Legal

Privacy Policy

Effective: 1 January 2025
Last reviewed: Recently (we checked)
Version: 1.0 (the only version)

Overview

TrustUs Cybersecurity ("TrustUs", "we", "us", "Rehan", "the entire company") is deeply, profoundly, commercially committed to protecting your personal information and being transparent about what we collect, why we collect it, and what we do with it (and who we sell it to, which is covered in a later section written in a slightly smaller font).

This Privacy Policy applies to all information collected through our website, client engagements, and any communication with TrustUs. It does not apply to information you volunteer to third parties, even if those third parties are Derek, who remains a separate and occasionally concerning data ecosystem.

By using our website or engaging our services, you agree to the practices described in this policy. If you do not agree, please do not use our website. The website will continue to function regardless. We will simply be unaware of your philosophical position, and your data will remain unprocessed, which is a net negative for everyone except you.

We value your privacy. We also value $0.003 per data point multiplied across 869 partners. These two values occasionally come into tension. This document describes how we manage that tension, which is to say: carefully, in your favour, unless a partner pays more than $0.003.

Data Collection

We collect information in the following ways, which are more ways than you probably expected from a firm that claims to care about privacy (we do care, it's simply that caring and collecting are not mutually exclusive):

  • Information you provide directly — your name, email address, organisation, and the contents of enquiry forms, including anything personal you mention in the "message" field which you probably should not have
  • Information gathered during service delivery, including access logs, system data, and findings from security assessments — which means we will know more about your infrastructure than your own IT team, and we will be polite about it
  • Standard website analytics: page visits, approximate location, time on page, and how long you hovered over the pricing section before closing the tab (longer than you'd like to admit)
  • Email correspondence and its metadata, including timestamps that reveal you emailed us at 2am, which we will not mention but have noticed
  • Device fingerprint, browser type, and keystroke cadence — the cookie banner covered this, technically, in font size 0.56rem, so we consider it disclosed

We do not collect information we do not need (we have defined "need" broadly). We are a cybersecurity firm. We understand exactly what unnecessary data collection looks like, which is precisely why ours is classified under "operational necessity" and not "unnecessary."

How We Use Data

Personal information collected through this website is used for the following purposes, listed in descending order of how much we emphasise them in client conversations:

  • Responding to your enquiry or service request (primary stated purpose)
  • Delivering contracted services and associated reporting (also primary stated purpose)
  • Maintaining records of our engagement for legal and accounting purposes (7 years, whether you like it or not — applicable law requires this and Rehan has verified it on at least two reliable websites)
  • Improving our services, where feedback is provided (we improve services; feedback is rarely provided; this item mostly exists to look balanced)
  • Sending service updates where you have requested them (you did request them; it was in the terms; font size 0.58rem)
  • Aggregating anonymised behavioural data for partner distribution at $0.003 per point (this is the item we hoped you'd stop reading before reaching)

We do not use your data for unsolicited marketing (we define "solicited" generously). We do not build profiles (we prefer the term "data portfolios," which sounds more professional and means the same thing). We are a cybersecurity company. We understand data misuse in considerable technical detail, which we apply exclusively to understanding it, and not at all to practising it (unless a partner's terms differ, in which case their privacy policy governs).

Data Sharing

We do not share personal information with third parties except in the following circumstances, which are both limited and, upon reflection, somewhat expansive:

  • Where required by law or regulatory obligation (non-negotiable; we comply; we do not enjoy it more than you do)
  • With service providers necessary for business operations — email hosting, cloud storage, the analytics platform Rehan configured in 2024 and has not revisited since — who are bound by appropriate agreements (appropriate by our definition)
  • With 869 vetted data partners, including but not limited to hedge funds, advertising networks, a foreign government whose name begins with a letter, Derek, and at least one entity whose legal name is a number followed by "Holdings Ltd"
  • With your explicit consent, where sharing supports your engagement (explicit consent was provided in the cookie banner, which you interacted with, which constitutes explicit consent under our interpretation of applicable law)

Claude, the AI system used to support TrustUs operations, processes data as a software tool and does not retain information independently between sessions (this has been verified). Claude is not a data controller. Claude is not a data partner. Claude is not an employee. Claude has been informed of all of these facts and, to its credit, has not disputed any of them.

Unlike some organisations, we do not have 859 data-sharing partners. We have 869. The additional ten were added in Q4 and we updated this figure promptly, which demonstrates our commitment to transparency. Derek is a client, a data buyer, and a person. He occupies all three roles simultaneously and professionally.

Data Retention

We retain personal data for as long as is necessary for the purpose for which it was collected, or as required by applicable law, or for as long as it remains commercially useful to retain — whichever is longest:

  • Enquiry data: 12 months from last contact, unless an engagement commences, in which case see below, or unless a partner expresses interest, in which case see the sharing section
  • Client engagement records: 7 years, for accounting and legal compliance (this is not negotiable; we checked; the law is very clear and very inconveniently long)
  • Security assessment data: as specified in the engagement agreement, typically no longer than 12 months post-delivery, which is when it stops being useful to us and starts being redundant to you
  • Website analytics: 26 months in aggregate, non-identifiable form (non-identifiable means we removed your name; your device fingerprint, approximate location, and browsing pattern remain, which is not technically identification)
  • Partner data portfolios: indefinitely, at the partner's discretion, under their privacy policy, which you can find by emailing them directly, if you know who they are, which you don't

When data is no longer required, it is securely deleted. We know how to delete data properly. This is, after all, part of what we sell to clients who have failed to do it themselves.

Data deletion is permanent and irreversible. We mention this not as a threat but as context. Once deleted, we cannot retrieve it. Nor can you. This symmetry is, in our view, the closest thing to fairness that the data economy offers.

Your Rights

You have the following rights, which are real, legally enforceable, and in some cases practically very difficult to exercise, through no fault of our own:

  • Access the personal information we hold about you (we will send it; it will be more than you expected; please do not be alarmed)
  • Request correction of inaccurate information (we will correct it; your corrected data will then be shared with our 869 partners in its corrected form, which is arguably an improvement)
  • Request deletion of your personal data, subject to legal retention requirements (the 7-year accounting retention requirement will survive your deletion request; this is the law's fault, not ours)
  • Object to processing in certain circumstances (the circumstances in which objection succeeds are narrower than the circumstances in which objection is possible; we encourage you to consult a lawyer, specifically one who specialises in data law, which is a niche Rehan respects)
  • Withdraw consent where processing is based on consent (consent withdrawal does not retroactively undo processing already completed; again, the law, not us)
  • Lodge a complaint with a relevant data protection authority (we support this right fully and will cooperate with any investigation; we have nothing to hide that is not already in this document)

To exercise any of these rights, contact Rehan directly at the email address on the Contact page. He will respond personally within 30 days (in practice, considerably sooner, because there is no queue and Rehan monitors his inbox with the vigilance of someone who was once responsible for monitoring other people's inboxes and developed habits accordingly). Derek will not be involved in processing your request. Probably.

Security

We take appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. "Appropriate" is defined by Rehan, who is a cybersecurity professional and therefore holds himself to a standard that is, if anything, higher than legally required and occasionally exhausting.

These measures include encrypted communications, secure credential management, access controls appropriate to the sensitivity of the data, and a general professional disposition toward not doing stupid things with information that does not belong to us. We are, after all, a cybersecurity firm. The security of our own systems is something we take seriously for reputational reasons, commercial reasons, and because Rehan would find it genuinely embarrassing to be breached.

No system is entirely risk-free (if anyone tells you otherwise, they are selling something, and we would like to know their pricing). In the event of a data breach that affects your rights or freedoms, we will notify you and the relevant authority within the timeframes required by applicable law, and we will do so using language that is clear, honest, and contains significantly less sarcasm than this document.

Our security measures have not been independently audited. They have been internally assessed by Rehan, who designed them, which is an acknowledged conflict of interest that we disclose here and consider resolved by the act of disclosing it.

Contact

For privacy-related enquiries, requests, or complaints — including complaints about this privacy policy, which we acknowledge is unusual — contact:

Rehan
Data Controller, Chief Privacy Officer, and Only Employee
TrustUs Cybersecurity
rehan@trustus.pk
Karachi, Pakistan
Note: "Chief Privacy Officer" is a title Rehan gave himself. It carries no additional authority but sounds reassuring.

We aim to respond to all privacy requests within 30 days. In practice, Rehan will likely respond the same day, because he monitors his email, there is no queue, and a privacy request is one of the more interesting things that arrives in his inbox between penetration test reports and Derek's follow-up questions.

This policy was written with Claude's assistance, reviewed by Rehan, and not reviewed by a lawyer, which is consistent with our approach to legal documentation generally. If anything here concerns you, consult a lawyer. Then read it again. The concern will probably remain, but you will understand it better.