Legal

GDPR Notice

Last updated: 1 June 2025  ·  Applies to: UK & EU residents

This notice explains how Trust Squared handles the personal data of individuals in the United Kingdom and European Union, in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018.

1. Data Controller

Trust Squared is the data controller for personal data collected through trust-squared.site. As data controller, we determine the purposes and means by which your personal data is processed.

You may contact us regarding any data protection matter at:

Email: support@trust-squared.site

Subject line: Data Protection Request

2. What Personal Data We Process

We process the following categories of personal data:

  • Basic identity data: full name, email address, phone number, country, and region
  • Professional data: field of expertise, credentials, years of experience, career summary, LinkedIn URL
  • Identity documents: government-issued photo ID (driver's licence or passport), selfie photograph
  • Uploaded documents: CV or resume
  • Technical data: IP address, browser information, and session data collected automatically

Identity documents are classified as sensitive data under our internal handling policy and are subject to additional access controls and encryption measures beyond our standard data security practices.

3. Legal Bases for Processing

We rely on the following legal bases under Article 6 and Article 9 of the UK/EU GDPR:

  • Article 6(1)(b) — Contractual necessity: processing your application data is necessary to take steps prior to entering into a contributor agreement
  • Article 6(1)(f) — Legitimate interests: verifying eligibility, maintaining platform security, and preventing fraud
  • Article 6(1)(a) — Consent: for processing your identity documents and biometric-adjacent data (selfie with ID). You may withdraw consent at any time without affecting the lawfulness of prior processing
  • Article 6(1)(c) — Legal obligation: where processing is required to comply with applicable law

4. How Long We Keep Your Data

We apply the following retention schedules:

  • Unsuccessful applications: personal data and uploaded documents are deleted within 12 months of the application decision
  • Approved contributors: data is retained for the duration of the contributor relationship and for 3 years thereafter, in line with standard contractual limitation periods
  • Identity documents: deleted within 6 months of identity verification being completed, unless a longer period is required by law
  • Financial records: retained for 7 years as required by tax legislation
  • Technical logs: retained for 90 days for security purposes

5. Your Rights Under GDPR

As a UK or EU resident, you have the following rights. We will respond to all requests within one calendar month.

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including information about how it is used and shared.

Right to Rectification (Art. 16)

Request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure (Art. 17)

Request deletion of your personal data where it is no longer necessary, consent is withdrawn, or you object to processing. Subject to legal retention obligations.

Right to Restrict (Art. 18)

Request that we limit our use of your data in certain circumstances, such as while a dispute about accuracy is resolved.

Right to Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) and have it transferred to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Withdraw your consent to process identity documents at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Complain

Lodge a complaint with the relevant supervisory authority: the ICO in the UK (ico.org.uk) or your national DPA in the EU.

To exercise any of these rights, email support@trust-squared.site with the subject “Data Rights Request” and we will respond within 30 days.

6. International Data Transfers

Personal data may be stored and processed in the United States (via our cloud infrastructure providers). Where we transfer data outside the UK or EEA, we rely on one or more of the following safeguards:

  • UK adequacy regulations under section 17A of the Data Protection Act 2018
  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO
  • The International Data Transfer Agreement (IDTA) for transfers from the UK

Copies of the applicable safeguards are available on request by emailing us.

7. Automated Decision-Making

We do not make solely automated decisions — including profiling — that produce legal or similarly significant effects on individuals. All application assessments involve human review before any decision is communicated to you.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

  • AES-256 encryption of all files at rest
  • TLS encryption for all data in transit
  • Role-based access controls limiting data access to authorised personnel only
  • Regular access logging and security reviews
  • Credential rotation policies for all system integrations

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, notify the ICO or relevant supervisory authority within 72 hours.

9. Supervisory Authority

If you are based in the United Kingdom, the relevant supervisory authority is:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

If you are based in the EU, you have the right to complain to the data protection authority in your member state.

10. Updates to This Notice

We may revise this GDPR Notice from time to time to reflect changes in law, our processing activities, or our business practices. The date at the top of this page will always reflect when the notice was last updated. For significant changes affecting your rights, we will provide direct notification by email.