Privacy Policy
Last updated:
Version 3.0. Applies to all Trusted Rw users globally
1. Who We Are and What This Policy Covers
Trusted Rw is a digital trust and reputation platform headquartered in Kigali, Rwanda. We provide verified business profiles, transparent review infrastructure, identity checks, and community tools that help consumers and businesses make informed decisions.
This Privacy Policy applies to all personal data we collect, use, store, and share when you access or use the Trusted Rw website, mobile interface, and related services. It covers every touchpoint: account registration, Google Sign-In, reviews, surveys, live sessions, marketplace interactions, payment processing, and any future features.
By using our platform, you enter a mutual relationship with us. This policy describes not only your obligations but the specific, binding commitments we make to you in return for your trust. We are accountable to these commitments.
2. Our Commitments to You
We do not treat privacy as a compliance checkbox. These are our standing obligations to every user:
- We will collect only data that is necessary, proportionate, and has a clear purpose
- We will never sell your personal data to any third party, for any reason
- We will never use your data for advertising profiling beyond the platform itself
- We will tell you clearly what data we collect and why, in plain language
- We will honour your deletion, correction, and portability requests within legally required timeframes
- We will notify you promptly in the event of a data breach that affects your information
- We will keep this policy current and notify you of material changes before they take effect
- We will provide a clear, easy process for exercising your rights, with no runaround
3. Legal Basis for Processing
We process your personal data on the following legal grounds, consistent with Rwanda Law No. 058/2021 on Protection of Personal Data and Privacy, and aligned with international standards:
| Legal Basis | When We Rely on It |
|---|---|
| Contractual necessity | Processing required to create and operate your account, deliver services you request, and fulfil platform features |
| Legitimate interests | Platform security, fraud prevention, abuse detection, aggregated analytics to improve service quality, where your interests and rights are not overridden |
| Legal obligation | Compliance with Rwandan law, tax obligations, court orders, and regulatory requirements |
| Consent | Optional features such as marketing communications, optional profile enhancements, and third-party service integrations you choose to connect |
| Vital interests | In rare circumstances where processing is necessary to protect the safety of a person |
4. What Data We Collect and Why
4.1 Account and Identity Data
| Data Element | Why We Collect It | Legal Basis |
|---|---|---|
| Name and display name | Identify you across the platform, display your profile | Contract |
| Email address | Account security, login, notifications, support | Contract |
| Password (hashed) | Secure access authentication | Contract |
| Profile photo | Optional avatar display in account context | Consent |
| Account type (individual/business) | Tailor features and interface to your use case | Contract |
| Business identity details | Business profile verification and trust scoring | Contract / Legitimate interest |
4.2 Google Sign-In Data
When you choose to sign in using Google, we receive limited data from Google solely for authentication. This data is governed by a specific purpose limitation:
| Google Data Element | Purpose | Retained? |
|---|---|---|
| Email address | Account identification and secure sign-in | Yes, as account identifier |
| Display name | Profile identity display in the product interface | Yes, as profile field |
| Profile picture URL | Optional avatar in account context | Only if user keeps it |
| Google ID | Unique partner identifier to prevent account confusion | Yes, as account link key |
| OAuth access token | Completing the sign-in handshake only | No, discarded after authentication |
We do not use Google Sign-In data for advertising, profiling, or purposes beyond secure authentication. Google-sourced data is handled in accordance with the Google API Services User Data Policy, including purpose limitation and data minimisation requirements.
4.3 Activity and Usage Data
| Data Element | Why We Collect It |
|---|---|
| Reviews, ratings, and comments | Core platform functionality, public trust content |
| Survey and poll responses | Platform research and business intelligence features |
| Messages and communications | Live session, direct message, and chat functionality |
| Payment transaction records | Order processing, invoicing, and fraud prevention |
| Device and browser type | Security fingerprinting and abuse detection |
| IP address and session data | Security logging, rate limiting, geographic fraud signals |
| Feature usage patterns | Service improvement through anonymised analytics |
5. How We Use Your Data
Beyond the specific purposes listed above, we use your personal data to:
- Operate, maintain, and improve all platform features and services
- Authenticate your identity and protect your account from unauthorised access
- Process payments, manage subscriptions, and handle refund or dispute requests
- Send service-critical notifications, security alerts, account changes, billing updates
- Send optional marketing communications, only where you have given explicit consent
- Detect, investigate, and prevent fraud, abuse, and violations of our policies
- Comply with applicable law, respond to lawful requests from authorities, and enforce our legal rights
- Produce anonymised, aggregated analytics that do not identify you personally
We do not use personal data for automated decision-making that produces legal or similarly significant effects on you without human review. Where profiling is used to surface platform recommendations or trust scores, it operates on aggregated patterns, not surveillance of individuals.
6. Cookies and Similar Technologies
We use cookies and similar technologies for the following purposes:
| Cookie Type | Purpose | Can You Opt Out? |
|---|---|---|
| Session cookies | Maintain your authenticated session securely | No, essential for service |
| Security cookies | CSRF protection, abuse prevention, rate limiting | No, essential for security |
| Preference cookies | Remember your settings (theme, language, layout) | Yes, via cookie settings |
| Analytics cookies | Understand how users navigate the platform (anonymised) | Yes, via cookie settings |
| Authentication hint cookies | Remember your last sign-in method to streamline login | Yes, cleared via account settings |
For full details on cookies, including duration and third-party cookies, see our Cookie Policy.
7. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share your information only in the following limited circumstances:
| Recipient | What We Share | Why |
|---|---|---|
| Service providers | Minimum data necessary for their function | Cloud hosting, email delivery, payment processing, security services, all bound by data processing agreements |
| Payment processors | Transaction identifiers and amount | Completing payment operations securely |
| Law enforcement or courts | Data specified in a lawful order | Legal obligation; we review all requests for validity and scope |
| Business buyers (merger/acquisition) | User data as part of business assets | Legitimate interest; you will be notified and given a reasonable period to act |
| Public platform content | Reviews, ratings, public profile fields | This is the nature of public trust content, governed by your privacy settings |
We challenge overly broad or legally deficient data requests. When permitted by law, we will notify you before complying with legal demands affecting your data.
8. International Data Transfers
Trusted Rw operates from Rwanda. Some service providers, including cloud infrastructure and email systems, may process data in other jurisdictions. When we transfer your data internationally, we ensure appropriate safeguards are in place, including:
- Data processing agreements with all third-party service providers
- Standard contractual clauses recognised by applicable data protection authorities
- Limiting transfers to jurisdictions with adequate data protection frameworks
- Regular review of third-party security and compliance certifications
9. How We Protect Your Data
We apply layered technical and organisational safeguards appropriate for a trust platform handling sensitive identity and commercial data:
- Encryption in transit: TLS 1.2 or higher for all data exchanges between your browser and our servers
- Encryption at rest: sensitive files and certain personal data fields are stored encrypted
- Password security: all passwords hashed using modern adaptive algorithms; plaintext passwords are never stored
- Role-based access control: staff access to personal data is restricted to roles with a legitimate operational need
- Audit logging: security events, data access events, and account changes are logged and monitored
- Session security: HttpOnly, SameSite, and Secure flags applied to authentication cookies
- Rate limiting and abuse controls: automated protections against credential stuffing, brute force, and scraping
- Regular security reviews: internal code reviews and periodic independent assessment of security controls
No system can guarantee absolute security. If you believe your account has been compromised, contact us immediately at security@trusted.rw.
10. Data Retention
We keep personal data only for as long as necessary to fulfil the purpose for which it was collected, meet legal obligations, or resolve disputes.
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | While the account remains active | Contract |
| Deleted account data | Up to 30 days post-deletion request, then purged | Operational / Legal |
| Payment and transaction records | 7 years from transaction date | Rwanda tax and financial law |
| Security and audit logs | 12 months from event date, then anonymised | Legitimate interest / Legal obligation |
| Session and authentication cookies | Expire per cookie settings (session to 30 days) | Contract |
| Google sign-in linkage | Deleted when account deletion is completed | Contract |
| Backup copies | Overwritten within 90 days on standard rotation cycles | Operational |
| Legal hold data | Until hold is lifted, then as per standard schedule | Legal obligation |
When retention periods expire, data is either securely deleted, anonymised (making it no longer personal data), or pseudonymised for aggregated analytics only.
11. Your Rights
You have the following rights over your personal data. These are genuine rights, not aspirational language. We will respond to valid requests within thirty days, or notify you promptly if more time is needed.
| Your Right | What It Means | How to Exercise |
|---|---|---|
| Access | Obtain a copy of the personal data we hold about you | Privacy Dashboard (instant download) or privacy@trusted.rw |
| Rectification | Correct inaccurate or incomplete personal data | Account settings (most fields) or privacy@trusted.rw |
| Erasure | Request deletion of your account and associated personal data | Privacy Dashboard (immediate self-service) or privacy@trusted.rw |
| Portability | Receive your data in a structured, machine-readable format | Privacy Dashboard (JSON export, instant download) |
| Restriction | Restrict how we process your data while a complaint or dispute is active | privacy@trusted.rw |
| Objection | Object to processing based on legitimate interests (including direct marketing) | Privacy Dashboard (consent preferences) or privacy@trusted.rw |
| Withdraw consent | Where processing is based on consent, withdraw it at any time | Privacy Dashboard (consent preferences, instant effect) |
| Complain | Lodge a complaint with a competent data protection authority in Rwanda or your country of residence | Contact Rwanda Utilities Regulatory Authority (RURA) or equivalent |
Exercise your rights instantly from your Privacy and Compliance Dashboard
Download your data, update consent preferences, and delete your account without contacting us.
We will not charge you for exercising these rights except where requests are manifestly unfounded or excessive. We will not penalise you for making privacy requests, and we will never treat a rights request as grounds for account restriction.
12. Account and Data Deletion Process
You can delete your account at any time through the Privacy and Compliance Dashboard or by contacting privacy@trusted.rw. Our deletion process is as follows:
- Your account record and directly linked profile data are queued for deletion immediately upon confirmed request
- Google token revocation is attempted when a live authorisation token exists
- Active sessions are invalidated and authentication cookies are cleared
- Your public reviews and content become anonymised: the content may remain on the platform records it refers to, but is no longer attributable to you
- Payment records required by law are retained separately for the legally mandated period only
- All personal data not subject to legal hold is purged within thirty days of confirmed deletion request
- Backup copies are overwritten on standard rotation schedules (maximum 90 days)
- We will confirm completion of deletion to you by email
Deletion is irreversible. We cannot recover your account or data once deletion has been completed.
13. Children's Privacy
Trusted Rw is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 16 without appropriate consent, we will delete it promptly. If you believe a child's data has been submitted to our platform, contact us at privacy@trusted.rw.
14. Changes to This Policy
We will update this Privacy Policy as our practices evolve, as required by law, or to reflect new features. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will post a prominent notice on the platform for at least 30 days before the changes take effect
- We will notify registered users by email for changes that materially affect their privacy rights
- Continued use of the platform after the effective date constitutes acceptance of the updated policy
If you do not agree with material changes, you may delete your account before the effective date. We will not apply new purposes to data collected before the change without seeking fresh consent.
15. Google User Data Policy Commitment
Our handling of data received via Google Sign-In is governed by the Google API Services User Data Policy. Specifically: (a) we access only the minimum data required for authentication; (b) we use Google user data solely for authentication and the features the user directly requests; (c) we do not transfer Google user data to third parties except as required to provide the requested service, comply with law, or protect against fraud; (d) we do not use Google user data for advertising; (e) we allow human access to Google user data only for security purposes and where you have given explicit permission.
16. Additional Policy References
- Security Policy: detailed controls for lifecycle management, retention, deletion, and technical protection standards
- Cookie Policy: full details on cookies, tracking technologies, and opt-out mechanisms
- Terms of Service: your rights and responsibilities when using the platform
17. Contact for Privacy Matters
We take every privacy inquiry seriously. Contact us for any question, concern, or request related to your personal data:
Privacy team: privacy@trusted.rw
Legal team: legal@trusted.rw
Security incidents: security@trusted.rw
Location: Kigali, Rwanda
Response commitment: We will acknowledge your inquiry within 3 business days and provide a substantive response within 30 days.
18. Version and Change History
Version: 3.0
Effective date:
Change note: Comprehensive rewrite with mutual commitments, legal basis table, expanded data mapping, international transfer safeguards, full rights catalogue, and updated retention schedule. Rwanda Law No. 058/2021 alignment confirmed.