Datenschutzerklärung (Privacy Policy)
Last updated: 12/12/2025
1. Responsible Party (Verantwortlicher)
TrustPath UG (haftungsbeschränkt)
Stresemannstraße 123, 10963 Berlin c/o WeWork
Email: contact@trustpath.io
Represented by: Engin Yöyen
2. General Information on Data Processing
2.1 Scope of Personal Data Processing
We process personal data of our users only to the extent necessary to provide a functional website and our services. The processing of personal data occurs only with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal regulations.
2.2 Legal Basis for Processing Personal Data
Insofar as we obtain consent from the data subject for processing personal data, Art. 6(1)(a) EU General Data Protection Regulation (GDPR) serves as the legal basis.
For processing personal data necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for pre-contractual measures.
Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.
In cases where vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.
If processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) GDPR serves as the legal basis for processing.
2.3 Data Deletion and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also occur if provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
3. Data We Collect
3.1 User Authentication Data
When you create an account and log in to access our API service, we collect and process the following personal data:
- Email address (for account creation and login)
- Authentication credentials (managed by our third-party authentication provider)
- Login timestamps and session data
- API access tokens linked to your account
This data is necessary to provide you with access to our service and is processed under Art. 6(1)(b) GDPR (contract performance).
3.2 Usage Statistics
We collect usage statistics associated with your account to monitor service usage and prevent abuse. This includes:
- API usage metrics (number of requests, response times) per account
- Service performance data
- API request patterns and quotas
This data is necessary for billing, service provisioning, and abuse prevention under Art. 6(1)(b) and (f) GDPR.
3.3 Technical Data (Server Logs)
When you visit our website, our hosting provider automatically collects and stores information in server log files, which your browser automatically transmits to us. This includes:
- IP address (anonymized after 7 days)
- Browser type and version
- Operating system used
- Referrer URL
- Date and time of access
- HTTP status code
This data is not combined with other data sources. The legal basis for this temporary storage is Art. 6(1)(f) GDPR, based on our legitimate interest in ensuring system security and detecting abuse.
4. Third-Party Service Providers
We use the following third-party service providers to operate our service. These processors may have access to technical data as described below:
4.1 Authentication - Kinde
| Service Provider | Kinde Australia Pty Ltd |
| Address | Level 1, 349 Collins Street, Melbourne VIC 3000, Australia |
| Purpose | User authentication, identity management, secure login and session management |
| Data Processed | Email address, encrypted passwords, login timestamps, session tokens, IP addresses (for security), authentication metadata, user profile information (if provided) |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance - necessary to provide account access) |
| Data Location | EU region (Frankfurt, Germany) - data stored in EU data centers with GDPR compliance |
| Retention Period | Active accounts: Duration of account existence Deleted accounts: 30 days retention then permanently deleted Login logs: 90 days |
| Privacy Policy | https://kinde.com/privacy |
| Security Standards | SOC 2 Type II certified, GDPR compliant, ISO 27001 certified |
4.2 Payment Processing - Paddle
| Service Provider | Paddle.com Market Limited |
| Address | Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland |
| Purpose | Payment processing, subscription management, invoicing, VAT/tax handling |
| Data Processed | Payment information (credit card details, billing address), transaction data, invoice information. Paddle acts as Merchant of Record and processes all payment-related personal data directly. |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligation for invoicing and tax) |
| Data Location | EU (Ireland), with potential data transfers to USA under EU-US Data Privacy Framework |
| Retention Period | Transaction records retained for legal and tax compliance (typically 10 years under German tax law) |
| Privacy Policy | https://www.paddle.com/legal/privacy |
| DPA (Data Processing Agreement) | https://www.paddle.com/legal/gdpr |
Important: Paddle acts as the Merchant of Record for all transactions. This means Paddle directly collects and processes all payment and customer information. We (TrustPath UG) receive only API usage tokens and transaction notifications necessary to provision service access. We do not receive or store your payment details or personal billing information.
4.3 CDN & Security - Cloudflare
| Service Provider | Cloudflare, Inc. |
| Address | 101 Townsend Street, San Francisco, CA 94107, USA |
| Purpose | Content Delivery Network (CDN), DDoS protection, web application firewall, SSL/TLS encryption, performance optimization |
| Data Processed | IP addresses, HTTP headers, browser information, requested URLs, cookies, connection metadata, security threat data (for DDoS and attack mitigation) |
| Legal Basis | Art. 6(1)(f) GDPR (legitimate interest in website security, performance, and protection against cyber attacks) |
| Data Location | Global network with EU data centers; data transfers to USA under EU-US Data Privacy Framework |
| Retention Period | HTTP request logs: Maximum 30 days Security logs: Up to 30 days Analytics data: Varies by plan (aggregated data) |
| Privacy Policy | https://www.cloudflare.com/privacypolicy/ |
| DPA (Data Processing Agreement) | https://www.cloudflare.com/cloudflare-customer-dpa/ |
| Certifications | ISO 27001, ISO 27018, SOC 2 Type II, PCI DSS, GDPR compliant, EU-US Data Privacy Framework |
4.4 Cloud Infrastructure - Google Cloud Platform (GCP)
| Service Provider | Google Cloud EMEA Limited |
| Address | Gordon House, Barrow Street, Dublin 4, Ireland |
| Purpose | Hosting and operation of our email verification API service, compute infrastructure, data storage |
| Data Processed | Anonymous API usage statistics, server logs (IP addresses anonymized after 7 days), email verification requests (processed in memory, not permanently stored), technical performance metrics |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest in reliable service operation) |
| Data Location | EU region (europe-west3 - Frankfurt, Germany) |
| Retention Period | Server logs: 7 days (then anonymized) Usage statistics: Indefinitely (anonymized) Email verification requests: Not stored (processed in memory only) |
| Privacy Policy | https://cloud.google.com/privacy |
| DPA (Data Processing Agreement) | https://cloud.google.com/terms/data-processing-addendum |
| Certifications | ISO 27001, ISO 27017, ISO 27018, SOC 2/3, GDPR compliant |
5. Cookies and Tracking
We use cookies to provide essential website functionality and, with your consent, to improve your experience. Cookies are small text files stored on your device that help us remember your preferences and understand how you use our website.
We use the following types of cookies:
- Necessary cookies: Essential for website functionality, including authentication and session management (cannot be disabled)
- Analytics cookies: Optional cookies that help us understand how visitors use our website (requires your consent)
5.1 Google Tag Manager & Analytics (Optional)
We use Google Tag Manager (GTM) with consent mode to manage analytics tracking in a privacy-friendly manner. By default, all analytics and advertising tracking is disabled until you provide explicit consent.
When you accept analytics cookies through our cookie banner, we may use Google Analytics to:
- Understand how visitors use our website
- Measure website performance and user engagement
- Improve our services based on aggregate data
Data collected (only with your consent): Page views, session duration, referral sources, browser information, device type, and anonymized user behavior. IP addresses are anonymized.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy Policy: https://policies.google.com/privacy
Opt-out: You can withdraw consent at any time using the cookie icon in the bottom-left corner
5.2 Managing Your Preferences
You can manage your cookie preferences at any time using the cookie banner or by clicking the cookie icon in the bottom-left corner of any page. For detailed information about our use of cookies, please see our Cookie Policy.
Legal basis: Necessary cookies are processed under Art. 6(1)(b) and (f) GDPR. Analytics and other optional cookies are processed under Art. 6(1)(a) GDPR (consent) in compliance with the TTDSG (German Telecommunications-Telemedia Data Protection Act). We implement Google Consent Mode v2 to ensure compliance with GDPR requirements.
6. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
6.1 Right to Confirmation and Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed. If this is the case, you have the right to access this personal data and receive information about the purposes of processing, categories of data, recipients, and storage periods.
6.2 Right to Rectification (Art. 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.
6.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
You have the right to obtain the erasure of personal data concerning you without undue delay, provided that one of the legal grounds applies (e.g., data no longer necessary, consent withdrawn, objection to processing).
6.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain restriction of processing under certain conditions (e.g., accuracy of data is contested, processing is unlawful but you oppose erasure).
6.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
6.6 Right to Object (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, to processing of personal data based on Art. 6(1)(e) or (f) GDPR. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
6.7 Right to Withdraw Consent (Art. 7(3) GDPR)
If processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
6.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
Competent supervisory authority for Germany:
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de
7. Exercising Your Rights
To exercise any of your rights under the GDPR, please contact us at:
Email: contact@trustpath.io
Subject line: "GDPR Data Request - Email Verifier"
We will respond to your request within one month of receipt. In complex cases, this period may be extended by two additional months, about which we will inform you.
Please note: The personal data we store about you includes your email address (for authentication), login history, and API usage statistics linked to your account. You can request access to, correction of, or deletion of this data at any time. Account deletion will result in permanent removal of your data within 30 days.
8. Data Security
We use appropriate technical and organizational security measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our security measures include:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for stored data
- Regular security updates and patches
- Access controls and authentication
- Regular security audits
- Data hosted in EU regions (GCP Frankfurt)
9. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in our data processing practices or legal requirements. The current version is always available at this URL. We recommend checking this page periodically for any changes. Significant changes will be prominently announced on our website.
10. Contact Information
For questions regarding data protection, please contact:
TrustPath UG (haftungsbeschränkt)
Stresemannstraße 123
10963 Berlin c/o WeWork
Germany
Email: contact@trustpath.io