Summary
This Privacy Policy explains how Trusted Path Ltd collects, uses, stores, and shares your personal data when you visit our website, participate in our pilot programme, or receive our services. Please read it carefully before using our site or services.
If you have any questions, contact us at dpo@trustedpath.biz.
Who We Are
For the purposes of UK data protection law, Trusted Path Ltd is the data controller in respect of personal data collected via our website (www.trustedpath.biz), our survey and interview system (surveys.trustedpath.biz), and any communications, contracts, or interactions related to our services.
Data Controller
Trusted Path Ltd
Company number: 16189138
Registered office: 86-90 Paul Street, London, EC2A 4NE, United Kingdom
Email: dpo@trustedpath.biz
Founder/Lead Contact: cto@trustedpath.biz
Website: www.trustedpath.biz
What Personal Data We Collect
Website Visitors
When you visit our website, we may collect the following categories of personal data:
- Technical data: IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data: Pages visited, time spent on each page, referral source, and navigation paths.
- Cookie data: Session and preference cookies, subject to your consent as described in Section 11.
Contact and Enquiry Data
When you submit a contact form, book a pilot call, or otherwise contact us, we collect:
- Full name
- Work email address
- Organisation name
- Job title or role (if provided)
- The content of your message or enquiry
Pilot Programme and Platform Data
If you participate in our pilot programme or sign up to use the Trusted Path platform, we collect additional data as described in our Data Processing Agreement and Terms of Service, including:
- Professional contact details (name, work email, job title)
- Organisation and team information
- SDLC maturity assessment inputs and responses
- Survey and interview responses
- Platform usage and activity data
Data We Do Not Collect
We do not intentionally collect special category personal data (such as data about health, ethnicity, religion, or political opinions) through our website or standard service interactions. We do not collect payment card data directly — any payments are processed by our payment processors.
How We Collect Your Data
Directly From You
- Contact and booking forms on our website
- Email and telephone communications
- Pilot programme enrolment and onboarding
- Survey and interview participation
Automatically
- Server logs when you access our website
- Cookies and similar tracking technologies (see Section 11)
- Analytics tools (subject to your consent)
From Third Parties
- Professional networking platforms such as LinkedIn, where you have made your details publicly available or connected with us
- Referrals from existing contacts or partners
- Publicly available business directories, used for B2B prospecting
How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Description | Lawful Basis |
|---|---|---|
| Responding to enquiries | Processing contact form submissions and booking requests | Contract / LI |
| Delivering the pilot | Onboarding, assessment, and reporting during the six-week pilot programme | Contract |
| Platform provision | Account management, access control, and service delivery | Contract |
| Product improvement | Analysing aggregated usage data to improve the platform and our offering | LI |
| Marketing | Sending updates, newsletters, and relevant content to opted-in contacts | Consent / LI |
| Legal compliance | Meeting obligations under applicable law, including data protection and tax law | Legal Obligation |
| Security | Monitoring for abuse, fraud, and security incidents | LI |
LI = Legitimate Interests. We have carried out a legitimate interests assessment (LIA) for each activity marked LI and determined that our interests do not override your fundamental rights and freedoms.
Lawful Bases for Processing
Performance of a Contract (Article 6(1)(b))
Where processing is necessary to perform a contract with you or to take steps at your request before entering into such a contract.
Legitimate Interests (Article 6(1)(f))
Where processing is necessary for our legitimate interests, including operating and improving our platform, conducting B2B outreach, maintaining security, and preventing fraud, provided those interests are not overridden by your rights.
Legal Obligation (Article 6(1)(c))
Where processing is necessary to comply with a legal obligation, including tax, accounting, or data protection law requirements.
Consent (Article 6(1)(a))
Where you have given clear consent for a specific purpose, such as subscribing to marketing communications or accepting non-essential cookies. Where processing is based on your consent, you may withdraw that consent at any time by contacting dpo@trustedpath.biz. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Data Sharing and Disclosure
We do not sell your personal data. We share data only in the following circumstances:
Service Providers (Sub-Processors)
We use a limited number of trusted third-party service providers to operate our business. These providers act as data processors and are contractually bound to process data only on our instructions and in accordance with applicable data protection law. Our current sub-processors include:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | EU (Ireland) |
| Google Workspace | Transactional and operational email delivery (info@trustedpath.biz, dpo@trustedpath.biz) | EU / US (SCCs) |
| Calendly / Booking Tool | Pilot call scheduling | US (SCCs) |
| Stripe | Payment processing | EU / US (SCCs) |
Legal and Regulatory Disclosure
We may disclose personal data where required by law, court order, or a competent regulatory authority, including the Information Commissioner's Office (ICO) or law enforcement agencies acting under lawful authority.
Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity, subject to equivalent data protection obligations.
International Data Transfers
Where we or our sub-processors transfer personal data to countries that do not benefit from a UK adequacy decision, we ensure appropriate safeguards are in place, including International Data Transfer Agreements (IDTAs), the UK's equivalent of the EU Standard Contractual Clauses (SCCs).
Specifically, transfers to our US-based sub-processors (including Google Workspace and Stripe) are governed by IDTAs incorporated into our data processing agreements with those providers.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
| Category | Retention Period | Basis |
|---|---|---|
| Contact and enquiry records | 3 years from last contact | Legitimate interests |
| Pilot programme data | Duration of engagement + 2 years | Contract; legal obligation |
| Platform customer data | Duration of subscription + 1 year | Contract; legal obligation |
| Financial and invoicing records | 6 years | Legal obligation (UK tax law) |
| Marketing consent records | Until consent withdrawn + 1 year | Consent; legal obligation |
| Website analytics data | 13 months (aggregated thereafter) | Legitimate interests; consent |
| Security and access logs | 12 months | Legitimate interests |
At the end of the applicable retention period, personal data is securely deleted or anonymised.
Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls based on the principle of least privilege
- Multi-factor authentication for internal systems
- Regular vulnerability assessments and penetration testing
- Incident response and breach notification procedures
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and will notify affected individuals without undue delay where required by law.
Responsible Disclosure
If you discover a security vulnerability affecting our systems, please report it responsibly to dpo@trustedpath.biz. We will acknowledge and investigate all credible reports.
Your Rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
Access
Obtain a copy of the personal data we hold about you.
Rectification
Have inaccurate or incomplete data corrected.
Erasure
Request deletion of your data in certain circumstances.
Restriction
Restrict our processing of your data while a dispute is resolved.
Portability
Receive your data in a structured, machine-readable format.
Objection
Object to processing based on legitimate interests or for direct marketing.
Automated Decisions
Not be subject to decisions based solely on automated processing.
Withdraw Consent
Withdraw consent at any time where processing is consent-based.
To exercise any of these rights, please contact us at dpo@trustedpath.biz. We may need to verify your identity before fulfilling a request.
Marketing Opt-Out
If you receive B2B marketing communications from us, you may opt out at any time by clicking the unsubscribe link in the communication or by contacting us at dpo@trustedpath.biz. We will honour opt-out requests within 10 business days.
Cookies and Tracking Technologies
Cookies We Use
| Category | Purpose | Lawful Basis |
|---|---|---|
| Strictly Necessary | Session management, security, and form functionality. Cannot be disabled. | Necessary |
| Analytics | Aggregated usage statistics to improve the website. | Consent |
| Functional | Storing preferences such as language or layout settings. | Consent |
| Marketing | Tracking visits across sites to deliver relevant advertising. | Consent |
Cookie Consent
When you first visit www.trustedpath.biz, our cookie consent banner will ask for your preferences before any non-essential cookies are set. A full list of cookies in use is available on our Cookie Policy page.
Children's Data
Our website and services are directed at business professionals and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at dpo@trustedpath.biz and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing activities, business operations, or applicable law. Where changes are material, we will notify platform users by email or via an in-app notice before the changes take effect.
Version History
v1.0 — 14 March 2026: Initial publication.
Contact and Complaints
If you have any questions, concerns, or complaints about how we handle your personal data, please contact us in the first instance:
Data Controller Contact
Trusted Path Ltd
Email: dpo@trustedpath.biz
Address: 86-90 Paul Street, London, EC2A 4NE, United Kingdom
We aim to respond to all data protection queries within 10 business days.
Right to Lodge a Complaint
If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF