TRUSTED AUTHORITY AI
PRIVACY POLICY - Effective Date: 1 March 2026 | Last Updated: April 2026
This Policy is designed to meet obligations under: GDPR (EU/Malta) · PDPA (Singapore) · PDPC (Malaysia) · PDPO (Hong Kong) · Privacy Act 1988 (Australia) · PIPL (China) · PDPB (Vietnam) · CCPA/CPRA (California, USA) · CAN-SPAM Act (USA)
Brand Name - Trusted Authority AI
Operating Entity - Trusted Authority AI (a consultancy brand operated by its principal)
Principal Domicile - Malta (EU Member State)
Primary Markets - Singapore · Malaysia · Vietnam · Australia · APAC Region · United States
Contact Email - [email protected]
Website - www.trustedauthorityai.com
1. Introduction & Scope
Trusted Authority AI (“we”, “us”, “our”) is an AI management consulting brand providing strategy, advisory, and implementation services to mid-market businesses across Southeast Asia, the broader Asia-Pacific region, and the United States. We are committed to protecting the privacy and personal data of every individual who interacts with us, whether as a prospective client, current client, website visitor, or business contact.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, how long we retain it, and what rights you have. It applies to all personal data processed through our website, client engagements, marketing activities, and communication channels.
Where applicable law grants you stronger rights than those described herein, those rights shall prevail. If you are located in the European Economic Area (EEA) or are a Maltese resident, GDPR applies. If you are in Singapore, the Personal Data Protection Act 2012 (PDPA) applies. Malaysian residents are covered by the Personal Data Protection Act 2010 (PDPA Malaysia). California residents have additional rights under CCPA/CPRA. Australian residents are covered by the Privacy Act 1988 and the Australian Privacy Principles (APPs).
2. Data Controller / Data Owner
Trusted Authority AI operates as a sole-trader consulting brand with principal registration and tax residency in Malta (an EU Member State), giving rise to GDPR obligations as the baseline standard.
For the purposes of applicable data protection law, we are the data controller (or data owner/data processor where applicable under non-EU frameworks) of the personal data described in this Policy.
Contact details for data-related enquiries:
• Email: [email protected]
• Website: www.trustedauthorityai.com/contact
• Response time: We aim to respond to all privacy enquiries within 30 calendar days.
3. Personal Data We Collect
3.1 Data You Provide Directly
• Identity & contact data: full name, job title, company name, business email address, telephone number
• Enquiry & engagement data: messages sent via contact forms, emails, or consultation booking requests
• Business information: company size, revenue range, industry sector, operational locations, and business challenges shared during discovery calls or onboarding
• Contractual data: information provided during proposal, agreement signing, and project delivery phases
• Payment data: invoicing details (processed via secure third-party payment processors; we do not store full card details)
• Communication preferences: opt-in/opt-out records for marketing communications
3.2 Data Collected Automatically
• Technical data: IP address, browser type and version, device type, operating system, referring URL, and pages visited
• Usage data: session duration, clickstream data, and interaction patterns collected via cookies and analytics tools
• Communication metadata: email open rates and click-through data (aggregated and anonymised where possible)
3.3 Data from Third Parties
• Professional profile data from LinkedIn and other public business directories
• Referral data from business partners or existing clients
• Firmographic data from reputable B2B data providers for outreach purposes
We do not collect, process, or store ‘special category’ personal data (e.g. health, biometric, racial, or religious data) and request that clients refrain from sharing such data unless strictly necessary for service delivery.
4. How We Use Your Personal Data
4.1 Legal Bases (GDPR & Equivalent Frameworks)
We process personal data under the following legal bases:
• Contractual necessity – to deliver consulting services under an agreed engagement
• Legitimate interests – for business development, marketing to professionals, and improving our services
• Consent – for marketing emails and newsletters where required by applicable law
• Legal obligation – to comply with applicable tax, corporate, and regulatory requirements
4.2 Purposes of Processing
• Responding to enquiries and scheduling consultations
• Preparing and delivering AI strategy consulting engagements, audits, and workshops
• Sending project-related communications and deliverables
• Issuing invoices and managing payments
• Sending marketing communications, case studies, and insights (where consented or permitted under legitimate interests)
• Improving our website, services, and marketing via anonymised analytics
• Complying with legal obligations in Malta, Singapore, Malaysia, Vietnam, Australia, and other applicable jurisdictions
• Fraud prevention and security purposes
5. Disclosure of Personal Data
We do not sell, rent, or trade personal data to third parties. We may share data in the following limited circumstances:
5.1 Service Providers
We engage trusted third-party processors who assist us in delivering our services. These include:
• CRM and marketing automation platforms (e.g. GoHighLevel)
• Email delivery and communication platforms
• Cloud storage and document management providers
• Payment processors and invoicing platforms
• Analytics and website performance tools
All processors are subject to data processing agreements (DPAs) and are required to maintain appropriate technical and organisational security measures.
5.2 Professional Advisors
We may share data with legal, accounting, or tax advisors under obligations of professional confidentiality.
5.3 Legal Compliance
We may disclose data where required by law, court order, or regulatory authority in any jurisdiction where we operate, including but not limited to Malta, Singapore, Malaysia, Vietnam, Australia, and the United States.
5.4 Business Transfers
In the event of a business restructuring, merger, or acquisition, personal data may be transferred to a successor entity, subject to equivalent privacy protections.
6. International Data Transfers
As an international consultancy, your personal data may be transferred to and processed in countries outside your home jurisdiction. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfer Impact Assessments (TIAs) where required
• Adequacy decisions recognised by the relevant supervisory authority
For transfers to/from Singapore: we comply with the PDPA transfer limitation obligation and use contractual arrangements to ensure comparable protection.
For transfers to/from Malaysia: we comply with the PDPA 2010 transfer prohibition requirements.
For transfers to/from Australia: we comply with Australian Privacy Principle 8 regarding cross-border disclosure.
For transfers to/from Vietnam: we apply protections consistent with Decree 13/2023/ND-CP.
For transfers involving US residents: we apply privacy protections consistent with applicable US state privacy laws.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. General retention periods are as follows:
Category - Retention Period
Prospect/enquiry data (no engagement) - 2 years from last interaction
Active client engagement data - Duration of engagement + 7 years
Invoicing & financial records - 7 years (tax/legal obligation)
Marketing consent records - Until consent is withdrawn + 3 years
Website analytics data - 26 months (aggregated/anonymised)
Employee/contractor data - Duration of relationship + 7 years
After retention periods expire, data is securely deleted or anonymised in accordance with our data deletion procedures.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure, or destruction. These include:
• Encryption of data in transit (TLS/SSL) and at rest
• Role-based access controls limiting data access to authorised personnel only
• Secure cloud infrastructure with enterprise-grade service providers
• Regular review of security practices and third-party processor agreements
• Incident response procedures compliant with applicable breach notification requirements
In the event of a personal data breach that poses a risk to individuals’ rights and freedoms, we will notify relevant supervisory authorities and affected individuals within the timeframes required by applicable law (e.g. 72 hours under GDPR; 3 business days under Singapore PDPA mandatory breach notification).
9. Your Privacy Rights
9.1 Rights Under GDPR (EU/Malta Residents)
• Right of access – obtain a copy of your personal data
• Right to rectification – correct inaccurate or incomplete data
• Right to erasure (‘right to be forgotten’) – request deletion of data where no legal basis remains
• Right to restriction – limit how we process your data
• Right to data portability – receive your data in a structured, machine-readable format
• Right to object – object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making and profiling
9.2 Singapore PDPA Rights
• Right of access – request access to personal data held about you
• Right of correction – request correction of inaccurate or incomplete data
• Right to withdraw consent – withdraw consent at any time (subject to legal/contractual consequences)
• Right to data portability (where applicable under 2021 amendments)
9.3 Malaysia PDPA Rights
• Right of access – request access to personal data
• Right of correction – correct inaccurate data
• Right to withdraw consent – withdraw consent for processing
• Right to prevent processing for direct marketing purposes
9.4 Australia – Privacy Act Rights
• Right to access personal information held about you
• Right to correct inaccurate, incomplete, or misleading information
• Right to make a privacy complaint to the Office of the Australian Information Commissioner (OAIC)
9.5 California (USA) – CCPA/CPRA Rights
• Right to know – categories and specific pieces of personal information collected
• Right to delete – request deletion of personal information
• Right to correct – correct inaccurate personal information
• Right to opt-out of sale or sharing of personal information (we do not sell data)
• Right to non-discrimination – not to be discriminated against for exercising CCPA rights
• Right to limit use of sensitive personal information
To exercise any of the above rights, contact us at [email protected]. We will respond within the timeframe required by your applicable jurisdiction (generally 30 days, extendable by a further 30 days where complex).
10. Cookies & Tracking Technologies
Our website uses cookies and similar technologies to enhance user experience, measure performance, and support our marketing activities. We use:
• Strictly necessary cookies – essential for the website to function; cannot be disabled
• Analytics cookies – help us understand how visitors interact with our website (e.g. Google Analytics with IP anonymisation enabled)
• Marketing/targeting cookies – used to deliver relevant advertising; only deployed with your explicit consent
You can manage cookie preferences via the cookie consent banner displayed on your first visit, or through your browser settings. Disabling non-essential cookies will not affect your ability to use our services.
11. Marketing Communications
We may send you marketing communications about our AI consulting services, insights, and resources where:
• You have provided explicit consent, or
• We have a legitimate interest in contacting you as a business professional (in jurisdictions where this is permitted, such as the B2B exemption under Singapore PDPA and equivalent frameworks)
Every marketing communication includes a clear and easy unsubscribe mechanism. Requests to unsubscribe will be actioned within 10 business days. We comply with CAN-SPAM Act requirements for recipients in the United States, CASL-equivalent standards for Canadian contacts, and applicable anti-spam laws in each jurisdiction in which we operate.
12. Children’s Privacy
Our services are directed exclusively at business professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately at [email protected] and we will delete such data promptly.
13. Third-Party Links & Integrations
Our website and deliverables may contain links to third-party websites, tools, or platforms. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through our content.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. Material changes will be notified via email to active clients and via a prominent notice on our website. The ‘Last Updated’ date at the top of this document indicates when the most recent changes were made. Continued use of our services after the effective date of any changes constitutes acceptance of the updated Policy.
15. Supervisory Authorities & Complaints
You have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction. Key authorities include:
• Malta (GDPR lead authority): Information and Data Protection Commissioner – www.idpc.org.mt
• Singapore: Personal Data Protection Commission – www.pdpc.gov.sg
• Malaysia: Department of Personal Data Protection – www.pdp.gov.my
• Australia: Office of the Australian Information Commissioner – www.oaic.gov.au
• Hong Kong: Office of the Privacy Commissioner for Personal Data – www.pcpd.org.hk
• USA (California): California Privacy Protection Agency – www.cppa.ca.gov
We encourage you to contact us first at [email protected] to resolve any concerns directly before escalating to a supervisory authority.
16. Contact Us
Privacy Enquiries
Trusted Authority AI
Email: [email protected]
Website: www.trustedauthorityai.com
This Privacy Policy was drafted to reflect our obligations across multiple jurisdictions and should be reviewed by a qualified legal practitioner familiar with the laws of each relevant territory before formal publication. Nothing in this document constitutes legal advice.

AI Strategist for Construction, Manufacturing & Logistics | AI Readiness Audits | Strategic Roadmaps | SE Asia & APAC.
+66 063 079 5310
49/61 Soi Muban, Nong Prue, Bang Lamung, CHONBURI 20150, THAILAND
Monday - Friday, 9:00 AM - 5:00 PM
Copyright 2026. Trusted Authority AI LLC. All rights reserved.