Privacy Policy
TrustLoop ("we", "us", "our") is a limited company registered in the United Kingdom. We serve customers globally — including in the EU, the United States, and beyond. This Privacy Policy explains what personal data we collect, how we use it, and your rights regardless of where you are located.
As a UK-registered company, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 as our primary legal framework. Where we process data of EU residents, we also comply with the EU GDPR. Where applicable, we respect the rights of US residents under state privacy laws including the California Consumer Privacy Act (CCPA/CPRA).
By using TrustLoop at trustloop.live or our MCP proxy software, you agree to the practices described in this policy.
1 Who We Are
Data Controller: TrustLoop Ltd
Registered in: United Kingdom
Contact: privacy@trustloop.live
2 What Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, password (hashed) | You, when signing up |
| Billing data | Subscription plan, payment method (tokenised), invoice history | Stripe (payment processor) |
| Tool call logs | Timestamp, tool name, arguments, status (ALLOWED/BLOCKED/ERROR), result | Generated by your AI agents via the TrustLoop MCP proxy |
| Usage analytics | Pages visited, features used, session duration | Automatically, via our web infrastructure |
| Communications | Support emails, feedback submitted | You, when contacting us |
Tool call logs may contain data about the actions your AI agents perform. You control what tools are exposed to TrustLoop. Do not expose tools that process sensitive personal data unless you have a lawful basis to do so under UK GDPR.
3 How We Use Your Data
We process your data for the following purposes and legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the TrustLoop service (audit logging, governance enforcement) | Contract performance |
| Processing subscription payments | Contract performance |
| Sending transactional emails (receipts, security alerts) | Contract performance |
| Improving the product and fixing bugs | Legitimate interests |
| Complying with legal obligations (tax, regulatory) | Legal obligation |
| Sending product updates and newsletters (opt-in) | Consent |
We do not sell your data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects.
4 Blockchain-Anchored Data
TrustLoop anchors SHA-256 hashes of your audit logs to a blockchain ledger for tamper-evidence. These hashes are cryptographic fingerprints — they do not contain personal data and cannot be reversed to reveal log contents.
Once a hash has been recorded on-chain, it is permanently and irreversibly stored on the blockchain. This is a deliberate feature of the service — it provides the immutability guarantee TrustLoop is built on. Because of this:
- Anchored hashes cannot be deleted or modified, even on request.
- The underlying log data (which does contain your data) is stored in our database and is subject to normal deletion rights.
- You should not configure TrustLoop in a way that causes personal data itself (rather than a hash of it) to be written to the blockchain.
5 Data Retention
- Account data: Retained for the duration of your subscription plus 12 months after closure, unless deletion is requested earlier.
- Tool call logs: Retained for 12 months by default. Business plan customers may configure custom retention periods.
- Billing records: Retained for 7 years as required by UK tax law.
- Blockchain hashes: Permanent and irreversible (see Section 4).
- Communications: Retained for 24 months.
6 Third-Party Services
We use the following sub-processors to deliver the service:
| Provider | Purpose | Data transferred |
|---|---|---|
| Supabase | Database and authentication hosting | Account data, tool call logs |
| Stripe | Payment processing | Billing data |
| Vercel | Website hosting | Usage analytics, IP address |
All sub-processors are contractually bound to process data only as instructed and in accordance with applicable data protection law. Where data is transferred internationally — including outside the UK or the EU — we ensure appropriate safeguards are in place, such as UK/EU adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent mechanisms recognised under applicable law.
7 Cookies
Our website uses minimal cookies:
- Session cookies: Required for authentication. These expire when you close your browser.
- Preference cookies: Store your display settings. These persist for 12 months.
We do not use advertising, tracking, or third-party analytics cookies. We do not use cookie consent banners because we only use strictly necessary cookies that do not require consent under UK law.
8 Your Privacy Rights
Regardless of where you are located, you may exercise the following rights over your personal data by emailing privacy@trustloop.live. We will respond within 30 days.
- Right of access — Request a copy of the data we hold about you.
- Right to rectification — Ask us to correct inaccurate or incomplete data.
- Right to erasure — Request deletion of your data (subject to legal retention obligations and the blockchain exception in Section 4).
- Right to restrict processing — Ask us to pause processing of your data in certain circumstances.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Right to withdraw consent — Withdraw consent for marketing communications at any time.
UK & EU residents: You also have the right to lodge a complaint with a supervisory authority. UK residents may contact the Information Commissioner's Office (ICO). EU residents may contact the supervisory authority in their country of residence.
California residents (CCPA/CPRA): You have the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right not to be discriminated against for exercising your rights. To submit a request, email privacy@trustloop.live.
All other jurisdictions: We extend the same core rights — access, correction, deletion, and objection — to all users globally, regardless of local law, as a matter of principle.
9 Data Security
We implement the following security measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher.
- Database access is restricted by role-based access controls.
- Audit logs are cryptographically hashed to detect tampering.
- Passwords are hashed using industry-standard algorithms (bcrypt).
- Access to production systems is limited to authorised personnel only.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (including the ICO for UK residents) within 72 hours and notify affected users without undue delay.
10 Children's Privacy
TrustLoop is a developer tool intended for business use. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately at privacy@trustloop.live and we will delete it.
11 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of TrustLoop after changes are published constitutes acceptance of the updated policy.
Questions about this policy?
If you have any questions, concerns, or requests regarding your personal data, please contact us directly:
TrustLoop Ltd
Email: privacy@trustloop.live
Website: trustloop.live
We aim to respond to all data-related enquiries within 5 business days.