Your privacy powers our platform. Here's the short, clear version of what we collect, why, and how we protect it.
TrustedApp Privacy Policy
Last updated: September 7, 2025
Only Founders, Inc. d/b/a "TrustedApp" ("TrustedApp," "we," "us," "our")
380 C Street, Hayward, CA 94541, USA
Contact: nate@trustedapp.co
1) Scope
This Privacy Policy explains how we collect, use, disclose, and retain personal data when you use trustedapp.co, app.trustedapp.co, and any site or service that links to this Policy (the "Services"). By using the Services, you agree to this Policy.
2) Roles & responsibility (controller vs. processor)
Controller (most of the time). We act as an independent controller for account data, profiles, usage logs, product communications, payments and payouts administration, safety/abuse prevention, and analytics.
Processor / joint controller (some research). When a Provider commissions interviews/calls/surveys and we process Expert deliverables to fulfill that engagement, we may act as a processor (or joint controller) for that narrow purpose under our Data Processing Addendum (DPA) (available on request).
If anything here conflicts with a signed DPA, the DPA governs for processor-mode activities.
3) What we collect
Account & Auth. Name, email, password hash, role (Expert/Provider), and optional SSO identifiers (e.g., LinkedIn, Google if enabled).
Profile. Title, company, bio, skills/domain expertise, location region, LinkedIn URL, profile photo.
Verification. Phone number for OTP; LinkedIn URL for profile verification; payout/KYC data handled by our payments partner (we don't store full card/bank numbers).
Transactions. Bookings, invoices, payout status, tax/VAT IDs (where applicable).
Usage & Device. IP address, approximate location, device/browser type, timestamps, feature interactions, logs.
Session Content (optional). Call recordings, transcripts, notes, surveys, attachments you submit.
Marketing (optional). UTM parameters, email engagement if you opt in.
Sources. You; your device; Providers; public sources; integrated services you connect (e.g., LinkedIn OAuth); optional business enrichment.
We do not intentionally collect sensitive categories such as precise geolocation, health data, or government IDs unless required for compliance by a payments/KYC provider.
4) Why we use data (and legal bases for EEA/UK)
Provide the Services. Account creation, authentication, matching, scheduling, payments/payouts, and support. (Contract; Legitimate interests.)
Safety & integrity. Prevent abuse, fraud, spam; secure accounts and infrastructure. (Legitimate interests; Legal obligation.)
Automated matching (AI). We use LLM-assisted ranking to help Providers discover relevant Experts. Providers make final selections. You may opt out of AI ranking (manual matching may be slower). (Legitimate interests; opt-out available.)
Communications. Transactional emails/SMS (e.g., OTP, receipts, policy updates) and product updates if you subscribe. (Contract; Consent.)
Improvement & analytics. Diagnose performance, enhance accuracy, and improve workflows. We train internal models on aggregate/de-identified data only. We do not use your personal data to train third-party foundation models. (Legitimate interests.)
Compliance. Tax, accounting, auditing, lawful requests, and enforcing terms. (Legal obligation.)
5) "Notice at Collection" (CPRA)
Category | Examples | Purpose(s) | Retention |
---|---|---|---|
Identifiers | Name, email, phone (OTP), SSO IDs | Auth, account, security, communications | Account lifetime + 24 months inactivity, then delete/anonymize |
Commercial info | Bookings, invoices, payout records | Provide Services, accounting | 7 years (tax/audit) |
Internet/activity | IP, device/browser, logs, usage | Security, analytics, improvement | ≤ 30 days for logs; analytics per Section 13 |
Professional info | Title, company, expertise | Matching, profiles, discovery | Account lifetime + 24 months inactivity |
Audio/visual | Call recordings, transcripts | Research engagements (optional) | 36 months or earlier on request |
Inferences (limited) | Match scores/tags | Suggest relevant matches | Account lifetime or until opt-out |
We do not sell personal information. We may "share" personal information for cross-context behavioral advertising only if you opt in to non-essential cookies/pixels; you can opt out at any time (see Section 11).
6) Phone numbers, messaging & OTP
We process your phone number and messaging metadata (timestamps, country/carrier codes, delivery status, error codes) for authentication, fraud prevention, and account-security notifications.
Processor: Twilio (USA/EU regions as configured). We share only what's needed to send and deliver the message.
Content: OTP codes and brief transactional text (e.g., "TrustedApp code 123-456"). We don't use phone numbers for marketing without your separate opt-in.
Retention: We keep phone numbers for your active account and minimal messaging metadata for a limited period to investigate abuse/disputes, then delete or de-identify. (Twilio retains its own logs per its policy.)
Your controls: You can opt out by replying STOP (or disable phone verification where supported). You can also email us to delete your number; note this may disable SMS login.
Legal bases (EEA/UK): contract (account security) and legitimate interests (fraud/abuse prevention).
International transfers: safeguarded by vendor transfer mechanisms (see "International transfers").
7) Cookies & similar tech
Essential (auth, security, payments) — always on.
Analytics (e.g., privacy-centric tools; or Google Analytics if enabled) — to measure usage and improve performance.
Marketing pixels — load only if you opt in; we honor your choices.
Manage preferences anytime via "Cookie Settings" in the footer. We currently do not respond to DNT signals but respect your in-product cookie choices.
8) Recordings, transcripts, and content
Recording a session requires the consent of all participants. You may request deletion of a specific recording/transcript (subject to legal/audit constraints and any Provider's lawful needs). If you do not want to be recorded, decline recording or leave the session.
9) How we disclose information (processors & recipients)
We disclose personal data to service providers under contracts with confidentiality, security, and use restrictions. Typical processors include:
Payments & Payouts: Stripe (incl. Connect/KYC)
Hosting/Infra: Vercel (on AWS)
Auth & Database: Supabase
Email: Resend
SMS/OTP: Twilio
Scheduling: Cal.com
Search: Algolia
Business Enrichment (optional): Clearbit
Analytics: Privacy-centric analytics; Google Analytics only with consent
Single Sign-On: LinkedIn; Google (if enabled)
Legal & safety. We may disclose data to comply with law, protect rights/safety, or in a merger/acquisition.
Sub-processors page. We maintain a current list at /subprocessors (or will provide it by email if the page is not yet live).
10) International transfers
Where required, we rely on Standard Contractual Clauses (SCCs) and vendor technical/organizational measures for cross-border transfers.
11) Your choices
AI matching opt-out. Ask us to exclude your profile from LLM-assisted ranking.
Email preferences. Unsubscribe links are included in non-essential emails.
Cookie controls. Use "Cookie Settings" in the footer to turn analytics/marketing on/off.
"Do Not Sell or Share." Use the footer link to opt out of cross-context behavioral advertising (if any non-essential pixels are enabled).
12) Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict/object to certain processing, and port your data.
California (CPRA) & other U.S. states. You may request to know, access, correct, delete, and opt out of sale/share/targeted advertising. We will not discriminate for exercising rights. If we deny your request, you may appeal by replying to our decision email; we'll respond within 45 days.
EEA/UK/Switzerland. You have rights to access, rectification, erasure, restriction/objection, and portability; you may lodge a complaint with your local supervisory authority.
How to exercise rights. Email nate@trustedapp.co with the subject "Privacy Request." We must verify your identity (e.g., email confirmation, logged-in request). You may use an authorized agent per applicable law.
Response times. We aim to respond within 30 days (extendable once if reasonably necessary).
13) Retention
We keep data only as long as needed for the purposes described, then delete or de-identify it.
Account & profile: Active account + 24 months of inactivity
Financial records (invoices, payouts): 7 years (tax/audit)
Recordings & transcripts: 36 months or earlier upon approved request
Security logs & backups: ≤ 30 days (longer if investigating abuse)
Marketing contacts: Until you unsubscribe or 24 months of no engagement
14) Security
We use industry-standard safeguards: encryption in transit and at rest; least-privilege access; MFA for admin access; audit logging; and periodic security testing and reviews. No method of transmission or storage is 100% secure.
15) Children
The Services are not directed to children under 16 (or the age required by your jurisdiction). Do not use the Services if you are under the applicable age.
16) Third-party sites
The Services may link to third-party sites or services. Their privacy practices are governed by their own policies.
17) Changes to this Policy
We will post updates here and notify account holders of material changes at least 14 days before they take effect. Continued use after the effective date means you accept the changes.
18) Contact
Questions, requests, or complaints: nate@trustedapp.co
Postal: Only Founders, Inc., 380 C Street, Hayward, CA 94541, USA
© 2025 Only Founders, Inc. d/b/a TrustedApp. All rights reserved.