Privacy Policy
How we handle your data and your clients' conversations. Effective April 30, 2026.
Summary
This is the short version. The full policy is below — it spells out specifics, but this summary is binding.
- Your client conversations are private. Truesaid never publishes the chat content. Only the testimonial you explicitly approve, and the verbatim excerpts you choose to highlight, become public.
- We process limited personal data: your email (account), payment metadata via Stripe (we don't see card numbers), and the conversation files you upload.
- We don't sell, share, or rent your data. Not to advertisers, not to data brokers, not to anyone.
- We don't train AI models on your conversations. Anthropic's Claude API processes the chat to generate testimonials; per Anthropic's data terms, customer data is not used for training.
- You can delete everything, anytime. Account deletion removes all clients, testimonials, and verification pages immediately; the only things that outlast it are billing records we must keep under tax law and rotating backups, which expire on their own within 35 days (see section 6).
1. Who we are (data controller)
The data controller for the Truesaid Service (truesaid.com) is:
- Operator: Lorcabase FZCO
- Registered address: DSO IFZA, IFZA Properties, Dubai, United Arab Emirates
- Tax ID / VAT: VAT 105004214000003
- Country: United Arab Emirates
- Privacy contact: support@truesaid.com
- General support: via the support page
We act as the data controller for your account data (your email, profile, billing, sign-in metadata) and as the data processor for the conversation files and client information you upload. See section 8 for what that means.
2. What data we collect
2.1 Account data
- Your email address (required for the magic-link sign-in).
- Your display name and any profile information you choose to enter (optional).
- Authentication metadata: session tokens, last-login timestamp, IP at sign-in (for security).
2.2 Content you upload
- WhatsApp chat exports (.zip, .txt) and email threads (.eml / .mbox) you upload.
- Generated testimonials, verbatim excerpts, integrity-check results.
- Per-client metadata you provide (name, display setting: full / initials / hidden, tags, role, photo).
The original conversation files are stored at rest in Cloudflare's D1 database. Truesaid never publishes them; only the testimonial you explicitly approve becomes part of any public output.
2.3 Billing data
If you subscribe to the Pro plan, Stripe processes your payment. Truesaid receives only metadata (subscription status, plan, the last four digits of the card for display, renewal date). Card numbers, CVC, and full payment details never touch our database; they live exclusively inside Stripe.
2.4 Operational data
- Server logs (request paths, status codes, response times) — used for debugging and security.
- Cloudflare Web Analytics (privacy-respecting, no cookies, no fingerprinting).
- Rate-limit counters, keyed by a hash of the client IP address rather than the address itself (pseudonymised, not fully anonymised, since the IPv4 space is small enough to enumerate).
3. Why we process this data (legal bases under GDPR)
- Contract performance (Art. 6(1)(b) GDPR): we process your account + content data because you've signed up for the Service. Without it, we can't deliver Truesaid.
- Legitimate interest (Art. 6(1)(f) GDPR): server logs, security monitoring, fraud prevention, anti-abuse rate limiting.
- Legal obligation (Art. 6(1)(c) GDPR): tax and accounting records, response to lawful requests from competent authorities.
- Consent (Art. 6(1)(a) GDPR): you choose per testimonial whether to publish a client's name (full / initials / hidden). Publishing a client's full name requires you to obtain their consent — Truesaid's privacy controls let you record that consent state.
4. Who we share data with (subprocessors)
Truesaid uses these third parties, each chosen for their security and privacy posture. Each entry shows: name, location, purpose, and the categories of data they receive.
- Cloudflare, Inc. (USA, with EU edge nodes) — hosting (Workers compute, D1 database, AI Gateway proxy, asset delivery). Receives: all data routed through the Service. Bound by Cloudflare's Data Processing Addendum.
- Anthropic PBC (USA) — Claude API processes the conversation text to generate the polished testimonial and editorial summaries. Receives: conversation text + your prompt instructions. Per Anthropic's commercial terms, customer data is not used to train models.
- Resend Inc. (USA) — sends transactional email (magic-link sign-in, support replies, billing notices). Receives: your email address + email body content we generate.
- Stripe Inc. (USA, with EU/Ireland operations) — payment processing for the Pro plan. Receives: your name, email, billing address, card details (which never reach Truesaid). PCI-DSS Level 1 certified.
The current subprocessor list is the binding one. We notify active users by email at least 30 days before adding a new subprocessor that processes personal data, giving you time to object or terminate.
We do not share data with advertisers, data brokers, or third parties for any marketing purpose.
5. International data transfers
Truesaid is operated from United Arab Emirates and uses subprocessors located in the United States and at Cloudflare's global edge. Personal data of users worldwide may therefore be transferred across borders. Where the data subject is in the EU/EEA, UK, or another jurisdiction with cross-border transfer rules, transfers rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent UK SCCs — used between Truesaid and each subprocessor that processes EU/EEA or UK personal data.
- The EU-US Data Privacy Framework certifications held by individual subprocessors (e.g. Cloudflare, Stripe), where applicable.
- Supplementary technical and organisational measures (HTTPS-only transport, encryption at rest, role-based access, ZIP integrity checks, DKIM verification).
For users resident in the United Arab Emirates, Truesaid processes personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and its implementing regulations.
6. How long we keep data (retention)
| Data category | Retention period | Reason |
|---|---|---|
| Account data (email, profile) | Until you delete your account | Contract performance |
| Conversation files (.zip / .eml / .mbox) | Until you delete the client | Service delivery + verification chain |
| Generated testimonials, excerpts, verification IDs | Until you delete the client | Service delivery + ongoing verification |
| Magic-link tokens | 15 minutes (or until used, whichever comes first) | Authentication security |
| Sessions | 30 days idle, then expire | Authentication security |
| Server logs (request metadata) | 30 days, then auto-purged | Debugging + security |
| Billing records (Stripe) | 7 years (or as required by tax law) | Legal obligation |
| Backups (Cloudflare D1 snapshots) | Up to 35 days, then rotated out | Disaster recovery |
Account deletion triggers immediate purge of every category except billing records (kept for tax compliance) and rotated-out backups (which expire automatically).
7. Your rights (GDPR + CCPA)
Under the GDPR (EU/EEA, UK) and the CCPA (California), you have the following rights:
- Access: request a copy of all data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten" / "right to delete"): delete your account and all associated data. Available immediately from your dashboard, no email required.
- Restriction: ask us to limit processing in specific cases.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: any consent you've given (e.g., publishing a client's full name) can be withdrawn at any time. Deletion of the testimonial removes it from every public surface immediately.
- Non-discrimination: we won't penalise you for exercising any of these rights.
- Lodge a complaint with the competent data-protection authority — for EU/EEA residents, your national supervisory authority; for UK residents, the ICO; for UAE residents, the UAE Data Office; for California residents, the California Privacy Protection Agency or the California Attorney General.
To exercise any right, email support@truesaid.com or use the support page. We respond within 30 days.
7.1 California residents (CCPA / CPRA)
If you reside in California, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with — all detailed in sections 2 + 4 above.
- Right to delete — exercise via the dashboard ("Delete account") or by emailing support@truesaid.com.
- Right to opt out of sale or sharing. We do not sell or share personal information as those terms are defined under the CCPA / CPRA. There is nothing for you to opt out of.
- Right to limit use of sensitive personal information. Truesaid does not use sensitive personal information for purposes beyond providing the Service.
- Right to non-discrimination for exercising any of the above.
8. Your clients' data (your responsibility as data controller)
When you upload a conversation, you are the data controller for the personal data within it (the client's name, message content, etc.). Truesaid is the data processor. This means:
- You must have a lawful basis to upload your client's conversation to Truesaid (typically: legitimate interest in maintaining a record of your business communications).
- Publishing a testimonial that identifies your client (full name) requires their consent. Truesaid's privacy controls (hidden / initials / full name) make consent enforceable per testimonial.
- If your client withdraws consent, you must delete the testimonial in Truesaid. The verification page stops resolving immediately.
- For regulated industries (legal, medical, financial), additional rules apply (HIPAA in the US, bar association rules, professional codes). Truesaid's privacy controls help compliance but don't replace your professional obligations.
- A Data Processing Agreement (DPA) is available on request for B2B users — email support@truesaid.com.
9. Security
- HTTPS everywhere; HTTP requests are redirected.
- Sessions: HTTP-only, Secure, SameSite=Lax cookies; magic-link tokens valid for 15 minutes; sessions revocable from your dashboard.
- No passwords stored — magic-link sign-in only.
- Rate limiting on authentication, generation, and public endpoints.
- Database access is restricted to the Truesaid worker via Cloudflare's bindings (no public ingress to D1).
- ZIP integrity checks detect corrupted or internally inconsistent WhatsApp exports; DKIM signature verification on uploaded email threads checks that the headers and body still match what the sending domain signed, so an unsigned or altered message fails the check. (A ZIP check alone cannot prove the absence of tampering, since anyone can rebuild an archive; the DKIM signature is what ties an email thread to its sender.)
- Stripe webhook signatures are verified before an event is acted on, and events are processed idempotently so that a redelivered event is not applied twice.
No system is perfectly secure. If you suspect a breach, email support@truesaid.com. We will investigate, notify the competent supervisory authority within 72 hours of becoming aware of a personal-data breach (GDPR Art. 33), and notify affected users without undue delay where the breach is likely to put them at high risk (GDPR Art. 34).
10. Cookies
Truesaid uses minimal cookies. None are used for advertising or third-party tracking.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| vt_session | Keeps you signed in | 30 days idle | Essential (first-party) |
| __cf_bm | Cloudflare bot management | 30 minutes | Essential (third-party, Cloudflare) |
| cf_clearance | Cloudflare challenge clearance (only set if you fail a bot check) | 30 minutes | Essential (third-party, Cloudflare) |
Because all cookies we set are strictly necessary for security and authentication, no consent banner is required under the EU ePrivacy Directive (Art. 5(3)) for our EU/EEA users, nor under the equivalent rules in the UAE PDPL. If we ever introduce non-essential cookies (e.g., analytics that go beyond the privacy-respecting Cloudflare Web Analytics), this policy will be updated and a consent banner shown before any such cookie is set.
11. Children
Truesaid is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has uploaded data to Truesaid, contact us and we'll delete the account immediately.
12. Automated decision-making
Truesaid uses Anthropic's Claude AI to generate testimonials and editorial summaries from your conversations. This is an automated process, but it does not produce "decisions producing legal or similarly significant effects" within the meaning of GDPR Art. 22: the output is a draft testimonial that you (a human) review, adjust the display settings for, and choose whether to publish. You always have a human in the loop, since you can edit or delete the output, and you can ask us how a particular generation was produced.
13. Changes to this policy
We update this policy when our practices change. The effective date at the top reflects the latest version. Material changes (e.g., a new subprocessor, a change in legal basis) are notified via email to active accounts at least 30 days before they take effect.
14. Contact
For privacy enquiries, data subject requests, or any data-protection questions, email support@truesaid.com or use the support page with topic "Privacy / data deletion". We respond within 30 days, usually faster.