Loading...
Loading...
You're trusting us with compliance-sensitive information. Here is exactly what happens to it.
The complete data flow — there is nothing outside this diagram:
Risk checker — stays in your browser
All 7 answers are classified client-side. Nothing is transmitted unless you request the checklist by email or share a result permalink (the permalink encodes answers, not your identity).
Checklist email — one record in EU Redis
If you enter your email, we store {email, tier, answers, timestamp} in Upstash Redis (EU) and send one checklist email via Resend. No drip campaign without consent, no resale.
Doc Pack — questionnaire input + generated documents
Your questionnaire answers and the generated documents are stored in Upstash Redis (EU) behind an unguessable token link. Payment details go to Paddle (merchant of record) — we never see card numbers.
Our hosting (Vercel) and data store (Upstash Redis) are configured for EU regions. Checker answers, checklist leads and Doc Pack questionnaire inputs are processed and stored there.
Classification is rule-based code — your answers are matched against the regulation's decision tree, not fed to a model. Document generation is deterministic templating. Your inputs are never used to train or fine-tune any AI model, ours or anyone else's.
Email us and we delete your lead record, questionnaire input and generated documents within 72 hours. No account required, no retention argument, no dark pattern.
All traffic is TLS. Stored data is encrypted at rest by our infrastructure providers (Vercel, Upstash — both encrypt at rest by default).
No data brokers, no ad networks, no 'partners'. The only third parties that touch your data are the processors below — each one necessary to run the product.
The free checker runs entirely in your browser — no answers are sent to us unless you request the email checklist. We only store what you explicitly submit.
Every third party that processes any of your data, and why:
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Hosting & serverless functions | EU region (fra1) |
| Upstash | Redis data store (leads, orders) | EU region |
| Resend | Transactional email delivery | EU data residency available |
| Paddle | Payments (merchant of record) | UK/EU — they handle card data, we never see it |
| Plausible | Privacy-first analytics (no cookies, no personal data) | EU (Germany) |
Email hello@trustpacket.app from the address you used, with the subject "Data deletion request". We delete:
within 72 hours, and confirm by reply. Paddle retains transaction records they are legally required to keep as merchant of record (tax/invoicing) — that retention is theirs, not ours.
We are a small product, and honest scope beats impressive-sounding claims: we don't hold a SOC 2 report or ISO 27001 certificate today. What you get instead is a genuinely minimal attack surface — no user accounts, no passwords, no card data on our side, client-side classification, and a data inventory small enough to describe completely on one page.
Questions before buying? Email us — a human replies, usually within one business day.
Related reading