DeliverTrust
$50/mo
← Back to home

Privacy Policy

Last updated: 2026-06-09

This Privacy Policy describes how Security Minded Solutions, LLC (DBA SecurityMinded) collects, uses, stores, and shares personal information in connection with DeliverTrust (the “Service”). It covers four kinds of people: visitors to the marketing site at www.delivertrust.io, people who join our early-access waitlist, tenant administrators who sign in to the admin app at app.delivertrust.io, and visitors to a customer’s public Trust Page.

1. Information we collect

From marketing-site visitors:

  • Standard server logs (IP, user agent, requested URL) retained for 30 days for security and abuse detection.
  • If you accept analytics cookies via the consent banner, we set Google Analytics 4 cookies (_ga, _ga_*) to understand how visitors use the site. We do not set these cookies until you have explicitly accepted. See § 5 below.

From waitlist signups:

  • The email address you enter on the “Join the waitlist” form. We store this with the timestamp of your signup and a source tag (e.g. delivertrust) in a Firestore database we operate on Google Cloud.
  • The waitlist endpoint receives standard request metadata (IP, user agent) which is written to our server logs (30-day retention, § 6) but is not stored alongside the email in the waitlist record itself.
  • That’s it. We do not require your name, your company, or your role to join the waitlist.

From the contact form (when live):

  • Whatever you enter in the contact form: typically your name, work email, an optional company name, and the message you write. Stored alongside a timestamp and the standard request metadata above.
  • Until the in-product contact form ships, the “Contact” link in the footer is a standard mailto: link that opens your email client. When you email us that way we receive whatever your message contains (from-address, subject, body, any attachments) in our support inbox at support@delivertrust.io, hosted on Google Workspace.

From tenant administrators (post-launch):

  • Account profile: name, work email, company, role.
  • Billing details processed by our payment processor (Stripe). We do not store credit-card numbers ourselves.
  • Authentication telemetry: sign-in timestamps, IP, device fingerprint (last 90 days only).
  • Anything you publish through the admin app (Overview, Controls, Subprocessors, Documents, branding, workflow copy). This is your content; see the Terms of Service for the responsibility model.

From visitors to a Customer’s Trust Page (post-launch):

  • If they submit the access-request form: full name, work email, company, and their stated relationship (customer / prospect / partner).
  • If they accept the NDA: the email address they verified, a hash of the NDA text they were shown, and a timestamp. The visitor session cookie is stored as a hash so the raw token never lands in our database.
  • If they download a gated document: the document id, the visitor session email, and the timestamp. This is used for audit on behalf of the Customer.

When a visitor submits the access-request form, a notice at the point of collection links these Terms of Service and this Privacy Policy and identifies the Customer (the vendor whose Trust Page it is) as the organization handling the request. SecurityMinded processes that visitor information as a data processor on behalf of the Customer, who is the data controller. Our legal bases for the processing are the performance of the Customer’s document-sharing request the visitor initiated and the legitimate interest of the visitor, the Customer, and SecurityMinded in vetting and fulfilling access requests and maintaining an audit trail. Where consent is the applicable basis, submitting the form constitutes that consent. Visitor data-rights requests are directed to the Customer - see § 7.

2. How we use this information

  • Waitlist: email you when DeliverTrust is ready for new customers, and (occasionally) ask follow-up questions about what you’re hoping for. We don’t use waitlist emails for any other product or for paid marketing.
  • Provide the Service: authenticate sign-ins, render Trust Pages, gate documents, fan out notifications you’ve configured.
  • Audit + abuse detection: detect unusual access patterns, investigate incidents.
  • Billing: charge subscription fees through our payment processor.
  • Customer support: respond to your tickets, communicate operational changes.
  • Product improvement: aggregate, de-identified analytics about feature usage. We do not sell personal information.

3. How we share information

We share personal information only with the third-party processors required to operate the Service:

  • Google Cloud Platform - hosting (Cloud Run, Firestore, GCS, Pub/Sub, KMS, Cloud CDN).
  • Google Identity Platform - admin sign-in.
  • SendGrid (Twilio) - transactional email delivery (magic-link verification, admin notifications you configure, and the launch-day waitlist email).
  • Stripe - payment processing (for paid plans).
  • Slack - internal team notification when someone joins the waitlist (just the email + timestamp).
  • Google Analytics 4 - usage analytics (see § 5.1), only after you accept the cookie consent banner.
  • Google Workspace - inbound email at support@delivertrust.io; outbound replies go via SendGrid.

Notification actions you configure in the workflow editor (Slack incoming webhook, generic JSON webhook) send visitor data to systems youoperate or you’ve authorized. SecurityMinded does not control or audit those downstream receivers.

We may disclose personal information in response to a lawful court order or subpoena. Where legally permissible we will notify the affected Customer first.

4. Encryption + storage

All Customer tenant data (uploaded documents and metadata) is encrypted at rest under a per-tenant Cloud KMS key under SecurityMinded’s control, with 90-day automatic key rotation. On tenant deletion the key is disabled and scheduled for destruction within 30 days, after which the encrypted data is cryptographically irrecoverable. Data in transit is TLS 1.2+ end-to-end.

Waitlist email addresses live in a separate Firestore database from any Customer tenant data and are encrypted at rest with Google-managed keys.

5. Cookies

We use the following cookies across the DeliverTrust surfaces:

  • delivertrust_cookie_consent (strictly necessary): stores your cookie-consent preference. Scoped to .delivertrust.io so your decision is shared across all our subdomains (www, app, dev) and you only need to consent once.
  • __Host-dt_session (strictly necessary): admin session cookie. HttpOnly, Secure, SameSite=Lax, host-only to app.delivertrust.io, 7-day TTL, cleared on sign-out.
  • __Host-trust_session (strictly necessary): visitor session set by the public Trust Page NDA accept flow. HttpOnly, Secure, SameSite=Lax, host-only to the tenant’s public host, 30-day fixed lifetime so visitors don’t re-request access for every download. Functional only; not used for tracking.
  • OAuth state cookies (strictly necessary): transient cookies used during the login process to prevent cross-site request forgery. Automatically deleted after login completes.
  • _ga, _ga_* (performance, opt-in): Google Analytics 4 cookies used to help us understand how visitors use our website and application. These are only set after you provide explicit consent via the cookie consent banner.

If you do not want cookies used, you can typically remove or reject cookies via your browser settings. Many browsers are set to accept cookies until you change your settings. For more information, visit www.allaboutcookies.org.

We also store small amounts of data in your browser’s localStorage (not cookies) to remember your last-accessed tenant and per-user UI preferences. localStorage is scoped to a single host and is never used for cross-site tracking.

5.1 Analytics cookies (Google Analytics)

We use Google Analytics 4 (GA4) to help us understand how visitors interact with our website and admin application. Analytics cookies are only set after you provide explicit consent. You will be presented with a cookie consent banner the first time you visit any DeliverTrust surface, giving you the choice to accept or decline analytics tracking.

We use Google’s Consent Mode v2 (advanced). Before you decide, the GA4 tag loads with all consent signals set to denied, which means no cookies are written and no personal identifiers are sent. Google still receives a small number of cookieless pings (page views without any identifier) so it can produce aggregate, anonymous traffic estimates and model conversions. If you decline, we stay in this state permanently. If you accept, we flip the analytics signal to granted and the cookies described above are set on your next page view.

If you consent to analytics cookies, Google Analytics collects:

  • Pages you visit and time spent on each page
  • How you arrived at our site (referral source)
  • Your approximate geographic location (country / city level)
  • Device and browser information
  • Anonymized interaction data (IPs are masked before storage via GA4’s built-in IP anonymization)

We use cross-domain tracking to understand user journeys across www.delivertrust.io, app.delivertrust.io, and dev.delivertrust.io. This helps us improve the experience across the marketing site, admin app, and dev twin.

Managing your consent:

  • You can change your cookie preferences at any time in the DeliverTrust admin app under Settings → General → Cookie Preferences.
  • If you decline cookies or later revoke consent, we will delete any analytics cookies that were previously set.
  • Your consent choice is stored in a cookie shared across all delivertrust.io subdomains and is remembered on future visits.

We record your consent decision (accept or decline) along with a timestamp for compliance purposes. This consent log may include your anonymized IP address and browser user-agent string, and is retained per the “Server logs” line in § 6.

For more information about how Google processes data, see Google’s Privacy Policy and Google Analytics Data Practices.

6. Data retention

  • Waitlist email addresses: retained until launch or until you ask to be removed, whichever comes first. After launch we delete the waitlist record once you create an account (or after 12 months if you don’t).
  • Tenant content (documents, controls, subprocessors, overview, workflow): retained as long as your account exists. Permanently removed within 30 days of tenant deletion (see Terms of Service § 10).
  • Access-request records and NDA acceptances: retained as long as your account exists so you have audit history. Removed with the rest of the tenant on deletion.
  • Server logs: 30 days.
  • Billing records: retained as required by tax and accounting law (typically 7 years), even after tenant deletion.

7. Your rights

Depending on where you live, you may have the right to:

  • Request a copy of the personal information we hold about you.
  • Request correction or deletion of your personal information.
  • Object to or restrict certain processing.
  • Withdraw consent for processing where consent was the legal basis.

To exercise any of these rights, email privacy@delivertrust.io and we will respond within 30 days. To remove yourself from the waitlist, the same email address works - just say “please remove me from the waitlist.”

Once the product is live, tenant administrators will be able to directly delete most of their data through Settings → General → Danger Zone in the admin app.

Visitor requests to a Customer’s Trust Page should generally be directed to that Customer (the data controller). SecurityMinded acts as a data processor for visitor data on the Customer’s behalf.

8. International transfers

DeliverTrust is operated from the United States. If you access the Service from outside the United States, you understand that your data is transferred to and stored in the United States. Where required, we rely on Standard Contractual Clauses or other lawful mechanisms.

9. Children

The Service is not directed at children under 16, and we do not knowingly collect personal information from them.

10. Changes to this Policy

We may update this Policy. Material changes will be notified by email to the account contact (or, pre-launch, to your waitlist email) at least 30 days before they take effect. The latest version is always available at /legal/privacy.

11. Contact

Privacy questions and data-rights requests: privacy@delivertrust.io. Security incidents: security@delivertrust.io. General support: support@delivertrust.io.