Privacy Policy
We keep this straightforward. Here's exactly what we collect, what we don't, and how we handle your data.
Overview
TrustLists ("we", "us", "our") operates trustlists.org — a public directory of company trust centers — and TrustLists Companion, a Chrome extension for GRC compliance teams.
Short version: We collect minimal, anonymous usage data to operate the service. The Chrome extension reads vendor names for local matching only — nothing is sent to our servers.
Website & API
When you visit trustlists.org or use the public API at trustlists.org/api/trust-centers.json, standard web server logs may capture your IP address, browser, and pages you request — used solely for debugging and security.
Chrome Extension
TrustLists Companion reads vendor names from Drata and Vanta and matches them to the public TrustLists directory. All processing happens locally in your browser.
The extension never sends vendor names, GRC data, credentials, or any personal information to our servers or any third party.
Extension Permissions
| Permission | Why it's needed |
|---|---|
| activeTab | Identifies which tab is active so the side panel shows matches for the current GRC page. |
| sidePanel | Required to register and open the side panel UI. |
| storage | Caches the TrustLists directory locally (24-hour TTL) and stores optional manual vendor links. |
| trustlists.org | Fetches the public trust-center JSON dataset. The only external host the extension connects to. |
Data Storage & Retention
| What | Where | Retention |
|---|---|---|
| TrustLists directory cache | storage.local | Deleted automatically after 24 hours. |
| Manual vendor links | storage.sync | Until you remove them or uninstall. |
| Last GRC session data | storage.session | Cleared after 30 minutes or when Chrome closes. |
Uninstalling TrustLists Companion removes all locally stored data.
Contact
Questions or requests?
We're happy to answer anything about how we handle data.
privacy@trustlists.org