Privacy Policy
Last updated: May 3, 2026
TrustMark is built on a simple promise: your identity data is yours. We verify once, delete the raw images immediately, and never sell or share what we keep.
What we collect
What we process depends on which tier you use.
Tier 1 (free) — we process:
- A live selfie captured in your browser
- Liveness keyframes — short images captured during the active liveness challenge (head turns, blink) to confirm you're a real human and not a recording or AI-generated face
- Your email address (for account access)
- Your chosen handle and any profile links you add to your page
Tier 2 ($6/month) adds:
- A photo of your government-issued ID
- Your Stripe customer and subscription identifiers (so we can match webhook events to your account)
- The list of domains you allowlist for embedding the Tier 2 badge on your own site
Across all tiers, we also collect:
- Per-link click counts on your public page (an integer per link, no IP addresses, user agents, or visitor identifiers)
- First-touch UTM parameters (utm_source / utm_medium / utm_campaign / utm_content / utm_term) if you arrived from one of our ads — used only for our own ad-cohort measurement
- OAuth tokens, when you connect a GitHub, Reddit, or Twitch account to verify a profile link — used once to read your username from that provider's “me” endpoint, then discarded
What we keep (and for how long)
Your ID image, selfie, and liveness keyframes are stored in an access-restricted Cloud Storage bucket while a member of our team reviews your submission. Review typically completes within 24 hours and the bucket auto-deletes anything older than 7 days regardless of review status. After your review completes, we permanently delete from our servers:
- Your ID document image (Tier 2)
- Your selfie image
- Your liveness keyframes
- Your full name (Tier 2)
- Your exact date of birth (Tier 2)
- Your ID document number (Tier 2)
- Your address (Tier 2)
What we permanently retain depends on your tier.
Tier 1 retention:
- Your credential ID (TMK-YYYY-NNNNN-X format)
- Your chosen handle (public)
- An irreversible biometric feature (face embedding) — used only to prevent duplicate credentials
- Your profile links, theme choice, and per-link click counts
- Credential issue date
Tier 2 retention adds:
- Your age range (e.g., 25–34), never your exact age
- Your jurisdiction (country only)
- An HMAC-SHA256 hash of name+DOB+jurisdiction — salted with a secret pepper, used only to detect duplicate verification attempts
- Your Stripe customer and subscription identifiers
- Your embed-domain allowlist
If you cancel your Tier 2 subscription, the Tier-2-only fields above (age range, jurisdiction, name hash, embed domains) are cleared and your credential is re-signed as a Tier 1 credential. Your handle, links, theme, and click counts stay put.
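As an added illustration of the peppered HMAC-SHA256 duplicate-detection hash described in the Tier 2 retention list (this is example code written for this page, not TrustMark's own implementation, which is not published here), the following shows how such a hash is computed so that two verification attempts by the same person collide while the stored value cannot be matched against guessed name/DOB/country lists without the secret pepper. The field normalization, the byte separator, and the pepper source are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata


def normalize_identity(full_name: str, dob: str, jurisdiction: str) -> bytes:
    """Canonicalize the three fields so trivial variations of the same
    identity (case, extra whitespace, Unicode forms) hash to one value.
    Assumptions: dob is ISO 8601 (YYYY-MM-DD) and jurisdiction is an
    ISO 3166-1 alpha-2 country code. The 0x1f separator cannot appear in
    the inputs, so ("ab","c") and ("a","bc") cannot produce the same message."""
    name = unicodedata.normalize("NFKC", full_name).casefold()
    name = " ".join(name.split())
    return b"\x1f".join([
        name.encode("utf-8"),
        dob.strip().encode("ascii"),
        jurisdiction.strip().upper().encode("ascii"),
    ])


def dedup_hash(pepper: bytes, full_name: str, dob: str, jurisdiction: str) -> str:
    """HMAC-SHA256 over the canonical identity, keyed with the secret pepper.
    A plain SHA-256 would be reversible by enumerating plausible
    name/DOB/country combinations; keying the hash removes that offline
    guessing path for anyone who has the index but not the pepper."""
    msg = normalize_identity(full_name, dob, jurisdiction)
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


class DuplicateIdentityIndex:
    """Holds only the hashes; raw name/DOB/jurisdiction never reach it."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._seen: set[str] = set()

    def check_and_record(self, full_name: str, dob: str, jurisdiction: str) -> bool:
        """Return True if this identity was already verified (a duplicate
        attempt); otherwise record its hash and return False."""
        h = dedup_hash(self._pepper, full_name, dob, jurisdiction)
        if h in self._seen:
            return True
        self._seen.add(h)
        return False

    def forget(self, full_name: str, dob: str, jurisdiction: str) -> None:
        """Clear the hash, e.g. when a Tier 2 subscription is cancelled."""
        self._seen.discard(dedup_hash(self._pepper, full_name, dob, jurisdiction))


if __name__ == "__main__":
    # Constructed pepper for the demo; a real deployment would load it from a
    # secrets manager and never write it next to the index.
    pepper = secrets.token_bytes(32)
    index = DuplicateIdentityIndex(pepper)
    print(index.check_and_record("Ada Lovelace", "1815-12-10", "GB"))   # False: first time
    print(index.check_and_record("ADA  LOVELACE", "1815-12-10", "gb"))  # True: same person
    print(index.check_and_record("Ada Lovelace", "1815-12-10", "FR"))   # False: different jurisdiction
```

The design point is that the index stores 32-byte HMAC outputs, so an attacker who obtains the index alone learns nothing about who is in it; an attacker who also obtains the pepper can only test specific guesses, never decode the hash back into a name or date of birth.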
Biometric data
We retain one irreversible mathematical representation of your face — a numerical vector, not an image — stored in our biometric index in Google BigQuery. This vector:
- Cannot be used to reconstruct your original photo
- Is stored in an access-restricted dataset with audit logging on every query
- Is used solely to enforce our “one credential per person” guarantee
- Is deleted when you delete your credential
The active liveness challenge: during sign-up, we ask you to turn your head and blink while your camera captures short keyframes. We use these to confirm a live human is in front of the camera (rather than a static photo, screen recording, or AI-generated face). The keyframes are verified server-side via face embeddings, then deleted from Cloud Storage along with your other raw images within 7 days.
Residents of Illinois (USA) are not currently eligible for TrustMark verification due to the Illinois Biometric Information Privacy Act (BIPA). We're working on a BIPA-compliant consent flow and expect to support Illinois residents in the future.
Third-party processors
To deliver TrustMark, we use:
- Stripe — Tier 2 subscription billing, refunds, and the Billing Portal that lets you manage your subscription
- Google Cloud (Vertex AI) — multimodal embedding generation for the uniqueness check
- Google Cloud (Firebase + Firestore + Cloud Storage) — authentication, database, and short-term encrypted image storage
- Google Cloud (BigQuery) — long-term storage of the face-embedding index for sybil detection and an append-only audit log
- Google Cloud (Cloud KMS) — manages the ECDSA P-256 signing key used to sign your credential
- Resend — transactional email (verification status notifications)
These providers process your data on our behalf under their respective data processing agreements. They may not use your data for any purpose other than providing services to TrustMark.
OAuth profile-link verification
When you click “Verify” on a GitHub, Reddit, or Twitch link in your profile, we redirect you to that provider so you can grant us read-only access to your username. We use the OAuth access token once — to call the provider's “me” endpoint and confirm the username matches the link you added — then we discard the token. We never store, refresh, or reuse it.
Cookies and analytics
We do not use third-party analytics, tracking pixels, or advertising cookies. The only thing we store in your browser is a session token from Firebase Authentication (so you stay logged in) and, briefly, any UTM parameters from the URL you arrived on so we can attribute your eventual signup to the right ad campaign. UTM parameters are kept in your browser's sessionStorage until you sign up, then attached to your credential record and used only for our own internal cohort analysis.
What viewers see
When someone views your public link page or queries your credential, they see only:
- That your credential is valid (or revoked)
- Your verification tier (1 or 2)
- Your handle, profile photo (if you uploaded one), profile links, and theme
- Tier 2 only: your age range and jurisdiction (country)
Viewers never receive your name, photo of your ID, exact age, address, or any other PII.
Your rights
Under GDPR, CCPA, and similar privacy laws, you have the right to:
- Access — see what data we hold about you
- Delete — remove your credential and all associated data (self-service from your account page)
- Export — receive a copy of your data
- Object — contact us to opt out of processing
Exercise these rights via the account page or by emailing privacy@trustmark.app.
Security
Your data is encrypted in transit (TLS) and at rest (Cloud KMS). Credentials are cryptographically signed using ECDSA P-256 keys managed by Google Cloud KMS. We follow industry best practices for access control and audit logging.
Changes to this policy
We'll notify you by email if we make material changes to this policy. Continued use of TrustMark after changes constitutes acceptance of the updated policy.
Contact
Privacy questions: privacy@trustmark.app
General support: support@trustmark.app