Privacy Policy
Last updated: March 26, 2026
1. Who We Are
TrustMint is a review collection platform operated by KADIVEL EOOD (UIC 208282493), a company registered in Bulgaria with its registered office at 9 Boris Rumenov Str, Sofia, Bulgaria, represented by Dimitar Valchanov ("we", "us", "our"). All data is hosted on EU servers. We act as a data processor on behalf of our business customers (the data controllers) when handling end-customer personal data.
2. Data We Collect
We collect only the minimum data necessary to provide our service:
- Business users: email address, password (hashed), business name, logo, review platform URLs, billing information (processed by Stripe).
- End customers: name, email address, phone number (optional), review feedback, consent timestamp.
- Automatically collected: email open/click events, review page visits. We do not use third-party tracking cookies or analytics.
- Google Contacts (optional): if you choose to import contacts via Google, we access your contact names, email addresses, and phone numbers through the Google People API. No other Google data is accessed.
3. How We Use Your Data
- To send review request emails on behalf of businesses.
- To display review landing pages.
- To provide analytics and reporting to business users.
- To process payments via Stripe.
- To send transactional emails (account confirmation, password reset).
- To import customer contacts from Google when you explicitly initiate the import.
4. Legal Basis for Processing
We process personal data under the following legal bases (GDPR Art. 6):
- Contract performance: to provide the TrustMint service to business users.
- Legitimate interest: to send review requests on behalf of businesses to their existing customers.
- Consent: where required, consent is recorded with a timestamp in our consent log.
5. Data Retention
- Business account data is retained for the duration of the account plus 30 days after deletion.
- End-customer data is retained until the business user deletes it or the account is closed.
- Billing records are retained as required by EU tax law (typically 7 years).
- Email tracking data (opens, clicks) is retained for 12 months.
6. Data Sharing
We do not sell personal data. We share data only with:
- Brevo (Sendinblue): email delivery (EU servers).
- Stripe: payment processing (certified under the EU-US Data Privacy Framework).
- Heroku / Salesforce: hosting infrastructure (EU region).
7. Google API Services
TrustMint offers an optional Google Contacts import feature that uses the Google People API. When you connect your Google account, we request read-only access to your contacts (contacts.readonly scope).
- What we access: contact names, email addresses, and phone numbers only.
- How it's used: imported contacts are added as customers in your TrustMint account so you can send them review requests. We do not use this data for any other purpose.
- Storage: imported contact data is stored as customer records in your account. OAuth tokens are stored securely and used only to fetch contacts on your behalf.
- Deletion: you can delete any imported customer from your account at any time. You can disconnect your Google account from Settings, which removes all stored tokens. When you delete your TrustMint account, all imported data and tokens are permanently deleted.
- No sharing: Google user data is not shared with any third parties, except as required to deliver the TrustMint service (e.g. sending review request emails via our email provider).
TrustMint's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
8. Your Rights (GDPR)
As a data subject in the EU, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict processing of your data.
- Receive your data in a machine-readable format (data portability).
- Object to processing based on legitimate interest.
- Withdraw consent at any time.
End customers can unsubscribe from review requests using the link in every email. Business users can export or delete their data from the Settings page.
9. Cookies
We use only essential cookies required for the application to function (session management, CSRF protection). We do not use advertising, analytics, or third-party tracking cookies.
10. Security
All data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed using bcrypt. We conduct regular security reviews and follow OWASP best practices.
11. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for KADIVEL EOOD is the Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria - www.cpdp.bg.
12. Contact
For privacy-related inquiries or to exercise your rights, contact us at support@trustmint.co.