Overview
TrialShield ("we", "us", "our") is committed to protecting the privacy of our customers and the end-users whose data is processed through our API. This Privacy Policy explains what data we collect, how we use it, and your rights.
Data we collect
Customer account data
When you create an account, we collect your email address and password (hashed). This data is stored in our authentication provider (Supabase) and is used solely for account access.
API evaluation data
When you send requests to the TrialShield API, we process the following data about your end-users:
- Email addresses — hashed (SHA-256) before storage; used for disposable email detection, breach checks, and duplicate detection
- IP addresses — hashed before storage; used for VPN/proxy/Tor detection, geolocation, and abuse reputation checks
- Phone numbers — hashed before storage; used for VoIP detection and carrier lookup
- Device fingerprints — hashed before storage; used for device uniqueness and headless browser detection
- Behavioral data — signup velocity, session patterns; used for bot detection
Payment card data (via Stripe integration)
If you enable the Stripe integration, TrialShield receives webhook events from Stripe containing card metadata. We store card fingerprints, BINs (hashed), last 4 digits, brand, funding type, country, AVS results, and Stripe Radar level. We never store full card numbers, CVCs, or expiration dates.
KYC data (when used)
If a customer enables KYC verification, we temporarily store the document image and selfie that the end-user submits. Cryptographic hashes are kept for cross-tenant reuse detection. Raw images are automatically purged after 30 days.
How we use data
All data processed through the API is used exclusively for:
- Calculating risk scores and generating fraud signals
- Detecting duplicate accounts and coordinated abuse
- Building identity graphs for abuse network identification
- Providing analytics and reporting in your dashboard
We do not sell, share, or transfer end-user data to any third parties. Data is only used within the context of your TrialShield account.
Data minimization and hashing
TrialShield follows a strict data minimization policy. All personally identifiable information (PII) — including email addresses, IP addresses, phone numbers, device fingerprints, and card data — is hashed using SHA-256 before being stored in our database. We do not store raw PII.
GDPR compliance
TrialShield is designed to be fully compliant with the General Data Protection Regulation (GDPR). We act as a Data Processor on behalf of our customers (the Data Controllers).
We provide a dedicated DELETE endpoint for GDPR-compliant user data deletion. Customers can programmatically delete all data associated with a specific end-user from our database.
Header: X-API-Key: your_api_key
Right to access
End-users can request access to the data TrialShield holds about them through their service provider (our customer). Customers can retrieve user data via the API and provide it to the requesting individual.
Data portability
Customers can export their data at any time through the TrialShield API. All data is available in standard JSON format.
Legal basis for processing
TrialShield processes data under the "legitimate interest" legal basis (Article 6(1)(f) GDPR) — specifically, the legitimate interest of preventing fraud and abuse.
CCPA compliance
For California residents: TrialShield does not sell personal information. We process data solely for the purpose of fraud detection on behalf of our customers. California residents may exercise their rights under the CCPA by contacting us or their service provider.
Data retention
Risk evaluation data is retained for 90 days by default, after which it is automatically purged. KYC raw images are purged after 30 days; cryptographic hashes are kept indefinitely for cross-tenant reuse detection. Customers can request immediate deletion at any time using the DELETE endpoint. Account data is retained for the duration of the account and deleted within 30 days of account closure.
Data security
We implement the following security measures:
- All data in transit is encrypted via TLS 1.3
- All PII is hashed (SHA-256) before storage
- API keys are hashed and never stored in plaintext
- Database access is restricted to service-level credentials
- Rate limiting and abuse detection on all endpoints
- Audit logging for all data access operations
Third-party services
TrialShield uses the following third-party services:
- Supabase — database and authentication
- Vercel — hosting and deployment
- Creem — payment processing for subscriptions
- Resend — transactional email delivery
We do not share end-user evaluation data with any of these providers. They only process customer account, billing, and notification data as needed for their services.
Cookies
TrialShield uses only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.
Contact
For privacy-related questions, data deletion requests, or to exercise your rights, contact us at tomascorzo1203@gmail.com.