Privacy at TruVault means restraint.

What We Collect

When you submit a report, we collect:

• your email address and a hash of your phone number (for identity verification);
• the report content you provide (encrypted at rest);
• subject identifiers you enter — phone, email, or social media URL (stored as one-way hashes only);
• any evidence files you choose to attach;
• a timestamp and legal confirmation record.

When you search, we collect your email address (for one-time verification) and a hash of the identifier you search. We do not log search history linked to your identity.

Lawful Basis for Processing

We process your personal data on the following lawful bases:

• Consent — you explicitly agree to these terms and our data practices before submitting a report or accessing My Reports.
• Legitimate interests — operating a secure, abuse-resistant reporting platform and detecting misuse.
• Legal obligation — retaining records where required by applicable law.

Report content may constitute special category data under GDPR (such as information relating to health, sexual life, or criminal allegations). We process this data solely on the basis of your explicit consent, given at the time of submission.

How We Use It

Your information is used to:

• verify that a reporter is a real person;
• let reporters access and manage their own submissions;
• detect when separate verified reports relate to the same person;
• send private access, verification, and match notifications;
• prevent spam, abuse, and malicious use of the platform.

What We Do Not Do

• We do not publish report content.
• We do not create public profiles of reported people.
• We do not reveal reporter identities to reported people (except under valid legal process — see Law Enforcement & Legal Process below).
• We do not share report details between reporters.
• We do not sell, rent, or license personal data.
• We do not use advertising cookies or tracking pixels.
• We do not use personal data for automated decision-making or profiling.

Your Rights

Depending on your location, you may have the right to:

• Access — request a copy of personal data we hold about you;
• Rectification — request correction of inaccurate data;
• Erasure — request deletion of your data ("right to be forgotten");
• Portability — receive your data in a structured, machine-readable format;
• Objection — object to processing based on legitimate interests;
• Withdraw consent — at any time, without affecting prior processing.

To exercise any of these rights, contact legal@gotruvault.com. We aim to respond within 30 days.

If you are located in the European Union or European Economic Area and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection supervisory authority. If you are in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk. If you are in India, you may contact the Data Protection Board of India once operational under the Digital Personal Data Protection Act 2023.

Cookies and Local Storage

TruVault uses a single session cookie (tc_reports_session or tc_search_session) to maintain your verified access for up to 6 hours. This cookie is strictly necessary for the platform to function and does not track you across other websites.

We do not use advertising cookies, analytics cookies, or any third-party tracking. The only external service loaded on the platform is Cloudflare Turnstile (bot protection), which operates under Cloudflare's own privacy policy.

Data Transfers

TruVault uses third-party service providers to operate the platform. These providers are based in the United States and may process personal data in jurisdictions outside the EEA or UK. For each provider, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, as the lawful transfer mechanism under GDPR Article 46.

Each provider has entered into a Data Processing Agreement (DPA) with TruVault, binding them to process personal data only as instructed, implement appropriate technical and organisational security measures, and not use data for their own commercial purposes. Providers and their roles are:

• Supabase, Inc. (United States) — database hosting and encrypted file storage. DPA and SCCs in place. Supabase processes data only as needed to store and retrieve records on our behalf.
• Resend, Inc. (United States) — transactional email delivery (OTP codes and notifications). DPA and SCCs in place. Email addresses are transmitted solely to deliver platform messages.
• Twilio, Inc. (United States) — SMS verification. DPA and SCCs in place. Phone numbers are transmitted solely to deliver one-time verification codes and are not retained by Twilio beyond message delivery.
• Cloudflare, Inc. (United States) — bot protection (Turnstile) and content delivery. DPA and SCCs in place. Cloudflare processes request metadata to detect and block automated abuse.
• Upstash, Inc. (United States) — Redis-based rate limiting and abuse prevention. IP addresses and session identifiers are processed ephemerally to enforce rate limits. No personally identifiable data is persisted in Redis beyond the rate-limit window. DPA in place.

To request a copy of the relevant DPA or SCC documentation for any provider, contact legal@gotruvault.com.

Protection Commitments

Report content is sealed using strong encryption before it is stored — the same standard used by financial institutions and government systems worldwide. Even we cannot read it. Subject identifiers are stored in a transformed form that allows matching but prevents anyone from reading the original value, even if the database were accessed without authorisation.

Your own verification details are never stored in a readable form. Access to reporter records requires verified identity. Public users cannot browse reports, inspect identities, or open evidence files.

Retention

Active reports are retained while they are live on the platform. Withdrawn reports are removed from search matching immediately and deleted from our systems within 90 days unless retention is required for legal compliance, abuse prevention, or active dispute resolution.

Verification OTPs are invalidated within 10 minutes. Session cookies expire after 6 hours of inactivity. Security logs are retained for 12 months.

Voices

The Voices section allows anonymous submission of personal statements without creating an account. When a Voice is submitted, we collect the submission text and the submitter's IP address. The IP address is used only for rate limiting and CAPTCHA verification; it is not linked to the published content and is not retained beyond 90 days.

Published Voices are completely anonymous. No name, account, or identifier is stored alongside a published Voice.

Law Enforcement & Legal Process

We may disclose personal data — including reporter identity — in response to a valid court order, subpoena, search warrant, or other legally binding demand from a competent authority. We will comply with such demands where required by applicable law.

Where we are legally permitted to do so, we will attempt to notify the affected reporter before complying, so they may seek legal protection. We are not obligated to notify where prohibited by law or court order.

We may also disclose data where we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, property, or safety of TruVault, our users, or the public; or (c) detect, prevent, or address fraud, abuse, or security issues.

Emergency Safety Disclosure

In circumstances where we have a good-faith belief that there is an imminent risk of serious harm or death to any person, we may disclose relevant information to law enforcement or emergency services without a court order and without prior notice. This override is applied narrowly and only in genuine emergency situations.

We may also be legally obligated to report content relating to the sexual abuse or exploitation of minors to the relevant authorities, regardless of any confidentiality obligations.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR.

Where a breach is likely to result in a high risk to you personally — for example, exposure of encrypted report content or reporter identity — we will notify you directly without undue delay. Notifications will describe the nature of the breach, the likely consequences, and the steps we are taking to mitigate it.

Business Transfers

If TruVault is involved in a merger, acquisition, asset sale, or change of control, your personal data may be transferred as part of that transaction. In such a case, we will ensure the receiving party is bound by data protection obligations at least as protective as those described in this policy, and we will notify users of any material change to how their data is handled.

If TruVault ceases operations, we will securely delete all personal data within 90 days of closure, unless retention is required by law.

Minimum Age

TruVault is intended for adults. By submitting a report or accessing My Reports, you confirm that you are at least 18 years old. We do not knowingly collect personal data from minors. If you believe a minor has submitted data, contact us at legal@gotruvault.com for immediate removal.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights over your personal information, including the right to know what personal information we collect, the right to delete it, and the right to opt out of sale. TruVault does not sell personal information.

To exercise your CCPA rights, contact legal@gotruvault.com. We will not discriminate against you for exercising any of these rights.

Data Controller

For the purposes of applicable data protection law, including the EU GDPR, UK GDPR, and India's Digital Personal Data Protection Act 2023, the data controller responsible for your personal data is the operator of TruVault. For all data protection enquiries, contact:

Email: legal@gotruvault.com
Response time: within 30 days

If you are located in the European Economic Area and TruVault does not have an establishment in the EU, you may also contact your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

No Data Protection Officer (DPO) has been formally appointed at this time. All data protection enquiries are handled directly at legal@gotruvault.com.

Grievance Officer (India)

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, a Grievance Officer has been designated for TruVault.

If you have a complaint, concern, or grievance regarding the processing of your personal data or any content on the platform, you may contact the Grievance Officer at:

Email: legal@gotruvault.com
Response time: within 24 hours of receipt; resolution within 15 days

Complaints must include your name, contact details, and a description of the grievance. We will acknowledge receipt and work to resolve your complaint within the timeframe prescribed by applicable law.