Privacy Policy
Last updated: 6 May 2026
Who we are
TrustReply is operated by Ben Gowers, a sole trader based in England & Wales. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data you give us through this service.
What we collect
- Account data — your email address (used for magic-link sign-in) and your plan.
- Customer content — the policies you write into the policy library and the questionnaires you upload, plus any drafts and edits you make.
- Billing data — when you subscribe, Stripe processes your payment. We store your Stripe customer ID and subscription status; we never see or store your card details.
- Operational logs — minimal request logs (timestamps, status codes, anonymised IPs) for security and debugging.
How we use it
We use your data to run the service: authenticate you, draft answers from your policies, store your work, bill you, and respond to support requests. We do not sell your data, we do not use your content to train AI models, and we do not share it for advertising.
Subprocessors
We use a small set of trusted providers to deliver the service. Each is contractually bound to protect your data:
- Supabase — Postgres database, authentication, and file storage (EU region).
- Anthropic — AI model that drafts answers from your policy library. Anthropic does not use API inputs or outputs to train its models by default.
- Stripe — subscription billing and customer portal.
- Vercel — hosting and content delivery.
- Resend (where configured) — transactional email delivery.
Where your data is stored
Customer content is stored in our Supabase project (EU region). Some subprocessors (Anthropic, Stripe, Vercel) may process data in the United States or other regions; transfers rely on Standard Contractual Clauses or equivalent safeguards.
Retention
We keep your policies and questionnaires for as long as your account is active. When you delete an item it is removed from active databases promptly and from backups within 30 days. When you close your account, we delete your customer content within 30 days, except where we're required to keep limited records (for example, billing data we need to retain for tax purposes).
Security
Data in transit is encrypted with TLS. Data at rest is encrypted by our infrastructure providers. Our database enforces row-level security so a signed-in user can only read and write their own rows. We never expose service keys to the browser.
Your rights
Under UK GDPR you have the right to access, correct, export, and delete your personal data, to restrict or object to processing, and to lodge a complaint with the Information Commissioner's Office (ico.org.uk). To exercise any of these rights, email support@trustreply.co.uk.
Cookies
We use a single first-party session cookie to keep you signed in. We do not use advertising or analytics cookies on the marketing site.
Changes
We'll update this page when our practices change and notify active users by email if a change is material.
Contact
Privacy questions or requests: support@trustreply.co.uk.