Privacy
Policy.
How Truffle collects, uses, stores, and discloses personal information from clients who access or use our services on runtruffle.com.
Effective Date: 2026-05-22 · Last Updated: 2026-05-22
This Privacy Policy ("Policy") describes how ZDS Zander Digital Services S.L. (operating name "Truffle") ("Truffle", "we", "our", or "us") collects, uses, stores, and discloses personal information from clients ("you") who access or use our services on our website runtruffle.com. This Privacy Policy applies to personal information we collect in the course of our business as a controller, such as through our website as well as various interactions (e.g. customer service inquiries) you may have with us.
By registering for, accessing, or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with the terms of this Policy, you must not use the Services.
This Policy applies solely to the personal data of customers (companies and their authorised individual users) who access the Services. It does not apply to:
- Data generated by or relating to the end-users of our customers' products or marketing campaigns;
- Synthetic marketing queries or fictional buyer-persona data transmitted to AI models (which contain no personal data);
- The privacy practices of third-party AI providers whose outputs we analyse; or
- Any website or service operated by a third party that may be linked to or from our platform.
1. Details of the Controller
Responsible for this website, its content and any processing of personal data that happens on it is ZDS Zander Digital Services S.L., c/ Rosselló 188 4C, 08008 Barcelona, Spain. You can reach our data protection team at hello@runtruffle.com.
2. Personal Data We Collect
Given the B2B nature of the Services, the volume and sensitivity of personal data processed is intentionally minimal. The only categories of personal data that Truffle collects directly from individuals are set out below.
2.1 Personal information submitted to us
Account Data
When you create an account or subscribe to the Service or grant employees access to the Services, they may provide account and profile data such as billing or contact information, professional details, and account preferences to us. To create an account with us, you supply us with:
- Full name
- Work email address
- Password
- Domain or similar details
- Account creation timestamp and last-login timestamp
Payment Data
When you make a purchase or request a refund, we process the details of the transaction. The information collected depends on the payment method you choose. It can include your debit or credit card information and other financial information.
Support and Customer Service
We provide support and customer service in connection with our Services and collect the personal information you submit when submitting a request, such as contact information, details of your problem or issue, and related documentation, screenshots, or information.
Communication Data
We may collect your name, title, company name, and other information you provide and/or consent to when you communicate with us in person or on calls.
2.2 Personal information we generate or collect automatically
Usage Data
In the course of using the Services, customers provide and we store the following project-level data. This data relates to brands and commercial entities, not to natural persons, and is therefore generally not personal data. However, it may become personal data where, for example, a sole trader's trading name corresponds to their personal name:
- Brand names, domain names, and company names subject to monitoring
- Industry sector and geographic target markets
- Synthetic buyer-persona definitions (fictitious demographic and behavioural profiles created for the purpose of generating realistic test queries; these profiles do not correspond to real individuals)
- Synthetic marketing search queries generated from buyer personas
- AI model responses retrieved in the course of monitoring (stored as raw output data)
- Competitor brand names and domains entered for benchmarking purposes
Service Data
Where customers choose to connect third-party services, we collect and store (in encrypted form):
- Google OAuth 2.0 access and refresh tokens, granting read-only access to the customer's Google Search Console and/or Google Analytics account
- API keys generated by or for the customer's OpenRouter account, used to route queries to AI model providers
These credentials are stored using industry-standard encryption at rest and are never shared with third parties except the specific service for which they were provided (Google or OpenRouter, respectively).
Technical Data
We may collect limited technical data in connection with the operation and security of the platform, including:
- IP address (used for rate limiting, abuse prevention, and security logging; not used for profiling or analytics)
- Login attempt logs (for rate-limiting and fraud detection)
- API request metadata (timestamps, HTTP status codes, response latency; no request or response content is logged by Truffle at the infrastructure level)
3. Purposes and Legal Bases
Truffle processes personal data only for the purposes set out below. For each purpose, we identify the applicable legal basis under Article 6 GDPR.
| Purpose | Personal Data Involved | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Provision and operation of the Services (account management, project execution, dashboard delivery) | Name, email, password, project data | Art. 6(1)(b) — Performance of contract |
| Authentication and security (login verification, rate limiting, abuse prevention) | Email, hashed password, IP address, login logs | Art. 6(1)(f) — Legitimate interest (platform security) |
| Integration with Google services (Search Console / Analytics) | Google OAuth tokens | Art. 6(1)(b) — Performance of contract |
| Service communications (account notifications, security alerts, product updates) | Name, email address | Art. 6(1)(b) — Performance of contract |
| Customer support and correspondence | Name, email, contents of support communications | Art. 6(1)(b) — Performance of contract |
| Invoicing and financial record-keeping | Customer company details, billing contact details | Art. 6(1)(c) — Legal obligation (tax / commercial law) |
| Product improvement and analytics (aggregated, non-identifying usage patterns) | Anonymised usage metadata | Art. 6(1)(f) — Legitimate interest (product development) |
| Compliance with legal obligations (responding to lawful requests by authorities) | As required | Art. 6(1)(c) — Legal obligation |
| Marketing communications (only where customer has opted in) | Name, email address | Art. 6(1)(a) — Consent |
4. Third Parties and Other Recipients
What we send to AI model providers
A core design principle of Truffle is that no personal data is transmitted to any AI model provider. The platform sends exclusively:
- Synthetic, AI-generated marketing queries as fictional search inputs derived from buyer personas;
- Brand names and domain names designated by the customer for monitoring purposes;
- Geographic and industry context parameters where applicable.
These inputs contain no names, email addresses, IP addresses, user identifiers, or any other information relating to identified or identifiable natural persons. Buyer personas are wholly fictitious marketing constructs and do not correspond to real individuals.
We may disclose personal data collected in the scope of this privacy notice to members of our corporate group ("Affiliates"). Where it involves a transfer of your data to third countries outside the UK / European Economic Area ("EEA") / Switzerland we will ensure that it is adequately safeguarded. Our customer data is exclusively stored in the European Union.
Sub-processors
| Sub-processor | Location | Data Transmitted | Purpose | Transfer Mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | All customer data (accounts, project data, AI responses, credentials) | Primary hosting, database (MariaDB), automated backups (2×/day) | Intra-EU transfer |
| OpenRouter Inc. | USA (EU routing available) | Synthetic queries, brand names, location context only — NO personal data | API gateway routing synthetic queries to AI model providers | SCCs / Enterprise EU routing + DPA |
| OpenAI / Google / Anthropic / Perplexity (via OpenRouter) | USA | Synthetic queries and brand names only — NO personal data | AI model inference for brand visibility analysis | SCCs (via OpenRouter DPA) |
| Google LLC (OAuth) | USA | Customer OAuth tokens (read-only scope to Search Console / Analytics) | Optional integration: reading customer's own SEO data | SCCs + Google DPA |
| DataForSEO | USA / EU | Domain names, keywords, URLs (publicly available data only) | SEO data enrichment | SCCs where applicable |
| Apify Technologies s.r.o. | Czech Republic (EU) | URLs for analysis (no personal data) | Web scraping for supplementary data (limited use, subject to review) | Intra-EU transfer |
| Link Research Tools GmbH (LRT) | Austria (EU) | Domain lists (up to 10,000 entries; no personal data) | Backlink and domain authority analysis | Intra-EU transfer |
5. Cross-Border Data Transfers
The primary server infrastructure for the Services is located in Germany and operated by Hetzner Online GmbH, a German entity. The majority of processing therefore occurs within the European Economic Area ("EEA") and does not constitute an international transfer.
The sharing of the data collected within the scope of this privacy policy may involve cross-border data transfers to our Affiliates and service providers (other third parties) in third countries that have different privacy laws. When we transfer personal data to a third country, such transfers are subject to the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission or similar contractual data transfer mechanisms approved by other competent authorities under applicable laws, incorporated into the applicable DPAs with each sub-processor; and/or
- Adequacy decisions issued by the European Commission or other competent authorities under applicable laws.
6. Data Retention
Truffle retains personal data for no longer than is necessary for the purposes for which it was collected and as permitted by applicable law. This may include keeping it for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with and demonstrate compliance with legal obligations, resolve disputes, and enforce our agreements.
Account data and project data are retained for the duration of the contractual relationship, and we implement a safety retention window of three months following account deletion. We maintain limited data to comply with legal data retention obligations, in particular we keep transaction data for 10 years to comply with tax and accounting legal requirements, credit card information for the duration in which the customer can challenge the transaction, and traffic data for one year to comply with legal data retention obligations. Limited data is maintained on the basis of our legitimate interests, such as customer care exchanges for a year after account termination, to support our customer care decisions, enforce our rights and defend ourselves in the event of a claim.
Where legally permitted, we may retain and use anonymised data (information that cannot be traced back to you individually) to enhance our services, develop new features and technologies, and maintain platform safety, including through the use of machine learning.
7. Your Rights Under GDPR
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights in relation to your personal data. These rights are subject to certain conditions and limitations under applicable law.
| Right | Description |
|---|---|
| Right of Access (Art. 15) | You have the right to request a copy of the personal data we hold about you, together with information about how we process it. |
| Right to Rectification (Art. 16) | You have the right to request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to legal retention obligations. |
| Right to Restriction of Processing (Art. 18) | You have the right to request that we restrict our processing of your personal data in certain circumstances. |
| Right to Data Portability (Art. 20) | Where processing is based on your consent or performance of a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. |
| Right to Object (Art. 21) | You have the right to object at any time to processing of your personal data where the legal basis is our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds. |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. |
| Right to Lodge a Complaint (Art. 77) | You have the right to lodge a complaint with the data protection supervisory authority in your country of residence, place of work, or place of the alleged infringement. |
To exercise any of the above rights, please contact us using the details provided in Section 9. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing your request. There is no charge for making a request; however, where requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee or decline to respond.
8. Cookies and Tracking Technologies
A cookie is a small file placed on your device or browser that allows us to recognise and remember your preferences, helping us personalise and improve your experience on our website.
When you visit our website, we automatically collect personal information through cookies and similar technologies. Some are essential for the website to function and cannot be switched off. For others, such as those used to show you targeted ads, you have choices about how they are used. For more details on how we use cookies and your available options, please refer to our Cookie Policy, which is available separately.
9. Contact Information and Data Protection Officer
If you have any questions, concerns, or requests regarding this Policy or Truffle's processing of your personal data, please contact:
Data Controller: ZDS Zander Digital Services S.L.
Postal Address: c/ Rosselló 188 4C, 08008 Barcelona, Spain
Privacy Email: hello@runtruffle.com
Web: runtruffle.com
10. Changes to This Policy
Truffle may update this Policy from time to time to reflect changes in our practices, the Services, or applicable law. Where changes are material, we will notify customers by email to the address associated with their account and/or by displaying a prominent notice within the platform at least 14 days before the changes take effect. The date of the most recent revision is indicated at the top of this Policy. Continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy.
