Privacy Policy

Last updated: March 22, 2026

1. Overview

TrialShield ("we", "us", "our") is committed to protecting the privacy of our customers and the end-users whose data is processed through our API. This Privacy Policy explains what data we collect, how we use it, and your rights.

2. Data We Collect

2.1 Customer Account Data

When you create an account, we collect your email address and password (hashed). This data is stored in our authentication provider (Supabase) and is used solely for account access.

2.2 API Evaluation Data

When you send requests to the TrialShield API, we process the following data about your end-users:

Email addresses — hashed (SHA-256) before storage; used for disposable email detection, breach checks, and duplicate detection
IP addresses — hashed before storage; used for VPN/proxy/TOR detection, geolocation, and abuse reputation checks
Phone numbers — hashed before storage; used for VOIP detection and carrier lookup
Device fingerprints — hashed before storage; used for device uniqueness and headless browser detection
Behavioral data — signup velocity, session patterns; used for bot detection

2.3 Payment Card Data (via Stripe Integration)

If you enable the Stripe integration, TrialShield receives webhook events from Stripe containing card metadata. We store:

Card fingerprint (Stripe's unique identifier) — hashed
BIN (first 6 digits) — hashed
Last 4 digits, card brand, funding type, issuing country
CVC/AVS verification results
Stripe Radar risk level

We never store full card numbers, CVCs, or expiration dates. All card fingerprints are hashed before storage.

3. How We Use Data

All data processed through the API is used exclusively for:

Calculating risk scores and generating fraud signals
Detecting duplicate accounts and coordinated abuse
Building identity graphs for abuse network identification
Providing analytics and reporting in your dashboard

We do not sell, share, or transfer end-user data to any third parties. Data is only used within the context of your TrialShield account.

4. Data Minimization and Hashing

TrialShield follows a strict data minimization policy. All personally identifiable information (PII) — including email addresses, IP addresses, phone numbers, device fingerprints, and card data — is hashed using SHA-256 before being stored in our database. We do not store raw PII. This means that even in the event of a data breach, the stored data cannot be used to identify individuals.

5. GDPR Compliance

TrialShield is designed to be fully compliant with the General Data Protection Regulation (GDPR). We act as a Data Processor on behalf of our customers (the Data Controllers).

5.1 Right to Erasure (Right to be Forgotten)

We provide a dedicated DELETE endpoint for GDPR-compliant user data deletion. Customers can programmatically delete all data associated with a specific end-user from our database by calling:

DELETE /api/v1/users/{userId}
Header: X-API-Key: your_api_key

This endpoint permanently removes all risk events, identity anchors, payment fingerprints, device data, and any other records associated with the specified user. The deletion is irreversible and takes effect immediately.

5.2 Right to Access

End-users can request access to the data TrialShield holds about them through their service provider (our customer). Customers can retrieve user data via the API and provide it to the requesting individual.

5.3 Data Portability

Customers can export their data at any time through the TrialShield API. All data is available in standard JSON format.

5.4 Legal Basis for Processing

TrialShield processes data under the "legitimate interest" legal basis (Article 6(1)(f) GDPR) — specifically, the legitimate interest of preventing fraud and abuse. Our customers are responsible for ensuring they have the appropriate legal basis to share end-user data with TrialShield.

6. CCPA Compliance

For California residents: TrialShield does not sell personal information. We process data solely for the purpose of fraud detection on behalf of our customers. California residents may exercise their rights under the CCPA by contacting us or their service provider.

7. Data Retention

Risk evaluation data is retained for 90 days by default, after which it is automatically purged. Customers can request immediate deletion at any time using the DELETE endpoint described above. Account data is retained for the duration of the account and deleted within 30 days of account closure.

8. Data Security

We implement the following security measures:

All data in transit is encrypted via TLS 1.3
All PII is hashed (SHA-256) before storage
API keys are hashed and never stored in plaintext
Database access is restricted to service-level credentials
Rate limiting and abuse detection on all endpoints
Audit logging for all data access operations

9. Third-Party Services

TrialShield uses the following third-party services:

Supabase — database and authentication
Vercel — hosting and deployment
Creem — payment processing for subscriptions

We do not share end-user evaluation data with any of these providers. They only process customer account and billing data as needed for their services.

10. Cookies

TrialShield uses only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions, data deletion requests, or to exercise your rights, contact us at tomas@trialshield.dev.