PRIVACY POLICY

OVERVIEW & SCOPE

This Privacy Policy describes how TRST CYBER ("TRST," "we," "us," or "our") collects, uses, discloses, and protects information when you visit our website at trstxcyber.com, use our free security scanning tools, submit inquiry forms, or engage our professional cybersecurity services.

We are a cybersecurity operations firm headquartered at 5762 Bolsa Ave. Unit 101, Huntington Beach, CA 92649. We provide Managed Detection & Response (MDR), enterprise cybersecurity, personal protection services, digital forensics, AI governance advisory, ISO compliance, CISO/CIO services, and cyber insurance facilitation.

This policy applies to all data collected through our website, including our email breach scanner, domain recon scanner, contact forms, and any related Netlify-hosted pages. By using our site, you acknowledge you have read and understood this policy.

DATA WE COLLECT

Information You Provide Directly

Contact & Lead Forms

When you submit our contact forms (form IDs: recon-lead, brief, personal-recon-lead), we collect the information you enter: name, email address, phone number, company name, job title, and any details you include in free-text message fields.

Email Breach Scanner

When you use our free email breach scanner, we collect the email address you enter to query against known breach databases. We do not permanently store the email addresses entered into the scanner.

Domain Recon Scanner

When you use our free domain recon scanner, we collect the domain name you enter to perform external reconnaissance queries. We do not permanently store the domain names entered into the scanner.

Service Engagements

When you engage TRST CYBER for professional services (MDR, forensics, compliance, etc.), we collect the information necessary to deliver those services as defined in your service agreement.

Information Collected Automatically

Device & Browser Data

We automatically collect standard technical information: IP address, browser type and version, operating system, device type, screen resolution, referring URL, pages visited, and timestamps. This data is collected through our hosting provider (Netlify) and any analytics tools in use.

Server Logs

Our hosting infrastructure (Netlify) maintains standard server access logs that include IP addresses, request timestamps, HTTP methods, response codes, and user-agent strings.

HOW WE USE YOUR DATA

We use the information we collect for the following purposes:

• Service delivery. To provide cybersecurity services you have requested, including MDR, digital forensics, AI governance advisory, ISO compliance audits, and personal protection.
• Lead follow-up. To respond to inquiries submitted through our contact and recon lead forms, including sending you relevant information about our services via email.
• Security scanning. To execute the email breach scan and domain recon scan you initiate, querying public databases and returning results to your browser session.
• Site operations. To maintain, secure, and improve our website, detect abuse, and ensure the integrity of our scanning tools.
• Analytics. To understand how visitors use our site, which pages are most visited, and how to improve user experience.
• Legal compliance. To meet our legal obligations, respond to lawful requests, and protect our rights.

THIRD-PARTY DATA SHARING

We share data with third parties only as necessary to operate our site and deliver our services. We do not sell, rent, or trade your personal information. The following services receive data from our site:

Netlify (Hosting & Forms)

Our website is hosted on Netlify. All form submissions (recon-lead, brief, personal-recon-lead) are processed and stored by Netlify's form handling infrastructure. Netlify also collects server logs. Netlify Privacy Policy

XposedOrNot API

Our email breach scanner queries the XposedOrNot API with the email address you enter. The email is transmitted to XposedOrNot's servers to check against their breach database. We do not control how XposedOrNot processes that query. XposedOrNot Privacy Policy

HaveIBeenPwned (HIBP)

If configured, our scanner may also query the HaveIBeenPwned API using a k-anonymity model (only a partial hash of the email is transmitted). HIBP does not receive your full email address in this mode. HIBP Privacy Policy

Cloudflare DNS-over-HTTPS (DoH)

Our domain recon scanner uses Cloudflare's public DoH resolver (1.1.1.1) to perform DNS lookups on domains you enter. Cloudflare receives the DNS queries. Cloudflare Privacy Policy

crt.sh (Certificate Transparency)

Our domain recon scanner queries crt.sh to enumerate SSL/TLS certificates issued for the target domain. The domain name is transmitted to crt.sh's publicly accessible API.

NIST National Vulnerability Database (NVD)

Our recon scanner may query the NIST NVD API to check for known vulnerabilities associated with detected technologies. Technology identifiers (not personal data) are transmitted.

Resend (Email)

We use Resend as our transactional email provider. If we send you email (e.g., scan results, follow-up correspondence), your email address and message content are processed by Resend. Resend Privacy Policy

Service Delivery Partners

For contracted services, we may share relevant data with our technology partners including Field Effect (MDR platform), BlackCloak (executive protection), Aura (family protection), Incogni (data broker removal), and CORK (cyber insurance). Data shared with these partners is governed by separate service agreements and their respective privacy policies.

SCANNER DATA & PUBLIC SOURCE QUERIES

Email breach scanner: Queries the XposedOrNot (and optionally HaveIBeenPwned) APIs against known breach compilations. Results are displayed in your browser session only. We do not store the email address or scan results on our servers beyond the duration of the request.

Domain recon scanner: Performs passive reconnaissance using DNS lookups (via Cloudflare DoH), certificate transparency logs (via crt.sh), and vulnerability databases (via NIST NVD). All queries target publicly accessible APIs. No data is stored server-side beyond the active session. Scan results are rendered client-side in your browser.

Netlify Functions: Some scanner queries are proxied through Netlify Functions (serverless) to avoid CORS restrictions. These functions are stateless — they process the request, return the response, and retain no data.

COOKIES & TRACKING

We currently use minimal to no cookies. Our site does not deploy third-party advertising trackers, retargeting pixels, or social media tracking scripts.

Our hosting provider (Netlify) may set essential cookies required for site functionality, security, and load balancing. These are strictly necessary and cannot be opted out of while using the site.

If we implement analytics or tracking cookies in the future, we will update this policy and provide appropriate notice and consent mechanisms before activating them.

Local storage: Our scanning tools may use browser local storage or session storage to temporarily hold scan state during your active session. This data is not transmitted to our servers and is cleared when your session ends.

DATA RETENTION

Form Submissions

Lead form data submitted through Netlify Forms is retained for as long as necessary to follow up on your inquiry and maintain our business records. Typically no longer than 24 months from last contact, unless an active service engagement exists.

Scanner Data

Email addresses and domain names entered into our scanning tools are not retained beyond the active server request. No scan inputs or results are stored in any database.

Server Logs

Netlify server logs (including IP addresses and access records) are retained per Netlify's standard retention policy, typically 30 days.

Service Engagement Data

Data related to contracted professional services (MDR, forensics, compliance) is retained per the terms of the applicable service agreement and any legal or regulatory requirements.

Deletion Requests

You may request deletion of your personal data at any time by contacting us at info@trstxcyber.com. We will process deletion requests within 45 days, subject to any legal obligations that require us to retain certain records.

SECURITY MEASURES

We are a cybersecurity company. We take data protection seriously and implement security measures commensurate with the sensitivity of the data we handle:

• Encryption in transit. All data transmitted between your browser and our servers is encrypted via TLS 1.2+ (HTTPS enforced site-wide).
• No plaintext storage of scan results. Scanner inputs and outputs are processed in memory and returned to the client. They are not written to persistent storage.
• Serverless architecture. Our Netlify Functions are stateless and ephemeral. They spin up, process a request, and terminate — leaving no residual data.
• Access controls. Access to form submission data and hosting infrastructure is restricted to authorized TRST CYBER personnel only, secured with multi-factor authentication.
• Vendor security. Our technology partners (Netlify, Field Effect, BlackCloak, etc.) maintain their own security certifications and compliance frameworks.
• Incident response. We maintain a documented incident response process. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

CALIFORNIA PRIVACY RIGHTS

TRST CYBER is a California company. If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights regarding your personal information:

Your Rights Under CCPA/CPRA

• Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations, security purposes).
• Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to Limit Use of Sensitive Personal Information. We do not collect or process sensitive personal information as defined by the CPRA beyond what is necessary to provide our services.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, a different quality of service, or be denied services for exercising your rights.

How to Exercise Your Rights

Submit a verifiable consumer request by emailing info@trstxcyber.com with the subject line "CCPA Request" or by calling +1 (714) 716-4007. We will verify your identity before processing your request and respond within 45 days.

Categories of Personal Information Collected (Last 12 Months)

Identifiers

Name, email address, phone number, IP address

Commercial Information

Records of services purchased or considered, inquiries submitted

Internet Activity

Browsing history on our site, interactions with our scanning tools, search queries entered into our scanners

Professional Information

Company name, job title (when provided in forms)

EUROPEAN PRIVACY RIGHTS

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable local laws provide you with additional rights regarding your personal data.

Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Consent. When you voluntarily submit a form or initiate a scan, you consent to the processing necessary to fulfill that action.
• Legitimate Interest. We have a legitimate interest in responding to inquiries, improving our services, securing our website, and conducting analytics — balanced against your data protection rights.
• Contract. When you engage us for professional services, processing is necessary for the performance of our contract with you.
• Legal Obligation. We may process data to comply with applicable laws and regulations.

Your Rights Under GDPR

• Right of Access. You may request a copy of the personal data we hold about you.
• Right to Rectification. You may request that we correct inaccurate or incomplete data.
• Right to Erasure. You may request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• Right to Restrict Processing. You may request that we limit processing of your data in certain circumstances.
• Right to Data Portability. You may request a machine-readable copy of data you have provided to us.
• Right to Object. You may object to processing based on legitimate interest, including direct marketing.
• Right to Withdraw Consent. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint. You have the right to file a complaint with your local data protection authority.

Data Controller

The data controller for information collected through this website is:
TRST CYBER
5762 Bolsa Ave. Unit 101
Huntington Beach, CA 92649, USA
info@trstxcyber.com

To exercise any GDPR right, contact us at info@trstxcyber.com with the subject line "GDPR Request." We will respond within 30 days.

CHILDREN'S PRIVACY

Our website and services are not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us immediately at info@trstxcyber.com and we will delete that data within 48 hours.

Our scanning tools require users to enter email addresses and domain names. We do not verify the age of individuals using these tools, but they are designed for business professionals and adult personal use.

INTERNATIONAL DATA TRANSFERS

TRST CYBER is based in the United States. If you access our website from outside the US, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

When our scanning tools query third-party APIs (XposedOrNot, Cloudflare, crt.sh, NIST NVD), your input data may be processed on servers located in various countries. These transfers are inherent to the publicly available APIs being queried.

For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable to ensure adequate protection for cross-border data transfers with our service providers.

CHANGES TO THIS POLICY

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, provide additional notice (such as a banner on our website or an email to known contacts).

Continued use of our website after changes are posted constitutes your acceptance of the updated policy. We recommend reviewing this page periodically.

CONTACT US

For privacy-related inquiries, data access requests, deletion requests, or questions about this policy: