Privacy Policy
How we handle firm and client data on Trustbook Pro.
Last updated: May 2026
1. Who we are
Trustbook AG ("Trustbook", "we", "us") is a Swiss company registered in Zurich. Trustbook Pro is the B2B surface of the Trustbook platform, designed for accounting firms and their clients to exchange documents securely. We are subject to the Swiss Federal Act on Data Protection (FADP / nDSG) and adhere to the principles of the EU GDPR.
2. The two parties on this platform
Trustbook Pro connects two parties:
- Firms — accounting firms, fiduciaries, brokers — who hold an account with us under a written agreement and pay for the service.
- Clients — the firm's own customers, who use the consumer Trustbook app to share documents with their firm.
For firm members, Trustbook is the data controller. For client data, the firm is the data controller and Trustbook acts as a data processor under the firm's instructions.
3. Data we collect
- Firm account data — firm name, country, contact email, member email addresses, role assignments.
- Documents — files uploaded by clients in response to requests, and files delivered by firms to clients. Encrypted at rest, Swiss-hosted.
- Messages — the body of messages exchanged between firm members and clients, encrypted at rest using Fernet.
- Operational metadata — request status, delivery timestamps, read receipts, audit logs of document access.
4. How we use the data
- To provide the secure document exchange (storage, transmission, access control).
- To send transactional emails (invitations, password resets, delivery notifications).
- To audit access for security and compliance.
We do not use firm or client data for advertising, model training, profiling, or any purpose beyond providing the service.
5. Storage & security
- All data is hosted in Zurich, Switzerland, on certified cloud infrastructure.
- Documents and messages are encrypted at rest. Sensitive fields (firm API keys, PII) are encrypted at the application layer using Fernet.
- Data in transit is protected with TLS 1.3.
- Authentication is delegated to a certified identity provider; we never see firm members' passwords.
- All document access is logged for audit.
6. Sharing
We do not sell or rent firm or client data. We share data with:
- Service providers — Swiss-region cloud hosting and a transactional email provider. All bound by data processing agreements.
- The other party in the link — files uploaded by a client to a firm's request are visible to that firm (that's the point); files delivered by a firm to a client are visible to that client.
- Legal authorities — only if required by Swiss law or a valid legal order.
7. Your rights
Under FADP and GDPR you have the right to access, correct, delete, or export your personal data. Firm admins can act on behalf of their firm. End clients should exercise their rights through their firm (the controller) or by contacting privacy@trustbook.ai directly if needed.
8. Retention
Firm data is retained for as long as the firm's account is active. When a firm's contract ends, all firm data and the underlying documents are permanently deleted within 30 days, subject to any legal retention obligations. Audit logs may be retained longer in anonymized form for security purposes.
9. Changes
We may update this policy from time to time. Firm admins will be notified of material changes by email. The latest version is always at pro.trustbook.ai/privacy/.
10. Contact
Trustbook AG, Zurich, Switzerland.
Email: privacy@trustbook.ai