Privacy Policy

Last updated: January 07, 2026

1. Data Controller Identification

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website located at https://trustedhumans.ai and related services (the "Service").

The Data Controller responsible for processing your personal data is:

  • Company Name: TRUSTED HUMANS, UNIPESSOAL LDA
  • Legal Form: Sociedade por Quotas (Unipessoal)
  • Registered Office: Ed. Millennium - Al. Dr. Miranda da Rocha, Loja 22, 4630-200 Marco de Canaveses, Portugal
  • Tax Identification Number (NIF): 518851184
  • VAT Number: PT518851184
  • Email: [email protected]

References to "we," "us," "our," or "Trusted Humans" throughout this Privacy Policy shall mean the above-identified entity.

2. Legal Framework

We process your personal data in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or "GDPR")
  • Portuguese Law No. 58/2019 of 8 August (implementing the GDPR in Portugal)
  • Portuguese Law No. 41/2004 of 18 August (as amended by Law No. 46/2012), concerning electronic communications privacy
  • Other applicable data protection legislation

3. Definitions

For the purposes of this Privacy Policy:

  • Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
  • Data Subject: Any identified or identifiable natural person whose personal data is being processed.
  • Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

4. Categories of Personal Data We Collect

4.1 Data You Provide Directly

When you register for an account, subscribe to our services, or contact us, we may collect:

  • Identification data: name, email address, telephone number
  • Account credentials: username, password (encrypted)
  • Billing information: billing address, VAT number (for business customers)
  • Communication data: content of messages sent to us
  • Profile information: company name, job title, profile picture

4.2 Data Collected Automatically

When you access our Service, we automatically collect certain technical information:

  • Device information: IP address, browser type and version, operating system
  • Usage data: pages visited, time and date of visits, time spent on pages, clickstream data
  • Location data: approximate geographic location based on IP address
  • Referral data: the website that referred you to our Service

4.3 Data from Third Parties

We may receive personal data from third parties, including:

  • Social login providers (Google, Facebook, GitHub, LinkedIn) if you choose to authenticate using these services
  • Payment processors for transaction verification
  • Analytics providers

4.4 Data Processed When Scanning Public Websites

As part of our verification and trust certification services, we scan publicly accessible websites and URLs submitted to our platform. During this process, we may incidentally collect and process personal data that is publicly available on these websites, including:

  • Names and professional titles displayed on company pages (e.g., "About Us", "Team" pages)
  • Professional email addresses published on websites
  • Images and photographs publicly displayed on websites
  • Professional social media profile links
  • Other publicly available professional information

Legal Basis for Website Scanning

We process this data based on our legitimate interest (Article 6(1)(f) GDPR) in providing trust verification services that help reduce fraud, increase transparency, and enable informed decisions about AI usage in online content. We have conducted a documented balancing test (legitimate interest assessment) to ensure that our interests do not override the fundamental rights and freedoms of the data subjects.

Our Balancing Test Considerations

Our legitimate interest assessment considers the following factors:

  • Purpose: To provide verification services that promote transparency and trust in the digital ecosystem, helping users identify AI-generated content and make informed decisions.
  • Necessity: Automated scanning of publicly available information is necessary to provide accurate, scalable verification services. Self-attestation alone would be insufficient to ensure reliability.
  • Data Minimization: We do not store complete website content. We extract and retain only the signals, metrics, and features necessary for our analysis. Raw content is processed transiently and not permanently stored.
  • Limited Exposure: Our public verification badges and certificates display only verification status, issuance date, scope, and certificate ID. We do not publish personal data of individuals found on scanned websites.
  • Security Measures: We implement strong security controls, access restrictions, and audit logging to protect any data processed during scans.
  • Transparency: We clearly disclose this processing in this Privacy Policy and provide easy contact mechanisms for questions or concerns.
  • Rights Facilitation: Data subjects can contact us to request information, correction, or removal of their data from our systems.

Retention of Scan Data

Data collected during website scans is retained as follows:

  • Raw scan content: Processed transiently and not permanently stored; deleted immediately after feature extraction
  • Extracted signals and metrics: Retained for the validity period of the verification certificate plus 30 days
  • Verification results and scores: Retained indefinitely to maintain verification history and enable historical lookups of certificate validity
  • Certificate records: Retained indefinitely for audit trail, verification history, and to allow third parties to verify the authenticity of issued certificates

5. Purposes and Legal Basis for Processing

We process your personal data for the following purposes, based on the corresponding legal grounds under Article 6 of the GDPR:

Purpose | Legal Basis (GDPR Art. 6)
Provision and management of the Service | Performance of contract (Art. 6(1)(b))
Processing payments and invoicing | Performance of contract (Art. 6(1)(b))
User account management | Performance of contract (Art. 6(1)(b))
Customer support | Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f))
Service-related communications | Performance of contract (Art. 6(1)(b))
Marketing communications | Consent (Art. 6(1)(a))
Service improvement and analytics | Legitimate interest (Art. 6(1)(f))
Fraud prevention and security | Legitimate interest (Art. 6(1)(f))
Compliance with legal obligations | Legal obligation (Art. 6(1)(c))
Defense of legal claims | Legitimate interest (Art. 6(1)(f))
Website scanning and AI content verification | Legitimate interest (Art. 6(1)(f))

Where we rely on legitimate interests as a legal basis, we have conducted and documented a balancing test (legitimate interest assessment) to ensure that your fundamental rights and freedoms do not override our interests. These assessments are reviewed periodically and updated when our processing activities change. You may request information about our balancing tests by contacting us using the details provided in Section 16.

6. Cookies and Similar Technologies

We use cookies and similar tracking technologies (such as pixels, local storage, and web beacons) to collect and store information about your interactions with our Service. Cookies are small text files placed on your device when you visit our website.

We classify cookies into the following categories: strictly necessary cookies (essential for the Service to function), functional cookies (for enhanced features and personalization), analytics cookies (to understand usage patterns), and marketing cookies (for relevant advertising, placed only with your consent).

In accordance with EU Directive 2002/58/EC (ePrivacy Directive) as transposed by Portuguese Law No. 41/2004, we obtain your consent before placing non-essential cookies on your device. You may manage your cookie preferences at any time through our cookie consent banner.

For comprehensive information about the specific cookies we use, their purposes, durations, and how to manage your preferences, please refer to our Cookie Policy.

7. Data Sharing and Recipients

7.1 Categories of Recipients

We may share your personal data with the following categories of recipients:

  • Service Providers: Third-party companies that perform services on our behalf, such as hosting, payment processing, analytics, email delivery, and customer support. These providers act as Data Processors and are contractually bound to process data only for specified purposes and in accordance with our instructions.
  • Payment Processors: We use PCI-DSS compliant payment processors (such as Stripe, Paddle, or Lemon Squeezy) to handle payment transactions. We do not store your complete payment card details.
  • Analytics Providers: We may use services such as Google Analytics to analyze Service usage. These providers may collect data about your use of our Service.
  • Legal and Regulatory Authorities: When required by law or to protect our legal rights.
  • Business Transferees: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity.

7.2 Third-Party Service Providers

Our primary service providers include:

  • Hosting: Cloud infrastructure providers located within the European Economic Area (EEA) or with appropriate safeguards
  • Payment Processing: Stripe, Inc. (Privacy Policy: stripe.com/privacy)
  • Email Services: For transactional and marketing emails
  • Analytics: Google Analytics (with IP anonymization enabled where applicable), Microsoft Clarity (Privacy Policy: privacy.microsoft.com/en-us/privacystatement)

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Transfers to countries with an adequacy decision by the European Commission (Article 45 GDPR)
  • Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR)
  • Binding Corporate Rules (Article 47 GDPR)
  • Certification mechanisms such as the EU-U.S. Data Privacy Framework

You may request a copy of the safeguards we have implemented by contacting us at the address provided below.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The retention period depends on the context of the processing and our legal obligations:

  • Account data: Retained for the duration of your account and for a period of 5 years thereafter for legal compliance purposes
  • Transaction data: Retained for 10 years in accordance with Portuguese commercial and tax law (Código Comercial, Article 40)
  • Marketing consent records: Retained for the duration of the consent plus 3 years
  • Analytics data: Aggregated and anonymized data may be retained indefinitely
  • Support communications: Retained for 3 years from the date of resolution
  • Website scan data: Raw content is processed transiently; extracted signals retained for the certificate validity period plus 30 days; verification results and certificate records retained indefinitely for historical verification purposes

Upon expiration of the applicable retention period, personal data will be securely deleted or anonymized.

10. Your Rights Under GDPR

As a Data Subject, you have the following rights under the GDPR. These rights are not absolute and may be subject to limitations under applicable law:

10.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about the processing.

10.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

10.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent.

10.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.

10.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.

10.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose.

10.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for a contract, authorized by law, or based on explicit consent.

10.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

10.9 How to Exercise Your Rights

To exercise any of these rights, please contact us using the contact details provided in Section 16. We will respond to your request within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests.

We may request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).

11. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include:

  • Encryption of personal data in transit (TLS/SSL) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Employee training on data protection and security
  • Incident response procedures
  • Regular backups and disaster recovery procedures

Despite our efforts, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your personal data.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 of the GDPR, unless one of the exceptions applies.

13. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last updated" date
  • Sending you an email notification (for material changes)
  • Displaying a prominent notice on our Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

15. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority in Portugal is:

  • Authority: Comissão Nacional de Proteção de Dados (CNPD)
  • Address: Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa, Portugal
  • Website: www.cnpd.pt
  • Email: [email protected]

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

We will endeavor to respond to all legitimate requests within one (1) month. Occasionally, it may take us longer if your request is particularly complex or you have made multiple requests.