Effective Date: December 1, 2025
Truepic Inc. (“Truepic,” “we,” “us,” or “our”) is a U.S.-based Software as a Service (SaaS) company that provides a digital provenance and authenticity platform (the “Service”) to our business customers (“Customers”). Our Service enables Customers to establish the digital provenance and authenticity of content uploaded by their end users (“End Users”) through our mobile web or native application (the “App”), which End Users can open in a mobile web browser or download from app stores such as the Apple App Store and Google Play Store or access via a web-based interface.
We are committed to protecting your privacy and handling personal information in compliance with applicable laws, including the laws of all 50 U.S. states (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and other applicable state privacy laws), the Gramm-Leach-Bliley Act (“GLBA”), the General Data Protection Regulation (“GDPR”) in the European Union, the UK GDPR, and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) along with provincial privacy laws (e.g., Quebec’s Act respecting the protection of personal information in the private sector).
In most cases, we act as a data processor (or “service provider” under some U.S. laws) for our Customers, who are the data controllers (or “businesses” under some U.S. laws) responsible for the personal information contained in content uploaded by End Users through the App. We process this information solely on behalf of and as instructed by our Customers and we implement appropriate technical and organizational measures to protect the data we process on behalf of our Customers.
In some cases, we act as a data controller. We act as data controller when we collect and process contact information and account details of our customers and prospective customers, when we collect and process information about visitors to our website, when we process personal information for our own business purposes, such as billing, fraud prevention, and service improvements, and when we collect and use analytics data related to the performance and usage of our App and Service. In these instances, we determine the purposes and means of processing and comply with all applicable controller obligations under relevant privacy laws.
This Privacy Policy explains what information we collect and process, and how we collect, use, disclose, and protect personal information. It applies to information we collect through the Service, the App, our website, and other interactions. “Personal information” means any information that identifies or relates to a natural person (sometimes referred to as an identifiable individual).
If you are an End User, your use of the App and submission of content is also governed by the privacy policy of the Customer on whose behalf you are using the Service. Our Customers are responsible for obtaining necessary consents and providing privacy notices to their End Users. For questions about a Customer’s data practices, contact them directly.
By using the Service or App, you agree to the practices described in this Privacy Policy. If you do not agree to the practices described in this Privacy Policy, do not use the Service or App.
We collect the following types of personal information:
When Acting as a Data Processor
When processing data on behalf of our Customers, we may collect and process:
When Acting as a Data Controller
When acting as a data controller, we may collect and process:
We use personal information for the following purposes:
When Acting as Data Processor
When Acting as Data Controller
Additional Uses
We rely on one, some, or all of the following legal bases for processing personal information:
We do not sell personal information. We share information with the following categories of recipients:
Sub-processors and Service Providers
We engage various sub-processors and service providers to assist us in providing our services, including:
We maintain a current list of all sub-processors we use, which is at trust.truepic.com/subprocessors. We conduct due diligence on all sub-processors to ensure they provide sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of applicable privacy laws. We enter into agreements with our sub-processors that impose data protection obligations consistent with this Privacy Policy and applicable law.
International Sub-processors
As a U.S.-based company providing services globally, we may use sub-processors outside the United States, EEA, UK, and Canada. For any sub-processor processing personal data subject to GDPR, UK GDPR, or Canadian privacy laws that is located in a country without an adequacy decision, we ensure appropriate safeguards are in place through:
Customers may request copies of relevant data transfer mechanisms by contacting us at the contact information provided at the end of this Policy.
The SCCs and other transfer mechanisms provide data subjects with enforceable rights and effective legal remedies, including:
We use cookies, web beacons, pixels, and similar tracking technologies on our website and App to enhance functionality and analyze usage.
Strictly Necessary Cookies: Necessary for the functioning of our services
Performance Cookies: Help us understand how visitors interact with our services
Functional Cookies: Remember your settings and preferences
Targeting Cookies: Track your browsing habits to deliver targeted advertising
You can manage your cookie preferences by:
Please note that disabling certain cookies may limit the functionality of our services.
Do Not Track Signals: Some browsers include a “Do Not Track” (DNT) feature that signals to websites that you do not want your online activities tracked. Currently, there is no universal standard for how DNT signals should be interpreted. We do not currently respond to DNT signals, but you can use the cookie preference tools described above to manage tracking.
Website and Service Analytics
We use analytics tools to collect information about how users interact with our Service, including:
This information helps us improve our Service, understand user behavior, and optimize user experience. Analytics data is typically aggregated and anonymized.
Our App is available through mobile web browsers and various app stores, such as the Apple App Store and Google Play Store, or can be accessed via a web-based interface. Your use of our App is also subject to the applicable app store’s terms of service and privacy policies. Our privacy practices are disclosed in app store listings as required, and you can review them before downloading the App.
Our App may request the following permissions:
Our App uses third-party Software Development Kits (SDKs) for various purposes: analytics (e.g., track app usage, performance, and user engagement), performance monitoring (e.g., detect and diagnose app crashes and performance issues), and authentication (secure user authentication). All SDK providers are bound by data processing agreements and are required to handle data in accordance with applicable privacy laws.
When you use our App, we may collect information through device identifiers, SDKs, server logs, and local storage on your device.
In addition to the information described in Section 1, our App may collect:
We may update our App from time to time. Updates may include changes to data collection practices. Continued use of the App after updates constitutes acceptance of any changes.
Our Service uses automated processing and algorithms to authenticate photos and videos. This processing may include authentication analysis, to verify the authenticity and integrity of uploaded photos and videos, and fraud detection, to identify potentially fraudulent or manipulated content.
Human Oversight and Review
While our authentication processes are largely automated, we maintain human oversight:
Rights Related to Automated Decisions
If you are subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you, in certain jurisdictions the data controller must give you the right to:
As a data processor for End User data, we will work with the relevant Customer to facilitate these rights.
No Sensitive Data Profiling
Our Service does not use automated decision-making or profiling for decisions involving sensitive personal information (as defined in Section 1).
When using data for AI training purposes, we implement the following safeguards:
We do not share personal information with external parties for the purpose of training their AI models.
We implement reasonable security measures, including encryption, access controls, firewalls, and regular audits, to protect personal information. However, no system is entirely secure, and we cannot guarantee that data breaches will never occur.
Processor Obligations
When acting as a data processor, we will notify our Customers without undue delay after becoming aware of a personal data breach. We will provide our Customers with sufficient information to meet their own notification obligations and cooperate with Customers in their breach response efforts.
Controller Obligations
When a breach affects personal information for which we are the data controller (Customer and prospective customer information), we will follow applicable law with respect to all notification requirements, including:
Customers may request deletion of their accounts at any time by contacting their designated account manager.
End Users should contact the relevant Customer to request deletion of their data, as Customers are the data controllers. We will assist Customers in processing End User deletion requests. End Users may also contact us directly at the contact email at the end of this Policy if they are unable to reach the Customer, and we will make reasonable efforts to forward the request to the appropriate Customer.
End User Data (As Data Processor)
We retain End User data according to our Customers’ instructions and our agreements with them. Customers may delete End User data at any time through the Service or by contacting us. Upon termination of a Customer account, we will delete or return End User data as specified in our agreement with the Customer, typically within 90 days unless legally required to retain it longer.
Customer, Prospective Customer, and Business Data (As Data Controller)
We retain Customer, Prospective Customer, and Business data for as long as necessary to:
Marketing data is retained until you opt out or withdraw consent.
Rights Regarding End User Data
If you are an End User, you should direct requests regarding your personal data to the relevant Customer (the data controller). We will assist Customers in responding to such requests as required by law.
Rights Regarding Customer and Prospective Customer Data
Depending on your location and applicable law, you may have the following rights:
To exercise these rights, contact us at the contact information at the end of this Policy. We will respond to requests within the timeframes required by applicable law. We may need to verify your identity before processing your request. In some cases, we may need to limit or deny your request if permitted or required by law, or if we cannot verify your identity.
Truepic Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Truepic Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Truepic Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Our Service is not directed to children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children of any age. If we learn we have collected information from a child under the applicable age of consent without parental consent, we will delete it promptly.
Our website, Service or App may link to third-party sites or integrate third-party services that are not operated or controlled by us, including:
We are not responsible for the privacy practices, content, or security of any third-party websites or services. These third parties have their own privacy policies and terms of service, which may differ from ours.
If you choose to authenticate using third-party services, you will be directed to the third party’s website to complete authentication. We will receive only the information you authorize the third party to share with us. We recommend reviewing the privacy policy of any third-party authentication service before using it.
Our Service may allow Customers to integrate with third-party applications and services. When Customers enable such integrations, data may be shared with the integrated third-party service according to the Customer’s configuration. We are not responsible for our Customer’s or any third party’s data practices, so we recommend you review all applicable privacy policies and notifications.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Privacy Policy on our website and update the “Last Updated” date. For material changes, we will provide additional notice, such as by email or through a prominent notice in the Service. We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices. Your continued use of our services after the revised policy becomes effective indicates your acceptance of the updated terms.
If you have a complaint about our privacy practices, please contact us using the information provided at the end of this Policy. We will make every effort to respond to your complaint within 30 days.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Truepic Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
Truepic Inc.’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
In certain jurisdictions and under certain conditions, you may invoke binding arbitration to resolve complaints not resolved by other mechanisms, as described in Annex I of the DPF Principles.
In accordance with the DPF, Truepic Inc. is also liable for onward transfers to third parties that process personal information in a way that does not follow the DPF unless Truepic Inc. was not responsible for the event giving rise to any alleged damage.
For questions, requests, or complaints, please contact our Data Protection Representative: Tom Payne.
This Policy is governed by the laws of the State of California in the United States of America, without regard to the conflicts of law principles thereof.