Privacy Notice
How we collect, use, and protect your personal data
1. About Trustflo
Moxie Agency AB ("Trustflo", "we", "us") provides governance and compliance software and related services. This Privacy Notice explains how we process personal data when you:
- visit our public websites (the "Site");
- use our cloud software and related services under an executed order (the "Service"); or
- engage with our marketing and events ("Communications").
This Notice covers Trustflo's processing as controller. When we process Customer Data in the Service on your behalf, we act as processor and the Data Processing Agreement (DPA) attached to your Order applies.
2. Controller contact details
Moxie Agency AB (Trustflo)
Org. no. 559463-3157
Registered office: Torupsgårdsvägen 16 16, 277 36 Vitaby
Email: team@trustflo.ai
Website: https://www.trustflo.ai/
Supervisory authority: Integritetsskyddsmyndigheten (IMY), Sweden.
3. What data we process as controller
We process limited data needed to operate the Site, manage our relationship with you, and run the Service at an administrative level.
Identity & contact (when you interact with us): name, work email, phone (optional), employer, role, country.
Administrative account & authentication (only for customer admins/users under an Order or invited to a workspace): workspace/tenant identifier, role/permissions, SSO settings and identifiers from your IdP, and minimal access/audit metadata necessary to operate and secure the Service (e.g., login events, MFA status). Content- or record-level activity tied to Customer Data is handled under the DPA.
Commercial & billing (only for customer admins under an Order): subscription tier, invoices, payment status, billing contact. Card data is handled by our PCI-compliant payment processor; we do not store full card numbers.
Usage, device & diagnostics (Site and Service): UI interactions, feature activation, crash/diagnostic reports, IP address, timestamps, device/OS/browser, language, and approximate location inferred from IP. We configure telemetry to the minimum needed for reliability, security, and improvement, and use aggregated/pseudonymised analytics where feasible.
Support & feedback: tickets and attachments, emails/chats, call notes, survey responses (incl. NPS), and problem reports.
Marketing & preferences (Site and Communications): newsletter preferences, event/webinar registrations, downloads, campaign UTM data, consent and suppression records (to honour your choices).
Cookies and similar technologies: strictly necessary cookies for operation; analytics/advertising cookies only with consent (see Section 11).
Customer Data in the Service (e.g., data-flow maps, RoPA records, AI system registers) is processed under the DPA where you are controller and Trustflo is processor.
4. Sources
You directly: forms, contracts, support tickets/chats, meetings and events.
Your organisation/admin: user-provisioning details for invited users (e.g., name, work email, role).
Identity provider (if SSO enabled): only the attributes required for authentication/authorisation.
Device/browser: technical signals generated when you access the Site/Service (see cookies in Section 11).
Consent & preference tools: our cookie banner/consent manager and email subscription centre (consent and suppression records).
Service providers: hosting, authentication, payments (billing metadata only, never full card numbers), CRM/marketing, support, email delivery, and, where consented, analytics/advertising.
We do not buy personal data from data brokers.
Site visitors (no Order). By default we create technical and security logs and set necessary cookies to operate a secure, functional Site. If you submit a form, we process what you provide to respond. Analytics and advertising run only with your consent via our cookie banner.
5. Purposes and legal bases
We process personal data only where a lawful basis applies:
Provide and secure the Site (serve pages, prevent abuse, diagnose issues): legitimate interest and, where applicable, legal obligations.
Create and administer admin accounts; operate the Service at an administrative level (controller data only): contract (Terms/Order).
Billing and collections (customer admins under an Order): contract and legal obligations (tax/audit).
Customer support and service communications (e.g., outage notices, ticket handling): contract/legitimate interest.
Product reliability, diagnostics, and improvement (low-privacy telemetry, crash reports, aggregated analytics): legitimate interest; where ePrivacy requires consent (e.g., analytics cookies on the Site), we rely on consent.
Direct marketing (newsletters, webinars, downloads): consent (opt-in) where required by law; otherwise legitimate interest with an opt-out.
Consent and preference management (recording consent, honouring opt-outs/suppressions): legitimate interests and legal obligations (ePrivacy/GDPR accountability).
Compliance and enforcement (comply with law, respond to lawful requests, enforce Terms): legal obligations/legitimate interests.
Processing of Customer Data in the Service is performed as data processor under the DPA.
6. Processing as processor (Customer Data)
When you use the Service, you control what Customer Data is submitted. We process it only to provide the Service and as instructed in the DPA (subject matter, duration, categories, security, subprocessors, international transfers, and deletion/return). If you need to exercise data subject rights for Customer Data, contact your organisation's administrator; we assist them under the DPA.
7. Disclosures and recipients
We share personal data, where relevant, with:
Service providers/subprocessors (hosting, authentication, email, support, analytics, payments) bound by confidentiality, purpose limitation, and security terms;
Professional advisers (legal, tax, audit) under confidentiality;
Corporate transaction counterparties (merger, acquisition, reorganisation) subject to safeguards;
Authorities where required by law or to protect rights, safety, and security.
We do not sell personal data.
8. International transfers
We are based in Sweden and primarily process personal data in the EU/EEA. Some service providers may be located outside your country, including outside the EU/EEA (for example, in the United States).
When personal data is transferred outside the EU/EEA, we use appropriate safeguards to ensure an adequate level of protection, including:
Adequacy decisions adopted by the European Commission, where available.
Standard Contractual Clauses (SCCs) issued by the European Commission (including the relevant modules), together with transfer risk assessments and, where appropriate, supplementary technical and organisational measures (e.g., encryption in transit and at rest, access controls, minimisation).
EU–US Data Privacy Framework (DPF) certification for US recipients that participate; otherwise SCCs (plus supplementary measures) apply.
Derogations under GDPR Article 49 only where strictly necessary (e.g., your explicit consent or to establish, exercise, or defend legal claims).
For Customer Data processed in the Service, international transfers and safeguards are governed by the DPA attached to your Order.
9. Retention
We retain personal data only as long as needed for the purposes above or as required by law.
Site & marketing records: typically up to 24 months after your last interaction or until you withdraw consent/opt out (minimal suppression records retained thereafter).
Security/server logs: typically up to 12 months, longer only to investigate incidents or meet legal duties.
Administrative account & billing records (controller): for the contract term and up to 6 months after end, unless longer is needed to comply with law or establish/exercise/defend legal claims.
Customer Data (processor): deleted or returned per the DPA; in any case, we delete personal data in the Service no later than 6 months after the Order ends, unless otherwise agreed or required by law.
10. Your rights
Under GDPR, you may request access, rectification, erasure, restriction, and portability, and you may object to processing (including direct marketing). Where processing relies on consent, you may withdraw it at any time. You also have the right to lodge a complaint with IMY or your local supervisory authority.
To exercise rights for data we control, contact team@trustflo.ai. For Customer Data in the Service, please contact your organisation; we will assist them under the DPA.
12. Security
We implement appropriate technical and organisational measures, including encryption in transit and at rest, access controls and audit logging, least-privilege and MFA for administrators, vulnerability management, secure development and change controls, incident response, and business continuity and backups. High-risk subprocessors are security-assessed and contractually bound.
13. Children
The Site and Service are not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.
14. Changes to this Notice
We may update this Notice from time to time. We will post the updated version with a new "Last updated" date and, where changes are material, provide additional notice (for example, a banner or email).
15. Contact
Questions about this Notice or our privacy practices?
Email: team@trustflo.ai
Postal: Torupsgårdsvägen 16 16, 277 36 Vitaby (Attn: Privacy)