Legal

Privacy Policy

Last updated: 3 June 2026

TrustRoute (“we”, “us”) operates the TrustRoute mobile application, Business Suite (API, dashboard, scan tools), and related services. This policy explains what we collect, why, and your choices.

1. Principles

• Separation: Public identity is your @handle; phone numbers are used for verification and private infrastructure, not broadcast to other users.
• Minimization: We collect data needed for trust, safety, and delivery — not for unrelated advertising profiles.
• Consent for business messaging: Businesses may message you only after QR-based subscription and your explicit approval.

2. Information we collect

Account & identity: Phone number (verified via OTP), @handle, display name, optional avatar, verification artifacts (device integrity signals, liveness session metadata, government ID verification status where enabled).

Trust & safety: Trust score and tier, connection modes (unknown/temporary/trusted/blocked), call and message attempt metadata, report/block events, ML feature aggregates (behavioral signals, not raw message content for model training unless stated in-product).

Communications: Message content and media you send (stored to deliver services; voice calls use WebRTC with encryption in transit; call quality metrics you submit).

Contacts: Contact hashes or tokens for discovery — we do not upload full address books in plaintext where hashed discovery is implemented.

Business subscribers: If you approve a business, we store subscription status, channel memberships, and delivery state.

Device: FCM push tokens, app version, OS, IP address at API access (security and rate limiting).

Business customers: Company name, GSTIN/CIN where provided, contact email, API key hash (never stored in plaintext after issuance), channel and message operational data.

3. How we use information

• Provide calling, messaging, status, and company updates
• Enforce permission tiers, rate limits, and anti-abuse ML
• Verify businesses and deliver opted-in business messages
• Improve reliability, debug incidents, and comply with law

4. Sharing

We do not sell personal data. We share with:

• Service providers: hosting, SMS/OTP (e.g. MSG91), push (FCM), object storage (e.g. S3), analytics strictly for operations
• Other users: @handle, display name, trust tier signals, and content you send to them
• Businesses you approved: subscription and delivery metadata necessary to message you
• Legal: when required by valid law or to protect safety

5. Retention

We retain account data while your account is active. Status media may expire per product rules (e.g. 24 hours). Logs and security records retained for limited periods. You may request deletion subject to legal holds and fraud prevention.

6. Security

API keys stored hashed; TLS in transit; role-separated admin tools; rate limiting. No system is perfect — report issues to security@trustroute.app.

7. Your rights

Depending on jurisdiction you may access, correct, delete, or export data, and withdraw business subscriptions in-app. Contact hello@trustroute.app.

8. Children

TrustRoute is not directed at children under 13 (or higher local age). We do not knowingly collect their data.

9. International transfers

Data may be processed in India and where our cloud providers operate, with appropriate safeguards.

10. Changes

We will post material changes here and update the date above.

11. Contact

hello@trustroute.app · See also Terms of Service.