1. Who is responsible
SocialTrust (“we”, “us”), operated at socialtrust.io, provides a social-proof SaaS for online stores. Privacy contact: privacy@socialtrust.io. Support: support@socialtrust.io.
Account & billing data: we are the controller.
Store visitor / order / lead data processed through the widget, tracking APIs, and store webhooks for a merchant customer:
the merchant is typically the controller and SocialTrust acts as their processor on their documented instructions (dashboard settings, integrations, and API usage).
2. Personal data we process
| Category | Examples | Typical lawful basis |
|---|---|---|
| Account data | Name, email, password hash, plan, role | Contract (Art. 6(1)(b)) |
| Billing data | Stripe customer/subscription IDs, plan status, amounts; card details handled by Stripe | Contract; legal obligation for tax records |
| Site configuration | Site name, domain, widget settings, products, imported reviews | Contract |
| Service usage | Dashboard actions, auth events, audit logs, support emails | Contract; legitimate interests (security & improvement) |
| Widget / store events (on behalf of merchants) | Page views, impressions, clicks, sales, inquiry / WhatsApp / call lead signals; visitor IDs; product/SKU; first name + initial; city; coarse location from IP when geo is enabled | Merchant’s basis (often legitimate interests / consent as they determine); we process as processor |
| Technical data | IP address (for geo lookup and security), user agent, timestamps | Legitimate interests; processor instructions for merchant traffic |
We do not intentionally collect special-category data. We do not knowingly offer accounts to children under 18. Merchants must not configure the Service to display sensitive personal data in notifications.
3. How we use data
- Provide, authenticate, and secure accounts (including HttpOnly session cookies).
- Provision sites, enforce plan limits, and operate billing via Stripe.
- Deliver widget configuration and social-proof feeds on merchant sites.
- Record events for analytics, quotas, live-visitor counts, and lead history in the merchant dashboard.
- Resolve approximate city/country for notifications when a merchant enables geo behaviour (using IP-based lookup).
- Import public or authorised reviews (for example Trustpilot or Google) when a merchant connects those sources.
- Send transactional email such as password-reset links when email delivery is configured.
- Detect abuse, debug failures, and improve reliability of the Service.
We do not sell personal data. We do not use merchant store visitor data to advertise SocialTrust to those visitors on third-party platforms.
4. Cookies and similar technologies
We use cookies and similar technologies as described in our dedicated Cookie Policy. In short:
| Name | Type | Purpose | Duration |
|---|---|---|---|
ot_session |
Strictly necessary | Keeps you signed in to the dashboard (JWT session) | Up to 30 days |
st_consent / st_cookie_consent |
Strictly necessary | Stores your cookie consent choice so we do not re-prompt unnecessarily | Up to 365 days |
st_prefs, st_analytics, st_vid |
Optional (consent required) | Preferences flag and first-party marketing analytics | Up to 365 days when accepted |
| Widget visitor ID (local storage on merchant sites) | Merchant-site storage | Correlate heartbeats / last-shown timing for the widget | Browser / widget lifecycle |
Optional cookies are gated behind our on-site consent banner (Accept all / Reject optional / Manage). You can reopen preferences anytime via Cookie settings. Merchants remain responsible for cookie notices on their own storefronts where the widget runs.
5. Processors and sub-processors
Depending on configuration, we use providers such as:
- Hosting / database — cloud application hosts and managed Postgres (for example Neon or similar) for storing account and event data.
- Stripe — payment processing and subscription billing.
- Email (SMTP) — transactional mail when configured by the operator.
- Geo-IP — ipwho.is and/or ipinfo.io to resolve approximate city/country from IP when geo is enabled.
- Review sources — Trustpilot and Google Places APIs when a merchant imports reviews.
- Store platforms — Shopify, WooCommerce, or Stripe Checkout webhooks when a merchant connects them to send order events.
We require processors to protect personal data under appropriate contracts. International transfers (if any) rely on adequacy decisions or standard contractual clauses / equivalent safeguards where required.
6. Retention
| Data | Retention |
|---|---|
| Account & site configuration | For the life of the account; deleted or anonymised within a reasonable period after account deletion (target: 30 days), unless we must retain longer for disputes or law |
| Billing / subscription records | Typically up to 7 years where needed for tax and accounting |
| Widget events & leads | Retained while the merchant account/site exists so feeds and dashboards work; merchants may delete sites or request deletion |
| Password-reset tokens | Until used or expired |
| Audit logs | For a limited security/operations window |
7. Sharing
We share personal data only:
- With sub-processors needed to run the Service;
- With the merchant who owns a site, for data collected on that site;
- When required by law, regulation, or valid legal process;
- In connection with a merger, acquisition, or asset sale, with appropriate safeguards;
- With your consent or direction.
8. Security
We use industry-standard measures appropriate to a SaaS product of this type, including TLS in production, password hashing (bcrypt), HttpOnly session cookies, and server-side authorisation for tenant data. No method of transmission or storage is perfectly secure; please use a strong unique password and contact us promptly if you suspect unauthorised access.
9. Your rights
Depending on your location, you may have rights to:
- Access, correct, or delete personal data we hold about you;
- Restrict or object to certain processing;
- Receive a portable copy of data you provided;
- Withdraw consent where processing is consent-based;
- Lodge a complaint with a supervisory authority (in the UK: the ICO).
Account holders can update profile details in the dashboard and may request deletion by emailing privacy@socialtrust.io. End customers of a merchant store should contact that merchant first for rights requests about store notifications or orders; we will assist merchants as their processor.
California (CCPA/CPRA) summary
We do not “sell” or “share” personal information for cross-context behavioural advertising as those terms are commonly defined. California residents may request know/delete/correct rights via privacy@socialtrust.io. We will not discriminate for exercising privacy rights.
10. Merchants’ responsibilities
If you use SocialTrust on your store, you must:
- Provide appropriate privacy notices to your visitors and customers;
- Obtain any required consents for cookies, marketing, or lead capture in your jurisdiction;
- Avoid sending us more personal data than needed for social proof (we recommend first name + initial and city, not full addresses or contact details in public notifications);
- Configure geo and lead features in line with your policies and local law.
11. International visitors
The Service may be accessed from outside the UK. Where we transfer personal data internationally, we take steps designed to ensure an adequate level of protection as required by applicable law.
12. Changes to this policy
We may update this Privacy Policy to reflect product or legal changes. We will revise the “Last updated” date and, for material changes, provide additional notice where appropriate.
13. Contact
Privacy requests: privacy@socialtrust.io
General support: support@socialtrust.io
Related: Terms of Service · Cookie Policy ·
Cookie settings