Privacy Policy
Last Updated: April 2, 2026
This Privacy Policy should be read alongside our Terms of Service and Data Processing Agreement.
The Short Version
- ✓ We don't track you
- ✓ We don't sell your data
- ✓ We don't use analytics (no Google Analytics, no cookies)
- ✓ If you create an account, we store your email (to send you login links)
- ✓ ProveChain and TimeAnchor process manual uploads client-side, your files never leave your browser
- ✓ If you connect cloud services (e.g., GitHub, Google Drive), we read files only to compute hashes, then immediately discard the content
- ✓ If you use SignaSeal, signed documents are stored securely on our platform for the signing workflow
- ✓ Our use of Google API data adheres to the Google API Services User Data Policy, including Limited Use requirements
The Long Version
1. Information We Collect
We collect minimal information necessary to provide our services:
- Account Information: If you create an account, we collect your email address.
- Usage Data: Basic server logs (IP addresses, timestamps) for security and debugging purposes. These are deleted after 30 days.
- Payment Information: If you subscribe to a paid plan, payment processing is handled by Stripe. We never see or store your credit card details.
2. How We Use Your Information
We use collected information solely to:
- Provide and maintain our services
- Send you transactional emails (login links, receipts, service updates)
- Prevent abuse and ensure security
- Comply with legal obligations
We never: Sell your data, use it for advertising, or share it with third parties (except as required by law).
3. Product-Specific Data Handling
Each product handles data differently:
- ProveChain: For manual proofs, files are hashed entirely client-side via WebAssembly and never leave your browser. For connected service proofs (GitHub, Google Drive, Dropbox, OneDrive), our servers temporarily read file content from your cloud provider, compute a SHA-256 hash, and immediately discard the content. Only the cryptographic hash is stored. See Section 4 for full details on connected services. File hashes may be publicly verifiable, that is the purpose of the service.
- TimeAnchor: Proof verification runs entirely in your browser. No data is transmitted to any server. Nothing is stored. Even if we could see the data, a cryptographic hash reveals nothing about the original content.
- SignaSeal: Signed documents are stored on our platform with encrypted database storage to support the signing workflow, sharing, and audit trails. Signing metadata (timestamps, IP addresses, signatures) is stored to provide non-repudiation guarantees. Free tier documents are retained for 48 hours after completion, then deleted. Paid tier documents are retained until you delete them.
- Vigilo Verify: File integrity checks are performed client-side. Hash comparisons happen locally. Only hash data is stored for continuous monitoring purposes.
4. Connected Services & Third-Party Integrations
Some Aramantos Digital products (currently ProveChain) allow you to connect third-party cloud services to enable automated proof creation. This section describes how connected service data is handled.
Services You Can Connect
You may connect the following services via OAuth (industry-standard authorisation):
- GitHub
- Google Drive
- Dropbox
- OneDrive (Microsoft)
You may also connect the following services via API key:
- Amazon S3
- Google Cloud Storage
OAuth Scopes Requested
When you connect a service via OAuth, we request only the permissions necessary to provide the service:
- Google: userinfo.email, userinfo.profile (sign-in and account identification), drive.readonly (read-only access to Google Drive files for hash computation)
- GitHub: repo, read:user, user:email (sign-in, repository access, and email for account identification)
- Dropbox: files.metadata.read, files.content.read, account_info.read (file access for hash computation and account identification)
- OneDrive (Microsoft Graph): User.Read, Files.Read.All (account identification and read-only file access for hash computation)
What Data Is Accessed
When you create a proof from a connected service, our servers temporarily read file metadata and content from your cloud provider to compute a SHA-256 hash. File content is immediately discarded after hashing. Only the cryptographic hash and file path are stored as proof metadata. Your files are never stored on our servers.
How OAuth Tokens Are Stored
OAuth access tokens and refresh tokens are encrypted at rest using AES-256 (via pgcrypto). Tokens are never logged, never included in API responses, and never shared with third parties.
Token Refresh
Some providers issue short-lived access tokens with refresh tokens. Tokens are automatically refreshed when needed. If a refresh fails, the connection is marked as expired and you are prompted to reconnect.
Revoking Access
You can disconnect any connected service from your account settings at any time. Disconnection immediately deletes the stored credentials from our database. You can also revoke access from the provider's side (e.g., Google Account > Security > Third-party apps, GitHub > Settings > Applications).
Google API Services User Data Policy
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Delete your account and data
- Portability: Export your data
- Objection: Object to data processing
To exercise any of these rights, email support@aramantos.dev. We will respond to all data subject requests within 30 days. If a request is particularly complex, we may extend this by up to two additional months, but we will let you know within the initial 30-day period.
6. Cookies and Tracking
We use minimal essential cookies for:
- Session management (keeping you logged in)
- Security (CSRF protection)
We do NOT use: Google Analytics, Facebook Pixel, or any third-party tracking tools.
7. Third-Party Services
We use the following third-party services:
- Cloudflare: DNS management and email routing (cloudflare.com/privacypolicy)
- Vercel: Application hosting and CDN (vercel.com/legal/privacy-policy)
- Google Cloud Platform: Authentication and identity infrastructure (cloud.google.com/terms/cloud-privacy-notice)
- Supabase: Database and file storage (supabase.com/privacy)
- Stripe: Payment processing (stripe.com/privacy)
- Resend: Transactional email delivery (resend.com/legal/privacy-policy)
- OpenTimestamps: Bitcoin blockchain timestamping protocol (open-source, no data collection)
These services are GDPR-compliant and do not track users beyond what is necessary for their functionality.
8. Data Retention
- Account data: Retained until you delete your account
- Connected service credentials: Encrypted OAuth tokens are deleted immediately when you disconnect a service, or when your account is deleted
- Free tier documents (SignaSeal): Retained for 48 hours after completion, then permanently deleted
- Paid tier documents: Retained until you delete them or your account
- Account deletion (Individual tiers): Data permanently deleted within 30 days
- Account deletion (Enterprise tiers): Data permanently deleted within 90 days
- Server logs: Deleted after 30 days
- Backups: Retained for 90 days for disaster recovery
- Blockchain records: Permanent by design (Bitcoin timestamps cannot be removed)
9. Changes to This Policy
We may update this policy occasionally. If we make significant changes, we will notify you via email (if you have an account) or a prominent notice on our website.
10. Data Controller & Sub-Processors
Data Controller: Aramantos Digital, Ireland. Aramantos Digital is the data controller for all personal data processed across its products and services.
The following sub-processors are engaged to provide our services. Each has been assessed for GDPR compliance:
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Cloudflare | DNS management, email routing, DDoS protection | IP addresses, DNS queries, email metadata |
| Vercel | Application hosting, CDN, web analytics | IP addresses, request logs, page views |
| Google Cloud Platform | Authentication and API infrastructure | Account data, OAuth tokens |
| Supabase | Database and file storage | Account data, proofs, documents, hashes |
| Stripe | Payment processing | Payment data (card details never stored by Aramantos Digital) |
| Resend | Transactional email delivery | Email addresses, email content |
| OpenTimestamps | Bitcoin blockchain timestamping | Cryptographic hashes only (no personal data) |
For privacy policies and compliance details for each sub-processor, see Section 7 above. Aramantos Digital will notify users at least 30 days before adding or replacing a sub-processor.
11. Contact Us
If you have questions about this Privacy Policy:
- Email: support@aramantos.dev
- Data Controller: Aramantos Digital
- Location: Ireland
Our Promise:
This policy is not legal boilerplate. It is a commitment. Aramantos Digital builds tools that respect your privacy, and this policy reflects that.