TrustCompass ("we", "us") helps organisations operate continuous compliance programs. This policy explains what personal data we process, why, and the rights you have under GDPR, NDPR, and similar regimes.
Data we process
- Account data: name, work email, organisation, role.
- Authentication metadata: sign-in timestamps, IP address (hashed), session tokens.
- Workspace content: evidence, controls, vendor and incident records uploaded by you.
- Diagnostic logs: error reports and aggregated usage events used to keep the service reliable.
Legal bases
Contract performance for delivery of the service; legitimate interest for security monitoring and product improvement; consent for optional analytics; and legal obligation where law requires retention.
Sharing
We share data only with sub-processors strictly required to operate the platform (hosting, transactional email, AI gateway). We never sell personal data.
Retention
Workspace content is retained for the lifetime of your subscription plus 30 days after termination, after which it is permanently deleted. You may export or delete data at any time from settings.
Your rights
You can request access, rectification, deletion, portability, restriction, or objection. Submit a verified request via our data subject form or email privacy@trustcompass.io.
Contact
Data Protection Officer — dpo@trustcompass.io