Privacy Policy
Hey there. This policy explains what TrustKit does with data when it loads on websites that use us. We care about your privacy, and we only collect what's necessary to keep bad bots out.
Who are we?
Matriigo
600 W Peachtree St NW
Ste 1700 Box 299
Atlanta, GA 30308 USA
What gets collected
When you visit a site using TrustKit, a few things happen automatically so we can tell if traffic is sketchy:
- IP address (used temporarily to guess region or detect anomalies)
- Browser info (user-agent, timezone, screen size, etc.)
- How your browser renders emojis or handles canvas. This helps us catch bots without needing cookies.
- Nonce + challenge result from a proof-of-work solution (we give your browser a quick puzzle to solve, like a proof-of-work mini-test)
Why do we collect this?
Because bots (and trolls) suck.
- Spot suspicious or automated traffic
- Make sure real users aren't blocked
We do this under what's called "legitimate interest" under the GDPR (Art. 6(1)(f)), meaning it's necessary for security and spam prevention.
Do you store anything?
We don't keep much. Here's what we hold on to and for how long, briefly:
- Hashed fingerprints (not reversible, 5 minutes at most)
- Challenge attempts (score, timestamp, basic metadata, for 5 minutes at most)
- Obfuscated IP data (we don't keep full IPs unless we're under attack, for 5 minutes at most)
Do we share data?
No, unless:
- We're forced to by law (this is rare but it can happen)
- It's with infrastructure providers (like our cloud host), under strict contracts (data processing addendums).
Subprocessors
- AhaSend (TakTek GmbH): For transactional email, like verification or account updates
You have rights
We believe everyone deserves strong privacy rights. So no matter where you're from, you can:
- Ask what data (if any) we’ve got on you
- Ask us to delete it
- Ask us to stop using it in certain ways
- Or just reach out with privacy questions
That said, most of what we collect is hashed, obfuscated, and short-lived. Here's what that means in practice:
- We store data for up to 3 days on most sites
- If a site's under constant attack, we may retain some signals and an IP for up to 14 days to keep things secure
- Fingerprints and identifiers are anonymized or hashed, so we usually can't tie them back to any specific person
Still, if you email us at he!!o at (this domain), replacing the exclamation points with the letter l, we'll do our best to help.
How does TrustKit reduce spam without tracking?
Think of it like handing out anonymous cards to everyone who visits. We don't ask for names or personal info, just how your device renders things like text, or your browser (Chrome, Edge, Firefox). If someone uses the same card way too many times in a short period (like 50 times in an hour), it's a big red flag that they're probably not a real person. That way, we can spot spammers without actually tracking or knowing who anyone is.
Cookies
TrustKit's "I'm not a robot" check doesn't use cookies. There's also no tracking, no cross-site stuff.