Legal

Privacy policy

Last updated: 11 July 2026

Who we are

TrustedOrigin is a website trust certification service operated by Code Cabin, Inc., 2035 Sunset Lake Road, Suite B-2, Newark, Delaware 19702, United States. This policy explains what data we collect, why we collect it, and the choices you have. Questions about anything here can be sent to [email protected].

Data we collect from customers

When you create a TrustedOrigin account we collect your name, email address and a password (stored hashed, never in plain text). When you add a domain we collect that domain name and, for business verification, the company registration documents you choose to send us.

Payments are processed by Stripe. Your card details go directly to Stripe and never touch our servers; we store only a reference to your subscription.

We send service emails (alerts about issues found on your site, verification updates) through SendGrid using the email address on your account.

Data we collect about websites we certify

To provide the certification we crawl and scan the publicly available pages and files of domains our customers register. During these checks, page content is submitted to Cloudmersive for malware analysis, domains are checked against PhishTank phishing databases and AbuseIPDB reputation data, certificate records are read from public certificate transparency logs, and public DNS records are checked. All of this concerns public website data, not personal data.

Scan results, scores and issue records are stored so they can be shown in the customer dashboard and the public verification panel.

Data about visitors to certified websites

When a website displays the Trust Badge, we count how often the badge is served and how often visitors open the verification panel. These are aggregate daily counters tied to the website, not to the visitor. We do not build visitor profiles, we do not use identifiers, and we do not track anyone across websites.

Two small first-party cookies (to_mini and to_full, each containing only the value "1" and expiring after 24 hours) are used so the same visitor is not counted twice in one day. They are documented in full in our cookie notice, and website owners can disable them entirely from their dashboard.

The visitor's IP address is technically received by our servers when the badge loads, as with any web request. We do not store it against the visit.

Analytics on our own website

trustedorigin.org uses Google Analytics and Mouseflow to understand how our own site is used. These tools collect anonymised usage data under their own privacy policies. Our cookie notice lists the cookies involved.

Who we share data with

We share data only with the service providers needed to run TrustedOrigin: Stripe (payments), SendGrid (email), Cloudmersive (malware scanning of public pages), AbuseIPDB and PhishTank (public reputation checks), Google Analytics and Mouseflow (our own site analytics), and our hosting providers. We do not sell personal data to anyone, ever.

We may disclose data if required by law or to protect the rights and safety of our users and the public.

Retention

Account data is kept while your account is active. Scan history and statistics are kept so the dashboard and badge can show them. Business verification documents are kept only as long as needed to perform and evidence the verification. If you close your account, we delete your personal data within a reasonable period, except where the law requires longer retention.

Your rights

You can ask us for a copy of the personal data we hold about you, ask us to correct it, or ask us to delete it. Email [email protected] and a human will handle the request. Depending on where you live, you may have additional rights under laws such as the GDPR or CCPA, and we will honour them.

Children

TrustedOrigin is a business service and is not directed at children under 16. We do not knowingly collect personal data from children.

Changes to this policy

If we make material changes we will update this page and, for significant changes affecting customers, notify you by email. The date at the top shows when the policy was last revised.