Privacy Policy

Last updated - May 28, 2026

This Privacy Policy is intended to inform users of the trustdata.tech website and the TrustData service of how their personal data is collected, processed and protected, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and the French Data Protection Act No. 78-17 of 6 January 1978, as amended (loi Informatique et Libertés).

Data Controller: TRUSTDATA, SARL with a share capital of €1,000.00 - 7 rue Cail, 75010 Paris - SIREN: 931 119 333 - [email protected]

1. Data Protection Officer (DPO)

The Data Protection Officer may be contacted at:

Email: [email protected]
Postal address: TRUSTDATA - DPO, 7 rue Cail, 75010 Paris, France

The DPO is the point of contact for any question relating to the processing of your personal data and the exercise of your rights.

2. Data Collected

Data collected directly from you

CategoryExamples
Identification dataFirst name, last name, professional email address
Professional dataCompany name, job title, industry
Connection dataIP address, connection logs, browser type
Payment dataCard details (processed exclusively by Stripe; never stored by TrustData)
Usage dataPages visited, features used, configuration preferences
Communication dataContent of support exchanges, contact requests

Data collected on behalf of our clients (data processing)

As part of the Service, TrustData collects and processes data on behalf of its clients (advertisers, agencies) acting as data controllers. For these processing activities, TrustData acts as a data processor within the meaning of Article 28 of the GDPR. The terms of this data processing are governed by the Data Processing Agreement (DPA).

3. Legal Bases and Purposes of Processing

PurposeLegal basis (Art. 6 GDPR)Retention period
Client account management and provision of the ServicePerformance of a contract (Art. 6.1.b)Duration of contract + 3 years
Billing and accountingLegal obligation (Art. 6.1.c)10 years
Customer supportPerformance of a contract (Art. 6.1.b)Duration of contract + 1 year
Marketing communications (newsletters)Consent (Art. 6.1.a)Until withdrawal of consent or 3 years of inactivity
Service improvement and statisticsLegitimate interest (Art. 6.1.f)26 months maximum
B2B commercial prospectingLegitimate interest (Art. 6.1.f)3 years after last contact
Compliance with legal obligationsLegal obligation (Art. 6.1.c)As required by applicable law
Cookie and tracker managementConsent (Art. 6.1.a)13 months maximum (CNIL)
Service security (logs, intrusion detection)Legitimate interest (Art. 6.1.f)12 months

4. Retention Periods

Personal data is retained for the period strictly necessary for the purposes for which it is processed, in accordance with the table above.

Upon expiry of these periods, data is deleted or irreversibly anonymised.

Upon termination of the contract, Client Data is retained for thirty (30) days to allow for export, then deleted.

5. Recipients of Data

Sub-processors

Sub-processorRoleLocationTransfer safeguards
Hetzner Online GmbHApplication hostingHelsinki, Finland (EU)Data within the EU
Cloudflare, Inc.CDN, DDoS protection, DNSUnited StatesStandard Contractual Clauses (SCCs)
Stripe, Inc.Payment processingUnited StatesStandard Contractual Clauses (SCCs)
ResendTransactional email deliveryUnited StatesStandard Contractual Clauses (SCCs)

TrustData never sells its users' personal data to third parties.

6. Connected advertising and analytics platforms

When a Client connects a third-party advertising or analytics account to the Service (Google, Meta, TikTok, LinkedIn, Pinterest, Snapchat, Shopify, Stripe), TrustData ingests data from those platforms on behalf of the Client and the user who authorised the connection. This processing is governed by the DPA and by each provider's own platform terms.

OAuth authorisation and credential storage

  • Connections use the OAuth 2.0 authorisation flow. The user explicitly grants TrustData access on the provider's consent screen, where every requested scope is listed.
  • OAuth refresh tokens are encrypted at rest (AES-128-CBC + HMAC-SHA256, Fernet) and stored exclusively on EU servers (Hetzner, Helsinki).
  • The user may revoke access at any time from the property Data sources page in the Service, or from the provider's own account security settings. Revocation immediately deletes the stored token.

Google Workspace, Google Ads, GA4, GTM, Search Console

ScopePurpose
`.../auth/adwords`Read Google Ads performance (spend, clicks, conversions) to compute ROAS and attribution; and - where the Client opts in - upload conversions back via Enhanced Conversions / Offline Conversion Imports
`.../auth/analytics.readonly`Read GA4 property configuration (streams, events, conversions, custom dimensions) for tracking audit and drift detection
`.../auth/tagmanager.readonly`Read Google Tag Manager container configuration (tags, triggers, variables) for tracking audit
`.../auth/webmasters.readonly`Read Search Console performance (queries, pages, clicks, impressions) for SEO and GEO analysis

TrustData's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Google user data:

  • is used only to provide or improve user-facing features prominent in the Service;
  • is not transferred to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition or sale of assets with notice to users;
  • is not used or transferred for serving advertisements, including retargeting, personalised or interest-based advertising;
  • is not sold to any party;
  • is not read by humans, except (a) with the user's affirmative agreement, (b) where necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymised.

Meta (Facebook, Instagram) Marketing APIs

TrustData requests access to ad accounts (`ads_read`) and business assets (`business_management`) to import campaign performance, audience and conversion data on behalf of the authorising business, and - where the Client opts in - to send conversion events back via the Meta Conversions API (see "Server-side conversion uploads" below).

Meta Platform Data is processed in accordance with the Meta Platform Terms and the Developer Data Use Policy. TrustData does not use Meta Platform Data for its own advertising, does not sell it, and honours user data-deletion requests via the dedicated endpoint: https://app.trustdata.tech/legal/data-deletion.

TikTok Business and Marketing APIs

TrustData requests access to TikTok Ads (`ad.list`, `report.read`, `audience.read`) on behalf of authorising advertisers, to import campaign performance and audience insights, and - where the Client opts in - to send conversion events back via the TikTok Events API. TikTok data is processed in accordance with the TikTok for Business Terms and is not used for TrustData's own advertising, nor resold to third parties.

Other connected platforms

LinkedIn Ads, Pinterest, Snapchat, Shopify, Stripe and similar connectors follow the same model: OAuth access scoped to the data needed for the requested features, EU storage, no resale, no use for TrustData's own advertising, deletion of credentials and ingested data upon disconnection.

Server-side conversion uploads (opt-in)

Where the Client explicitly enables it, TrustData can send conversion events back to the connected advertising platforms - Google Ads (Enhanced Conversions / Offline Conversion Imports), Meta (Conversions API), TikTok (Events API), and equivalent endpoints on other platforms - to improve the advertiser's measurement and bidding.

  • This feature is off by default. The Client activates it per connector from the Service.
  • The data uploaded is limited to conversion events from the Client's own website or app (e.g. purchase, lead, sign-up) and the identifiers required by the platform (hashed email, hashed phone, click identifier, IP, user agent). It does not include data received from another connected platform.
  • User-identifier fields are hashed (SHA-256) client-side or in transit, in line with each platform's specification.
  • The legal basis is the Client's instruction under the DPA; the Client is responsible for obtaining the appropriate consent from data subjects (e.g. via a Consent Management Platform) before activation.
  • Deactivation in the property Data sources page stops uploads immediately. Data already received by the advertising platform is governed by that platform's policies and is no longer under TrustData's control.

7. International Data Transfers

Client Data (data collected through the Service on behalf of our clients) is hosted exclusively within the European Union, on Hetzner servers in Helsinki, Finland.

Certain technical sub-processors (Cloudflare, Stripe, Resend) are located in the United States. Transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (implementing decision 2021/914 of 4 June 2021).

A Transfer Impact Assessment has been carried out for each sub-processor located outside the EU. You may obtain a copy of the safeguards by contacting our DPO at [email protected].

8. Data Security

TrustData implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Role-based access control (RBAC)
  • Access logging and monitoring
  • Regular backups
  • Periodic security testing

9. Your Rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

RightDescription
Right of access (Art. 15)Obtain confirmation that your data is being processed and receive a copy
Right to rectification (Art. 16)Have inaccurate or incomplete data corrected
Right to erasure (Art. 17)Request deletion of your data, subject to legal obligations
Right to restriction (Art. 18)Request restriction of processing in certain circumstances
Right to data portability (Art. 20)Receive your data in a structured, machine-readable format
Right to object (Art. 21)Object to processing based on legitimate interest
Withdrawal of consentWithdraw your consent at any time

To exercise your rights: [email protected] or by post to TRUSTDATA - DPO, 7 rue Cail, 75010 Paris.

We undertake to respond within one (1) month of receiving your request.

10. Right to Lodge a Complaint with the Supervisory Authority

If you consider that the processing of your data constitutes a breach of the GDPR, you may lodge a complaint with the CNIL (French data protection authority):

CNIL - 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: https://www.cnil.fr - Phone: +33 1 53 73 22 22

11. Cookies and Trackers

For detailed information on the cookies used and to manage your preferences, please consult our Cookie Policy.

12. Policy Changes

TrustData reserves the right to amend this Privacy Policy at any time. Any material change will be notified to users by email or via a notification within the Service. The date of last update is indicated at the top of this document.

13. Contact

For any question relating to this Privacy Policy:

Email: [email protected]
Address: TRUSTDATA - DPO, 7 rue Cail, 75010 Paris, France