Privacy Policy

Last updated: March 2026

1. Data Controller

TrustFlow SL ("TrustFlow", "we", "us") is the data controller for personal data processed through our website and the data processor for data submitted via our API.

Email: privacy@trust-flow.dev

2. Data We Collect

2.1 Account Data (Controller)

  • Name and email address (at signup)
  • API key hash (we never store your plaintext key)
  • Billing information (processed by Stripe; we don't store card details)
  • Plan and usage history

2.2 Transaction Data (Processor)

Data you submit via the API for risk evaluation:

  • Transaction amount, currency, category
  • Merchant identifier
  • User identifier (as defined by you)
  • User balance and limits (optional)
  • Custom metadata (optional)

2.3 Technical Data

  • IP addresses (for rate limiting and security; retained 30 days)
  • API request logs (endpoint, response time, status code)
  • Error logs for debugging

3. Legal Basis for Processing (GDPR Art. 6)

  • Account data — Contract performance (Art. 6.1.b)
  • Transaction data — Contract performance + Legitimate interest (Art. 6.1.b, 6.1.f)
  • Billing data — Contract + Legal obligation (Art. 6.1.b, 6.1.c)
  • Technical/security logs — Legitimate interest (Art. 6.1.f)

4. How We Use Your Data

  • To provide the risk evaluation Service
  • To enforce rate limits and prevent abuse
  • To generate usage reports and billing
  • To improve our risk scoring algorithms (aggregated, anonymized only)
  • To comply with legal obligations

5. Data We Do NOT Collect

  • We do NOT require or store end-user PII (names, addresses, phone numbers)
  • We do NOT store payment card numbers (Stripe handles this)
  • We do NOT use tracking cookies or advertising pixels
  • We do NOT sell your data to third parties

6. Data Sharing

We share data only with:

  • Stripe — For payment processing (governed by Stripe's DPA)
  • Cloud hosting provider — For infrastructure (with DPA in place)
  • Law enforcement — Only when legally required

7. Data Retention

  • Account data — Duration of account + 5 years (legal obligation)
  • Transaction evaluations — 90 days (Free), 1 year (Pro), custom (Enterprise)
  • API request logs — 30 days
  • Security/audit logs — 1 year
  • Billing records — 7 years (Spanish tax law)

8. Data Security

  • All API communication encrypted via TLS 1.2+
  • API keys stored as SHA-256 hashes
  • Webhook secrets stored as SHA-256 hashes
  • Infrastructure hardened with security headers (HSTS, CSP, X-Frame-Options)
  • Access to production systems restricted to authorized personnel

9. International Transfers

  • Our primary infrastructure is located in the EU (Ireland/Madrid)
  • If data is transferred outside the EU, we ensure adequacy decisions or Standard Contractual Clauses are in place

10. Your Rights (GDPR)

You have the right to:

  • Access — Request a copy of your data
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion of your data ("right to be forgotten")
  • Portability — Receive your data in a machine-readable format
  • Restriction — Limit how we process your data
  • Objection — Object to processing based on legitimate interest
  • Withdraw consent — Where consent is the legal basis

To exercise these rights, email privacy@trust-flow.dev. We respond within 30 days.

11. Data Protection Officer

For data protection inquiries: dpo@trust-flow.dev

12. Supervisory Authority

You may file a complaint with the Spanish Data Protection Agency (AEPD):

  • Website: www.aepd.es
  • Address: C/ Jorge Juan, 6, 28001 Madrid

13. Changes

We will notify you of material changes via email at least 30 days in advance.