) protect against legal liability. While we consider it unlikely given the nature of the data primarily processed, we will comply with valid legal requests.
Data Security
We take the security of your information seriously and implement technical and organizational measures designed to protect it from unauthorized access, disclosure, alteration, and destruction. These measures include:
Encryption: We use industry-standard TLS encryption for data in transit between you and the Service. Data at rest is also encrypted.
Data Minimization: We strive to collect only the information necessary to provide and improve the Service.
Secure Infrastructure: We leverage the robust security infrastructure and practices of our cloud service providers (e.g., AWS, Cloudflare, Google).
Access Controls: We implement access controls to limit internal access to data based on job function and necessity.
However, please be aware that no security measures are perfect or impenetrable. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. You are also responsible for maintaining the security of your account credentials.
Data Retention
We retain information for different periods depending on its nature and the purpose for which it was collected:
Account Information: We retain your name, email address, and company name for as long as your account is active or as needed to provide you with the Service. If you request account deletion, we will delete this information subject to any legal obligations or legitimate operational needs (e.g., for audit trails or security logs, often in an aggregated or anonymized form). (Currently, account closure is handled via request to [email protected]).
Questionnaire Content: We retain the Questionnaire Content you upload for as long as your account is active or as needed to provide the Service, including maintaining historical context for answering questionnaires and for developing future anonymized benchmarking features. Crucially, authorized users within your organization can delete uploaded Questionnaire Content at any time through the Service interface. Upon deletion by you, the content is removed from our active systems according to our standard procedures.
Usage and Analytics Data: We retain automatically collected usage data and analytics information for as long as necessary for the purposes described in this policy, such as service improvement, security analysis, and reporting. This data may be aggregated or anonymized over time.
We will delete or anonymize your information when it is no longer needed for the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
Your Rights and Choices
Depending on your location and applicable laws (such as GDPR for users in the European Economic Area/UK, or CCPA/CPRA for California residents), you may have certain rights regarding your personal information. We provide you with the following choices and mechanisms to exercise control over your information:
Access and Correction: You can access and update certain account information (like your name and email address) directly through your account settings within the Service. For other requests to access information we hold about you, please contact us.
Account Deletion: You can request the deletion of your user account by contacting us at [email protected]. Please note that deleting your account will remove your personal information, subject to our retention policies above.
Questionnaire Content Deletion: Authorized users within your organization can delete uploaded Questionnaire Content at any time directly through the Service interface.
Data Portability: You may have the right to request a copy of the personal information we hold about you in a structured, machine-readable format. As noted, most substantive data within the service (Questionnaire Content) originates from you, but you can contact us to request data portability.
Opt-Out of Communications: You can opt out of receiving promotional or marketing emails from us at any time by following the unsubscribe instructions provided in those emails. You will continue to receive essential service-related and administrative communications necessary for your use of the Service.
Cookie Preferences: You will be able to manage your preferences for non-essential cookies (Analytics, Marketing) through a consent management tool on our website/Service. You can also typically control cookies through your browser settings.
Benchmarking Opt-Out (Future): When our anonymized benchmarking feature is launched, we plan to provide users with the ability to opt out of having their organization's anonymized data contribute to the aggregate benchmarks. Participation in the benchmarking program is required to view the benchmarking insights.
Basis for Processing (EEA/UK Users): If you are located in the European Economic Area (EEA) or the United Kingdom (UK), our legal basis for collecting and using the personal information described above will depend on the information concerned and the specific context. We normally collect personal information from you only where we need it to perform a contract with you (or your organization), where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (e.g., providing, securing, and improving the Service), or where we have your consent (e.g., for marketing communications or non-essential cookies).
Exercising Your Rights: To exercise any rights you may have under applicable privacy laws that are not manageable directly through the Service, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond to your request within the timeframe required by applicable law. We will not discriminate against you for exercising your privacy rights.
Cookies and Tracking Technologies
As mentioned above, we use essential cookies (for functionality and security) and analytics cookies (e.g., PostHog, to understand usage) and we plan to implement marketing cookies in the future. You will be able to manage your consent and preferences for non-essential cookies via a consent management tool when available. Most web browsers allow you to control cookies through their settings preferences.
International Data Transfers
TrustMind is based in the United States (incorporated in Delaware, operating from California), and the Service is primarily hosted and operated in the United States using service providers like AWS and Cloudflare. If you are accessing the Service from other regions (like the EEA or UK), your information will be transferred to, stored, and processed in the United States.
We take appropriate safeguards to protect your information in accordance with this Privacy Policy when it is transferred. For transfers of personal information from the EEA, UK, or Switzerland, we rely on mechanisms such as Standard Contractual Clauses or adequacy decisions, where applicable, as provided by our third-party service providers.
Children's Privacy
The Service is not directed to individuals under the age of 13 (or 16 in certain jurisdictions like the EEA/UK). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child without verification of parental consent, we will take steps to delete that information. If you believe we might have any information from or about a child, please contact us at [email protected].
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make changes, we will notify you by revising the "Last Updated" date at the top of this policy. If we make material changes that significantly alter your privacy rights, we will provide additional notice, such as sending an email notification or displaying a prominent notice within the Service prior to the change becoming effective. We encourage you to review this Privacy Policy periodically to stay informed about our information practices.
Contact Information
If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us at: [email protected]