Privacy Policy

Last Updated: 20.06.2025 | This Privacy Policy complies with GDPR, TTDSG, and German data protection law.

1. Controller and Data Protection Officer

Data Controller (Responsible Party):
Sascha Wohlert
TrustedBoosts
Grüner Weg 5
94133 Röhrnbach, Germany
Email: mail@trustedboosts.com

Data Protection Inquiries: For all data protection matters, please contact us at mail@trustedboosts.com with "Data Protection" in the subject line.

2. Overview of Data Processing

We process personal data in connection with our review management services, including reputation optimization, review response management, and analytics. This policy explains what data we collect, how we use it, and your rights.

Key Information:

  • We process data necessary for service delivery and legal compliance
  • Data is processed based on contract fulfillment and legitimate interests
  • We implement appropriate technical and organizational measures
  • Data retention periods are limited and purpose-specific
  • International transfers include appropriate safeguards
  • We maintain comprehensive data processing records
  • Regular privacy impact assessments are conducted

3. Legal Basis for Processing

We process personal data based on the following legal bases under GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Service delivery, account management, billing, review management
  • Legitimate Interests (Art. 6(1)(f)): Business operations, fraud prevention, system security, service improvement
  • Legal Obligations (Art. 6(1)(c)): Tax records, accounting, legal compliance, regulatory reporting
  • Consent (Art. 6(1)(a)): Marketing communications, optional cookies, newsletter subscriptions
  • Vital Interests (Art. 6(1)(d)): Emergency situations, system security incidents, data breach response
  • Public Task (Art. 6(1)(e)): Compliance with court orders, law enforcement requests

Special Categories: We do not intentionally collect special categories of personal data (racial origin, political opinions, religious beliefs, health data, etc.). If such data is inadvertently collected, it will be deleted immediately.

4. Data We Collect

4.1 Customer Account Data

  • Personal Information: Full name, email address, phone number, company position
  • Business Information: Company name, industry sector, website URL, business address, VAT number
  • Account Credentials: Platform usernames, API keys, access tokens (encrypted at rest)
  • Payment Data: Billing address, payment method details (processed securely by payment providers)
  • Communication Records: Support tickets, emails, chat logs, call recordings (with consent)
  • Verification Data: Identity verification documents, business registration proofs

4.2 Review Management Data

  • Platform Data: Trustpilot profiles, Google Business listings, review content, ratings, metadata
  • Customer Feedback: Review texts, customer names, feedback dates, response histories
  • Analytics Data: Review trends, response rates, score improvements, competitor benchmarks
  • Strategy Data: Campaign settings, response templates, automation rules, optimization parameters
  • Performance Metrics: Conversion rates, engagement statistics, improvement tracking

4.3 Technical and Website Data

  • Website Usage: IP addresses, browser types, device information, session data, page views
  • System Logs: Access logs, error logs, security events, performance metrics, API usage
  • Cookies and Tracking: Functional cookies, analytics cookies, preference settings, session management
  • Location Data: Country-level location information for service delivery and compliance

4.4 Communication and Support Data

  • Support Interactions: Help desk tickets, live chat conversations, phone call logs
  • Feedback and Surveys: Service feedback, satisfaction surveys, improvement suggestions
  • Marketing Communications: Newsletter subscriptions, promotional preferences, engagement tracking

5. How We Use Your Data

5.1 Service Delivery and Management

  • Account setup, configuration, and ongoing management
  • Review monitoring, analysis, and response management
  • Strategy development, implementation, and optimization
  • Performance reporting, analytics, and dashboard provision
  • Customer support, technical assistance, and troubleshooting
  • Platform integration, API management, and automation
  • Service customization and personalization

5.2 Business Operations and Legal Compliance

  • Payment processing, billing, and financial management
  • Fraud prevention, security monitoring, and risk assessment
  • Legal compliance, regulatory reporting, and record keeping
  • Service improvement, optimization, and quality assurance
  • Staff training, performance evaluation, and quality control
  • Contract management and relationship administration

5.3 Communications and Marketing

  • Service notifications, updates, and important announcements
  • Platform policy changes and compliance updates
  • Technical support communications and system alerts
  • Marketing communications and promotional offers (with explicit consent)
  • Legal notices, contract updates, and regulatory communications
  • Customer satisfaction surveys and feedback collection

6. Data Sharing and Transfers

6.1 Third-Party Service Providers

We share data with carefully vetted processors under strict data processing agreements (DPAs):

  • Review Platforms: Trustpilot, Google Business, Yelp (for legitimate service delivery)
  • Payment Processors: Stripe, PayPal, bank payment systems (for secure payment processing)
  • Cloud Infrastructure: Vercel, MongoDB Atlas, AWS (for hosting and secure data storage)
  • Communication Services: Email providers, SMS services, phone systems (for customer communications)
  • Analytics and Monitoring: Google Analytics, internal analytics tools (for service optimization)
  • Security Services: Cybersecurity providers, monitoring services (for data protection)

6.2 International Data Transfers

Some service providers are located outside the EU/EEA. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers
  • Adequacy Decisions: Transfers to countries with EU-recognized data protection
  • Binding Corporate Rules (BCRs): For multinational service providers
  • Additional Safeguards: Encryption, access controls, and supplementary measures
  • Transfer Impact Assessments: Regular evaluation of transfer risks and safeguards

6.3 Legal Disclosures and Authorities

We may disclose data when legally required or necessary:

  • Court orders, subpoenas, legal processes, and law enforcement requests
  • Protection of our rights, property, safety, or that of others
  • Prevention, investigation, or prosecution of fraud or illegal activities
  • Compliance with regulatory requirements and supervisory authority requests
  • National security or public safety requirements

7. Data Retention and Deletion

Retention Principles: We retain data only as long as necessary for the original purposes, legal requirements, legitimate business needs, or until you request deletion (where legally permissible).

7.1 Specific Retention Periods

  • Customer Account Data: Duration of business relationship + 3 years (contractual claims)
  • Transaction and Billing Records: 10 years (German tax law requirements - AO/HGB)
  • Communication Records: 3 years after last business contact
  • Review Management Data: Duration of service + 2 years (performance analysis)
  • Technical Logs and Security Data: 12 months (security monitoring and incident response)
  • Marketing Data: Until consent withdrawn + 1 year (legitimate interests)
  • Legal Compliance Data: As required by applicable laws (varies by data type)

7.2 Secure Deletion Process

Upon expiration of retention periods, data is securely deleted using:

  • Industry-standard data wiping and overwriting techniques
  • Cryptographic erasure for encrypted data
  • Physical destruction of storage media when necessary
  • Verification and certification of deletion processes
  • Inclusion of backup systems in deletion procedures (within 90 days)

8. Your Comprehensive Data Protection Rights

Under GDPR and German data protection law, you have extensive rights:

8.1 Core GDPR Rights

  • Right of Access (Art. 15 GDPR): Request comprehensive information about your personal data
  • Right to Rectification (Art. 16 GDPR): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17 GDPR): Request deletion of personal data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18 GDPR): Limit how we process your data
  • Right to Data Portability (Art. 20 GDPR): Receive data in structured, machine-readable format
  • Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests or direct marketing
  • Rights Related to Automated Decision-Making (Art. 22 GDPR): Protection from solely automated decisions

8.2 Consent Management

  • Withdrawal of Consent: Easily withdraw consent for marketing, cookies, or optional processing
  • Granular Consent: Separate consent for different processing purposes
  • Opt-out Mechanisms: Unsubscribe links, account settings, preference centers
  • Processing Continuation: Withdrawal does not affect the lawfulness of previous processing

8.3 How to Exercise Your Rights

Contact Information: Send detailed requests to mail@trustedboosts.com with "Data Subject Request" in the subject line. Please include:

  • Full name and email address associated with your account
  • Specific right(s) you want to exercise
  • Detailed description of your request
  • Identity verification information (copy of ID may be required for security)
  • Preferred format for data portability requests

Response Timeline: We respond within 30 days, extendable to 60 days for complex requests (with advance notification and explanation).

Free of Charge: Exercising your rights is generally free. Excessive or manifestly unfounded requests may incur reasonable administrative fees.

9. Comprehensive Data Security

We implement state-of-the-art security measures to protect your data:

9.1 Technical Security Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication, role-based access control (RBAC)
  • Network Security: Advanced firewalls, intrusion detection/prevention systems
  • Monitoring: 24/7 security monitoring, automated threat detection and response
  • Backup Systems: Regular encrypted backups with geographic redundancy
  • Vulnerability Management: Regular security testing, patch management
  • Secure Development: Security-by-design principles, code reviews

9.2 Organizational Security Measures

  • Staff Training: Regular data protection and cybersecurity training
  • Access Management: Principle of least privilege, regular access reviews
  • Incident Response: Documented procedures for security breaches and data incidents
  • Vendor Management: Due diligence, security assessments, contractual safeguards
  • Regular Audits: Internal and external security assessments, penetration testing
  • Compliance Monitoring: Continuous compliance monitoring and improvement

10. Cookies and Tracking Technologies

10.1 Cookie Categories

  • Strictly Necessary: Essential for website functionality and security
  • Functional: Remember preferences, settings, and user choices
  • Analytics: Understand usage patterns, performance metrics, and optimization
  • Marketing: Deliver relevant advertising and track campaign effectiveness (consent required)

10.2 Cookie Management and Control

You can control cookies through multiple methods:

  • Cookie consent banner settings and preference center
  • Browser settings and privacy controls
  • Opt-out tools for specific analytics and advertising services
  • Account dashboard settings for logged-in users
  • Third-party privacy tools and browser extensions

11. Children's Privacy Protection

Age Restrictions: Our services are intended exclusively for businesses and individuals 18 years or older. We do not knowingly collect, process, or retain personal data from children under 16 years of age.

Immediate Action: If we become aware of any data collection from children, we will immediately delete such data and take measures to prevent future collection.

Parental Rights: Parents or guardians who believe we have inadvertently collected their child's data should contact us immediately.

12. Data Breach Notification and Response

Comprehensive Breach Response: In case of a personal data breach:

  • Authority Notification: We notify supervisory authorities within 72 hours when required by law
  • Individual Notification: We notify affected individuals when there is a high risk to their rights and freedoms
  • Detailed Information: Notifications include the nature of the breach, likely consequences, and mitigation measures
  • Remedial Actions: Immediate steps to contain the breach and prevent future incidents
  • Documentation: We maintain comprehensive records of all data breaches for regulatory compliance
  • Continuous Improvement: Post-incident analysis and security enhancements

13. Privacy Policy Updates and Changes

Regular Updates: We may update this Privacy Policy to reflect:

  • Changes in our services, business practices, or data processing activities
  • New legal or regulatory requirements and compliance obligations
  • Enhanced security measures, technologies, or data protection practices
  • Industry best practices and privacy standard improvements
  • Feedback from users, regulators, or privacy advocates

Notification Process: We provide advance notice of material changes via email, prominent website notice, or account notifications. Continued use after the effective date constitutes acceptance of the updated terms.

Version Control: We maintain historical versions of our Privacy Policy for transparency and compliance purposes.

14. Supervisory Authority and Complaints

Right to Lodge Complaints: You have the right to lodge a complaint with a data protection supervisory authority, particularly in your country of residence, workplace, or where the alleged infringement occurred.

German Supervisory Authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de

European Data Protection Board: For cross-border issues, you may also contact the European Data Protection Board at edpb.europa.eu

15. Contact Information and Data Protection Officer

Primary Contact for Data Protection:
Email: mail@trustedboosts.com
Subject Line: "Data Protection Inquiry"

Business Contact:
Sascha Wohlert
TrustedBoosts
Grüner Weg 5
94133 Röhrnbach, Germany
Email: mail@trustedboosts.com

Response Commitment: We respond to privacy inquiries within 5 business days for initial acknowledgment and within 30 days for complete responses.

Your Privacy is Our Priority: We are committed to protecting your personal data and respecting your privacy rights under GDPR and German law. If you have any questions, concerns, or requests regarding our privacy practices, please don't hesitate to contact us immediately.