ProveChain Watermark
ProveChain
ProveChain
Home

Privacy Policy

Last updated: March 25, 2026

Privacy by Design: We never store your file contents

KEY PRIVACY PRINCIPLE

We never store your file contents. We only store cryptographic hashes (SHA-256 fingerprints), file/folder names, and account information. Your files stay on your machine (or in your cloud provider).

1. Information We Collect

1.1 CLI Tool (Offline)

✅ ZERO Data Collection

The CLI tool runs 100% locally. No data is sent to our servers. Hashing and proof generation happen entirely on your machine.

1.2 Free Tier (Web App)

Minimal Data Collection

File hashing happens locally in your browser. Your files are never uploaded to our servers. However, when you save a proof, we store:

  • Account Information: Email address (for authentication)
  • Proof Metadata: File name(s) or folder name, cryptographic hash, timestamp, file size

File and folder names are stored so you can identify your proofs. You can rename these at any time from your dashboard.

1.3 Paid Tiers (Founding Member, Professional)

In addition to the data collected for free tier users, paid tiers also involve:

  • Payment Information: Processed by Stripe (we do not store card details)
  • Enhanced Proof Metadata: Descriptions, version notes, blockchain anchoring data
  • Connected Service Data: See Section 1.4 below for details on how automated proofs handle your files
  • Usage Analytics: Number of proofs created, subscription status

What We DON'T Collect:

  • ❌ Your source code or file contents (we read them to hash, then immediately discard)
  • ❌ Browsing history
  • ❌ IP addresses (unless required for fraud prevention)

1.4 Automated Cloud Proofs (Connected Services)

When you connect cloud services (GitHub, OneDrive, Google Drive, Dropbox) for automated proof generation, our servers interact with your files differently than browser-based proofs:

How Automated Proofs Work

  • GitHub, OneDrive, Dropbox: Our servers read the file content from your cloud provider, compute a SHA-256 hash, and immediately discard the file content. Only the hash is stored.
  • Google Workspace (Docs, Sheets, Slides): These files use proprietary formats that are not deterministic, meaning the same document can produce different binary data each time it is accessed. To ensure consistent, verifiable hashes, our servers export the content into a stable format (Docs to plain text, Sheets to CSV, Slides to plain text), hash the exported content, and then immediately discard it. This transformation is necessary because hashing the raw Google format would produce different results each time, making verification impossible.

Key Guarantee

File content is never stored on our servers. It is read (and transformed if necessary), hashed, and immediately discarded. Only the resulting cryptographic hash, file name, and timestamp are retained as proof metadata.

2. Your Responsibility: File Preservation

⚠️ IMPORTANT: ProveChain Stores Hashes, Not Files

This is a privacy feature - we never have access to your files. But it means file preservation is entirely your responsibility.

You are solely responsible for:

  • Preserving the original file versions used to create each proof
  • Storing files securely with restricted access
  • Maintaining separate copies for each proof version

Without the original files, proofs cannot be verified and have no legal value. See our Terms of Service (Section 7) for detailed file preservation requirements.

3. How We Use Your Information

We use collected data only to:

  • Provide and improve the Service
  • Process payments via Stripe
  • Send important account updates (e.g., subscription expiry)
  • Respond to support requests
  • Comply with legal obligations

We will NEVER: Sell your data, use it for advertising, or share it with third parties beyond the service providers listed in Section 6.

4. Data Storage and Security

4.1 Encryption

  • In Transit: All data transmitted via HTTPS (TLS encryption)
  • At Rest: Proof storage is encrypted at rest by our infrastructure provider (Supabase/AWS)

4.2 Data Location

Data is stored on servers within the European Union (EU) to comply with GDPR requirements.

4.3 Data Retention

Upon account deletion, proof data is permanently deleted according to your tier:

  • Active Accounts: Data retained while your account is active
  • Free Tier: Proof data retained for 48 hours after completion, then permanently deleted
  • Individual Tiers (Founding Member, Professional): Data permanently deleted within 30 days of account deletion
  • Enterprise Tiers (Team, Business, Custom): Data permanently deleted within 90 days of account deletion
  • Blockchain Data: Immutable. Hashes anchored to the Bitcoin blockchain remain on-chain permanently and cannot be deleted

5. Lawful Basis and Your GDPR Rights

We process your data under the following lawful bases (GDPR Article 6):

  • Contract Performance: Account data, proof metadata, and connected service processing are necessary to provide the ProveChain service you signed up for
  • Legitimate Interest: Usage analytics (proof counts, subscription status) to maintain and improve the service
  • Legal Obligation: Retaining billing records as required by tax and financial regulations

If you're in the EU, you have the following rights:

  • Right to Access: Request a copy of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Data Portability: Export your data in JSON format
  • Right to Object: Opt-out of certain data processing

To exercise any of these rights, email: support@aramantos.dev

We will respond to all data subject requests within 30 days. If a request is particularly complex, we may extend this by up to two additional months, but we will let you know within the initial 30-day period.

6. Third-Party Services

We use the following third-party services to operate ProveChain:

  • Cloudflare: DNS management and email routing. All traffic passes through Cloudflare. (see Cloudflare Privacy Policy)
  • Vercel: Application hosting and CDN. (see Vercel Privacy Policy)
  • Google Cloud Platform: Authentication and identity infrastructure. (see Google Cloud Privacy Notice)
  • Supabase: Database and file storage. (see Supabase Privacy Policy)
  • Stripe: Payment processing. We do not store card details. (see Stripe Privacy Policy)
  • Resend: Transactional email delivery. (see Resend Privacy Policy)
  • OpenTimestamps: Bitcoin blockchain timestamping protocol. OpenTimestamps is open-source and does not collect personal data. Proof hashes are published to the Bitcoin blockchain and are publicly visible and immutable.

7. Cookies and Tracking

✅ NO Tracking Cookies

We do not use analytics, advertising, or tracking cookies. The only cookies we use are essential session cookies for authentication (if you're logged in).

8. Children's Privacy

ProveChain is not intended for users under 18 years old. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us immediately.

9. Google API Services

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. OAuth tokens are encrypted (AES-256 via pgcrypto) and deleted upon disconnection of the service.

10. Data Controller & Sub-Processors

Aramantos Digital is the data controller for all personal data processed through ProveChain. We determine the purposes and means of processing your data.

We use the following sub-processors to operate the Service. Each processes data only on our instructions and under appropriate data processing agreements:

ProviderPurposeData Processed
SupabaseDatabase hosting & authenticationAccount data, proof metadata, encrypted OAuth tokens
VercelApplication hosting & edge deliveryRequest logs, IP addresses (transient)
StripePayment processingBilling details, subscription status
OpenTimestampsBlockchain anchoringCryptographic hashes only (no personal data)

For a full list of sub-processors or to be notified of changes, contact support@aramantos.dev.

11. Related Legal Documents

12. Changes to This Policy

We may update this Privacy Policy with 30 days' notice. Material changes will be emailed to all users. Continued use of the Service after changes constitutes acceptance.

13. Contact Us

Data Controller: Aramantos Digital

Email: support@aramantos.dev

Terms of ServiceFAQ