1. Introduction
This Privacy Policy explains how TrustReview Technologies Ltd. ("TrustReview", "we", "us", or "our") collects, uses, discloses, and safeguards personal data in connection with our AI-powered identity verification platform available at trustreview.ai and through our APIs, hosted verification flows, dashboards, and related services (together, the "Services").
TrustReview provides document verification, biometric liveness and face-match, and AML/PEP/sanctions screening that help our business clients meet their Know Your Customer ("KYC") and anti-money-laundering ("AML") obligations and prevent fraud. Because of the sensitivity of the data we handle — including government-issued identity documents and biometric data — we apply a privacy-by-design and privacy-by-default approach throughout our organisation.
This policy is written to be consistent with the EU General Data Protection Regulation (the "GDPR"), the UK GDPR and the Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, "CCPA/CPRA"), and other applicable data protection laws. Where a specific law grants you greater rights, that law prevails. Please read this policy together with our Cookie Policy and our Terms of Service.
2. Who we are & our role (controller vs. processor)
TrustReview Technologies Ltd. is the legal entity responsible for the Services. Our role under data protection law depends on the category of data:
2.1 When we act as a data controller
We act as a data controller for personal data where we ourselves determine the purposes and means of processing. This includes:
- Account and contact data for the administrators, developers, and team members who register for and use our dashboard and APIs on behalf of a business client.
- Billing and commercial relationship data with our clients.
- Data of website visitors, prospects, and people who contact our sales or support teams.
- Operational, security, and audit logging we generate to run and protect the platform.
2.2 When we act as a data processor
We act as a data processor for the verification data we process on behalf of our business clients — the end-user identity and biometric data submitted into a verification flow. In this context, our business client is the data controller: they decide why a verification is performed, obtain the necessary legal basis and consent from their end users, and instruct us through their configuration and use of the Services. We process that data only on the client's documented instructions, as governed by our Data Processing Addendum.
If you are an end user being verified, the business you were interacting with — not TrustReview — is responsible for deciding how your verification data is used and for answering your data-subject requests in the first instance. We will assist them as required by law. Section 11 explains how to reach the right party.
3. Information we collect
We collect the categories of personal data below. The exact data processed in a verification flow is configured by the business client and may be more or less than the full list, depending on the checks they enable.
| Category | Examples | Our role |
|---|---|---|
| Account data | Name, work email, password hash, organisation, role, API keys, dashboard preferences and audit trail | Controller |
| Identity & document data | Images and data extracted from government IDs (passports, driver's licences, national ID cards): full name, date of birth, document number, expiry, nationality, machine-readable zone (MRZ), address where present | Processor |
| Biometric data | Selfie/liveness video and still frames, facial geometry vectors used for liveness detection and document face-match, and the resulting match/liveness scores | Processor |
| Screening data | Identifiers used to query AML, PEP, and sanctions/watchlist sources, and the resulting match status and adverse-media findings | Processor |
| Device & usage data | IP address, device and browser type, operating system, language, approximate location (from IP), timestamps, signals used to detect spoofing, emulators, and presentation attacks, and product analytics events | Controller / Processor |
| Support communications | Emails, in-app messages, and ticket content you send to [email protected], including any attachments | Controller |
We collect personal data directly from you (for example, when you register an account or submit a verification), automatically (for example, through logs and cookies — see our Cookie Policy), and from third parties acting on behalf of our clients or from the watchlist and adverse-media data providers we query during screening.
4. How we use information
We use personal data for the following purposes:
- Providing the Services. To run document verification, biometric liveness and face-match, and AML/PEP/sanctions screening, return results to the relevant business client, and maintain dashboards, APIs, and verification flows.
- Account administration. To create and manage client accounts, authenticate users, provision API access, and provide customer support.
- Fraud prevention and platform integrity. To detect and prevent spoofing, deepfakes, presentation attacks, account takeover, and abuse of the Services, and to maintain immutable audit logs.
- Security and reliability. To monitor, troubleshoot, and improve the availability, performance, and security of the Services.
- Improving and developing the Services. To analyse aggregated and de-identified usage, measure accuracy, and improve our models — subject to the restrictions in Section 6 on biometric data.
- Billing and commercial operations. To process subscriptions, manage renewals, and maintain financial records.
- Communications. To send service, security, and transactional messages, and — where permitted and with any required consent — relevant product updates you can opt out of at any time.
- Legal and compliance. To comply with our own legal obligations, respond to lawful requests, establish, exercise, or defend legal claims, and enforce our agreements.
5. Legal bases for processing
Where the GDPR or UK GDPR applies and TrustReview is the controller, we rely on the following legal bases under Article 6:
- Performance of a contract (Art. 6(1)(b)) — to provide the Services to our clients and administer accounts.
- Legitimate interests (Art. 6(1)(f)) — to secure the platform, prevent fraud, analyse aggregated usage, and develop our Services, balanced against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — to meet our own statutory, tax, accounting, and record-keeping duties and to respond to lawful requests.
- Consent (Art. 6(1)(a)) — for non-essential cookies and optional marketing communications, which you may withdraw at any time.
For verification data where we act as a processor, the relevant legal basis is determined by the business client acting as controller. Because verification typically involves biometric data — a "special category" under Article 9 — that data may only be processed where an Article 9 condition is met. The conditions most relevant to identity verification are:
- Explicit consent (Art. 9(2)(a)) — the end user has given explicit consent to the biometric processing, obtained by the controller.
- Substantial public interest (Art. 9(2)(g)) — including fraud prevention and complying with KYC/AML obligations, on the basis of, and proportionate to, applicable law.
- Establishment, exercise, or defence of legal claims (Art. 9(2)(f)) — where relevant.
It is the controller's responsibility to identify and document the applicable Article 9 condition and to capture explicit consent where required. TrustReview processes special-category data strictly on those documented instructions.
6. Biometric data & special categories
Biometric data warrants the highest level of care, and we treat it accordingly.
6.1 What we process and why
When a verification includes a liveness or face-match step, we capture a short selfie video and/or still frames and compute a facial-geometry representation (a template) used to (a) confirm a live human is present and resist presentation attacks, and (b) compare the live face against the photo on the government ID. The output returned to the business client is typically a pass/fail decision and confidence scores — not the underlying biometric template.
6.2 We process biometric data on instruction of business clients
We process biometric data solely as a processor on the documented instructions of the business client who initiated the verification. We do not determine why a person is verified, and we do not use a person's biometric data for our own independent purposes.
6.3 No training on biometric data without consent
We do not use end users' biometric data, facial images, or identity documents to train, retrain, or improve our machine-learning models unless the relevant controller and data subject have provided the necessary consent for that purpose. Model improvement that does occur is performed using lawfully obtained, consented, or synthetic and de-identified datasets. We never sell biometric data, and we never share it for cross-context behavioural advertising.
6.4 Retention limits
Biometric source media and templates are retained only as long as needed to complete the verification and for the limited period configured by the controller or required by law (see Section 9). By default, raw biometric media is deleted or irreversibly anonymised on a short cycle after a verification concludes, unless the controller has instructed a defined retention period to meet its own recordkeeping obligations.
7. Sharing & disclosures
We do not sell personal data. We share personal data only as described below.
7.1 Sub-processors
We engage carefully vetted sub-processors to provide infrastructure, cloud hosting, storage, email delivery, error monitoring, and customer-support tooling. Each sub-processor is bound by a written contract imposing data-protection obligations no less protective than those in our own agreements. A current list of sub-processors is available to clients on request to [email protected], and we provide advance notice of material changes as set out in our DPA.
7.2 Watchlist and adverse-media data providers
To perform AML/PEP/sanctions screening, we query third-party data providers that maintain sanctions lists, politically-exposed-person registers, and adverse-media databases. We send the minimum identifiers necessary to run the requested check and receive match results, which we return to the controller.
7.3 Within our corporate group and to service the relationship
We may share data with our affiliates and with professional advisers (legal, accounting, audit) where necessary to operate our business, in each case under appropriate confidentiality and data-protection terms.
7.4 Legal requests and protection of rights
We may disclose personal data where we believe in good faith that disclosure is required to comply with applicable law, a court order, or a valid request from a public authority; to enforce our agreements; or to protect the rights, property, or safety of TrustReview, our clients, or others. Where we receive a request relating to a client's verification data, we will, unless legally prohibited, direct the request to the client and notify them.
7.5 Business transfers
If TrustReview is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy and applicable law. We will notify affected parties where required.
8. International transfers
TrustReview operates globally, and personal data may be processed in, or accessed from, countries other than the one in which it was collected, including by our sub-processors. Whenever we transfer personal data out of the European Economic Area, the United Kingdom, or another jurisdiction with cross-border-transfer restrictions, we put in place a lawful transfer mechanism, including one or more of the following:
- Transfers to countries the European Commission or UK authorities have recognised as providing an adequate level of protection.
- The European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum (or the UK IDTA), supplemented by a transfer impact assessment and any necessary additional technical and organisational safeguards.
- Other valid mechanisms permitted under applicable law.
You may request a copy of the relevant transfer mechanism (with commercial terms redacted) by contacting [email protected].
9. Data retention
We retain personal data only for as long as necessary for the purposes set out in this policy, including to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. For verification data we process as a processor, retention is governed by the controller's documented instructions and the configuration of the relevant flow. Indicative retention periods are below.
| Data type | Indicative retention |
|---|---|
| Raw biometric media (selfie video/frames) | Deleted or irreversibly anonymised on a short cycle after the verification concludes (controller-configurable) |
| Identity & document data + verification results | As instructed by the controller for its KYC/AML recordkeeping (commonly up to several years to meet legal obligations) |
| Screening match results | Retained with the associated verification record per the controller's schedule |
| Account & contact data | For the life of the account and a reasonable period afterward to meet legal, tax, and audit requirements |
| Security & audit logs | Typically 12–24 months, longer where required for security or legal reasons |
| Support communications | Up to 24 months after the matter is resolved |
When retention periods expire, we delete, anonymise, or aggregate the data so it can no longer be associated with you. Where deletion is not immediately feasible (for example, in encrypted backups), we isolate the data and protect it from further processing until deletion is possible.
10. Security
We maintain a comprehensive information-security program with administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, alteration, disclosure, and destruction. Measures include:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256), with biometric media subject to additional protections.
- Strict access controls based on least privilege, role-based permissions, mandatory multi-factor authentication for internal systems, and just-in-time access with full logging.
- Network and application security including segmentation, secrets management, vulnerability scanning, dependency monitoring, and regular third-party penetration testing.
- Monitoring and incident response with continuous logging, alerting, and a documented response plan; we notify affected controllers of personal-data breaches without undue delay and in line with our contractual and legal obligations.
- Independent assurance. We maintain SOC 2 Type II and ISO/IEC 27001 programs and align our controls to recognised industry standards.
No method of transmission or storage is completely secure, but we work continuously to strengthen our defences and reduce risk.
11. Your rights
Depending on where you live and the applicable law, you may have some or all of the following rights regarding your personal data:
- Access — to obtain confirmation of whether we process your data and a copy of it.
- Rectification — to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — to request deletion in certain circumstances.
- Restriction — to limit how we process your data in certain circumstances.
- Portability — to receive certain data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller.
- Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time.
- Withdraw consent — where processing is based on consent, without affecting the lawfulness of prior processing.
- Non-discrimination and (under CCPA/CPRA) the right to know, delete, and correct, and to limit use of sensitive personal information.
We do not sell or "share" personal data as those terms are defined under CCPA/CPRA — that is, we do not sell personal information for monetary or other valuable consideration, and we do not share it for cross-context behavioural advertising. Accordingly, there is no "Do Not Sell or Share My Personal Information" action required, but you may still exercise your other rights.
How to exercise your rights. If you are an end user who was verified through a business that uses TrustReview, that business is the controller of your verification data; please direct your request to them. We will support them as required by law. For data where TrustReview is the controller, contact [email protected]. We may need to verify your identity before acting on a request. You also have the right to lodge a complaint with your local supervisory authority (for example, in the UK, the Information Commissioner's Office), though we'd welcome the chance to address your concern first.
12. Cookies
We use a small set of cookies and similar technologies that are strictly necessary to run the Services, plus optional functional, analytics, and security cookies. We do not use advertising or cross-site tracking cookies. For full details — including the categories of cookies, their purposes, and how to manage your preferences — please see our Cookie Policy.
13. Data Processing Addendum (DPA)
Because much of what we do is process personal data on behalf of our business clients, our relationship with each client is governed by a Data Processing Addendum that forms part of our Terms of Service.
13.1 Roles under the DPA
Under the DPA, the business client is the data controller for the end-user verification data and TrustReview is the data processor. The client decides the purposes and means of processing — including which checks to run, what consent and notices to provide to end users, and what retention to apply — and is responsible for ensuring it has a valid legal basis (and, for biometric data, a valid Article 9 condition) before submitting data to us.
13.2 Our processor commitments
In the DPA, TrustReview commits to:
- Process personal data only on the controller's documented instructions, including for international transfers, unless required to do otherwise by law.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see Section 10).
- Engage sub-processors only under written terms providing equivalent protections, with notice of changes and a right to object.
- Assist the controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and data-protection-impact-assessment obligations.
- Notify the controller of a personal-data breach without undue delay.
- At the controller's choice, delete or return personal data at the end of the engagement, subject to legal retention requirements.
- Make available information necessary to demonstrate compliance and submit to audits as set out in the DPA.
Our standard DPA, including the applicable Standard Contractual Clauses and the current sub-processor list, is available to clients on request to [email protected].
14. Children's privacy
The Services are intended for use by businesses and their adult end users. They are not directed to children, and we do not knowingly create TrustReview accounts for, or market to, anyone under 18. Identity verification flows are typically deployed by clients to confirm that an end user is an adult or otherwise eligible for a regulated product; where a client uses TrustReview for age verification or age-gating, the client is responsible for configuring those checks lawfully and for handling any minors' data in accordance with applicable law (such as the GDPR's rules on children's data and the U.S. Children's Online Privacy Protection Act). If we learn that we have inadvertently processed a child's personal data as a controller without an appropriate legal basis, we will take steps to delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Services. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice (for example, by email or an in-product notice). We encourage you to review this policy periodically. Your continued use of the Services after an update takes effect constitutes acceptance of the revised policy to the extent permitted by law.
16. Contact us & DPO
If you have questions, concerns, or requests about this policy or our handling of personal data, please reach out:
- Privacy enquiries & data-subject requests: [email protected]
- Data Protection Officer (DPO): [email protected]
- Legal, DPA & sub-processor requests: [email protected]
- Product support: [email protected]
You can also contact us through our contact page. We aim to respond to privacy enquiries within the timeframes required by applicable law.