1. Who this policy is from
This policy describes how TrustKarry collects and uses information during its closed-beta phase. References to "TrustKarry," "we," and "us" mean the closed-beta team operating the platform. The legal operating entity will be confirmed by counsel before broader launch.
2. Information we collect
TrustKarry collects: account details (name, email, phone, password hash, language); profile information (avatar, country, city, user type); identity verification documents you upload (government ID, address proof, selfie, document metadata); trip details and item-request details you create; in-app messages you send and the attachments you choose to share; safety checkpoint evidence and offline-payment acknowledgements; notifications and event timestamps; and operational logs needed to run, secure, and debug the service.
3. Why we use it (legal basis)
We process your information to (a) authenticate you and operate your account (contract / legitimate interest), (b) facilitate marketplace coordination between senders and travelers (contract), (c) manually review identity verification and moderation cases (legitimate interest in trust and safety), (d) send transactional notifications about your requests, trips, verification, and disputes (contract), (e) investigate disputes and prevent abuse (legitimate interest, legal obligation where applicable), and (f) improve the product within the bounds of this policy (legitimate interest). Where consent is the legal basis, you can withdraw it at any time without affecting prior lawful processing.
4. Verification documents and safety artifacts
Identity verification documents are sensitive operational records. Access is restricted to: the user who submitted them; TrustKarry admins reviewing the submission; and TrustKarry operators investigating a related safety or dispute case. Verification documents are not visible to your counterparties. Counterparties only see your high-level verification status (Verified, Under Review, Not Verified, or Rejected) — never the documents themselves. Safety checkpoint evidence attached to a transaction may be visible to the participants of that transaction and to admins reviewing it.
5. Service providers we share data with
We use third-party service providers to operate the platform. These providers process data only to provide their service to TrustKarry. The current list includes: a transactional email provider (Resend); a managed Postgres host and managed Redis host for primary data; an object-storage provider for media (verification documents, message attachments, safety evidence) accessed through signed URLs; a Next.js / Go application hosting provider; and standard error and uptime monitoring. We add or remove providers as the system evolves and will keep this section reasonably current.
6. Data location and cross-border transfers
TrustKarry is operated for users in Canada and Nigeria during closed beta. Data may be stored or processed in Canada, the United States, or other regions where our service providers operate. Where data is transferred across borders, we rely on contractual safeguards and provider-level certifications. If you have specific data-residency requirements, contact us before submitting verification documents.
7. Retention
We retain account information for as long as your account is active and for a reasonable period after closure (typically up to 24 months) to support disputes, safety review, and legal obligations. Verification documents are retained while the verification record is active and are deleted within 90 days of a final decision unless retention is required for an ongoing safety investigation. In-app messages, transaction history, and safety evidence are retained while the related request is active and afterwards as part of standard records. Operational logs are kept for a shorter period sufficient for security review and debugging. You can request deletion at any time as described in section 8.
8. Your rights and choices
Depending on where you live, you may have the right to: access the personal information we hold about you; correct inaccurate information; request deletion of your information (subject to legal and safety retention obligations); request a portable copy of your information in a common format; object to certain processing; and withdraw consent where consent is the legal basis. To exercise any of these rights, contact us at the email in section 11. We may need to verify your identity before acting on the request.
9. Security
TrustKarry uses HTTPS for all traffic between the app and the API; signed and time-limited URLs for access to verification documents and safety evidence; password hashing for authentication; and access controls that limit which operators can read which records. No system is perfectly secure. If we become aware of a security incident that materially affects your information, we will use reasonable efforts to notify affected users without undue delay and within 72 hours of confirming the incident, in line with applicable law.
10. Children
TrustKarry is not directed to children under 16, and you must be at least 18 years old to use the service per the Terms of Service. We do not knowingly collect personal information from children under 16. If you believe a child has provided information to us, contact us and we will delete it.
11. Contact
Privacy questions, deletion requests, and other rights requests can be sent to info.trustkarry@gmail.com. (Closed-beta placeholder; a dedicated privacy contact will be confirmed by counsel before broader launch.)
12. Changes to this policy
We may update this policy as the product evolves. The effective date below the page title indicates when the most recent version takes effect. Where a change is material, we will use reasonable efforts to notify users.
13. Draft legal notice
This privacy policy is a closed-beta working draft prepared to make our actual data practices explicit during the invite-only phase. It must be reviewed and revised by a qualified lawyer before any broader launch.