PRIVACY POLICY
1. INTRODUCTION AND DATA CONTROLLER
Welcome to TrustKey. We are committed to protecting your personal data and your right to privacy. This Privacy Policy explains how we collect, use, and securely store your information when you use our website (https://trustkeyapp.com) and our digital legacy services.
Under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the Data Controller for your information is the natural person identified in our Legal Notice (an individual self-employed operator, autónomo, established in Spain). For any privacy-related inquiries, or to exercise your rights, you can contact us directly at [email protected].
This Policy applies to all users globally. The GDPR standards described herein are applied as a baseline to all users, regardless of their country of residence, as they represent the highest standard of privacy protection we operate under.
2. OUR PRIVACY ARCHITECTURE: ZERO READABLE ACCESS AND SECURE RECOVERY
TrustKey is built on a high-security End-to-End Encryption (E2EE) architecture designed to protect your privacy to the maximum extent technically possible. It is important to understand the precise scope of this protection:
Your Vault Data (Contents): The contents of any emergency messages or files you upload are encrypted locally on your device before reaching our servers. TrustKey administrators have no technical means to read, decrypt, or access the contents of your stored data. (Important note: File names and file sizes are stored as unencrypted metadata to allow for file management and listing — see Section 3).
Our Access & Recovery System: We do not store your Master Key in plain text. To prevent total and irreversible data loss in the event you forget your password, our system employs an automated cryptographic escrow via AWS Key Management Service (KMS). This recovery mechanism can only be triggered automatically by you through a verified, multi-step process (e.g., via a secure, time-limited email token sent to your registered address). TrustKey staff cannot manually initiate, override, or bypass this automated recovery process, nor can they use it to access your data on their own initiative. This is not a backdoor; it is a strictly user-controlled automated safety net.
In summary: TrustKey has zero access to the readable content of your vault. We operate on the principle of minimum necessary data access at all times.
3. WHAT DATA DO WE COLLECT?
We only collect data that is strictly necessary to provide our service, process payments, and ensure platform security.
- Account Data: Your email address (which acts as your username) and cryptographic hashes of your passwords (Main Password and Alert Password). We never store your passwords in plain text.
- Third-Party Data (Safety Contacts): Email addresses of the individuals you designate as "Safety Contacts" (see Section 6 for full details).
- Security and Technical Data: IP addresses, browser User-Agent strings, and login timestamps. This data is collected automatically to prevent fraud, enforce rate limits, and detect unauthorized access attempts.
- Payment Data: We do not process or store your credit card or banking information. All payments are securely handled by our payment processor, Stripe. We only store a Stripe reference ID (Customer ID) and the status of your subscription to grant you access to premium features.
- File Metadata: While the contents of your uploaded files are strictly end-to-end encrypted on your device, we store basic unencrypted metadata in our database to operate the service. This includes the original file names, file sizes, and upload timestamps. We strongly advise you not to include sensitive information in your file names, as these are stored as plain-text metadata.
4. LEGAL BASIS AND PURPOSE OF PROCESSING
We process your personal data under the following lawful bases established by Article 6 of the GDPR:
- Contractual Necessity (Art. 6.1.b): To create your account, provide the "dead man's switch" service, and manage your subscription.
- Service Communications — Strictly Non-Commercial (Art. 6.1.b): To send emails that are strictly necessary for the operation of the service (such as MFA codes, countdown reminders, and security/duress alerts) and essential administrative updates (such as changes to our Terms or new subscription plans). TrustKey does not use your email for commercial marketing or third-party promotional campaigns.
- Legitimate Interest (Art. 6.1.f): To maintain the security of our platform, detect fraudulent logins, and prevent abuse.
- Legal Obligation (Art. 6.1.c): To maintain financial records for tax purposes and comply with applicable European and Spanish laws.
5. THIRD-PARTY SERVICE PROVIDERS AND DATA LOCATION
We do not sell, rent, or trade your personal data. We only share the minimum necessary data with the following trusted service providers to operate our infrastructure:
- AWS (Amazon Web Services) — EU Infrastructure: We use AWS to host our database and AWS Key Management Service (KMS) to manage the automated cryptographic escrow. Our AWS infrastructure is hosted exclusively within European Union (EU) data centres. As a result, no international transfer of personal data outside the European Economic Area (EEA) takes place in connection with AWS. AWS processes data as a Data Processor on our behalf and is contractually bound by a Data Processing Agreement (DPA) compliant with GDPR requirements.
- Stripe: For secure payment processing. Stripe operates as an independent Data Controller for the financial data it processes. Stripe's processing of your financial data is governed by their own Privacy Policy and their standard DPA, which includes Standard Contractual Clauses (SCCs) for any transfers outside the EEA.
- Cloudflare (CDN & Bot Protection): We use Cloudflare to manage our domain, provide CDN services, and run Cloudflare Turnstile (a privacy-preserving alternative to traditional CAPTCHAs). Cloudflare may process requests globally as part of its network infrastructure. Cloudflare is certified under the EU-U.S. Data Privacy Framework and operates under SCCs where applicable. Turnstile does not use tracking cookies or harvest personal data for advertising purposes.
- Email Delivery: We use secure SMTP servers hosted within the EU to deliver account confirmations, security alerts, and automated notifications to you and your Safety Contacts.
6. THIRD-PARTY RIGHTS (SAFETY CONTACTS)
As part of our service, you may provide us with the email addresses of third parties ("Safety Contacts"). Upon designation, we will immediately send them a notification informing them of this designation and explaining their rights.
Pre-Activation Wellness Checks: To prevent the accidental release of your data if you simply forget to log in, our system follows a staggered warning process. We will first send multiple reminder emails to you. If you remain unresponsive, we will send preliminary emails to your Safety Contacts asking them to check on your well-being. These preliminary emails do not contain any encrypted data or access links.
Opt-outs and Data Deletion: Safety Contacts have the right under GDPR (and UK GDPR for UK residents) to object to, or request the deletion of, their personal data at any time by clicking the secure opt-out link provided in our notifications. TrustKey will immediately and permanently remove their data from our systems upon such a request. It is the User's sole responsibility to ensure they maintain active and willing Safety Contacts by periodically logging in to review their account status.
7. DATA RETENTION AND DELETION
- Active Accounts: We retain your data for as long as your account is active and your subscription is maintained.
- Service Activation (The "Switch"): If your dead man's switch timer expires and your emergency data is delivered to your Safety Contacts, we will retain this encrypted data for a period of 30 days to provide your contacts with sufficient time to access and download your legacy. After this 30-day window, all your account data, encrypted files, and Safety Contact records will be permanently and irreversibly deleted from our servers.
- Reversal of Activation: If the switch is activated but you subsequently log in to your TrustKey account, the emergency state is immediately cancelled and all access links provided to your Safety Contacts are instantly revoked.
- Manual Account Deletion: If you manually delete your account, your data and files will be permanently and immediately deleted from our active databases.
- Legal Retention: We may retain basic transactional data (such as Stripe invoice logs) for up to 6 years to comply with Spanish tax and accounting laws (Ley 58/2003, General Tributaria).
8. YOUR PRIVACY RIGHTS
As a user of TrustKey, you have the following rights. EEA and UK residents enjoy these rights under GDPR / UK GDPR respectively. We extend these same rights as a matter of policy to all users globally:
- Right of Access (Art. 15 GDPR): You can request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16 GDPR): You can update your email or Safety Contacts directly from your dashboard at any time.
- Right to Erasure — "Right to be Forgotten" (Art. 17 GDPR): You can request the deletion of your account and all associated data at any time.
- Right to Restrict Processing & Portability (Art. 18 & 20 GDPR): You can request that we limit how we use your data, or ask for a machine-readable copy of your personal data.
- Right to Object (Art. 21 GDPR): You can object to the processing of your personal data where we rely on legitimate interests as the legal basis.
To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law (generally 30 days).
9. SUPERVISORY AUTHORITIES AND COMPLAINTS
If you believe your privacy rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your country:
- Spain and EEA residents: Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es. EEA residents may also contact the supervisory authority in their own country of residence.
- United Kingdom residents: Information Commissioner's Office (ICO) at ico.org.uk. TrustKey processes the personal data of UK residents in compliance with the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018).
- Other countries: Users outside the EEA and UK may contact us directly at [email protected]. We will make every reasonable effort to address your concerns in accordance with the GDPR standards applied globally by this service.