trustcert.ai

Privacy policy

Last updated: June 10, 2026

DRAFT — placeholder content. This document has not been reviewed by legal counsel. Entity name, governing law, contact details, and all substantive terms must be confirmed before final publication.

01 Who we are

trustcert.ai is operated by TrustCert LLC (“TrustCert”, “we”, “us”) [entity name to be confirmed]. This policy describes what personal data we collect when you use the trustcert.ai service, how we use it, who we share it with, and the choices you have. It should be read together with our Terms of Service.

02 Information we collect

Account data. When you register we collect your email address, display name, and authentication credentials, managed through Firebase Authentication. If you sign in with a federated provider (such as Google or Microsoft), we receive your name and email from that provider.

Chat content. Your messages, conversation history, and the AI responses generated for you are stored in our database so you can return to past conversations.

Uploaded files. Documents, images, and audio you upload for analysis are stored in Google Cloud Storage and automatically deleted approximately 24 hours after upload.

Billing data. Payments are processed by Stripe. We store your subscription tier, Stripe customer and subscription identifiers, and billing status. We never see or store your full card number — that is handled entirely by Stripe.

Usage and security data. We record daily usage (credits), model and token usage per message, and signals from Google reCAPTCHA Enterprise and Firebase App Check used to protect the Service from abuse.

03 How we use your information

  • to provide, operate, and secure the Service;
  • to generate AI responses grounded in regulatory sources, including classifying queries to retrieve relevant compliance requirements;
  • to manage subscriptions, billing, and usage allowances;
  • to send transactional email — verification, research-completion notices, and account or billing notifications (via Resend);
  • to prevent fraud, bots, and abuse;
  • to comply with legal obligations.

We do not sell your personal data, and we do not use your content for advertising.

04 AI processing of your content

To generate responses, your messages and uploaded files are transmitted to Google’s Gemini API for processing. Anonymized, aggregate research derived from queries (for example, which regulations are frequently asked about) may be used to improve our curated regulatory corpus; this corpus contains regulatory information, not your personal data or documents. [Confirm description of Google API data-usage terms with counsel.]

05 Service providers and sharing

We share data only with the processors needed to run the Service: Google Cloud Platform and Firebase (hosting, authentication, database, file storage), Google Gemini API (AI processing), Stripe (payments), Resend (transactional email), and Google reCAPTCHA Enterprise (abuse prevention). We may also disclose data where required by law or to protect our rights, and in connection with a merger or acquisition, subject to this policy.

This site is protected by reCAPTCHA Enterprise and the Google Privacy Policy and Terms of Service apply.

06 Data retention

  • Uploaded files: deleted automatically approximately 24 hours after upload.
  • Chat history: retained until you delete the conversation or your account.
  • Account data: retained while your account is active; deleted when you delete your account, except where we must retain records (for example, billing records) to meet legal obligations.

Deleting your account also cancels any active Stripe subscription.

07 Security

Data is encrypted in transit (TLS) and at rest by our cloud providers. Access to production systems is restricted through identity-based access controls and service accounts with least privilege. Multi-factor authentication is available for your account and we recommend enabling it in account settings. No system is perfectly secure; notify us immediately if you suspect unauthorized access to your account.

08 Your rights and choices

You can view and update your profile, manage multi-factor authentication, and delete your account from your account settings. Depending on where you live, you may also have rights to access, correct, export, or erase your personal data, to object to or restrict processing, and to lodge a complaint with a supervisory authority. To exercise these rights, contact support@trustcert.ai. [Region-specific rights sections — GDPR, CCPA/CPRA, and similar — to be completed by counsel.]

09 Cookies and local storage

We use cookies and browser storage for authentication session state, security tokens (Firebase App Check and reCAPTCHA Enterprise), and interface preferences such as your theme choice. We do not use third-party advertising or cross-site tracking cookies.

10 International transfers

The Service is hosted on Google Cloud infrastructure in the United States. If you access the Service from outside the United States, your data is transferred to and processed in the United States. [Transfer mechanisms — for example, Standard Contractual Clauses for EEA/UK users — to be confirmed by counsel.]

11 Children

The Service is intended for business and professional use and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

12 Changes to this policy

We may update this policy from time to time. For material changes we will give notice — for example by email or an in-product notice — before the changes take effect. The “Last updated” date above reflects the latest revision.

13 Contact

Privacy questions or requests: support@trustcert.ai [contact address, registered business address, and any data protection officer designation to be confirmed before publication].