Privacy Policy

Last Updated: March 15, 2026

TrustHelm (“we,” “us,” or “our”) operates the TrustHelm platform at trusthelm.ai. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have over it.

We handle sensitive estate planning documents. We take that seriously. This policy is written in plain language because we believe you should understand exactly what happens with your data.


What information we collect

Information you provide directly

Account information. When you create an account, we collect your email address and name. If you sign up through an attorney referral link, we also record the referral connection between your account and that attorney's partner account.

Trust documents. When you upload trust agreements, amendments, wills, powers of attorney, financial statements, or other documents, we store those files in encrypted private storage. These documents may contain sensitive information including Social Security numbers, financial account details, beneficiary names, asset descriptions, and legal provisions.

Trust data you enter manually. If you add trust details, assets, duties, financial records, reminders, or other information without uploading documents, we store that information in your account.

Financial records. When you record income, expenses, distributions, or import entries from bank statements and brokerage documents, we store those financial records in your account.

TrustHelm Agent conversations. When you use the TrustHelm Agent feature, we store your conversation history (your questions and the AI responses) for up to 90 days so you can reference past conversations.

Payment information. When you subscribe to a paid TrustHelm plan, your payment is processed by Stripe. We do not store your credit card number, expiration date, or CVV on our servers. Stripe handles all payment data under its own PCI DSS-compliant security practices. We receive and store only your Stripe customer ID, subscription status, and billing history.

Communications. When you email us at support@trusthelm.ai or contact us through the site, we store that correspondence.

Information collected automatically

Usage data. We collect anonymous analytics about how you use TrustHelm, including pages visited, features used, and session duration. We use PostHog for this. This data helps us understand which features are valuable and where people get stuck.

Device and browser information. We collect your browser type, operating system, and screen size to ensure TrustHelm works correctly on your device.

IP address. We collect your IP address for security purposes, including rate limiting and fraud prevention. We use Upstash Redis for rate limiting on certain features.

Cookies. We use strictly necessary cookies for authentication and session management. We do not use advertising cookies, tracking cookies, or third-party marketing cookies. See the Cookies section below for details.

Information generated by our AI

AI-extracted data. When you upload a trust document and run an AI scan, our AI analyzes your document and extracts information including parties and roles, assets, fiduciary duties, key provisions, and trust structure. This extracted data is stored in your account. The AI also maps your extracted duties to your state's trust statutes using our 50-state compliance database.

AI financial extraction. When you import financial documents (bank statements, brokerage docs, tax forms), our AI extracts transaction data including dates, amounts, categories, and descriptions. This data is stored in your financial records.


How we use your information

We use your information for the following purposes and no others:

To provide the TrustHelm service. This includes storing your documents, running AI analysis, displaying your trust dashboard, tracking duties and reminders, maintaining financial records, and powering the TrustHelm Agent.

To process AI analysis. When you upload a document for AI scanning, we send that document to the Anthropic API for processing. Anthropic is our AI infrastructure provider. Your documents are processed and returned to us. Anthropic does not store your documents, does not use them to train AI models, and does not have ongoing access to your data. Each AI request is processed and discarded by Anthropic.

To send you transactional emails. We use Postmark to send account-related emails (password resets, magic link logins, subscription confirmations). We use Loops to send product-related behavioral emails (onboarding sequences, duty reminders, check-in notifications). You can unsubscribe from non-essential emails at any time.

To process payments. We use Stripe to handle subscription billing for paid TrustHelm plans.

To improve the product. We use anonymized, aggregated usage analytics to understand how people use TrustHelm and to prioritize improvements. We never use your trust documents, financial records, or personal data for product analytics.

To provide support. When you contact us, we use your information to respond to your questions and resolve issues.

To maintain security. We use IP addresses and access patterns to detect and prevent unauthorized access, abuse, and fraud.


How we protect your information

Encryption at rest. All data stored in our database and file storage is encrypted at rest using AES-256.

Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS 1.3.

Private storage. Uploaded documents are stored in private storage buckets that are not publicly accessible. Each file is accessible only to the authenticated user who owns it.

Row-level security. Our database enforces row-level security (RLS) on every table. This means that even at the database level, users can only access their own data. There is complete isolation between different users' accounts.

Access controls. Trust data can be shared with family members or advisors through TrustHelm's sharing feature, but only when you explicitly grant access. Shared users see only what you choose to share.

Infrastructure. TrustHelm runs on Vercel (application hosting) and Supabase (database, authentication, and file storage). Supabase is SOC 2 Type II compliant. All infrastructure is hosted in the United States.

AI processing security. Documents sent to Anthropic for AI analysis are transmitted over encrypted connections. Anthropic does not retain your documents after processing and does not use them for model training. Anthropic is a leading AI safety company with robust data handling practices.


How we share your information

We do not sell your personal information. We have never sold personal information and we will never sell personal information.

We do not share your data with advertisers. We do not display ads and we do not provide your information to advertising networks or data brokers.

We share information only in the following limited circumstances:

Service providers. We share data with the third-party services necessary to operate TrustHelm. These include:

  • Anthropic: processes documents for AI analysis (data not retained after processing)
  • Supabase: database, authentication, and file storage
  • Vercel: application hosting
  • Stripe: payment processing
  • Postmark: transactional email delivery
  • Loops: behavioral email automation
  • PostHog: anonymized usage analytics
  • Upstash: rate limiting infrastructure
  • Cloudflare: bot protection (Turnstile)

Each of these providers processes data only as necessary to provide their service to us and under their own privacy and security commitments.

Attorney partner connections. If you sign up through an attorney's referral link, your attorney partner can see limited information: your name, email, trust name, and high-level life change notifications (if you opt in to sharing these). Your attorney partner cannot see your documents, financial records, duty details, asset values, or TrustHelm Agent conversations.

Legal requirements. We may disclose information if required by law, subpoena, court order, or government request. If this happens, we will notify you unless legally prohibited from doing so.

With your consent. We may share information with your explicit consent for purposes not listed here. We will always ask first.


Data retention

Account data. We retain your account data, trust documents, financial records, and all associated data for as long as your account is active.

TrustHelm Agent conversations. Conversations are retained for 90 days, then automatically archived. Archived conversations are accessible through your conversation history. You can delete individual conversations at any time.

After account deletion. When you delete your account, we initiate a 30-day cooling-off period during which your account is deactivated but your data is preserved. This protects against accidental deletion. After 30 days, we permanently delete all your data including documents, trust records, financial entries, and AI conversations. Deletion is irreversible after this point. We retain only a minimal audit log entry recording that the deletion occurred, for compliance purposes, for up to 24 months.

Payment records. Stripe retains payment records according to its own retention policies and legal requirements.


Cookies

TrustHelm uses only strictly necessary cookies:

Authentication cookies. These maintain your login session so you do not have to sign in on every page. They expire when you log out or after your session times out.

Security cookies. Cloudflare Turnstile uses a cookie for bot protection on certain features.

We do not use analytics cookies, advertising cookies, social media cookies, or any third-party tracking cookies. PostHog analytics is configured without cookies.


Your privacy rights

Rights for all users

Regardless of where you live, you have the following rights:

Access your data. You can view all of your trust data, documents, financial records, and account information through the TrustHelm dashboard at any time.

Export your data. You can export your data in PDF and CSV formats at any time through the TrustHelm dashboard. This is available on paid plans.

Delete your data. You can delete individual records, documents, or conversations at any time. You can delete your entire account through your account settings. Account deletion triggers the 30-day cooling-off period described above.

Correct your data. You can edit and update any information in your TrustHelm account at any time through the dashboard.

Unsubscribe from emails. You can unsubscribe from non-essential emails at any time using the unsubscribe link in any email. Transactional emails (login links, security alerts) cannot be unsubscribed from while your account is active.

Additional rights for California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to know. You have the right to request the specific categories and pieces of personal information we have collected about you. You can exercise this right by emailing support@trusthelm.ai.

Right to delete. You have the right to request deletion of your personal information. We will fulfill deletion requests within 45 days. You can exercise this right through your account settings or by emailing support@trusthelm.ai.

Right to opt out of sale. We do not sell your personal information. There is nothing to opt out of.

Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

Categories of personal information we collect: Identifiers (name, email, IP address), financial information (trust asset details, financial records as entered by you), documents and records (uploaded trust documents), internet activity (usage analytics), and inferences (AI-extracted trust data).

Categories of personal information we sell: None. We do not sell personal information.

Categories of personal information we share for business purposes: We share data with our service providers as listed in the “How we share your information” section above, solely for operating the TrustHelm service.

Additional rights for European residents (GDPR)

If you are a resident of the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights:

Legal basis for processing. We process your data based on: your consent (when you create an account and upload documents), contractual necessity (to provide the TrustHelm service you signed up for), and legitimate interest (for security, fraud prevention, and service improvement).

Right to access. You can request a copy of all personal data we hold about you.

Right to rectification. You can request correction of inaccurate personal data.

Right to erasure. You can request deletion of your personal data, subject to any legal retention requirements.

Right to restrict processing. You can request that we limit how we use your data.

Right to data portability. You can request your data in a machine-readable format. Our CSV and PDF export features support this.

Right to object. You can object to our processing of your data based on legitimate interests.

Right to withdraw consent. You can withdraw your consent at any time by deleting your account.

Data transfers. TrustHelm's infrastructure is hosted in the United States. When you use TrustHelm, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses and the data processing agreements of our infrastructure providers (Supabase, Vercel) to ensure appropriate safeguards for international data transfers.

To exercise any GDPR right, email support@trusthelm.ai. We will respond within 30 days.


Children's privacy

TrustHelm is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete that information promptly.


Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a notice on the TrustHelm dashboard before the changes take effect. Your continued use of TrustHelm after changes become effective constitutes acceptance of the updated policy.


Contact us

If you have questions about this Privacy Policy or your data, contact us:

Email: support@trusthelm.ai

TrustHelm
Birmingham, AL


This privacy policy is specific to the TrustHelm platform and its data practices. It is not legal advice.