Privacy Policy
Last updated: 17 July 2026 · Version 2.0
1. Controllers
For the processing of personal data described in this Policy, the controllers are:
TRUSECURE S.R.L.
Registered office: Sat Bobu, Com. Scoarţa, Judeţ Gorj, Romania
Trade register: Nr. Reg. Com. J2024046859004
CUI: 50991058
VAT: RO50991058
Email: privacy@trusecure.co
Trusecure Ltd
Registered office: 65 London Wall, London, EC2M 5TU, England
Company Number: 15164704
Email: privacy@trusecure.co
The two entities act as joint controllers in respect of processing carried out through trusecure.co for marketing and contact-form purposes under Art. 26 GDPR and Art. 26 UK GDPR, with a Joint Controller Arrangement available on request setting out their respective responsibilities. TRUSECURE S.R.L. is the sole controller in respect of processing carried out within Resilience Fabric.
2. Scope
This Policy describes how the controllers process personal data in connection with:
- the operation of the website trusecure.co;
- the marketing, sale and provision of Resilience Fabric;
- the Resilience Sprint consulting engagement.
Where the controller processes personal data on behalf of a customer inside Resilience Fabric, the customer is the controller and TruSecure is the processor. That processing is governed by the Data Processing Addendum, not this Policy.
3. Data Protection Officer
Neither controller is required by GDPR Art. 37 or UK GDPR Art. 37 to appoint a Data Protection Officer, as no processing carried out as a core activity involves either (a) large-scale processing of special categories of data under GDPR Art. 9, or (b) large-scale regular and systematic monitoring of data subjects. The contact in section 1 acts as the responsible person for data protection enquiries.
4. Data categories, purposes and legal bases
| Purpose | Categories of personal data | Legal basis under GDPR / UK GDPR Art. 6 |
|---|---|---|
| Responding to your inquiry via the contact form | Name, email address, message content | Art. 6(1)(f) — legitimate interest in responding to enquiries |
| Customer account and contractual relationship | Name, email address, employer, role | Art. 6(1)(b) — performance of a contract |
| Provision of Resilience Fabric | Account data, Customer Content | Art. 6(1)(b) — performance of a contract |
| Invoicing and tax | Invoicing data | Art. 6(1)(c) — legal obligation (Romanian tax law, UK tax law) |
| Direct marketing of similar services to existing customers | Name, email, employer | Art. 6(1)(f) — legitimate interest; opt-out at any time |
| Newsletter subscription | Email address | Art. 6(1)(a) — consent |
| Security, fraud prevention, defence of claims | Log data | Art. 6(1)(f) — legitimate interest |
5. Recipients — sub-processors
Recipients are listed in the Sub-processor List. They act as processors on the controllers' instructions, except where law requires otherwise.
6. International transfers
- Within EU/EEA: no transfer mechanism required.
- EU ↔ UK: transfers between Romania and the UK are covered by the EU Commission's adequacy decision (Implementing Decision (EU) 2021/1772, as renewed).
- Transfers outside EU/EEA to any third country where TruSecure considers a sub-processor to process data: covered by the Standard Contractual Clauses (Decision (EU) 2021/914) supplemented by a Transfer Impact Assessment, or by UK IDTA Addendum for outbound UK transfers. None of the currently listed sub-processors is established outside the EEA.
7. Retention
Personal data is retained for as long as necessary for the purpose, taking into account applicable legal retention periods (e.g. Romanian accounting law requires retention of invoicing data for 10 years). Detailed retention windows are documented in the controllers' internal register of processing activities under GDPR Art. 30.
8. Your rights
Subject to the conditions in GDPR Art. 12–22 (or UK GDPR Art. 12–22 for data of UK data subjects), you have the right to:
- access your personal data (Art. 15);
- rectify inaccurate personal data (Art. 16);
- erase your personal data (Art. 17);
- restrict processing (Art. 18);
- receive your personal data in a portable format (Art. 20);
- object to processing based on Art. 6(1)(e) or (f) (Art. 21).
You may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise these rights, contact privacy@trusecure.co. The controllers will respond within one month, extendable by two further months for complex requests under Art. 12(3).
9. Right to lodge a complaint
Without prejudice to any other remedy, you have the right to lodge a complaint with the supervisory authority for your habitual residence, place of work, or place of the alleged infringement. For Romania this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP). For the United Kingdom this is the Information Commissioner's Office (ICO). The relevant supervisory authority depends on the data subject's location.
10. Cookies
Information on cookies is in the Cookie Policy.
11. Automated decision-making
The controllers do not make automated decisions producing legal effects on natural persons in the context of this Website. Service-level automated processing is described in the AI Transparency Statement.
12. Changes
Material changes are notified by email where you have an active customer relationship, and otherwise by an updated "Last updated" date and a changelog at the foot of this page.
13. Versioning
This Policy is at Version 2.0. Earlier versions are archived on request.
