Privacy Policy
Last updated 2026-05-06
This policy describes what TrustAtlas collects, how it is used, and the choices you have. We aim to collect the minimum needed to run the service and to be specific about every third party that touches your data.
What we collect
We split data into three categories:
Account data (only if you register)
- Email address (required)
- Password (stored as a PBKDF2 hash with a per-user salt; we never see the plaintext)
- Name and company name (optional, set during registration)
- Subscription tier and billing status (free, professional, enterprise)
Activity data (only if you act on the site)
- Saved vendors and watchlist entries (only if you click Save or Add to watchlist)
- Risk-weight profiles you create
- Login timestamps for session continuity
Technical data (visitors and authenticated users)
- Server access logs (IP address, request path, user agent, timestamp) retained ≤ 30 days for security and abuse prevention
- Browser storage (no third-party cookies): a single localStorage entry holding your auth token if you sign in
What we do not collect
- No third-party analytics SDKs (no Google Analytics, no Segment, no Mixpanel)
- No advertising trackers
- No fingerprinting beyond what is in standard server access logs
- No social media share-button trackers (the share popover opens an intent URL only when you click it)
How we use your data
- Authentication and session continuity — match you to your saved vendors, watchlist, and risk-weight profiles
- Notifications — send the watchlist alerts you have explicitly opted in to (default-off; configurable per-vendor in your dashboard)
- Billing — manage your subscription if you upgrade to a paid plan
- Service operation — uptime monitoring, abuse prevention, security review of access logs
We do not sell or rent personal data. We do not use your data to train AI models.
Third-party processors
The following sub-processors receive specific subsets of your data in the course of providing the service:
- Cloudflare — hosts the application (Workers, Pages, D1, KV, R2). Sees all request data including IP and request body.
- Stripe (only if you upgrade to a paid plan) — processes payment card data. We never see your full card number; Stripe returns a customer ID we associate with your account. Stripe's privacy policy is at stripe.com/privacy.
- Mailgun (only if you opt in to email alerts) — sends transactional emails (watchlist alerts, weekly digest). Sees your email address and the alert content. Mailgun's privacy policy is at mailgun.com/privacy-policy.
Your rights
Regardless of where you live, you may:
- Access your account data — visible on the dashboard
- Correct your name, company, and email — from account settings
- Delete your account and all associated data — email privacy@trustatlas.com and we will action the request within 30 days
- Export your saved vendors, watchlist, and weight profiles as JSON — email the same address
- Opt out of all email contact — toggle it off in the dashboard or use the unsubscribe link in any email
If you live in the EU/EEA/UK, GDPR rights including data portability and the right to lodge a complaint with your supervisory authority apply. If you live in California, CCPA rights including right to know, delete, and opt out apply.
Data residency
The application database is hosted on Cloudflare D1 in the EWR (Newark, NJ) region by default. Cloudflare may replicate to other regions for redundancy. Email is processed by Mailgun's US infrastructure. Stripe processes payment data in its US infrastructure with cross-border transfers governed by Stripe's own GDPR-compliant DPA.
Children
TrustAtlas is intended for procurement, IT, and security professionals. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, email privacy@trustatlas.com and we will delete the account.
Changes to this policy
Material changes will be announced via email to active users and noted at the top of this page with a new Last updated date. Continued use after a change indicates acceptance.
Contact
Questions about this policy or your data: privacy@trustatlas.com