How we handle your information.

This policy covers personal information processed by True Primary across the marketing site, the brief-intake flow, the expert network, and the project library. It applies to anyone who submits a brief, applies as an expert, contacts us, signs in to the product, or uses the website.

True Primary acts as an independent controller for its core business activities — running the expert network, operating the website, managing client and expert relationships, and recruitment. Where a written engagement or expert agreement provides for it, True Primary may act as a processor or service provider on behalf of a client team.

From buyers: name, organisation, work email, optional phone, the content of any brief or message you send us, and basic technical signals (IP, user agent, referrer) when you load the site. From experts: name, contact email, declared seats and operating areas, scheduling availability, the content of any reply to a request, and (with explicit consent) the recording and transcript of any interaction you take part in. We do not buy personal data from third parties.

Special-category or sensitive personal data — including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health or sex-life data, or biometric data — is processed only where it is necessary, lawful, and proportionate. The most common contexts are compliance screening, equal-opportunities monitoring, payment and tax administration, or where you choose to disclose such information in a brief, transcript, or message to us.

Buyer information is held to route briefs to the partner best placed to handle them, to fulfil the engagement, and to keep an auditable record of the work. Expert information is held to match relevant requests, schedule interactions, brief experts in advance, pay them promptly, and respect their declared restrictions on every future brief. Site analytics are held to understand which pages help prospects and which do not.

Under the UK GDPR and the EU GDPR, the lawful bases we rely on depend on the context:

• Contract — to deliver an engagement you, your team, or an expert has agreed to.
• Legitimate interests — to operate, secure, improve, and grow a useful service, where those interests are not overridden by your rights.
• Legal obligation — to comply with tax, regulatory, compliance, and statutory record-keeping requirements.
• Consent — for marketing email where required, for non-essential cookies, and for interaction recordings.
• Vital interests — only in the rare event needed to protect someone’s life.

Equivalent lawful grounds under applicable national implementations of the GDPR and under US state privacy laws apply on the same basis.

We share information only with the people and systems necessary to run the engagement. Brief content goes to the routed experts. Synthesis goes back to the commissioning buyer team. Service providers are bound by written contracts that require confidentiality, security, lawful processing, and deletion or return on instruction. We do not sell personal information. We do not share contact details with marketing partners.

The current operational stack:

• Vercel — application hosting and edge delivery (US / EU regions; SCCs and UK Addendum where applicable).
• Resend — transactional and notification email delivery.
• Google Workspace — business email, documents, and internal collaboration.
• Linear — internal issue and project tracking.
• GitHub — source-code hosting and version control.
• Canva — design asset preparation.

This list is updated as the stack changes; the version on this page is the current one.

Retention follows the criteria below. Specific periods depend on relationship duration, regulatory and tax requirements, applicable limitation periods, and the buyer team's documented retention rules.

You can ask us to show you the personal information we hold about you, correct anything inaccurate, delete it, restrict how we use it, port it elsewhere where applicable, or object to our use of it, by writing to the addresses below. Experts retain a separate, workflow-level right to redact any portion of a transcript before it enters the library, and to decline any future request without explanation.

Under the UK GDPR and the EU GDPR — and the national implementations applicable in your country — you have the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You can complain to your supervisory authority at any time. In the UK that is the Information Commissioner's Office (ICO, ico.org.uk); in the EU, your national data-protection authority.

Under the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and under comparable comprehensive privacy laws in other US states, you have the right to know what personal information we hold, to delete it, to correct it, to opt out of any sale or sharing of your personal information for cross-context behavioural advertising (we do not engage in either), to limit our use of sensitive personal information, to designate an authorised agent to act for you, and to be free from discrimination for exercising any of these rights. We respect Global Privacy Control (GPC) signals as a valid opt-out request.

We respond to verifiable requests within the timelines required by applicable law.

All personal information is encrypted in transit (TLS) and at rest. Internal access is least-privilege and audited. Briefs, transcript summaries, and library entries are visible only to the right team members. We can run on a private library footprint for clients with specific data-residency or audit-bound requirements; speak to us before onboarding.

We are not currently certified to ISO/IEC 27001 and do not claim ISO/IEC 27001 certification. References to ISO/IEC 27001, information security standards, or industry security frameworks are provided for descriptive purposes only and should not be interpreted as a statement that our organisation, services, systems, controls, or information security management system are ISO/IEC 27001 certified, compliant, audited, accredited, or otherwise approved.

This section adds California-specific detail to the rights described above. In the preceding twelve months, True Primary has:

• Collected the categories of personal information described in section 02 (identifiers such as name, email, IP address; commercial and professional information; internet and other electronic activity; audio recordings with explicit consent).
• Sourced that information directly from you when you submit a brief, apply as an expert, contact us, or use the site; from service providers acting on our instructions; and from publicly available professional sources.
• Used it for the business purposes described in section 03 (running the engagement, operating the site, scheduling, payment, compliance, audit, security, and service improvement).
• Shared it only with the routed experts, the commissioning buyer team, and the service providers listed in section 05.
• Did not sell or share personal information for cross-context behavioural advertising, and did not use or disclose sensitive personal information beyond the purposes permitted by the CPRA.

To exercise California rights, contact privacy@trueprimary.com. Authorised agents may submit requests on your behalf and will be asked to verify their authority.

Privacy questions, data-rights requests, and security disclosures can be sent to:

• Privacy and data-rights requests — privacy@trueprimary.com
• Privacy alias (monitored route; no formal DPO appointment claimed) — dpo@trueprimary.com
• Security disclosures — security@trueprimary.com
• Postal correspondence — by written request to legal@trueprimary.com first; an address will be confirmed where one is needed.

A named human reviews every request inside one working day. This policy will be updated as the product evolves; material changes will be flagged on the site itself, not buried in a change log.