Maintruth Privacy Policy
This policy explains what information Maintruth collects, how it uses and shares that information, and the rights you have. It also explains the difference between data Maintruth controls for its own site and account operations and the customer materials Maintruth processes on a customer's behalf under the service agreement.
Last updated: May 30, 2026
1. Introduction and Scope
This Privacy Policy describes how RRG Labs LLC, a California limited liability company ("Maintruth," "we," "us," or "our"), collects, uses, shares, and protects information in connection with our website at maintruth.com and the trust desk services we provide. Maintruth provides security-review support services to its business customers.
This policy applies to information we handle as a business in our own right, including information about visitors to our website, prospective customers, and the account and billing contacts of our customers. It also explains, at a high level, how we handle the materials a customer uploads to or shares with us so that we can deliver the services. Our handling of those customer materials is governed primarily by the service agreement between Maintruth and the customer, and this policy does not change those agreed terms.
By using our website or services, you acknowledge the practices described in this policy. If you do not agree, please do not use the website or services.
2. Our Roles: Controller and Processor
Maintruth plays two different roles depending on the data involved, and the distinction matters for how the data is governed and for the rights that apply to it.
Maintruth as controller
For information we collect and decide how to use for our own purposes, Maintruth acts as a controller (and a "business" under U.S. state privacy laws). This includes information about website visitors, prospective customers, and the account, administrative, and billing contacts of our customers, along with the website usage, telemetry, and cookie data described below. We determine the purposes and means of processing this information.
Maintruth as processor or service provider
When a customer uploads or shares materials so that we can deliver the trust desk services, Maintruth acts as a processor (and a "service provider" under U.S. state privacy laws) on behalf of that customer. The customer is the controller of those materials and decides why and how they are processed. We process them only to provide, support, secure, and improve the services and as otherwise permitted by the service agreement and this policy.
Where the customer materials contain personal data of the customer's personnel, the customer's own customers, prospective buyers, or other third parties, the customer is responsible as controller for the lawfulness of collecting that data and for sharing it with us. Our processing-side data-protection terms are part of the service agreement and are available to customers on request, as described in the section on data processing addenda below.
3. Information We Collect
We collect the following categories of information.
Account and contact information
When you create an account, request a demo, contact us, or otherwise engage with us, we collect information such as your name, company name, business email address, telephone number, job title, and the contents of your communications with us.
Billing information
To process payments and manage subscriptions, we collect billing contact details, billing address, plan and credit usage, invoices, and payment records. Card and bank details are handled by our payment processors; we do not store full payment card numbers ourselves.
Customer materials and evidence
To deliver the services, customers provide materials that can be highly sensitive, including SOC 2 reports, security policies, architecture details, buyer security questionnaires, security answers, internal evidence, gap registers, and related documents. These materials may contain personal data of the customer's personnel and of third parties, such as names, business contact details, and role information. We process these materials on the customer's behalf as a processor.
Communications
We collect the content and metadata of communications you exchange with us, including email, support messages, notes from buyer security calls we support, and other correspondence.
Website, usage, and telemetry data
When you use our website or services, we automatically collect technical and usage data such as IP address, device and browser type, pages and features accessed, referring pages, timestamps, and diagnostic and performance information. We use this data to operate, secure, and improve the website and services.
Cookies and analytics
We and our analytics providers use cookies and similar technologies to remember preferences, keep you signed in, understand how the website is used, and measure performance. See the section on cookies and tracking technologies below.
4. How We Use Information
We use information for the following purposes.
- Deliver the services. To complete enterprise security questionnaires, build and maintain answer libraries, import prior questionnaires, inventory and organize evidence, maintain a gap register, support buyer security calls and trust center activity, draft lightweight trust documents and policies, and provide monthly trust desk reporting.
- Operate AI-assisted workflows. To parse questionnaires, match questions to prior answers, find similar responses, and draft initial language. AI-assisted drafts are always reviewed by a human before delivery, and the customer is always the final approver of buyer-facing answers and of any commitments made to buyers.
- Support and communicate. To respond to requests, provide customer support, send service and administrative messages, and share information about features and offerings where permitted.
- Billing and account management. To process payments, manage subscriptions and credits, and maintain account records.
- Security and integrity. To protect the website, services, and customer materials, enforce least-privilege access, detect and prevent fraud, abuse, and security incidents, and maintain the confidentiality of sensitive materials.
- Improve the services. To analyze usage, troubleshoot, and improve the quality, performance, and capabilities of the website and services, including through the de-identified and aggregated data described below.
- Legal compliance. To comply with applicable laws, respond to lawful requests, establish, exercise, or defend legal claims, and enforce our agreements.
Where required by law, we rely on an appropriate legal basis for processing, such as performance of a contract, our legitimate interests in operating and improving the services, your consent, or compliance with a legal obligation.
5. De-Identified and Aggregated Data
This section is important and describes a right that Maintruth reserves. Please read it carefully.
Consistent with our public commitment, we do not use customer confidential materials to train public AI models. We will not use a customer's identifiable confidential materials, including its SOC 2 reports, security policies, architecture details, buyer questionnaires, security answers, internal evidence, and personnel personal data, to train public or third-party AI models. Where we use third-party AI providers to deliver the services, we maintain contractual commitments that restrict those providers from using a customer's identifiable materials to train or improve their own models for general use, and we prefer zero-retention configurations.
At the same time, Maintruth may create de-identified, aggregated, and anonymized data derived from the operation of the services and from customers' use of them. We may use that de-identified and aggregated data perpetually and irrevocably for any purpose, including training and improving Maintruth's own models, AI tooling, answer-library structure, methods, and services, both during and after the term of any customer relationship. We process this data so that it does not identify, and cannot reasonably be used to identify, any customer, its personnel, or any buyer.
De-identified and aggregated data is not customer confidential information and is not personal data once it no longer identifies an individual. Maintruth owns all right, title, and interest in such de-identified and aggregated data. The training commitment above and this reservation are designed to fit together: we use only anonymized and aggregated data, and only for Maintruth's own internal models and services; identifiable confidential materials are never fed to public or third-party models.
7. Data Retention and Deletion
We retain information for as long as needed to fulfill the purposes described in this policy, to provide the services, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Retention periods are based on the purpose for which the information was collected, and we delete or de-identify information when it is no longer needed for that purpose.
On termination of a customer relationship, we provide a reasonable data-export window (for example, 30 days) and then delete or return customer materials on request, subject to legal-retention obligations and routine, time-limited backups that are overwritten in the ordinary course.
Two categories of data survive deletion: first, copies retained in routine system backups, which are cycled out over time; and second, the de-identified and aggregated data described above, which is not identifiable, which Maintruth owns, and which we may retain and use perpetually.
8. Security Measures
We maintain reasonable, industry-standard technical and organizational measures designed to protect information against unauthorized access, use, alteration, and disclosure. These measures are consistent with the commitments on our security page and include least-privilege access, separate per-customer workspaces, multi-factor authentication, the use of approved systems for customer work, and the ability to work under a customer non-disclosure agreement before reviewing sensitive materials.
No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials secure and for the activity that occurs under your account.
If we become aware of a security incident affecting personal data or customer materials, we will notify affected customers without undue delay and, where applicable, within a target of 72 hours after becoming aware of the incident, and we will provide information reasonably available to us to support the customer's own obligations.
9. International Data Transfers
Maintruth is based in the United States, and we and our service providers may process and store information in the United States and in other countries where we or they operate. These countries may have data-protection laws that differ from those in your jurisdiction.
Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we use appropriate safeguards, such as the Standard Contractual Clauses approved by the relevant authorities, together with any supplementary measures required. Customers may request more information about the transfer mechanisms we use.
10. Your Privacy Rights
Depending on where you live and the role we play with respect to your information, you may have rights regarding your personal data. We honor the rights described below to the extent they apply to you.
EEA, UK, and Swiss rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you may have the right to access your personal data, correct inaccurate data, request deletion, restrict or object to certain processing, request portability of data you provided to us, and withdraw consent where processing is based on consent. You may also lodge a complaint with your local supervisory authority.
U.S. state privacy rights
If you are a resident of California or another U.S. state with a comprehensive privacy law, you may have the right to know what personal information we collect and how we use and disclose it, to access and obtain a copy of that information, to correct inaccurate information, to request deletion, and to be free from discrimination for exercising your rights. Maintruth does not sell personal information, and we do not share personal information for cross-context behavioral advertising or targeted advertising as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act and similar laws.
Customer-controlled materials
Where a request relates to personal data contained in customer materials that we process on a customer's behalf, the customer is the controller and the appropriate point of contact. We will route such requests to the relevant customer and assist that customer in responding, as provided in the service agreement.
How to exercise your rights
To exercise any of these rights, contact us at privacy@maintruth.com. We will verify your request and respond within the time required by applicable law. You may use an authorized agent where the law permits, subject to verification.
12. Children
Our website and services are intended for businesses and are not directed to children. We do not knowingly collect personal information from anyone under the age of 16 (or under 18 where required by local law). If you believe a child has provided us with personal information, please contact us at privacy@maintruth.com and we will take appropriate steps to delete it.
13. Data Processing Addendum
Where Maintruth processes personal data on a customer's behalf, our processing-side data-protection terms, including a data processing addendum, are part of the service agreement and are available to customers on request. Customers who need a signed data processing addendum, or details about subprocessors and transfer mechanisms, may request one by contacting privacy@maintruth.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, provide additional notice. Changes are not retroactive. Your continued use of the website or services after the effective date of an updated policy constitutes acceptance of the changes.
15. How to Contact Us
If you have questions or requests about this Privacy Policy or our handling of personal data, contact us at privacy@maintruth.com. For legal notices, contact legal@maintruth.com.
Maintruth can be reached at: RRG Labs LLC, 440 N. Barranca Ave. #1890, Covina, CA 91723, United States. If we are required to designate a representative in the European Economic Area or the United Kingdom, we will identify that representative here.