Privacy Policy

Privacy Summary

TrustVault operates under the privacy framework of pocketOne Ltd. We are committed to protecting your privacy and processing personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Categories of Personal Data Processed

We process the following categories of personal data, depending on your interaction with our website and services:

1.1 Website Visitors

• Technical Data: IP address, browser type, operating system, referring URL, pages visited, access times
• Cookies: As described in our Cookie Policy

1.2 Contact Inquiries

• Contact Information: Name, organization, email address, phone number
• Communication Content: Subject matter, message content, correspondence history

1.3 Service Users

For organizations using TrustVault services, personal data processing depends on the specific service arrangement and is governed by separate contractual agreements. Processing may include:

• Technical Identifiers: User IDs, system identifiers, certificate subject information
• Audit Information: Timestamps, actions performed, system access logs
• Certificate Subject Data: Information included in certificate requests (e.g., organization, common name, email)

2. Purposes and Legal Bases

We process personal data for the following purposes and based on the following legal bases:

3. Data Recipients and Transfers

3.1 Internal Recipients

Personal data is accessible only to employees and contractors who require access to perform their duties, subject to strict confidentiality obligations and access controls.

3.2 External Recipients

We may share personal data with the following categories of recipients:

• Technical Service Providers: Hosting, infrastructure, and security service providers operating under data processing agreements
• Professional Advisors: Legal, accounting, and consulting firms bound by confidentiality obligations
• Public Authorities: Where required by law or in response to lawful requests

3.3 International Transfers

TrustVault infrastructure is primarily hosted within the European Union. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• European Commission adequacy decisions for the recipient country
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules or other approved transfer mechanisms

4. Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Website Logs: Typically 90 days, unless required longer for security investigations
• Contact Inquiries: Duration of correspondence plus 12 months, unless longer retention is required for contract performance
• Service Data: Duration of service relationship plus retention periods required by applicable law or certificate lifecycle requirements (e.g., certificate audit logs may be retained for 7-10 years)
• Legal Compliance: As required by applicable law (e.g., accounting records, audit trails)

5. Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15): Obtain confirmation whether we process your personal data and receive a copy
• Right to Rectification (Article 16): Request correction of inaccurate personal data
• Right to Erasure (Article 17): Request deletion of personal data in certain circumstances
• Right to Restriction of Processing (Article 18): Request limitation of processing in certain circumstances
• Right to Data Portability (Article 20): Receive personal data in a structured, commonly used format and transmit it to another controller
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
• Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (we do not currently engage in such processing)

Exercising Your Rights: To exercise these rights, please contact us via our contact page. We will respond within one month, extendable by two additional months for complex requests.

Limitations: Some rights may be limited by legal obligations or other lawful grounds. For example, we may be required to retain certain audit logs for certificate lifecycle compliance.

6. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

• HSM-backed encryption for cryptographic operations
• Transport encryption (TLS/HTTPS) for data in transit
• Encryption at rest for sensitive data
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Segregated environments for development, testing, and production
• Employee training on data protection

7. Cookies and Tracking Technologies

We use cookies and similar technologies as described in our separate Cookie Policy. Essential cookies are necessary for website functionality; other cookies require your consent.

8. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies.

9. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it.

10. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when changes were last made. We encourage you to review this policy periodically.

11. Contact and Complaints

For questions or concerns about this Privacy Policy or our data processing practices, please contact:

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of alleged infringement.