Skip to content
trusqo
Product
Use cases
KYC compliance AML compliance Fintech Property management Crypto exchanges Remittance
Pricing Docs Log in Book a demo Get started

Legal

Everything you need to know about how trusqo handles your data, our terms, and your rights.

Privacy policy Terms of service Data processing Sub-processors Cookie policy Contact

Last updated: 23 February 2026

Privacy policy

This policy explains how trusqo ("we", "us", "our") collects, uses, and protects personal data. It applies to visitors of our website (www.trusqo.com), users of our application (app.trusqo.com), and individuals whose data is processed through our document verification service.

Our role: controller vs. processor

We act in two capacities:

  • Data controller — for data we collect directly: your account information, website usage data, and billing details. We decide why and how this data is processed.
  • Data processor — for documents and personal data submitted through our verification service. Your organisation (our customer) is the data controller. We process this data only on your instructions and in accordance with our data processing terms.

What data we collect

Account data — when you create an account, we collect your name (or company name), email address, and authentication credentials. If you subscribe to a paid plan, our payment processor (Stripe) handles your payment details; we do not store card numbers.

Document data — when a verification request is submitted (by you or via API), we receive the uploaded document files (PDFs, images) and the reference data provided for matching (name, address, postcode). Our AI extraction system processes the documents to extract names, addresses, dates, and document types.

Usage data — we collect basic analytics about how you use our service: pages visited, features used, API calls made, and verification results. We do not use third-party tracking or advertising cookies.

Technical data — standard server logs including IP addresses, browser type, and timestamps. These are retained for security and debugging purposes.

Why we process your data

PurposeLegal basis (GDPR)
Provide the verification servicePerformance of contract (Art. 6(1)(b))
Manage your account and billingPerformance of contract (Art. 6(1)(b))
Send service notifications (verification results, account alerts)Performance of contract (Art. 6(1)(b))
Improve the service and fix bugsLegitimate interest (Art. 6(1)(f))
Prevent fraud and abuseLegitimate interest (Art. 6(1)(f))
Comply with legal obligationsLegal obligation (Art. 6(1)(c))

How long we keep your data

Data typeRetention period
Uploaded documents (files)90 days after verification, then permanently deleted
Verification results and extracted dataRetained while your account is active, deleted within 30 days of account closure
Account dataRetained while your account is active, deleted within 30 days of account closure
Server logs90 days
Billing records7 years (legal requirement)

AI processing disclosure

We use a large language model (LLM) API to extract information from uploaded documents. When a document is submitted for verification:

  • The document content is sent to our LLM provider's API for text extraction
  • Our LLM provider operates under a Data Processing Addendum (DPA) with zero data retention — document content is not stored by the provider or used to train their models
  • Extracted data (names, addresses, dates, document type) is returned to our service for matching
  • The final verification decision (approved, declined, needs review) is made by our matching algorithms, not by AI — the AI only extracts text from documents

No fully automated decisions with legal or significant effects are made by our service. The verification result is a data point for your own decision-making process.

International data transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically:

  • LLM provider (United States) — for document text extraction, operated under a DPA with zero data retention and covered by Standard Contractual Clauses (SCCs). See sub-processors for the current provider
  • Stripe (United States) — for payment processing, covered by the EU-US Data Privacy Framework

We ensure all international transfers are protected by appropriate safeguards as required by GDPR Chapter V.

Your rights

Under GDPR, you have the right to:

  • Access your personal data and request a copy
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Port your data to another service
  • Object to processing based on legitimate interest

To exercise any of these rights, email hey@trusqo.com. We will respond within 30 days.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection supervisory authority.

Note for end users: if your personal data was submitted to trusqo by one of our customers (e.g. a business verifying your proof of address), that business is the data controller. Please contact them directly to exercise your rights. We will assist them in fulfilling your request.

Terms of service

By creating an account or using the trusqo service, you agree to these terms. If you are using trusqo on behalf of an organisation, you are agreeing on behalf of that organisation.

The service

trusqo provides automated document verification for proof of address. You submit documents and reference data, and our service extracts information and compares it against your provided data, returning a verification result.

The service is provided "as is". While we strive for high accuracy, automated extraction is not infallible. You are responsible for determining how to act on verification results within your own compliance processes.

Account responsibilities

  • You must provide accurate account information
  • You are responsible for keeping your API keys and credentials secure
  • You are responsible for all activity under your account
  • You must notify us immediately if you suspect unauthorised access

Acceptable use

You may use trusqo only for legitimate business verification purposes. You must not:

  • Submit fraudulent or forged documents
  • Use the service for any illegal purpose
  • Attempt to reverse-engineer, scrape, or extract our algorithms or models
  • Submit documents without a lawful basis to process the personal data they contain
  • Exceed rate limits or attempt to disrupt the service

Your responsibilities as data controller

When you submit documents containing personal data to trusqo for verification, you act as the data controller. You are responsible for:

  • Having a valid legal basis (under GDPR or applicable law) to collect and process the documents you submit
  • Informing the individuals whose documents you submit about how their data will be processed, including by trusqo as your processor
  • Responding to data subject requests from those individuals
  • Conducting a Data Protection Impact Assessment (DPIA) where required

Billing and payments

Paid plans are billed monthly via Stripe. Prices are in euros (EUR) and exclude applicable taxes. You can upgrade, downgrade, or cancel your plan at any time from the dashboard. Cancellation takes effect at the end of the current billing period.

Checks that exceed your plan's included allowance are billed as overage at the per-check rate shown on your plan.

Intellectual property

trusqo owns all rights to the service, including the software, API, dashboard, algorithms, and documentation. You retain ownership of all data you submit. We claim no ownership of your documents or verification results.

Limitation of liability

To the maximum extent permitted by law:

  • trusqo is not liable for indirect, incidental, special, consequential, or punitive damages
  • Our total liability for any claim arising from the service is limited to the amount you paid us in the 12 months preceding the claim
  • We are not liable for decisions you make based on verification results
  • We do not guarantee 100% accuracy of document extraction or matching

Termination

You may close your account at any time. We may suspend or terminate your account if you violate these terms, with notice where practicable. Upon termination:

  • Your access to the service will cease
  • Uploaded documents will be deleted within 30 days
  • Verification results will be deleted within 30 days
  • We will retain billing records as required by law

Changes to these terms

We may update these terms from time to time. Material changes will be notified via email at least 30 days in advance. Continued use of the service after changes take effect constitutes acceptance.

Governing law

These terms are governed by the laws of Bulgaria. Any disputes will be resolved in the courts of Bulgaria.

Legal entity: Ohrid 19, Varna 9000, Bulgaria, 205469135

Data processing

This section describes how trusqo processes personal data on behalf of our customers, in accordance with GDPR Article 28.

Scope of processing

AspectDetail
Subject matterAutomated verification of proof of address documents
DurationFor the term of the customer's subscription, plus a 30-day deletion period
Categories of data subjectsIndividuals whose documents are submitted for verification (typically customers or clients of our business customers)
Types of personal dataNames, addresses, postcodes, document images, issue dates, document types

Our obligations as processor

  • We process personal data only on your documented instructions (i.e., through the API and dashboard functionality you use)
  • All personnel with access to personal data are bound by confidentiality obligations
  • We implement appropriate technical and organisational security measures (see below)
  • We will not engage new sub-processors without providing you notice and the opportunity to object
  • We assist you in responding to data subject requests and fulfilling your GDPR obligations
  • Upon termination, we delete all personal data within 30 days unless retention is required by law

Security measures

  • All data in transit is encrypted with TLS 1.2+
  • Uploaded documents are stored in isolated, access-controlled directories
  • API keys are hashed; authentication uses secure OAuth 2.0 flows
  • Access to production systems is restricted and logged
  • Regular security reviews and dependency updates

Breach notification

In the event of a personal data breach, we will notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the data affected, likely consequences, and the measures taken to address it.

Data retention and deletion

Uploaded document files are automatically deleted 90 days after the verification is completed. Verification results and extracted data are retained while your account is active and deleted within 30 days of account closure. You can request earlier deletion of specific verification requests through the dashboard or by contacting us.

Sub-processors

We use the following third-party sub-processors to deliver the trusqo service. We have Data Processing Agreements in place with each.

Sub-processorPurposeLocation
StripePayment processing and subscription managementUnited States
GoogleOAuth authentication (sign-in)United States
OpenAILLM-powered text extraction from documents (zero data retention)United States
AnthropicLLM-powered text extraction from documents (zero data retention)United States
Google (Gemini)LLM-powered text extraction from documents (zero data retention)United States

We may use one or more of the LLM providers listed above for document extraction at any given time. All LLM providers operate under a Data Processing Addendum with zero data retention — document content is not stored by the provider or used to train models. We will notify customers via email before adding sub-processors not already listed here. If you object to a new sub-processor, you may terminate your subscription before the change takes effect.

Cookie policy

Our website and application use a minimal set of cookies, all of which are strictly necessary for the service to function. We do not use analytics, advertising, or tracking cookies.

CookiePurposeDuration
next-auth.session-tokenAuthentication session — keeps you signed inSession (30 days)
next-auth.csrf-tokenSecurity — prevents cross-site request forgerySession
next-auth.callback-urlAuthentication flow — redirect after sign-inSession

Since all cookies are strictly necessary for the service to function, no consent banner is required under the ePrivacy Directive. We do not set any cookies on the marketing website (www.trusqo.com) — cookies are only used in the application (app.trusqo.com).

Contact

For privacy-related questions, data subject requests, or to report a security concern:

Email: hey@trusqo.com

We aim to respond to all privacy requests within 30 days.

trusqo
Product Pricing Docs Blog Legal Company Tools Log in
hey@trusqo.com
© 2026 trusqo