Effective Date: 11/30/2025
Last Updated: 10/31/2025
Change summary (10/31/2025): We clarified roles (controller vs. processor), named core providers (Stripe, AWS, Sectigo, AWS CloudWatch), added retention windows, and included U.S. state privacy rights. See the announcement for details.
Trusted Signatures (“Trusted Signatures,” “TS,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our Services. Capitalized terms not defined here have the meanings given in our Terms of Service.
Scope. This Policy covers personal information we process when you visit our websites, create an account, use the Services, or interact with us. Roles.
We collect the following categories of information:
(a) Account & billing. Name, email address, organization name, billing contacts, subscription details, transaction metadata. We do not collect or store full payment card numbers or CVV; these are collected and processed by our payment provider (Stripe). We may receive limited payment metadata (e.g., last four digits, card type, expiration month/year, tokens, transaction outcomes).
(b) Service & API usage. We log API requests for auditing, security, and usage tracking. This may include your IP address, timestamps, API key identifiers, PDF digest, and requested operations.
(c) Document metadata (no PDFs). Where required, we process and may retain non-content metadata such as SHA-256 digests, timestamps, certificate serial numbers/issuer, validation outcomes, and signer identity fields you instruct us to apply—strictly for verification, audit, and fraud-prevention purposes. We never upload or store your PDF documents.
(d) Identity products (Publisher Identity). For AATL OrgID and EU Advanced OrgID onboarding and lifecycle, we may collect organization identity data you provide (e.g., business name, addresses, registration numbers, authorized contacts, and proof documents) to coordinate with Certificate Authorities (CAs) and Registration Authorities (RAs).
(e) Support & communications. Messages, tickets, diagnostics, and related metadata.
(f) Website & device data. Cookies and similar technologies for essential operations, security, and analytics (see §8).
We use information to: (a) provide, secure, and operate the Services (contract/legitimate interests); (b) authenticate and manage accounts, keys, and entitlements (contract/legitimate interests); (c) prevent abuse, fraud, and security incidents; investigate errors (legitimate interests/legal obligations); (d) issue and manage organization certificates for Identity products with CAs/RAs/TSA/OCSP/CRL services (contract/legal obligations/legitimate interests); (e) process payments and comply with tax, accounting, and regulatory requirements (legal obligations/contract); (f) provide support and communicate about updates, billing, and policy changes (contract/legal obligations); (g) improve the Services and develop features (legitimate interests); and (h) send optional product and event communications (consent where required; you may opt out).
We do not sell or rent personal information. We disclose limited information as follows: (a) Service providers/subprocessors. Cloud hosting, security/monitoring, analytics, support, and payment processing—bound by confidentiality and data-protection terms. (b) Payments (Stripe). We disclose necessary billing and transaction data to Stripe to process payments, prevent fraud, and handle disputes. Stripe’s processing of payment card data is governed by its own terms and privacy notices. (c) Trust services for signing/validation. Where applicable, to CAs/RAs, time-stamping authorities (TSA), and revocation/validation services (OCSP/CRL) to issue, validate, suspend, or revoke certificates and timestamps per program rules. (d) Compliance & safety. To comply with laws, lawful requests, or to protect rights, safety, and the integrity of the Services. (e) Business transfers. In a merger, acquisition, or asset transfer, in accordance with applicable law.
A current list of core subprocessors is available on request.
We keep personal information only as long as necessary for the purposes in this Policy or as required by law. Illustratively:
(a) account and billing records: up to 7 years for tax/accounting/contract compliance;
(b) security and API logs: typically 12–24 months (longer if needed for investigations, regulatory, or audit purposes);
(c) document-verification metadata (no PDFs): retained for the life of the account and a reasonable period thereafter to support audit trails and dispute resolution, unless law or program rules require a different period.
You may request deletion of account data; we may retain data we must keep for legal, security, or operational reasons.
We use industry-standard technical and organizational measures (encryption in transit/at rest where applicable, access controls, audit logging, network protections). API keys and sensitive metadata are stored securely with restricted access. No system is 100% secure; we cannot guarantee absolute security.
Depending on your location, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. You may also: (a) update account details in the dashboard or by contacting us; (b) opt out of non-essential marketing emails; (c) request a copy of personal information we hold about you; (d) where processing is based on consent, withdraw consent (this does not affect prior processing). To exercise these rights, contact us at privacy@trusted-signatures.com. If you are an end user of a TS customer, please direct your request to that customer; we will support them in our processor/service-provider role.
We use strictly necessary cookies to operate the site and Services and may use analytics to understand usage and improve performance. You can control cookies via browser settings; disabling cookies may affect functionality. We do not respond to “Do Not Track” signals.
We operate in the United States. If you access the Services from outside the U.S., you consent to transferring and processing your information in the U.S. For EEA/UK/Swiss data, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and will enter a DPA upon request.
The Services are for business use and are not directed to individuals under 18. We do not knowingly collect personal information from children.
(a) Roles. We act as a service provider/processor for customer content and as a business/controller for account, billing, and site interactions. (b) Sales/sharing. We do not sell personal information and do not share it for cross-context behavioral advertising. (c) Rights. You may have rights to know, delete, and correct certain personal information, and to not be discriminated against for exercising rights. Submit requests to privacy@trusted-signatures.com. (d) Disclosures. Categories collected align with §2; sources include you/your organization, your devices, and our service providers; purposes are in §3; disclosures are in §4.
(a) No PDF storage. TS does not upload or store your PDF documents for Publisher sealing; we may process and retain non-content document digests and verification metadata for audit and fraud-prevention. (b) Identity products. For Publisher Identity (AATL OrgID / EU Advanced OrgID), identity data you supply is used to coordinate with CAs/RAs and related trust services for issuance, revalidation, suspension, or revocation. CA/RA decisions and program rules (e.g., AATL/EU trust lists) govern lifecycle outcomes. (c) Long-term validation (LTV). If you instruct TS to attach OCSP/CRL and/or RFC 3161 timestamps, associated third-party validation metadata may be processed and retained to support verification.
Our websites may link to third-party sites or services. Their privacy practices are governed by their policies.
We may update this Policy from time to time. Material changes will be notified via the Services or by email to your account contacts and take effect on the date stated in the notice (or, if none is stated, upon posting with an updated “Last Updated” date). Your continued use after the effective date constitutes acceptance. If you do not agree, you must stop using the Services.
Privacy questions or requests: privacy@trusted-signatures.com Postal Address: Trusted Signatures, 4 Saint Albans Rd W, Hopkins, MN 55305 For legal notices, you may also contact michelle@trusted-signatures.com and brad@trusted-signatures.com