PRIVACY POLICY

TRUSTED ONLY, LLC

1.  Introduction

Trusted Only, LLC (“Trusted Only,” “we,” “our,” or “us”) is committed to protecting the privacy, confidentiality, and security of personal information. This Privacy Policy describes the types of personal data we collect and process, how we use and protect that data, and the rights available to individuals regarding their personal information.

This Policy applies to all visitors, users, customers, agents, homeowners, and other individuals (“Data Subjects”) whose personal data is processed through Trusted Only’s platform, services, and website (collectively, the “Services”).

By using or accessing our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please discontinue your use of our Services and contact us at the information provided in Section 14.

This Policy should be read alongside our Acceptable Use Policy, which governs how customers and users may interact with the platform.

2.  Regulatory Compliance

Trusted Only implements safeguards and procedures designed to comply with all applicable data protection laws and regulations. Our platform has been designed and maintained to meet obligations under the following frameworks:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – We respect the rights of California residents to access, correct, delete, and opt out of the sale or sharing of their personal information.
• EU General Data Protection Regulation (GDPR) – We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and provide Data Subjects with the rights afforded under the GDPR.
• UK Data Protection Act 2018 – We process personal data in compliance with the UK’s post-Brexit data protection framework, which incorporates the retained EU GDPR into UK domestic law.
• Swiss Federal Act on Data Protection (nFADP) – We recognize and honor the enhanced protections required under Switzerland’s revised Federal Act on Data Protection for Swiss residents.
• Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Nevada SB 220 – We extend applicable privacy rights to residents of these states in accordance with each law’s requirements.
• CAN-SPAM Act and CASL – All commercial email communications comply with applicable email marketing laws, including opt-out and unsubscribe mechanisms.

Where applicable, Trusted Only operates as a “Data Processor” on behalf of its customers (“Data Controllers”) and enters into appropriate Data Processing Agreements (DPAs) to define the legal basis and obligations for such processing.

3.  Legal Basis for Processing (GDPR)

For individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, Trusted Only processes personal data only where a valid legal basis exists under Article 6 of the GDPR. The applicable legal bases are:

Where processing is based on legitimate interests, you have the right to object. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

4.  Information We Collect

The Trusted Only platform processes several categories of Customer Data. The following describes the personal data we may collect, including the categories of personal information collected in the preceding 12 months as required under the CCPA/CPRA:

4.1  Member and Agent Data

When individuals register as members or agents on the platform, Trusted Only may collect:

• Identifiers: full name, username, mailing address, email address, phone number.
• Professional information: employer name, job title, geographic location, professional license numbers.
• Financial information: credit card details and payment processing data, handled through PCI-DSS-compliant systems.
• Account credentials: usernames, passwords (stored in hashed form), and authentication tokens.

4.2  Homeowner and Contact Data

For homeowners and other contacts managed within the platform by our customers, Trusted Only may process the following on behalf of those customers:

• Identifiers and contact data: name, address, phone number, email address.
• Demographic information: age range, household composition, or other general demographic attributes.
• Personal interests and preferences: purchase history, marketing preferences, and interest categories.
• Internet and network activity: IP addresses, cookie identifiers, browser and device usage data, and location data derived from platform interactions.
• Financial information: transaction data and financial records relevant to the Services.
• Inferences: profiles drawn from the above to reflect preferences or behavior relevant to the platform’s functions.

4.3  Enhancement Data

Trusted Only collects usage history, performance statistics, and technical telemetry generated through platform operation. This Enhancement Data is used solely for internal analytical and product improvement purposes and may be made publicly available only on an aggregated and fully de-identified basis such that no individual can reasonably be identified.

4.4  Data Collected from Third-Party Sources

We may receive personal data from authorized third parties, including our customers (who input or upload data on behalf of their contacts), integration partners, and data enrichment providers where permitted by applicable law. Any such data is subject to the same protections described in this Policy.

4.5  Sensitive Data

4.6  Children’s Privacy

The Services are not directed to individuals under the age of 18, and we do not knowingly collect personal data from children. If we become aware that personal data from a child under 18 has been collected without verifiable parental consent, we will take prompt steps to delete such information. If you believe we may have collected data from a minor, please contact us immediately at privacy@trustedonly.com.

Trusted Only does not knowingly collect personal information from children under 13 as defined by the Children’s Online Privacy Protection Act (COPPA).

5.  How We Use Your Data

Trusted Only processes personal data for the following purposes only:

• Service Delivery: To provide, maintain, operate, and improve the core features and functionality of the Services.
• Account Management: To create and manage user accounts, authenticate users, and provide customer support.
• Billing and Payments: To process transactions, manage subscriptions, and handle invoicing.
• Communications: To send transactional messages, service notifications, and security alerts. Marketing communications are sent only with your consent and always include an easy opt-out mechanism.
• Analytics and Product Improvement: To analyze aggregated, de-identified Enhancement Data to understand usage patterns, diagnose issues, and improve platform functionality.
• Legal and Compliance: To comply with applicable laws, regulatory requirements, and enforceable legal processes.
• Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access or activities that violate our Terms of Service.

We do not use personal data for automated individual decision-making (including profiling) that produces legal or similarly significant effects without human review. Where any such processing is introduced in the future, affected individuals will be informed and provided with applicable rights under GDPR Article 22.

6.  Data Sharing and Sub-processors

6.1  Authorized Sub-processors

To deliver the Services, Trusted Only engages authorized third-party service providers (“Sub-processors”) who process personal data strictly on our behalf and under our documented instructions. Each Sub-processor is bound by a written data processing agreement imposing data protection, security, and confidentiality obligations no less protective than those in this Policy.

A current, maintained list of Sub-processors — including their names, roles, and locations — is available at:

Sub-processor List: https://get.trustedonly.com/sub-processors/

Trusted Only will provide advance notice of any material changes to the Sub-processor list in accordance with applicable contractual obligations, giving customers the opportunity to object.

6.2  Professional Advisors

We may share personal data with professional advisors — including attorneys, accountants, auditors, and consultants — when reasonably necessary for them to perform services on our behalf. Such advisors are bound by confidentiality obligations.

6.3  Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal data may be transferred as part of that transaction. Affected individuals will be notified in accordance with applicable law.

6.4  Legal Requirements

Trusted Only may disclose personal data if required to do so by law or in the good-faith belief that such disclosure is necessary to comply with a legal obligation, protect the rights or property of Trusted Only, or protect the personal safety of users or the public.

7.  International Data Transfers

Trusted Only is based in the United States. If you are located in the EEA, UK, Switzerland, or another jurisdiction with data transfer restrictions, please be aware that your personal data may be transferred to and processed in the United States and other countries where our Sub-processors operate.

We ensure that any cross-border transfer of personal data is subject to appropriate safeguards, including:

• Standard Contractual Clauses (SCCs): We rely on the European Commission’s approved Standard Contractual Clauses for transfers from the EEA to third countries, and the UK International Data Transfer Agreement (IDTA) for transfers from the UK.
• Adequacy Decisions: Where the destination country has been granted an adequacy decision by the European Commission or UK authorities, we may rely on that decision as a transfer mechanism.
• Supplementary Measures: Where required by applicable guidance, we implement supplementary technical and organizational measures to ensure an essentially equivalent level of protection.

For more information about the transfer mechanisms we use, or to obtain a copy of the relevant safeguards, please contact us at privacy@trustedonly.com.

8.  Security Measures and Certifications

Trusted Only maintains an industry-standard Information Security Policy and implements a comprehensive set of technical and organizational security controls to protect personal data. Our security infrastructure includes:

• ISO 27001 Certification – Third-party certified Information Security Management System (ISMS) meeting international standards.
• PCI-DSS Certification – Third-party certified compliance with the Payment Card Industry Data Security Standard for all payment data handling.
• SOC 2 Type I Audit Reports – Independent attestation of the suitability of the design of our security controls covering security, availability, and confidentiality.
• HIPAA Compliance Reports for Business Associates – Where applicable, Trusted Only maintains HIPAA compliance documentation and executes Business Associate Agreements (BAAs) for relationships involving protected health information.
• Encryption – All data is encrypted in transit using TLS 1.2 or higher, and at rest using industry-standard encryption protocols.
• Access Controls – Role-based access controls and multi-factor authentication requirements limit access to personal data.
• Ongoing Testing – We conduct regular vulnerability assessments, penetration testing, and security awareness training.

While we implement these robust safeguards, no system is completely impenetrable. We encourage users to protect their own information by using strong, unique passwords and keeping access credentials confidential.

9.  Security Incident Response

Trusted Only maintains a formal Security Incident Response Program to promptly identify, contain, and remediate security incidents and data breaches.

In the event of a breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Trusted Only commits to:

• Notifying affected customers without undue delay upon becoming aware of the incident.
• Where feasible, providing notification within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33 and other applicable regulatory requirements.
• Providing relevant details including the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

Notifications will be delivered to the primary contact email address on file for the affected customer account. Where applicable law requires direct notification to Data Subjects, we will cooperate to fulfill that obligation.

10.  Data Retention and Deletion

Trusted Only retains personal data only as long as necessary to fulfill the purposes outlined in this Policy, to perform under applicable service agreements, or as required by law.

10.1  Active Service Period

Customer Data is retained for the duration of the active service agreement. During this period, customers may access, correct, export, or delete data through the available platform controls, or by submitting a Data Erasure Request (see Section 11).

10.2  Post-Termination Schedule

Exceptions apply where Trusted Only is legally required to retain data for a longer period (e.g., for tax, audit, or regulatory compliance purposes). In such cases, data will be retained only to the extent legally required and isolated from active processing.

11.  Your Privacy Rights and How to Exercise Them

Trusted Only respects and supports the rights of Data Subjects under applicable privacy laws. Depending on your jurisdiction, you may have the following rights:

• Right to Access: Confirm whether we process personal data about you and obtain a copy of that data.
• Right to Correct / Rectification: Request correction of inaccurate or incomplete personal data (including under CPRA).
• Right to Erasure / Deletion: Request deletion of your personal data, subject to applicable legal retention obligations.
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Right to Restrict Processing: Request that we limit how we use your data under certain circumstances.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Limit Use of Sensitive Information (CPRA): California residents may direct us to limit the use of sensitive personal information.
• Right to Opt Out of Sale or Sharing (CCPA/CPRA): California residents may opt out of any sale or sharing of personal information for cross-context behavioral advertising. To exercise this right, visit: get.trustedonly.com/do-not-sell or contact us directly.
• Nevada Opt-Out Right: Nevada residents may opt out of the sale of covered information pursuant to Nevada SB 220 by contacting us at privacy@trustedonly.com.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising any privacy right.

11.1  Submitting a Data Subject Request

To submit a Data Subject Request (DSR), including a request for data access, correction, or deletion, please use one of the following methods:

• Email: Complete a Data Erasure or Access Request by emailing privacy@trustedonly.com with the subject line “Privacy Request.”
• Online Form: Submit a request at get.trustedonly.com/privacy-request (when available).

We will respond within the timeframe required by applicable law — generally 30 to 45 days, with permitted extensions where needed. We may need to verify your identity before fulfilling a request.

Where Trusted Only processes data as a Data Processor on behalf of a customer, we will refer your request to that customer (as Data Controller) and provide commercially reasonable cooperation to assist in fulfilling it.

12.  Cookies and Tracking Technologies

Trusted Only’s website and platform use cookies, web beacons, pixel tags, and similar tracking technologies to enhance functionality, analyze usage, and deliver relevant content.

12.1  Types of Cookies We Use

• Strictly Necessary Cookies: Required for the platform to operate. These cannot be disabled without affecting core functionality.
• Performance and Analytics Cookies: Used to understand how visitors interact with our Services. Data collected is aggregated and anonymous.
• Functional Cookies: Enable enhanced features such as remembering user preferences and session information.
• Targeting and Marketing Cookies: Used to deliver relevant advertisements and measure their effectiveness. Set only with your explicit consent where required by law.

12.2  Do Not Track

Some browsers offer a “Do Not Track” (DNT) setting. At this time, our Services do not respond to DNT signals, as no universal standard for DNT has been established. We will update this section if our practices change.

12.3  Managing Your Cookie Preferences

You may control cookies through your browser settings or through our cookie consent management tool (where available). Disabling certain cookies may affect the functionality of the Services. For residents of the EU, UK, or other jurisdictions where consent is required, a cookie consent banner will be presented upon first visit. You may withdraw consent at any time by adjusting your cookie preferences.

13.  Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated by Trusted Only. This Privacy Policy does not apply to those third-party services, and we are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services you visit.

Where we integrate with third-party tools or APIs at your direction (e.g., CRM platforms, MLS data feeds), the third party’s own privacy terms govern the data exchanged through that integration.

14.  Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following:

14.1  EU/UK Representative

If Trusted Only is required under GDPR Article 27 or the UK GDPR to designate a representative in the EEA or UK, that representative’s contact information will be published here and at get.trustedonly.com/legal. Please consult with legal counsel to determine whether a representative designation is required based on Trusted Only’s processing activities.

14.2  Supervisory Authority Complaints

If you are located in the EEA or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. A list of EU supervisory authorities is available at https://edpb.europa.eu. The UK supervisory authority is the Information Commissioner’s Office (ICO) at https://ico.org.uk.

15.  Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of [INSERT STATE], United States, without regard to conflict of law principles, except where superseded by applicable federal or international data protection law (including the GDPR and UK GDPR where applicable).

Any disputes arising under this Policy that are not resolved informally shall be subject to the exclusive jurisdiction of the courts located in [INSERT JURISDICTION], unless otherwise required by applicable law.

16.  Changes to This Policy

Trusted Only reserves the right to update or modify this Privacy Policy at any time. When we make material changes, we will update the “Last Updated” date at the top of this document and, where required by law or contract, provide additional notice — such as via email to the primary account contact or a prominent in-platform notice.

Your continued use of the Services after the effective date of any revised Policy constitutes acceptance of the updated terms. We encourage you to review this Policy periodically.