Legal

Everything you need to know about how trusqo handles your data, our terms, and your rights.

Last updated: 23 February 2026

Privacy policy

This policy explains how trusqo ("we", "us", "our") collects, uses, and protects personal data. It applies to visitors of our website (www.trusqo.com), users of our application (app.trusqo.com), and individuals whose data is processed through our document verification service.

Our role: controller vs. processor

We act in two capacities:

Data controller — for data we collect directly: your account information, website usage data, and billing details. We decide why and how this data is processed.
Data processor — for documents and personal data submitted through our verification service. Your organisation (our customer) is the data controller. We process this data only on your instructions and in accordance with our data processing terms.

What data we collect

Account data — when you create an account, we collect your name (or company name), email address, and authentication credentials. If you subscribe to a paid plan, our payment processor (Stripe) handles your payment details; we do not store card numbers.

Document data — when a verification request is submitted (by you or via API), we receive the uploaded document files (PDFs, images) and the reference data provided for matching (name, address, postcode). Our AI extraction system processes the documents to extract names, addresses, dates, and document types.

Usage data — we collect basic analytics about how you use our service: pages visited, features used, API calls made, and verification results. We do not use third-party tracking or advertising cookies.

Technical data — standard server logs including IP addresses, browser type, and timestamps. These are retained for security and debugging purposes.

Why we process your data

Purpose	Legal basis (GDPR)
Provide the verification service	Performance of contract (Art. 6(1)(b))
Manage your account and billing	Performance of contract (Art. 6(1)(b))
Send service notifications (verification results, account alerts)	Performance of contract (Art. 6(1)(b))
Improve the service and fix bugs	Legitimate interest (Art. 6(1)(f))
Prevent fraud and abuse	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Legal obligation (Art. 6(1)(c))

How long we keep your data

Data type	Retention period
Uploaded documents (files)	90 days after verification, then permanently deleted
Verification results and extracted data	Retained while your account is active, deleted within 30 days of account closure
Account data	Retained while your account is active, deleted within 30 days of account closure
Server logs	90 days
Billing records	7 years (legal requirement)

AI processing disclosure

We use a large language model (LLM) API to extract information from uploaded documents. When a document is submitted for verification:

The document content is sent to our LLM provider's API for text extraction
Our LLM provider operates under a Data Processing Addendum (DPA) with zero data retention — document content is not stored by the provider or used to train their models
Extracted data (names, addresses, dates, document type) is returned to our service for matching
The final verification decision (approved, declined, needs review) is made by our matching algorithms, not by AI — the AI only extracts text from documents

No fully automated decisions with legal or significant effects are made by our service. The verification result is a data point for your own decision-making process.

International data transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically:

LLM provider (United States) — for document text extraction, operated under a DPA with zero data retention and covered by Standard Contractual Clauses (SCCs). See sub-processors for the current provider
Stripe (United States) — for payment processing, covered by the EU-US Data Privacy Framework

We ensure all international transfers are protected by appropriate safeguards as required by GDPR Chapter V.

Your rights

Under GDPR, you have the right to:

Access your personal data and request a copy
Rectify inaccurate or incomplete data
Erase your data ("right to be forgotten")
Restrict processing in certain circumstances
Port your data to another service
Object to processing based on legitimate interest

To exercise any of these rights, email privacy@trusqo.com. We will respond within 30 days.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection supervisory authority.

Note for end users: if your personal data was submitted to trusqo by one of our customers (e.g. a business verifying your proof of address), that business is the data controller. Please contact them directly to exercise your rights. We will assist them in fulfilling your request.

Terms of service

By creating an account or using the trusqo service, you agree to these terms. If you are using trusqo on behalf of an organisation, you are agreeing on behalf of that organisation.

The service

trusqo provides automated document verification for proof of address. You submit documents and reference data, and our service extracts information and compares it against your provided data, returning a verification result.

The service is provided "as is". While we strive for high accuracy, automated extraction is not infallible. You are responsible for determining how to act on verification results within your own compliance processes.

Account responsibilities

You must provide accurate account information
You are responsible for keeping your API keys and credentials secure
You are responsible for all activity under your account
You must notify us immediately if you suspect unauthorised access

Acceptable use

You may use trusqo only for legitimate business verification purposes. You must not:

Submit fraudulent or forged documents
Use the service for any illegal purpose
Attempt to reverse-engineer, scrape, or extract our algorithms or models
Submit documents without a lawful basis to process the personal data they contain
Exceed rate limits or attempt to disrupt the service

Your responsibilities as data controller

When you submit documents containing personal data to trusqo for verification, you act as the data controller. You are responsible for:

Having a valid legal basis (under GDPR or applicable law) to collect and process the documents you submit
Informing the individuals whose documents you submit about how their data will be processed, including by trusqo as your processor
Responding to data subject requests from those individuals
Conducting a Data Protection Impact Assessment (DPIA) where required

Billing and payments

Paid plans are billed monthly via Stripe. Prices are in euros (EUR) and exclude applicable taxes. You can upgrade, downgrade, or cancel your plan at any time from the dashboard. Cancellation takes effect at the end of the current billing period.

Checks that exceed your plan's included allowance are billed as overage at the per-check rate shown on your plan.

Intellectual property

trusqo owns all rights to the service, including the software, API, dashboard, algorithms, and documentation. You retain ownership of all data you submit. We claim no ownership of your documents or verification results.

Limitation of liability

To the maximum extent permitted by law:

trusqo is not liable for indirect, incidental, special, consequential, or punitive damages
Our total liability for any claim arising from the service is limited to the amount you paid us in the 12 months preceding the claim
We are not liable for decisions you make based on verification results
We do not guarantee 100% accuracy of document extraction or matching

Termination

You may close your account at any time. We may suspend or terminate your account if you violate these terms, with notice where practicable. Upon termination:

Your access to the service will cease
Uploaded documents will be deleted within 30 days
Verification results will be deleted within 30 days
We will retain billing records as required by law

Changes to these terms

We may update these terms from time to time. Material changes will be notified via email at least 30 days in advance. Continued use of the service after changes take effect constitutes acceptance.

Governing law

These terms are governed by the laws of Bulgaria. Any disputes will be resolved in the courts of Bulgaria.

Legal entity: Ohrid 19, Varna 9000, Bulgaria, 205469135

Data processing

This section describes how trusqo processes personal data on behalf of our customers, in accordance with GDPR Article 28.

Scope of processing

Aspect	Detail
Subject matter	Automated verification of proof of address documents
Duration	For the term of the customer's subscription, plus a 30-day deletion period
Categories of data subjects	Individuals whose documents are submitted for verification (typically customers or clients of our business customers)
Types of personal data	Names, addresses, postcodes, document images, issue dates, document types

Our obligations as processor

We process personal data only on your documented instructions (i.e., through the API and dashboard functionality you use)
All personnel with access to personal data are bound by confidentiality obligations
We implement appropriate technical and organisational security measures (see below)
We will not engage new sub-processors without providing you notice and the opportunity to object
We assist you in responding to data subject requests and fulfilling your GDPR obligations
Upon termination, we delete all personal data within 30 days unless retention is required by law

Security measures

All data in transit is encrypted with TLS 1.2+
Uploaded documents are stored in isolated, access-controlled directories
API keys are hashed; authentication uses secure OAuth 2.0 flows
Access to production systems is restricted and logged
Regular security reviews and dependency updates

Breach notification

In the event of a personal data breach, we will notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the data affected, likely consequences, and the measures taken to address it.

Data retention and deletion

Uploaded document files are automatically deleted 90 days after the verification is completed. Verification results and extracted data are retained while your account is active and deleted within 30 days of account closure. You can request earlier deletion of specific verification requests through the dashboard or by contacting us.

Sub-processors

We use the following third-party sub-processors to deliver the trusqo service. We have Data Processing Agreements in place with each.

Sub-processor	Purpose	Location
Stripe	Payment processing and subscription management	United States
Google	OAuth authentication (sign-in)	United States
OpenAI	LLM-powered text extraction from documents (zero data retention)	United States
Anthropic	LLM-powered text extraction from documents (zero data retention)	United States
Google (Gemini)	LLM-powered text extraction from documents (zero data retention)	United States

We may use one or more of the LLM providers listed above for document extraction at any given time. All LLM providers operate under a Data Processing Addendum with zero data retention — document content is not stored by the provider or used to train models. We will notify customers via email before adding sub-processors not already listed here. If you object to a new sub-processor, you may terminate your subscription before the change takes effect.

Our website and application use a minimal set of cookies, all of which are strictly necessary for the service to function. We do not use analytics, advertising, or tracking cookies.

Cookie	Purpose	Duration
`next-auth.session-token`	Authentication session — keeps you signed in	Session (30 days)
`next-auth.csrf-token`	Security — prevents cross-site request forgery	Session
`next-auth.callback-url`	Authentication flow — redirect after sign-in	Session

Since all cookies are strictly necessary for the service to function, no consent banner is required under the ePrivacy Directive. We do not set any cookies on the marketing website (www.trusqo.com) — cookies are only used in the application (app.trusqo.com).

Contact

For privacy-related questions, data subject requests, or to report a security concern:

Email: privacy@trusqo.com
General enquiries: hello@trusqo.com

We aim to respond to all privacy requests within 30 days.