TrustWorks Privacy Notice
Last updated in January 1st, 2026
Document identification and control
Definitions
Who we are
Data Processing Agent
How we collect and use your personal data
Lawful Bases for Processing Personal Data
Processors and Sub-processors
International Transfers of Personal Data
Cookies, trackers and similar technologies
Artificial Intelligence (AI)
Security Measures
How long we retain your personal data
No sale of personal data
Data Subject Rights
Data Protection Officer (DPO)
Changes to this Privacy Notice
Document identification and control:
Document type: External Notice / Privacy Policy
Version: 2.0
Status: Approved
Last updated: 1 January 2026
Scope: TrustWorks Website and Platform
Target audience: Users and Visitors
Document classification: Public
Definitions
For the purposes of this Privacy Notice, the terms below have the meanings set out here.
Definitions
This is some text inside of a div block.
Personal data processed
Purpose of processing
ANPD (Brazilian Data Protection Authority)
The federal public authority responsible for overseeing, implementing and enforcing compliance with the Brazilian General Data Protection Law (LGPD) throughout Brazil, with regulatory, supervisory and enforcement powers, as well as an advisory role on data protection matters.
Artificial Intelligence (AI)
Technologies used to assist platform users with specific tasks, in an optional and supportive manner, and subject to human oversight.
Automated Decision-Making
A decision made solely on the basis of automated processing of personal data that produces legal effects concerning a data subject or similarly significantly affects them.
Cookies and Trackers
Technologies used to collect information about browsing activity, usage and interaction with the website, including measurement and marketing cookies.
California Consumer Privacy Act (CCPA)
A California state privacy law that grants residents rights over their personal data, including the right to know, access and delete personal data, to opt out of the sale or sharing of personal data, and to be free from discrimination for exercising these rights.
Customer / Customer Organisation
The legal entity that engages TrustWorks’ services and determines the purposes and means of the processing of personal data carried out within the context of the platform.
Data Controller
The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor
A natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
Data Protection Officer (DPO)
The individual appointed by the data controller and, where applicable, the data processor, to act as a contact point between the controller, data subjects and the relevant Data Protection Authorities.
Data Sharing
The communication, transfer or granting of access to personal data between public bodies, or between public and private entities, for specific purposes and in accordance with applicable legal or contractual authorisation.
Data Subject
A natural person to whom the personal data being processed relates.
Data Subject Rights
The set of rights granted to data subjects under the LGPD and the GDPR, including the right of access, rectification, erasure, portability, objection and the right to request a review of automated decisions.
European Data Protection Authorities
Independent public authorities responsible for supervising, guiding and ensuring the application of the GDPR within the Member States of the European Union, including handling complaints, conducting investigations and imposing corrective measures and sanctions where applicable.
GDPR
The General Data Protection Regulation of the European Union.
Information Security
The set of practices, measures and controls aimed at protecting confidentiality, integrity and availability of information, including personal data.
International Data Transfer
The transfer or making available of personal data outside the country in which the data subject is located or outside the jurisdiction where the data is processed, including transfers to servers or service providers located in other countries, in accordance with applicable data protection laws such as the GDPR and LGPD.
Lawful Basis
The legal ground that permits the processing of personal data, as provided under the LGPD and the GDPR, such as consent, performance of a contract, legal obligation or legitimate interests, and which must be appropriate to the specific purpose of the processing.
LGPD
The Brazilian General Data Protection Law (Law No. 13,709/2018).
Personal Data
Any information that relates to an identified or identifiable individual, either on its own or when combined with other data.
Processing of Personal Data
Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure or destruction.
RoPA
A documented record of personal data processing activities required under Article 30 of the GDPR and expressly provided for under Article 37 of the LGPD, as part of the accountability principle.
Special Category Personal Data
A specific category of personal data that includes information revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and data concerning health, sex life, genetic or biometric data, as defined under applicable data protection laws.
Standard Contractual Clauses (SCCs / CCPs)
Contractual mechanisms used to ensure an adequate level of protection for international data transfers, in accordance with the GDPR and the LGPD, including Brazilian Standard Contractual Clauses approved under ANPD Resolution No. 19/2024.
Sub-processor
A natural or legal person engaged by the data processor to carry out specific personal data processing activities on behalf of the data controller, always in accordance with the controller’s documented instructions, through the processor, and subject to contractual obligations relating to confidentiality, security and purpose limitation.
Technical and Operational Data
Information necessary for the operation of the platform, such as logs, infrastructure data, monitoring information and error records.
TrustWorks
QueryLayer S.L. (trading as TrustWorks), the legal entity responsible for operating the TrustWorks website and platform, which may act as a data controller or a data processor depending on the context of the personal data processing, as stated in the section 4.
TrustWorks Platform
The application accessible via app.trustworks.io, used by customer organisations to manage privacy and artificial intelligence governance.
Usage Data
Information relating to the use of the website or the platform, such as interactions, metrics, session statistics and events.
User
A natural person authorised by the customer organisation to access and use the TrustWorks platform.
Visitor
A natural person who accesses the TrustWorks website without necessarily holding an account or having a contractual relationship with TrustWorks.
Website
The TrustWorks corporate website, used for the presentation of services, marketing activities, communications and engagement with users and visitors.
Who we are
TrustWorks is a company specialised in privacy management and artificial intelligence (AI) governance solutions. This Privacy Notice explains how TrustWorks processes personal data in connection with its activities.
We operate the TrustWorks SaaS platform (https://app.trustworks.io/) and the TrustWorks website (https://www.trustworks.io/).
Controller entity (Spain): QueryLayer S.L. (trading as TrustWorks)
Controller entity (Brazil): TrustWorks LTDA.
Address (Spain): Calle de L'historiador Diago, 3, 46007, Valencia, Spain
Address (Brazil): Avenida Paulista, nº 352, Conj. 76–77, Bela Vista, São Paulo/SP, CEP 01310-905, Brazil
Applicable law (EU context): EU General Data Protection Regulation (GDPR)
Applicable law (Brazil context): Brazilian General Data Protection Law (LGPD – Law No. 13,709/2018)
Data Processing Agent
A. TrustWorks as a Data Processor
In the context of its platform and privacy management and AI governance services, TrustWorks primarily acts as a data processor, processing personal data on behalf of, and in accordance with the instructions of, the customer organisations that use the platform.
In these circumstances:
the customer organisation acts as the data controller;
TrustWorks processes personal data solely to enable the delivery of the contracted platform functionalities; and
the purposes of, and decisions regarding, the processing are determined by the customer.
As a result, where personal data is processed within the TrustWorks platform and services, the exercise of data subject rights (such as access, rectification or erasure) must be directed to the customer organisation that has engaged TrustWorks, as it is responsible for responding to such requests in its capacity as data controller.
B. TrustWorks as a Data Controller
TrustWorks acts as a data controller when it processes personal data in connection with its own activities, including, but not limited to:
operation and management of the website;
marketing and commercial communications;
sales activities and customer relationship management;
events, newsletters and institutional communications; and
limited and proportionate processing necessary to ensure the improvement, security, stability and protection of the platform, such as performance monitoring, abuse prevention, fault detection and ensuring the proper functioning of services.
In these situations, TrustWorks determines the purposes and means of the processing and assumes full responsibility under the GDPR, the LGPD and other applicable data protection laws, including ensuring the protection of data subject rights and the implementation of appropriate security and governance measures.
How we collect and use your personal data
When you access our website, contact us, or use the TrustWorks platform and services, we collect and process personal data in a limited and proportionate manner, always for specific, explicit and legitimate purposes.
The personal data we process, and the purposes for which it is used, depend on how you interact with TrustWorks, as outlined below.
A. TrustWorks Website
Usage data and trackers
To analyse browsing activity, access metrics and improve the website
Device information
To measure campaign performance and analyse conversions
Address and email address
To respond to enquiries, requests and commercial communications
First and last name
To manage commercial relationships and leads
Browsing and interaction data
To support advertising, marketing activities and performance measurement
Session data
To analyse user behaviour and optimise the user experience
Data submitted via forms
To manage contact requests, surveys and institutional communications
B. TrustWorks Platform (app.trustworks.io)
Application usage data
To analyse usage, improve platform features and enhance the user experience
Technical and operational data
To host, process and operate the platform
Monitoring and error data
To detect faults and ensure platform stability and security
Data provided through support requests
To provide customer support, technical assistance and user communications
Interaction and event data
To prevent spam, misuse and unauthorised use of the platform
Vendor, RoPA and risk-related documentation data
To generate summaries and insights through AI-assisted functionalities, including the analysis of vendor documentation, records of processing activities (RoPA) and risk-related information, in order to support privacy management and governance activities
Lawful Bases for Processing Personal Data
When processing personal data, TrustWorks relies on specific lawful bases to ensure that each processing activity is carried out in a lawful, fair and transparent manner, as required under the GDPR and the LGPD.
The applicable lawful basis depends on:
the type of personal data processed;
the purpose of the processing; and
the context of the relationship with the data subject (for example, website visitor, platform user, customer or business partner).
Lawful basis
Consent
Legal reference
LGPD art. 7º, I | GDPR art. 6(1)(a)
How it is used by TrustWorks/ Purpose
Sending marketing communications and newsletters, and the use of non-essential cookies on the website
Lawful basis
Legitimate interest
Legal reference
LGPD art. 7º, IX | GDPR art. 6(1)(f)
How it is used by TrustWorks/ Purpose
Operation, security and improvement of the website and platform; analytics; fraud prevention; management of commercial relationships; use of AI-assisted functionalities for purposes such as meeting recording and summarisation, where applicable and with prior information to participants; sending emails and communications that may be relevant to the data subject, always subject to appropriate safeguards and with the possibility to opt out at any time
Lawful basis
Performance of a contract
Legal reference
LGPD art. 7º, V | GDPR art. 6(1)(b)
How it is used by TrustWorks/ Purpose
Provision of the TrustWorks platform services, creation and management of user accounts, and handling pre-contractual requests
Lawful basis
Legal obligation
Legal reference
LGPD art. 7º, II | GDPR art. 6(1)(c)
How it is used by TrustWorks/ Purpose
Compliance with applicable legal and regulatory obligations or requirements imposed by competent authorities
Lawful basis
Establishment, exercise or defence of legal claims
Legal reference
LGPD Art. 7(VI)
How it is used by TrustWorks/ Purpose
Establishment, exercise or defence of rights in judicial, administrative or arbitration proceedings
Processors and Sub-processors
TrustWorks shares personal data with third-party service providers where this is necessary for the operation of the website, the platform and the delivery of the contracted services. Such third parties act as data processors or sub-processors, as applicable, and are subject to appropriate contractual data protection obligations.
A. TrustWorks Website
Third parties
Google Ad Manager, Google Ads, LinkedIn
Purpose of engagement
Delivery and measurement of advertising campaigns
Personal data processed
Usage data, conversion data, cookies and trackers, device information
International Data Transfer
USA
Third parties
Google Analytics 4, Clearbit, Piwik PRO
Purpose of engagement
Google Analytics 4, Clearbit, Piwik PRO
Personal data processed
Usage data, session statistics, cookies and trackers
International Data Transfer
USA
Third parties
Hotjar
Purpose of engagement
Behaviour analysis and user experience optimisation
Personal data processed
Browsing data, session data, interactions, cookies and trackers
International Data Transfer
USA
Third parties
HubSpot CRM, HubSpot Email, HubSpot Lead Management
Purpose of engagement
Communications, marketing activities and customer relationship management
Personal data processed
First and last name, email address, usage data, cookies and trackers
International Data Transfer
USA
Third parties
Typeform
Purpose of engagement
Collection of information voluntarily provided by users
Personal data processed
Email address
International Data Transfer
USA
Third parties
Webflow
Purpose of engagement
Website hosting and operation
Personal data processed
Usage data, technical access data
International Data Transfer
USA
B. TrustWorks Platform (app.trustworks.io)
Third parties
Amazon Web Services (AWS), Google App Engine
Purpose of engagement
Platform hosting, processing and operation
Personal data processed
Technical data, usage data, access logs
International Data Transfer
Ireland
Third parties
Sentry
Purpose of engagement
Error detection, fault monitoring and platform stability
Personal data processed
Technical data, logs, error information
International Data Transfer
USA
Third parties
Help Scout
Purpose of engagement
Management of support requests and communications
Personal data processed
Data provided by users, email address, account identifiers
International Data Transfer
USA
Third parties
Pendo, User Guiding
Purpose of engagement
Usage analytics and platform experience improvement
Personal data processed
Usage data, interaction events
International Data Transfer
USA
Third parties
Google reCAPTCHA
Purpose of engagement
Spam prevention and protection against misuse
Personal data processed
Interaction data, cookies and trackers, usage data
International Data Transfer
USA
Third parties
OpenAI
Purpose of engagement
Document summarisation and insight extraction through AI-assisted functionalities
Personal data processed
Content submitted for analysis, associated metadata
International Data Transfer
USA
International Transfers of Personal Data
TrustWorks transfers personal data to other countries, in particular to the United States and Ireland, where this is necessary for the operation of the platform, security purposes, abuse prevention, user support and the provision of specific functionalities, such as infrastructure services, monitoring tools and AI-assisted features.
To ensure an adequate level of protection for personal data transferred internationally, TrustWorks relies on appropriate legal transfer mechanisms as required under applicable data protection laws, including:
Standard Contractual Clauses (SCCs) adopted pursuant to Article 46 of the GDPR, where applicable;
Standard Contractual Clauses approved by the Brazilian Data Protection Authority (ANPD) under the LGPD, in accordance with ANPD Resolution No. 19/2024; and
contractual arrangements with service providers that impose obligations relating to confidentiality, security and purpose limitation.
In addition to these contractual safeguards, TrustWorks implements appropriate technical and organisational measures to protect personal data transferred internationally, including access controls, encryption, logical data segregation, continuous monitoring and periodic risk assessments.
Cookies, trackers and similar technologies
TrustWorks uses cookies, trackers and similar technologies on its website to measure usage, analyse user behaviour and support marketing activities, always in a proportionate manner and in line with the purposes described in this Privacy Notice.
You can manage your preferences, accept, refuse or withdraw consent at any time through the cookie banner and the settings made available on the website, as further detailed in the TrustWorks Cookie Policy.
Artificial Intelligence (AI)
TrustWorks make artificial intelligence (AI)-assisted functionalities available within its platform in order to support users in specific tasks related to privacy management and governance.
The use of AI functionalities is optional and takes place exclusively at the initiative of the user (user-driven). The activation and use of these functionalities are subject to the guidelines defined by the customer organisation, which is responsible for the management, authorisation and supervision of users enabled to access AI features within the platform, as well as for the actions performed by those users, in accordance with the contractual terms applicable between TrustWorks and the customer organisation.
A. AI Provider
TrustWorks’ AI functionalities rely on models provided by OpenAI, integrated through a corporate (Enterprise) account and secure APIs, and used exclusively for inference purposes, meaning the generation of outputs in response to specific user requests.
B. Data protection and security
No use of data for model training: Data processed within the TrustWorks platform is not used to train, fine-tune or improve AI models, either by TrustWorks or by the AI provider.
Enterprise account and contractual controls: AI functionalities are accessed via an Enterprise account, with contractual safeguards ensuring that data:
is not reused for the provider’s own purposes;
is not retained for model training; and
is processed solely to generate the requested output.
Limited and controlled processing: Only the data strictly necessary for the user’s request is processed, on a targeted and transient basis.
Information security: Personal data processed in connection with AI is subject to the same technical and organisational security measures applied across the TrustWorks platform, including encryption, access controls, logical environment segregation and monitoring.
Human oversight: AI-generated outputs are assistive in nature and do not replace human decision-making. Users remain responsible for reviewing, validating and determining how any AI-generated information is used.
The use of artificial intelligence by TrustWorks is aligned with its internal AI policies, applicable data protection laws and recognised governance best practices, and is continuously reviewed to ensure security, transparency and regulatory compliance.
Security Measures
TrustWorks implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure or any other form of unlawful or inappropriate processing, in accordance with applicable laws and recognised information security best practices.
The security measures implemented by TrustWorks comprise multiple layers of protection, including:
Data handling and encryption: Personal data is protected through encryption both at rest and in transit.
Access control: Access to information systems is granted in accordance with the principle of least privilege, with Multi-Factor Authentication (MFA) applied to privileged access.
Logging and monitoring: Relevant activities, exceptions and security events are logged, monitored and reviewed. Attempts at unauthorised access are detected and investigated.
Vulnerability management: Regular vulnerability assessments and penetration tests are conducted, with identified risks remediated based on appropriate prioritisation criteria.
Operational security: Secure system operations are ensured through documented procedures, environment segregation (such as development and production), change management and capacity management.
Training and awareness: Employees receive regular information security awareness training, supported by ongoing communications regarding best practices and individual responsibilities.
TrustWorks maintains an Information Security Management System (ISMS) that consolidates these measures and supports the continuous management of information security risks. The ISMS is aligned with recognised international standards, and TrustWorks is certified under ISO/IEC 27001 and SOC 2, demonstrating its commitment to robust information security controls and governance.
Further information and details about our security programme are available at:
How long we retain your personal data
TrustWorks retains personal data only for as long as necessary to fulfil the specific purposes for which it was collected, as described in this Privacy Notice, and in accordance with the GDPR, the LGPD and other applicable data protection laws.
Personal data is retained for as long as:
it is necessary for the provision of services or for the operation of the website or platform;
it is necessary for the provision of services or for the operation of the website or platform;
it is required to comply with legal, regulatory or contractual obligations.
When personal data is no longer necessary or relevant for the purposes for which it was collected, or when the data subject exercises their rights in accordance with applicable law, TrustWorks will delete or anonymise the personal data, unless its continued retention is necessary for:
the establishment, exercise or defence of legal claims in judicial, administrative or arbitration proceedings;
compliance with legal or regulatory obligations; or
compliance with court orders or requests from competent authorities.
No sale of personal data
TrustWorks does not sell personal data relating to users, customers or visitors of its website or platform, as the concept of “sale” is defined under applicable privacy laws, including US state privacy legislation such as the California Consumer Privacy Act (CCPA) and similar regulations.
Where personal data is shared, this is done solely for the purposes described in this Privacy Notice, such as operating the website and platform, providing services, analytics, marketing activities, security, and compliance with legal obligations. In all cases, personal data is shared only with service providers that are subject to appropriate contractual data protection obligations.
TrustWorks does not authorise third parties to use personal data for their own independent purposes that are incompatible with those described in this Privacy Notice, nor does it transfer control of personal data for commercialisation or resale purposes.
Data Subject Rights
TrustWorks respects and complies with the rights of data subjects as set out in applicable data protection laws, including the GDPR and LGPD. Please note that the availability and scope of certain rights may vary depending on the applicable legislation and the specific circumstances of the processing.
Confirmation of processing
You can request confirmation as to whether TrustWorks processes your personal data.
Right of access
You can request access to the personal data we process about you, as well as information on how and for what purposes such data is used.
Right to rectification
You can request the correction of inaccurate, incomplete or outdated personal data.
Right to erasure, anonymisation or restriction
You can request the erasure, anonymisation or restriction of personal data that is unnecessary, excessive, processed in breach of applicable law, or where there is no longer a valid lawful basis for the processing.
Right to data portability
Where applicable, you can request that your personal data be transferred to another service or product provider, subject to applicable legal requirements and the protection of trade and industrial secrets.
Right to information on data sharing
You can request information about the public or private entities with which your personal data is shared.
Right to information about consent
You have the right to be informed about the possibility of not providing consent and the potential consequences of such a decision, where consent is the relevant lawful basis.
Right to withdraw consent
Where processing is based on consent, you can withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
Right to object
You can object to the processing of your personal data where it is based on legitimate interests, subject to applicable legal grounds.
Automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where permitted by law and subject to appropriate safeguards.
Right to request a review of automated decisions
Where applicable, you can request a review of decisions taken solely on the basis of automated processing that affect your interests.
Right to lodge a complaint
You can lodge a complaint with the Brazilian Data Protection Authority (ANPD) or with the competent European Data Protection Authority, depending on the applicable jurisdiction.
To exercise any of the rights listed above, please access the following link: [link to be inserted here]
Data Protection Officer (DPO)
TrustWorks has appointed a Data Protection Officer (DPO) in accordance with the requirements of the GDPR and the LGPD.
The DPO acts as an independent point of contact between TrustWorks, data subjects and the competent data protection authorities, and performs their duties autonomously.
The main responsibilities of the DPO include:
advising TrustWorks and its employees on personal data protection obligations and best practices;
receiving and handling communications from data protection authorities; and
overseeing and supporting matters related to data protection governance and regulatory compliance.
The DPO does not replace the data subject request channels already identified in this Privacy Notice for the exercise of rights. However, the DPO may be contacted in relation to issues of governance, compliance and supervision of personal data processing activities.
Contact details of the TrustWorks Data Protection Officer
Global DPO
Name: Padraig O'Leary
Email: dpo@trustworks.io
Brazil context
In line with guidance issued by the Brazilian Data Protection Authority (ANPD), TrustWorks has designated, in addition to its principal DPO, a substitute Data Protection Officer for Brazil:
Name: Ana Carolina Teles Maciel
Email: dpobrasil@trustworks.io
Changes to this Privacy Notice
TrustWorks updates this Privacy Notice from time to time to reflect changes in its personal data processing practices, its services, or applicable legal and regulatory requirements.
The date of the most recent update is always indicated at the beginning of this document. We therefore recommend that you review this date regularly to stay informed of any changes.
Where changes are material and may significantly affect data subjects or their rights, TrustWorks will provide a prominent notice on its website to ensure transparency and appropriate communication.
Full privacy notice
For more details, read our complete privacy notice.