Privacy Policy
Last Updated: June 17, 2026
TrustHelm (“we,” “us,” or “our”) operates the TrustHelm platform at trusthelm.ai. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have over it.
We handle sensitive estate planning documents. We take that seriously. This policy is written in plain language because we believe you should understand exactly what happens with your data.
What information we collect
Information you provide directly
Account information. When you create an account, we collect your email address and name. If you sign up through a professional's referral link, or if a professional or firm is connected to your trust, we record the connection between your account and that professional or firm.
Trust documents. When you upload trust agreements, amendments, wills, powers of attorney, financial statements, or other documents, we store those files in encrypted private storage. These documents may contain sensitive information including Social Security numbers, financial account details, beneficiary names, asset descriptions, and legal provisions.
Trust data you enter manually. If you add trust details, assets, duties, financial records, reminders, or other information without uploading documents, we store that information in your account.
Financial records. When you record income, expenses, distributions, or import entries from bank statements and brokerage documents, we store those financial records in your account.
Connected financial account data. TrustHelm Premium lets you connect your financial accounts to help verify trust funding and keep your financial records current. This connection is provided through Plaid Inc. When you connect an account, we receive account information on a read-only basis, which may include the financial institution's name, the account name and type, account balances, and the name or names on the account. We cannot move money or initiate transactions on any connected account. Connecting an account is optional and requires your explicit consent, including acknowledgment of Plaid's End User Privacy Policy at plaid.com/legal.
TrustHelm Agent conversations. When you use the TrustHelm Agent feature, we store your conversation history (your questions and the AI responses) for up to 90 days so you can reference past conversations.
Payment information. When you subscribe to a paid TrustHelm plan, your payment is processed by Stripe. We do not store your credit card number, expiration date, or CVV on our servers. Stripe handles all payment data under their own PCI-DSS compliant security practices. We receive and store only your Stripe customer ID, subscription status, and billing history.
Communications. When you email us at support@trusthelm.ai or contact us through the site, we store that correspondence.
Information collected automatically
Usage data. We collect anonymous analytics about how you use TrustHelm, including pages visited, features used, and session duration. We use PostHog for this. This data helps us understand which features are valuable and where people get stuck.
Device and browser information. We collect your browser type, operating system, and screen size to ensure TrustHelm works correctly on your device.
IP address. We collect your IP address for security purposes, including rate limiting and fraud prevention. We use Upstash Redis for rate limiting on certain features.
Cookies. We use strictly necessary cookies for authentication and session management. We do not use advertising cookies, tracking cookies, or third-party marketing cookies. See the Cookies section below for details.
Information generated by our AI
AI-extracted data. When you upload a trust document and run an AI scan, our AI analyzes your document and extracts information including parties and roles, assets, fiduciary duties, key provisions, and trust structure. This extracted data is stored in your account. The AI also maps your extracted duties to your state's trust statutes using our compliance database covering all 50 states and the District of Columbia.
AI financial extraction. When you import financial documents (bank statements, brokerage docs, tax forms), our AI extracts transaction data including dates, amounts, categories, and descriptions. This data is stored in your financial records.
How we use your information
We use your information for the following purposes and no others:
To provide the TrustHelm service. This includes storing your documents, running AI analysis, displaying your trust dashboard, tracking duties and reminders, maintaining financial records, and powering the TrustHelm Agent.
To verify trust funding and maintain financial records. When you choose to connect a financial account, we use Plaid to securely retrieve account information on a read-only basis. We use this information to help verify whether assets are titled in your trust and to populate your financial records. You can disconnect a connected account at any time.
To process AI analysis. When you upload a document for AI scanning, we send that document to the Anthropic API for processing. Anthropic is our AI infrastructure provider. Your documents are processed and returned to us. Anthropic does not store your documents, does not use them to train AI models, and does not have ongoing access to your data. Each AI request is processed and discarded by Anthropic.
To send you transactional emails. We use Postmark to send account-related emails (password resets, email code logins, subscription confirmations). We use Loops to send product-related behavioral emails (onboarding sequences, duty reminders, check-in notifications). You can unsubscribe from non-essential emails at any time.
To process payments. We use Stripe to handle subscription billing for paid TrustHelm plans.
To improve the product. We use anonymized, aggregated usage analytics to understand how people use TrustHelm and to prioritize improvements. We never use your trust documents, financial records, or personal data for product analytics.
To provide support. When you contact us, we use your information to respond to your questions and resolve issues.
To maintain security. We use IP addresses and access patterns to detect and prevent unauthorized access, abuse, and fraud.
How we protect your information
Encryption at rest. All data stored in our database and file storage is encrypted using AES-256 encryption at rest.
Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS 1.3.
Private storage. Uploaded documents are stored in private storage buckets that are not publicly accessible. Each file is accessible only to the authenticated user who owns it.
Row-level security. Our database enforces row-level security (RLS) on every table. This means that even at the database level, users can only access their own data. There is complete isolation between different users' accounts.
Access controls. Trust data can be shared with family members or advisors through TrustHelm's sharing feature, but only when you explicitly grant access. Shared users see only what you choose to share.
Infrastructure. TrustHelm runs on Vercel (application hosting) and Supabase (database, authentication, and file storage). Supabase is SOC 2 Type II compliant. All infrastructure is hosted in the United States.
AI processing security. Documents sent to Anthropic for AI analysis are transmitted over encrypted connections. Anthropic does not retain your documents after processing and does not use them for model training. Anthropic is a leading AI safety company with robust data handling practices.
Connected-account security. When you connect a financial account, the access credentials for that connection are stored encrypted using Supabase Vault and are never written to our application logs. Connections are read-only, and TrustHelm cannot move money or initiate transactions.
How we share your information
We do not sell your personal information. We have never sold personal information and we will never sell personal information.
We do not share your data with advertisers. We do not display ads and we do not provide your information to advertising networks or data brokers.
We share information only in the following limited circumstances:
Service providers. We share data with the third-party services necessary to operate TrustHelm. These include:
- Anthropic: processes documents for AI analysis (data not retained after processing)
- Supabase: database, authentication, and file storage
- Vercel: application hosting
- Stripe: payment processing
- Postmark: transactional email delivery
- Loops: behavioral email automation
- PostHog: anonymized usage analytics
- Upstash: rate limiting infrastructure
- Cloudflare: bot protection (Turnstile)
- Plaid: secure, read-only connection to your financial institutions for account verification and financial data (subject to Plaid's End User Privacy Policy at plaid.com/legal)
- Sentry: error monitoring and diagnostics
Each of these providers processes data only as necessary to provide their service to us and under their own privacy and security commitments.
People and professionals you give access to. You control who has access to each of your trusts and what they can see. When you invite someone, you choose their access level.
Co-trustees, successor trustees, and others you grant edit or view access can see the trust's contents according to that access level, which can include documents, assets, financial information, and duties.
Professionals you connect to a trust (such as an attorney, CPA, financial advisor, or insurance agent) have view (read-only) access by default, which lets them see documents, assets, financial information, and duties, but not change them. An admin can grant a professional edit access at the time of invitation or later. You can broaden, narrow, or revoke a professional's access at any time.
Beneficiaries you invite receive a restricted view by default. They can see who is involved and that the trust is being actively managed, but not financial values, documents, or the AI agent, unless you choose to share more.
You can change or revoke any person's access at any time from your sharing settings. If you signed up through a professional's referral link, a connection between your account and that professional or their firm is recorded, and the access rules above apply.
Legal requirements. We may disclose information if required by law, subpoena, court order, or government request. If this happens, we will notify you unless legally prohibited from doing so.
With your consent. We may share information with your explicit consent for purposes not listed here. We will always ask first.
Data retention
Account data. We retain your account data, trust documents, financial records, and all associated data for as long as your account is active.
Connected financial accounts. While an account is connected, we retain the information retrieved from it to provide the service. When you disconnect an account, or when you delete your account, we remove the connection from Plaid and delete the stored access credentials and the associated connection data.
TrustHelm Agent conversations. Conversations are retained for 90 days, then automatically archived. Archived conversations are accessible through your conversation history. You can delete individual conversations at any time.
After account deletion. When you delete your account, we initiate a 30-day cooling-off period during which your account is deactivated but your data is preserved. This protects against accidental deletion. After 30 days, we permanently delete all your data including documents, trust records, financial entries, and AI conversations. Deletion is irreversible after this point. We retain only a minimal audit log entry recording that the deletion occurred, for compliance purposes, for up to 24 months.
Payment records. Stripe retains payment records according to their own retention policies and legal requirements.
Cookies
TrustHelm uses only strictly necessary cookies:
Authentication cookies. These maintain your login session so you do not have to sign in on every page. They expire when you log out or after your session times out.
Security cookies. Cloudflare Turnstile uses a cookie for bot protection on certain features.
We do not use analytics cookies, advertising cookies, social media cookies, or any third-party tracking cookies. PostHog analytics is configured without cookies.
Your privacy rights
Rights for all users
Regardless of where you live, you have the following rights:
Access your data. You can view all of your trust data, documents, financial records, and account information through the TrustHelm dashboard at any time.
Export your data. You can export your data in PDF and CSV formats at any time through the TrustHelm dashboard. This is available on paid plans.
Delete your data. You can delete individual records, documents, or conversations at any time. You can delete your entire account through your account settings. Account deletion triggers the 30-day cooling-off period described above.
Correct your data. You can edit and update any information in your TrustHelm account at any time through the dashboard.
Unsubscribe from emails. You can unsubscribe from non-essential emails at any time using the unsubscribe link in any email. Transactional emails (login links, security alerts) cannot be unsubscribed from while your account is active.
Additional rights for California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
Right to know. You have the right to request the specific categories and pieces of personal information we have collected about you. You can exercise this right by emailing support@trusthelm.ai.
Right to delete. You have the right to request deletion of your personal information. We will fulfill deletion requests within 45 days. You can exercise this right through your account settings or by emailing support@trusthelm.ai.
Right to opt out of sale. We do not sell your personal information. There is nothing to opt out of.
Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.
Categories of personal information we collect: Identifiers (name, email, IP address), financial information (trust asset details, financial records you enter, and account information retrieved from financial accounts you choose to connect), documents and records (uploaded trust documents), internet activity (usage analytics), and inferences (AI-extracted trust data).
Categories of personal information we sell: None. We do not sell personal information.
Categories of personal information we share for business purposes: We share data with our service providers as listed in the “How we share your information” section above, solely for operating the TrustHelm service.
Additional rights for European residents (GDPR)
If you are a resident of the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights:
Legal basis for processing. We process your data based on: your consent (when you create an account and upload documents), contractual necessity (to provide the TrustHelm service you signed up for), and legitimate interest (for security, fraud prevention, and service improvement).
Right to access. You can request a copy of all personal data we hold about you.
Right to rectification. You can request correction of inaccurate personal data.
Right to erasure. You can request deletion of your personal data, subject to any legal retention requirements.
Right to restrict processing. You can request that we limit how we use your data.
Right to data portability. You can request your data in a machine-readable format. Our CSV and PDF export features support this.
Right to object. You can object to our processing of your data based on legitimate interests.
Right to withdraw consent. You can withdraw your consent at any time by deleting your account.
Data transfers. TrustHelm's infrastructure is hosted in the United States. By using TrustHelm, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses and the data processing agreements of our infrastructure and service providers, including Supabase, Vercel, Anthropic, Stripe, and Plaid, to ensure appropriate safeguards for international data transfers.
To exercise any GDPR right, email support@trusthelm.ai. We will respond within 30 days.
Children's privacy
TrustHelm is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete that information promptly.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a notice on the TrustHelm dashboard before the changes take effect. Your continued use of TrustHelm after changes become effective constitutes acceptance of the updated policy.
Contact us
If you have questions about this Privacy Policy or your data, contact us:
Email: support@trusthelm.ai
TrustHelm
Birmingham, AL
This privacy policy is specific to the TrustHelm platform and its data practices. It is not legal advice.