Privacy Policy
1. Who we are & scope
authAspect ("authAspect", "we", "us", "our") provides software that seals invisible provenance credentials into your creative work and helps you prove, resolve, and defend ownership. authAspect operates on a shared platform alongside our sister product ScanAspect; identity, the provenance registry, resolution (qr-x.co), and billing are shared platform services. This Policy covers personal data we process as a controller for authAspect's website, app (app.authaspect.com), and services. Where we process content you submit purely on your instructions, we act as your processor and your own privacy commitments to your audience also apply. ScanAspect publishes its own notice for its surfaces. [Legal entity, registered address, and any group companies: TBD.]
2. Information we collect
a. Information you give us
- Account & profile — name, email, username/handle, password or SSO identifier, and profile details, managed through our identity provider (Better Auth, self-hosted).
- Assets you protect — the files you upload for protection. We process them to embed credentials and, by default, do not retain the media. We store a cryptographic hash of the work, your signed provenance claim, and a timestamp in the registry — not the image, video, or audio itself. If you opt in to features that require storing a master or copy, we disclose that at the point of use.
- Content you publish — your verified-page details, links, bio, and destination URLs.
- Support & communications — messages you send us and waitlist / marketing sign-ups (e.g. your email address).
b. Information collected automatically
- Device & usage data — IP address, browser/device type, pages viewed, actions taken, timestamps, and referring URLs.
- Cookies & similar technologies — see §5.
- Discovery data — when the Guardian network surfaces your work, we record the page URL, domain, a content hash, and timestamp. We do not collect personal data about the person who reported a discovery.
c. Information from third parties
- Payment & billing data — subscriptions are sold and processed by Polar as our Merchant-of-Record. Polar collects and processes your payment details under its own privacy policy; we receive limited billing metadata (e.g. plan, status, country, last four digits) but not full card numbers.
- Authentication providers — if you sign in via a third party, we receive the profile data you authorise.
- Agencies / delegates — where an agency manages your account, we may receive information from them on your behalf.
3. How & why we use it
- Provide, operate, and secure the service (embed credentials, run the registry, resolve marks, host your verified page, power discovery).
- Create and manage your account and authenticate you.
- Process transactions and manage subscriptions (via Polar).
- Communicate with you — service messages, support, and, where permitted, product updates and marketing (you can opt out).
- Detect, prevent, and investigate fraud, abuse, and violations of our Terms.
- Comply with legal obligations and enforce our agreements.
- Analyse and improve the service and develop new features.
4. Legal bases (EEA/UK)
Where the GDPR/UK GDPR applies, we process personal data on these bases: performance of a contract (to provide the service you request); legitimate interests (to secure, improve, and market the service, balanced against your rights); consent (e.g. certain cookies and marketing, which you may withdraw); and legal obligation (to comply with law).
5. Cookies & similar technologies
We use strictly necessary cookies to run the site and keep you signed in, and — subject to your consent where required — analytics cookies to understand usage. You can control non-essential cookies through our cookie banner and your browser settings. [Cookie banner + full cookie table: TBD. Analytics provider: TBD.]
6. How we share it
We do not sell your personal data. We share it only as follows:
| Recipient | Purpose |
|---|---|
| Polar | Payments & Merchant-of-Record (billing) |
| Cloudflare | Hosting, edge delivery, security, and data storage |
| Public blockchains (e.g. OpenTimestamps/Bitcoin, EAS) | Tamper-evident timestamps of content hashes (see §7) |
| Analytics / email providers | Product analytics & transactional/marketing email [providers TBD] |
| Professional advisers & authorities | Legal, accounting, or where required by law or to investigate abuse |
| A buyer / successor | In a merger, acquisition, or asset sale (with notice) |
These recipients are bound to appropriate confidentiality and data-protection obligations. A full sub-processor list is available on request. [Sub-processor page: TBD.]
7. Blockchain anchoring — please read
To make provenance tamper-evident, we anchor a cryptographic hash (and Merkle roots of registry batches) to one or more public ledgers. These anchors are public and permanent by design and cannot be edited or deleted by us or anyone else. We anchor only hashes — never your media, name, email, or other personal data — so a public anchor does not expose your content or identity and, on its own, cannot be reversed into either.
8. International transfers
We and our providers may process data in countries other than yours, including the United States. Where we transfer personal data out of the EEA/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an adequacy decision. [Data-hosting regions: TBD.]
9. Data retention
We keep personal data only as long as needed for the purposes above: media is not retained by default; registry records (hashes, signed claims, anchors) are retained to preserve provenance — that is their purpose; account data is kept while your account is active and for a reasonable period after closure, subject to legal requirements; blockchain anchors are permanent (§7). We may keep aggregated or de-identified data indefinitely.
10. Security & self-custody
We use encryption in transit and at rest, access controls, and reasonable technical and organisational measures. No method is perfectly secure. If you enable self-custody, your signing key is generated in your browser and stored under your control; we never receive your private key.
11. Your rights & choices
Depending on where you live, you may have the right to access, correct, delete, port, and restrict or object to our processing of your personal data, and to withdraw consent. You can also opt out of marketing at any time via the unsubscribe link or by emailing us. To exercise a right, contact privacy@authaspect.com; we will verify your request and respond within the time the law allows. You may lodge a complaint with your local data-protection authority. Note: we cannot remove data already anchored to a public blockchain, but such anchors contain only a hash — no media or personal data (§7).
12. US state privacy rights (California & others)
If you are a California resident (CCPA/CPRA) or in another US state with a privacy law, you have rights to know, access, correct, delete, and to opt out of "sale" or "sharing" of personal information and of targeted advertising. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We do not use or disclose sensitive personal information beyond permitted purposes. You may exercise rights (including via an authorised agent) at privacy@authaspect.com, and you have a right to appeal a decision. [Categories of personal information collected/disclosed in the last 12 months, per statutory buckets: TBD.]
13. Children
The service is not directed to, and may not be used by, anyone under 18. We do not knowingly collect data from children. We have zero tolerance for unlawful content, including child sexual abuse material, which is removed and reported to authorities.
14. Changes & contact
We may update this Policy; we will revise the date above and, for material changes, provide additional notice. Contact us at privacy@authaspect.com. [Postal address, Data Protection Officer / EU-UK representative: TBD.]