Privacy Policy

Effective: 1 January 2026 · Operated by TrustWays AI (a product of Ailoitte Technologies)

1. Summary

This is a plain-English summary. The legally binding text is in the sections below.

  • We collect the personal data you give us when you request a demo, sign up for an account, or use the platform.
  • We use it to deliver the service, support you, secure the platform, and comply with our own legal obligations.
  • We don't sell your personal data. We don't share it with advertisers.
  • We host customer data in your selected region (EU, UK, US, India, Switzerland) wherever possible.
  • You have rights — access, correction, erasure, portability, objection — and we honour them on request.

2. Who we are

TrustWays AI is a multi-framework compliance platform operated by Ailoitte Technologies. The data controller for personal data collected via this website and the platform is Ailoitte Technologies.

For privacy queries, reach our Data Protection Officer at dpo@trustways.ai.

3. What we collect

We collect personal data in three contexts:

(a) Marketing site visitors. When you browse trustways.ai we collect log data (IP address, user agent, pages visited, referrer) and analytics cookies (see Cookie Policy).

(b) Demo requests + sales contact. When you submit the demo form we collect name, work email, company, role, country, company size, frameworks of interest, the message you send us, plus UTM parameters and the referring page.

(c) Platform users. When you (or your employer) sign up for an account we collect name, email, password (hashed), role, organisation membership, authentication metadata (login timestamps, IP, MFA status), and audit-log entries for every action you take in the platform. We do not ingest the contents of your AI systems or training data — only the metadata you choose to document.

4. How we use it

We use personal data to:

  • Operate, support, and improve the TrustWays AI platform.
  • Route and respond to demo requests and contact-us submissions.
  • Send service emails (security alerts, billing, account state) — never marketing without opt-in.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with our own legal obligations (tax records, audit retention).

5. Lawful basis (GDPR / UK GDPR)

We rely on the following lawful bases:

  • Contract (Art. 6(1)(b)) — to provide the platform and support to the customer organisation you belong to.
  • Legitimate interest (Art. 6(1)(f)) — to operate, secure, and improve the service; to respond to your demo enquiries; to keep records of activity for our own legal protection.
  • Legal obligation (Art. 6(1)(c)) — to retain transactional records for tax and audit purposes.
  • Consent (Art. 6(1)(a)) — for non-essential cookies and marketing emails.

6. Sharing + processors

We share personal data with carefully selected processors who help us run the service. Every processor is bound by a written data processing agreement with us. The full list lives on our subprocessors page.

We do not sell personal data. We do not share personal data with advertisers or ad networks.

7. International transfers

You select your data-residency region at sign-up — EU, UK, US, India, or Switzerland. We honour the selection wherever the underlying infrastructure permits.

Where personal data must cross borders (e.g. for engineering support or subprocessor operations), we use the appropriate safeguards: the EU Standard Contractual Clauses (2021/914) for transfers out of the EEA, the UK IDTA or UK Addendum for UK transfers, Swiss SCCs for FADP transfers, and India's Sec. 16 list-based approach for DPDP transfers.

8. Retention

Demo request data is retained for 24 months unless you ask us to delete it sooner. Active customer-account data is retained for the lifetime of your subscription + 90 days after termination, after which it is deleted unless legal retention applies (e.g. SEBI's 5-year AI/ML I/O log retention).

9. Your rights

Depending on your jurisdiction you have rights to access, correct, delete, port, restrict, and object to processing of your personal data. To exercise these rights, email dpo@trustways.ai. We respond within 30 days (60 days in justified cases under GDPR Art. 12).

California consumers have additional rights under the CCPA / CPRA (right to know, right to delete, right to correct, right to opt-out of sale/share, right to limit SPI use). We do not sell or share personal data in the CCPA sense.

You can also lodge a complaint with your supervisory authority — the ICO (UK), the lead DPA under GDPR, the FDPIC (Switzerland), the Data Protection Board of India, or the California AG / CPPA.

10. Security

We maintain technical and organisational measures appropriate to the risk — encryption in transit and at rest, multi-tenant isolation, audit logging, MFA, the principle of least privilege, and regular vulnerability scanning. See our security overview for the full picture.

11. Children

The TrustWays AI platform is a B2B SaaS product for compliance professionals. We do not knowingly collect personal data of children under 16 (or the equivalent local age threshold).

12. Changes to this policy

We update this policy from time to time. Material changes are notified by email to all active platform admins at least 30 days before they take effect. The "Effective" date at the top reflects the most recent change.

13. Contact us

For privacy questions, exercising rights, or any concern about how we handle your data, email dpo@trustways.ai. For other queries: hello@trustways.ai.