Security & privacy

Verifiable testimonials, without leaking the conversation.

Privacy isn't a feature here, it's the foundation. The chat is never published; only the parts you explicitly approve become public. Built for regulated industries.

The principle

The whole reason Truesaid exists is that fake testimonials are easy and verifiable testimonials are rare. Privacy is not optional here — if your clients can't trust that their conversation stays private, you can't use Truesaid at all. Everything on this page follows from that.

This page is the canonical reference for how Truesaid handles your data. It's deliberately long because regulated industries — lawyers, doctors, accountants, therapists, financial advisors — read this page line by line before signing up. Bookmark it; we keep it current.

What stays private

Your conversation never gets published.

The chat content stays private

Truesaid never publishes the original messages. Only the testimonial you explicitly approve, the verbatim quotes you choose to highlight, and high-level metadata appear publicly.

Verification page — non-sensitive only

The public verification page (the one the QR code points to) shows: import date, source language, message count, integrity score. It does not show the chat, the client's phone number, or any private details.

Name display you control

For each client you can show their full name, just initials (e.g. J. P. B.), or hide the name entirely (blurred in exports and widgets) — your choice per client.

Right to delete

Delete a client and Truesaid drops everything: the imported chat, the testimonial, the excerpts, and the public verification page. The verification URL stops resolving.

Compliance

Built for regulated industries.

Truesaid's privacy-by-default architecture (chat never published, hidden-name controls, immediate deletion) maps cleanly to the major regulatory regimes. The summaries below are factual; they are not legal advice. For matters specific to your practice, consult your regulator and your lawyer.

GDPR (EU / EEA / UK)
Lawful basis for processing: contract performance + legitimate interest + consent (where required for full-name publishing). Data subject rights honoured immediately. Cross-border transfers covered by Standard Contractual Clauses. You are the controller; Truesaid is the processor. A Data Processing Addendum is available on request via the support page.
LOPDGDD (Spain)
Spanish data-protection rules (LOPDGDD + GDPR). Health data and other special-category data must use hidden-name mode by default. We hold AEPD-aligned records of processing.
CCPA / CPRA (California)
Right to know, right to delete, right to correct, right to opt out of sale (we do not sell data — full stop). Right to limit use of sensitive personal information honoured.
HIPAA (United States, healthcare)
Truesaid is HIPAA-friendly in design (chat content private, hidden-name anonymisation, instant deletion) but we do not currently sign Business Associate Agreements (BAAs). Use hidden-name mode and avoid Protected Health Information for any patient testimonial. Contact us if a BAA is on your timeline.
UK GDPR + Data Protection Act 2018
Same posture as GDPR. SRA solicitors and GMC doctors should still consult their professional body's advertising rules; Truesaid's privacy controls (hidden-name, initials, full-name) make compliance enforceable per testimonial.
Sector-specific advertising rules
Bar associations (CGAE, ABA, SRA, CCBE), medical councils (CGCOM, GMC, AHPRA), accounting bodies (ICAEW, AICPA), psychology bodies (APA, BPS, COP) each set their own rules. The persona pages (/for/<profession>) summarise the relevant regimes per sector.
Encryption & infrastructure

Where your data lives — and how it's protected.

In transit
TLS 1.3 enforced everywhere. HTTP requests are automatically redirected to HTTPS at Cloudflare's edge. Strict-Transport-Security headers prevent downgrade attacks. Modern cipher suites only.
At rest
Cloudflare D1 (our database) encrypts data at rest using AES-256. Magic-link tokens are stored hashed; we never see the plaintext after issuance. Stripe payment details never touch our database.
Cloudflare edge
DDoS protection, WAF (Web Application Firewall), bot detection, rate limiting on every public endpoint. Routine threats stop at Cloudflare's edge before reaching our application code.
Authentication
Magic-link sign-in only — no passwords. Each link is single-use and expires after 15 minutes. Sessions are HTTP-only secure cookies, revocable from your dashboard. Rate-limited at 5 sign-in emails per minute per IP.
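The magic-link lifecycle described above, as an added illustration that is not Truesaid's code: the plaintext token is handed out once for the email, only its digest is stored, and redemption enforces single use and the 15-minute expiry. SHA-256 as the digest, the in-memory store, and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the page's 15-minute maximum lifetime


class MagicLinkStore:
    """Illustrative store (not Truesaid's): keeps only SHA-256 digests of issued
    tokens, so a leaked table exposes nothing that can be redeemed."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._rows = {}  # digest -> {"email", "expires", "used"}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a 256-bit random token and return the plaintext for the email link."""
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "email": email,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # the plaintext is never written to the store

    def redeem(self, token: str):
        """Return the email on success, None otherwise. Every failure path looks the
        same to the caller, and a valid token is consumed on its first use."""
        row = self._rows.get(self._digest(token))
        if row is None:
            return None  # unknown or forged token
        if row["used"]:
            return None  # replayed link: tokens are single-use
        if self._clock() > row["expires"]:
            return None  # expired: 15-minute maximum
        row["used"] = True
        return row["email"]
```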
Generation pipeline
Testimonial generation calls Anthropic's Claude API via Cloudflare's AI Gateway. Anthropic's API data-handling terms apply; per their policies, customer data is not used to train models.
How verification works

The integrity checks behind the badge

"Verified" isn't a marketing word here. It's a chain of concrete checks Truesaid runs on the original file, recorded with the testimonial.

CRC checksums
Every entry in the WhatsApp ZIP export has a CRC-32 checksum. Truesaid recomputes them; if a single byte was tampered with, the check fails and the file is rejected.
Structure validation
The WhatsApp export has a strict structure (timestamp prefix per line, contact format, attachment naming). Truesaid parses it strictly and surfaces any anomaly.
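The CRC and structure checks from the two items above, as an added example that is not Truesaid's code, run over a constructed WhatsApp-style ZIP export. The accepted line shapes (iOS `[dd/mm/yyyy, hh:mm:ss] Name: text`, Android `dd/mm/yyyy, hh:mm - Name: text`) and the `_chat.txt` entry name are assumptions; real exports vary by platform and locale.

```python
import io
import re
import zipfile
import zlib

# Added example, not Truesaid's code. Line shapes are assumptions covering common
# iOS ("[dd/mm/yyyy, hh:mm:ss] Name: text") and Android ("dd/mm/yyyy, hh:mm - Name:
# text") exports; real exports vary by locale and may carry invisible marks.
MESSAGE_RE = re.compile(
    r"^(?:\[\d{1,2}/\d{1,2}/\d{2,4}, \d{1,2}:\d{2}(?::\d{2})?\]"
    r"|\d{1,2}/\d{1,2}/\d{2,4}, \d{1,2}:\d{2} -) [^:]+: .+$"
)

def crc_failures(zip_bytes: bytes) -> list:
    """Recompute CRC-32 for every entry; return names whose stored CRC mismatches.
    Caveat: CRC-32 is not cryptographic. It catches corruption and in-place edits,
    but whoever re-zips an edited chat also rewrites the CRCs."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                data = zf.open(info).read()  # zipfile raises BadZipFile on mismatch
            except zipfile.BadZipFile:
                bad.append(info.filename)
                continue
            if zlib.crc32(data) & 0xFFFFFFFF != info.CRC:  # explicit recomputation
                bad.append(info.filename)
    return bad

def structure_anomalies(chat_text: str) -> list:
    """Strict parse: the first line must open a message, and any later line that
    starts like a timestamp but fails the format is an anomaly. Other non-matching
    lines are treated as continuations of a multi-line message."""
    anomalies, seen_message = [], False
    for lineno, line in enumerate(chat_text.splitlines(), start=1):
        if not line.strip():
            continue
        if MESSAGE_RE.match(line):
            seen_message = True
        elif not seen_message or line[0] == "[" or line[0].isdigit():
            anomalies.append((lineno, line))
    return anomalies

# Constructed sample export; ZIP_STORED keeps the chat bytes verbatim in the archive.
SAMPLE_CHAT = (
    "[12/03/2024, 09:14:02] Jane P.: Thanks, the filing went through today.\n"
    "[12/03/2024, 09:15:40] Jane P.: Genuinely impressed with how fast that was.\n"
)
def build_sample_export(chat_text: str = SAMPLE_CHAT) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("_chat.txt", chat_text)  # iOS-style entry name, assumed
    return buf.getvalue()
```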
DKIM signature (email)
For email .eml imports, Truesaid extracts the DKIM cryptographic signature and re-verifies it against the sender domain's current DNS record. Passing DKIM proves the message body wasn't altered after the sending mail server signed it.
Faithful synthesis
Truesaid writes a polished testimonial from the conversation, but only from what the client actually said. Prompts forbid inventing content, paraphrasing anything the client did not say, attributing claims the client didn't make, and combining unrelated lines. The testimonial is a synthesis, not a literal quote; the verbatim excerpts are 100% literal.
Timestamped quotes
Verbatim quotes keep their original timestamp from the chat and are stored with their position so they can be cross-checked.
Permanent verification URL
Each testimonial has a stable URL of the form /verify/<id>. The URL outlives social-media reshares and stays accessible until you delete the client.
Subprocessors

Every third party in the data path.

Truesaid uses these third parties to deliver the service. Each is selected for its security and privacy posture and operates under a written agreement. None receive data they don't need to perform their function.

Cloudflare (USA / global edge)
Hosting (Workers, D1 database, AI Gateway, KV, Rate Limiting, Web Analytics). Cloudflare's Data Processing Addendum applies. Data is stored at Cloudflare's edge nodes globally; D1 is region-pinned per the database configuration.
Anthropic (USA)
Claude API processes the conversation to generate the polished testimonial and extract verbatim quotes. Per Anthropic's data-handling terms, customer data is not used to train models. The conversation passes through the API only during generation.
Resend (USA)
Sends transactional email: magic-link sign-in messages, support replies, billing confirmations. Email content includes only the magic link or your support message. Resend does not retain message content beyond standard mail-system caching.
Stripe (USA / Ireland)
Payment processing for the Pro plan. Stripe is PCI-DSS Level 1 certified. Card numbers and full payment details never touch Truesaid's database; we receive only subscription status and last-four-digits-of-card metadata.

We notify users at least 30 days before adding or changing a subprocessor, via email to active accounts.

Incident response

What happens if something goes wrong.

Security is a process, not a guarantee. If we confirm a personal-data breach affecting your account, we follow a defined playbook:

  1. Contain — stop the breach, rotate credentials, isolate affected systems.
  2. Assess — determine which accounts and which data categories are affected.
  3. Notify — affected users via the email associated with their account, within 72 hours of confirming the breach (GDPR requirement).
  4. Report — to the relevant supervisory authority (AEPD in Spain, ICO in UK, etc.) where required by law.
  5. Remediate — root-cause fix, regression test, post-mortem published if material.

Cloudflare and Anthropic have their own incident-response procedures for the layers they operate. We coordinate with them when an issue spans the stack.

Data retention

How long we keep things, exactly.

Account data
Until you delete your account. Deletion is immediate from the dashboard.
Conversation files + generated testimonials
Until you delete the client. Deletion is immediate; no soft-delete, no recovery window, no archive.
Magic-link tokens
15 minutes maximum. Single-use; consumed on first click.
Sessions
Until you sign out or revoke them from the dashboard. HTTP-only secure cookies.
Server logs
30 days. Used for debugging and security analysis. Anonymised by IP hash where feasible.
Billing records
As required by tax law (typically 7 years). Stripe holds transaction-level details; Truesaid keeps subscription metadata.
Security & privacy FAQ

Questions we get asked the most.

For other questions, the general FAQ covers product-level topics; for legal text, see Privacy Policy and Terms of Service.

Is Truesaid GDPR-compliant?

Yes. Truesaid is operated from the European Union and treats every data flow under GDPR. You are the data controller for the conversations you upload; Truesaid is the data processor. We support the full set of data-subject rights (access, rectification, erasure, portability, restriction, objection, consent withdrawal). Cross-border transfers to subprocessors based outside the EU rely on Standard Contractual Clauses and/or adequacy frameworks where applicable.

Is Truesaid HIPAA-compliant for medical practices?

Truesaid is HIPAA-friendly by design (the chat content stays private, hidden-name mode anonymises the patient, deletion is immediate), but we do not currently sign Business Associate Agreements (BAAs) — you should treat Truesaid as a non-BAA tool and use hidden-name mode with no Protected Health Information for any patient testimonial. If your practice requires a BAA, contact us to discuss the roadmap.

What encryption does Truesaid use?

TLS 1.3 in transit for every connection (Cloudflare's edge enforces this — HTTP is automatically redirected to HTTPS). Cloudflare D1 (our database) encrypts data at rest using AES-256. Magic-link tokens are stored hashed (never in plaintext). Stripe payment data never touches Truesaid's database; Stripe is PCI-DSS Level 1 certified.

How long do you keep my data?

Account data: until you delete your account. Conversation files and generated testimonials: until you delete the client (deletion is immediate, no soft-delete or recovery window). Server logs: 30 days, then automatically purged. Magic-link tokens: 15 minutes maximum. Sessions: until you sign out or revoke them. Billing records: as required by tax law (typically 7 years).

Who has access to my conversations inside Truesaid?

You. Truesaid's operators do not access user conversations as a normal-operations matter. Access for debugging or support is request-driven and audited. We do not have a 'training pipeline' that reads user data. Anthropic's Claude API processes conversations during testimonial generation but does not retain them for training (per Anthropic's API data-handling terms).

What happens if Truesaid has a data breach?

Under GDPR, we notify affected users within 72 hours of confirming a personal-data breach. We notify you via the email associated with your account, describe what happened, what data was affected, and what we're doing about it. Cloudflare handles the underlying infrastructure and has its own breach-response procedures.

Do you do penetration testing or security audits?

Truesaid is in beta. We run static analysis on every deploy and rely on Cloudflare's edge-level DDoS protection, WAF, and bot detection. A formal penetration test is on the roadmap before the formal v1 launch. The integrity checks (CRC, ZIP signature, DKIM) are themselves a continuous adversarial check on the inputs you upload.

Can I delete my account and all data immediately?

Yes. Account deletion is immediate from your dashboard. It removes: your user record, every client you imported, every conversation file, every testimonial, every excerpt, every widget you created, every public profile entry. The verification URLs stop resolving immediately. There is no undo and no recovery.

Will my client testimonials show up in Google search?

Only if you publish them on your public profile page (verydash.com/u/your-id) and you don't disable indexing. Per-account, you can toggle off indexability and the sitemap will exclude you. Per-testimonial, deletion stops everything: search engines reindex within days, the verification URL stops resolving in milliseconds.

What happens if my client asks to be removed from a published testimonial?

Delete that client in Truesaid. Within milliseconds: the public verification page returns 'verification not found', every embeddable widget hides the entry, every cached image with a QR code now points to a dead URL. Search engine cache lingers for days but the live URL is gone. This is the GDPR-compliant withdrawal-of-consent path.

Are you registered as a data processor in any jurisdiction?

Yes — we maintain GDPR-compliant data-processing records. For privacy enquiries, formal data-subject requests, or to ask for a Data Processing Addendum (DPA), use the support page with topic 'Privacy / data deletion'.

What about Stripe — is my payment information secure?

Truesaid never sees your card number. Stripe handles payment processing entirely; we receive only metadata (subscription status, last-four-digits-of-card for display). Stripe is PCI-DSS Level 1 certified — the industry standard for card-handling security.
