GDPR Compliance

How TruAddress complies with the General Data Protection Regulation.

Last updated: January 29, 2026

Our Commitment to GDPR

TruAddress is committed to protecting the privacy and rights of individuals in the European Union. We comply with the General Data Protection Regulation (GDPR) and provide tools to help our customers meet their own GDPR obligations.

Roles and Responsibilities

When We Are a Data Controller

We act as a data controller when processing:

  • Account registration information
  • Billing and payment data
  • Marketing communications (with consent)

When We Are a Data Processor

We act as a data processor when you use our APIs to validate addresses. In this case, you are the data controller and we process data on your behalf according to your instructions.

Data Processing Agreements

We offer Data Processing Agreements (DPAs) to customers who require them for GDPR compliance. Our DPA includes:

  • Standard Contractual Clauses (SCCs) for international transfers
  • Technical and organizational security measures
  • Sub-processor list and notification procedures
  • Data breach notification commitments

To request a DPA, contact [email protected].

Lawful Basis for Processing

We process personal data under the following lawful bases:

| Purpose | Lawful Basis |
|---------|--------------|
| Account management | Contract performance |
| Billing | Contract performance |
| API request processing | Legitimate interest / Contract |
| Security monitoring | Legitimate interest |
| Marketing | Consent |

Your Rights Under GDPR

As a data subject, you have the right to:

Access

Request a copy of the personal data we hold about you.

Rectification

Request correction of inaccurate personal data.

Erasure

Request deletion of your personal data ("right to be forgotten").

Restriction

Request that we limit how we use your data.

Portability

Request your data in a portable, machine-readable format.

Object

Object to processing based on legitimate interest.

Withdraw Consent

Withdraw consent for marketing communications at any time.

To exercise these rights, contact [email protected]. We will respond within 30 days.

Data Transfers

TruAddress is based in the United States. For EU customers, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures as recommended by the EDPB

We do not transfer data to countries that lack adequate protection unless appropriate safeguards are in place.

Sub-Processors

We use the following sub-processors:

| Sub-Processor | Purpose | Location |
|---------------|---------|----------|
| Vercel | Infrastructure hosting | USA (EU option available) |
| Stripe | Payment processing | USA |
| Resend | Transactional email | USA |
| Neon | Database hosting | USA (EU option available) |

We notify customers of sub-processor changes via email. You may object to new sub-processors within 30 days.

Data Retention

We retain personal data only as long as necessary:

  • Account data: Duration of account + 30 days
  • API logs: 30 days
  • Billing records: 7 years (legal requirement)
  • Marketing data: Until consent withdrawn

Security Measures

We implement appropriate technical and organizational measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and audit logging
  • Regular security assessments
  • Employee training and confidentiality agreements

See our Security page for details.

Data Breach Notification

In the event of a data breach affecting your personal data, we will:

  • Notify affected customers within 72 hours
  • Provide details of the breach and affected data
  • Describe measures taken to address the breach
  • Cooperate with supervisory authorities as required

EU Representative

For EU data subjects, our representative in the European Union is:

TruAddress EU Representative
[Address to be added]
Email: [email protected]

Contact Our DPO

For GDPR-related inquiries:

Updates

We review and update this policy regularly to ensure ongoing compliance. Material changes will be communicated via email.
