
Trustpilot and Data Protection – What Belongs in the Privacy Policy

Concise guide to Trustpilot: TrustBox widgets and AFS review invitations, processed data, GDPR legal bases, and what website operators must include in their privacy policy.

When a website operator embeds Trustpilot TrustBox widgets, the visitor's browser contacts Trustpilot's servers on page load, so the operator causes web server log data, device data, browser information and coarse location data of visitors to be processed for the purpose of displaying reviews; this typically rests on a third-party-content consent or, alternatively, on legitimate interests under Art. 6 (1) (f) GDPR. This page summarises the key Trustpilot privacy topics, classifies them under the GDPR and explains what should be included in the privacy policy of the operator's own website.

The description is based on Trustpilot's publicly available statements (Privacy Policy, Data Processing Agreement, Help Centre) and on publicly researchable sources. It does not replace a case-by-case review by the website operator.

A. Purpose and Functionality of Trustpilot

Trustpilot is an open review platform from Denmark on which consumers can rate businesses. For website operators, the integration of Trustpilot on their own website is relevant in two forms in particular: first, the so-called TrustBox widgets, which display star ratings, individual reviews or lists of reviews directly on the website; second, the automated dispatch of review invitations by email via the Automatic Feedback Service (AFS) following a purchase or contract.

This page focuses on the TrustBox widget integration as the most relevant point of contact between the website visitor and Trustpilot. Technically, a small JavaScript loader (https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js) is embedded; at runtime it loads the various widget contents — such as Carousel, Mini, Slider, Micro, Review List or Drop-Down — from Trustpilot's servers and renders them within the operator's markup. The parallel AFS function is briefly addressed because it is often deployed alongside the widget in practice, but it is a separate processing operation with its own legal assessment.

This page does not cover Trustpilot's own platform functions (a business's own profile page on trustpilot.com, replying to reviews, internal reporting) or Trustpilot's processing of reviewer data on its own platform.

B. Mandatory Information in the Privacy Policy When Using Trustpilot

Beyond general information on the controller, the supervisory authority and the data subjects' rights, the GDPR requires website operators to provide specific mandatory information when using a tool such as Trustpilot: the purposes and legal bases of processing (Art. 13 (1) (c) GDPR), where processing relies on a balancing of interests, the specific legitimate interests pursued (Art. 13 (1) (d) GDPR), the recipients or categories of recipients (Art. 13 (1) (e) GDPR), information on third-country transfers (Art. 13 (1) (f) GDPR) and the storage period or the criteria used to determine it (Art. 13 (2) (a) GDPR). Where data is not collected from the data subject directly, the categories of personal data (Art. 14 (1) (d) GDPR) must be added.

These mandatory items are broken down for Trustpilot in the following sections.

In practice, it has become customary to address every individual tool — including Trustpilot — with a dedicated, often lawyer-drafted text block in the privacy policy. This "template-clause-per-tool" logic is bad practice: it inflates the privacy policy, repeats substantively identical statements (server logs, IP address, legitimate interests) over and over, and makes the text barely readable for users — the opposite of what Art. 12 (1) GDPR demands with its transparency requirement. A more appropriate approach is topic-oriented: processing operations are described across all tools in thematic blocks (server operation, third-party content, newsletter, sales …), and the specific service providers — including Trustpilot — are listed together in a recipient list in an appendix. This is precisely the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Trustpilot

According to Trustpilot's publicly available information, the contracting party for German website operators is:

  • Trustpilot A/S
  • Pilestræde 58, 5th floor
  • DK-1112 Copenhagen K, Denmark
  • CVR No.: 30276582

The seat and main processing therefore lie within the European Union; a third-country transfer is not inherent in Trustpilot's own processing. Trustpilot operates subsidiaries in, among others, the United Kingdom, the United States and Australia. Where subprocessors in third countries are engaged, Trustpilot lists them in its subprocessor list (see https://corporate.trustpilot.com/legal/for-businesses/subprocessors).

The Trustpilot privacy notices and contracts most relevant for TrustBox use and AFS are in particular:

  • End-User Privacy Policy: https://corporate.trustpilot.com/legal/for-reviewers/privacy-policy-end-user
  • Business Privacy Policy: https://corporate.trustpilot.com/legal/for-businesses/business-privacy-policy
  • Data Processing Agreement (DPA): https://corporate.trustpilot.com/legal/for-businesses/data-processing-agreement
  • Cookie list: https://legal.trustpilot.com/legal/cookie-list

D. Data Processing by Trustpilot – Step by Step

Collection: As soon as a visitor opens a page with an embedded TrustBox, their browser loads the bootstrap loader and the widget contents directly from Trustpilot servers. Trustpilot thereby receives the typical web server log data (in particular IP address, referrer, user agent) as well as device and browser information. With AFS, the website operator additionally transmits the customer's email address and selected order data to the provider.
Storage: According to Trustpilot, processing takes place in its infrastructure, primarily within the EEA; subprocessors may also operate servers outside the EEA. According to the provider, retention periods are based on service, security and statutory retention requirements.
Use: Trustpilot uses the data to deliver the widget content, to ensure the platform's operation (load, abuse and bot detection), for platform-internal statistics and — as an independent controller — to develop its own services. With AFS, Trustpilot dispatches the review invitations on behalf of the website operator.
Disclosure: Subprocessors (hosting, email dispatch, security services) are listed in Trustpilot's subprocessor list. Disclosure to third parties for advertising purposes is not provided for according to the provider's publicly available information.
Deletion: Retention periods and deletion routines are set out in Trustpilot's privacy notices and — for AFS — in the DPA. The website operator can remove the widget integration and deactivate AFS at any time; existing reviews on the Trustpilot platform are unaffected.

E. Data Collected When Using Trustpilot

In a pure TrustBox embed, the following data is typically collected when the widget resources are delivered: IP address of the internet connection, date and time of the request, URL of the embedding page (referrer), browser and operating system details, and the region roughly determined from the IP. According to publicly available information, Trustpilot may set cookies, for instance for technical delivery and abuse prevention; Trustpilot maintains a current overview in its cookie list. With AFS, the order and contact data transmitted by the website operator is added, in particular the email address, name, an order/reference number, the time of order and possibly the products purchased.

These data fall into the following standardised data type classes:

  • Web server log data: data the server receives with each widget request, e.g. IP address, date and time, URL of the embedding page, referrer, user agent, status code, transferred data volume.
  • Device data: information about the end device, e.g. device type, operating system, screen resolution, touch support.
  • Browser information: browser name, browser version, language settings where applicable.
  • Coarse location data: location derived from the IP address at city or regional level.
  • User account data (only with AFS, where the operator transmits existing-customer data): in particular the email address as the recipient's contact identifier.

When AFS is used, order data (order number, date, possibly product identifier) is added; Trustpilot uses this data exclusively to control the dispatch of the invitation.

F. Operator's Purposes When Using Trustpilot

Website operators typically embed TrustBox widgets to make existing reviews visible to visitors, to increase trust in their own offering and to cite an independent review source. With AFS, the goal is to obtain as many authentic customer reviews as possible in order to make their own reputation measurable and to develop the product and service offering further.

These purposes fall into the following standardised purpose classes:

  • Function provision: delivering the widget and displaying the review content, error detection and error correction during rendering.
  • Security and abuse prevention: protection against manipulation attempts, bot activity and other abusive use of the review display.
  • General product improvement: aggregate-level evaluation of reach and display frequency in order to design the website appropriately.
  • General marketing: making reviews visible as a general, non-individualised marketing measure; measuring the success of review integrations via platform reports.
  • Communication (with AFS): sending the review invitation to the customer following a contract.

In the integration function discussed here, Trustpilot falls within the tool category third-party content (reviews); AFS is a flanking function with its own legal classification as customer-related direct marketing/communication.

G. Legal Bases for Using Trustpilot

For the embedding of TrustBox widgets, the following legal bases typically come into consideration based on the provider's publicly available information and standard assessment:

  • Third-party-content consent (Art. 6 (1) (a) GDPR, possibly in conjunction with Section 25 (1) TDDDG, where access to the end device — for instance via cookies — takes place). Where the TrustBox is loaded only after consent has been given, this is regularly the cleanest legal basis.
  • Legitimate interests (Art. 6 (1) (f) GDPR) in efficiency, security and general marketing (visibility of independent reviews). This basis comes into consideration where the widget is delivered without consent and no tracking mechanisms beyond what is necessary are activated. Whether the balancing of interests holds in the specific case must be assessed individually.

For AFS dispatch, the following typically come into consideration:

  • Legitimate interests in advertising and improvement (Art. 6 (1) (f) GDPR) in conjunction with Section 7 (3) UWG (German Act Against Unfair Competition), where the recipient provided their email address in connection with the sale of goods or services, the invitation relates to a review of similar goods or services, the customer was clearly informed of the right to object both at collection and in every email, and has not objected.
  • Consent (Art. 6 (1) (a) GDPR in conjunction with Section 7 (2) No. 2 UWG) where the requirements of Section 7 (3) UWG are not fully met, in particular for new customers without a prior purchase, for review invitations regarding dissimilar products, or where no opt-out notice was given at collection. Section 7 UWG generally prohibits unreasonable annoyance through electronic mail within the scope of German competition law; case law regularly classifies review invitations as advertising within the meaning of Section 7 UWG.

Which legal basis applies depends on the specific deployment scenario, the consent banner setup, the tracking configuration and the UWG compliance of the review invitation, and is to be assessed by the website operator on a case-by-case basis.

H. Special Notes on Trustpilot

  • EU seat, no third-country transfer for Trustpilot's processing as such: Trustpilot A/S is based in Denmark and, according to publicly available information, carries out its main processing within the EEA. This is a practical advantage compared with US-based review providers — but the subprocessor list should still be checked for any third-country links.
  • Role: According to its own statements, Trustpilot acts as an independent controller for the Trustpilot platform and the review system. For the dispatch of review invitations via AFS, however, Trustpilot offers a Data Processing Agreement (DPA) and typically acts as a processor in that respect. The final classification is to be checked by the website operator on a case-by-case basis.
  • DPA: Trustpilot's standard DPA is available via the business account and at https://corporate.trustpilot.com/legal/for-businesses/data-processing-agreement. Concluding or accepting it is strongly recommended before going live with AFS.
  • Subprocessors: The current list is published at https://corporate.trustpilot.com/legal/for-businesses/subprocessors. It should be reviewed once before deployment and regularly thereafter.
  • Cookies and consent integration: According to publicly available information, the TrustBox may set cookies. From a compliance perspective, it is advisable to deliver the widget behind a consent wrapper (e.g. a consent banner with third-party-content consent) and to load it only after consent has been given.
  • Settings for the website operator: With AFS, attention should be paid to a dispatch logic that is competition-law-compliant: a sufficient notice of the right to object already at the time of data collection, a clear unsubscribe link in every invitation email, blocking of objection addresses, compliance with the requirements of Section 7 (3) UWG.
  • Opt-out for end users: End users can stop the review invitation at any time via the unsubscribe link in the email; the TrustBox display itself can primarily be controlled via the consent banner.
  • "Fake reviews" risk: UWG and mandatory information requirements (Consumer Rights Directive, Section 5b (3) UWG) regarding authenticity and verification statements for reviews must be assessed separately; this is a competition-law, not a data-protection, issue.
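The consent wrapper recommended above for the TrustBox can be implemented without any vendor-specific tooling: the bootstrap loader is simply not inserted into the page until an affirmative third-party-content consent has been recorded. The following is an added example, not code from Trustpilot or from this page; the only value taken from the page is the loader URL. The shape of the persisted consent record, the storage key `site-consent`, the container id `trustpilot-reviews` and the `consent-changed` event name are assumptions that must be adapted to the consent banner actually in use, and the container markup itself must follow Trustpilot's own integration instructions.

```javascript
// Added example: consent-gated loading of the Trustpilot TrustBox bootstrap.
// Only the loader URL comes from the page; everything else is an assumption.

const TRUSTPILOT_BOOTSTRAP =
  'https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js';

// Assumed shape of the record a consent banner persists under CONSENT_KEY,
// e.g. {"version":1,"thirdPartyContent":true,"ts":1710000000000}.
const CONSENT_KEY = 'site-consent';

// True only for an explicit, affirmative third-party-content consent.
// A missing, malformed or non-boolean value is treated as "no consent".
function hasThirdPartyContentConsent(record) {
  if (!record || typeof record !== 'object') return false;
  return record.thirdPartyContent === true;
}

// Parse the stored consent JSON defensively; storage may contain anything
// (another script on the same origin can write to it).
function parseConsent(raw) {
  if (typeof raw !== 'string') return null;
  try {
    const parsed = JSON.parse(raw);
    return parsed && typeof parsed === 'object' ? parsed : null;
  } catch (_) {
    return null;
  }
}

// Pure description of the <script> element to inject; null means "do not load".
function trustBoxScriptSpec(record) {
  if (!hasThirdPartyContentConsent(record)) return null;
  return {
    src: TRUSTPILOT_BOOTSTRAP,
    async: true,
    // Governs the Referer sent with the loader fetch itself; the widget
    // requests the loader issues afterwards follow the document's own policy.
    referrerPolicy: 'strict-origin-when-cross-origin',
  };
}

// Mount the widget: show a placeholder until consent exists, then inject the
// loader exactly once. `doc` is the DOM Document (or a test double with the
// same four members), so the decision logic is testable outside a browser.
function mountTrustBox(doc, record, containerId) {
  const container = doc.getElementById(containerId);
  if (!container) return 'no-container';
  const spec = trustBoxScriptSpec(record);
  if (!spec) {
    container.textContent = 'Reviews are shown once you allow third-party content.';
    return 'placeholder';
  }
  if (doc.querySelector(`script[src="${TRUSTPILOT_BOOTSTRAP}"]`)) return 'already-loaded';
  container.textContent = '';
  const script = doc.createElement('script');
  script.src = spec.src;
  script.async = spec.async;
  script.referrerPolicy = spec.referrerPolicy;
  doc.head.appendChild(script);
  return 'loaded';
}

// Browser entry point; skipped when the file runs outside a browser (e.g. Node).
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const run = () => mountTrustBox(document, parseConsent(localStorage.getItem(CONSENT_KEY)), 'trustpilot-reviews');
  run();
  // Re-run when the banner records a decision; 'consent-changed' is an assumed event name.
  document.addEventListener('consent-changed', run);
}
```

Two points follow from the code. First, a refusal or a missing record must leave the loader out entirely; a widget that is merely hidden with CSS has already caused the data flows described in section D. Second, once the loader is injected it runs with the full privileges of the embedding page, so the operator's Content Security Policy has to allow-list the loader origin in `script-src`, and any further origins the loader contacts at runtime should be taken from Trustpilot's integration documentation rather than guessed.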

The above information is based on Trustpilot's publicly available privacy notices, the Data Processing Agreement and the Help Centre, as well as on publicly researchable sources. It does not replace a case-by-case review by the website operator.

I. FAQ on Trustpilot and Data Protection

J. Conclusion and Call to Action on Trustpilot

As a European review portal, Trustpilot is comparatively unproblematic from a German data-protection perspective: the main processing takes place within the EEA, Trustpilot provides a DPA for AFS, and the TrustBox widgets can be delivered behind a consent banner in a clean technical setup. The critical points lie less in the third-country transfer than in the correct classification of roles (controller for the widget, processor for AFS), in the UWG compliance of review invitations and in ongoing maintenance of the subprocessor list.

For the website operator, it is mostly of little use to include a separate template clause for Trustpilot in the privacy policy. Such tool-specific clauses repeat themselves in substance (web server log data, IP address, legitimate interests) and inflate the privacy policy — contrary to the transparency requirement of Art. 12 (1) GDPR, which calls for precise, transparent and easily accessible information.

A structured, topic-oriented approach is preferable: processing operations are explained across topic blocks (server operation, third-party content, review invitations, sales …), and Trustpilot — together with other service providers — appears only in the recipient appendix with its role, seat and privacy notices. This is precisely the methodology of the matterius generator.


This article provides general information on Trustpilot and does not replace legal advice in the individual case. Last updated: 7 May 2026.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
