Privacy Policy

1. Who we are

Prooflayer ("we", "us", "our") operates the platform at proof-layer.net. We are the data controller for personal data processed through our platform. Contact us at [email protected] for any privacy-related enquiries.

2. What data we collect

We collect the following categories of personal data:

3. Hashing and your content

When you register a proof, your file or content is hashed in your browser using the Web Crypto API before anything is sent to our servers. This means the cryptographic fingerprint (SHA-256 hash) is computed client-side.

If you choose to store your file on our platform, it is uploaded encrypted and stored in AWS S3 (eu-west-2, London) with AES-256 encryption. You can choose not to store the file — in which case only the hash and metadata are stored.

Public proofs may be visible to other users. Private proofs are accessible only to you.

4. Blockchain data

Where blockchain anchoring is used, we write a SHA-256 hash to the Polygon blockchain. We do not write any personal data to the blockchain — only the cryptographic hash of your content. Blockchain data is public and permanent by its nature and cannot be deleted.

5. How we share data

We share data with the following third parties:

• Supabase — database and authentication provider (EU data residency)
• AWS S3 (eu-west-2) — encrypted file storage in London region
• Stripe — payment processing (we share transaction data, not card data)
• Cloudflare — CDN, hosting, and our timestamp worker
• freetsa.org — RFC 3161 timestamp authority (receives only the SHA-256 hash, no personal data)
• Loops — email communications (name and email for waitlist and transactional emails)

We do not sell personal data to third parties.

6. Data retention

• Account data is retained for as long as your account is active, plus 90 days after deletion.
• Proof records and metadata are retained indefinitely as they form part of a timestamped evidence record.
• Stored files may be deleted by you at any time from your account settings.
• Blockchain data cannot be deleted — this is explained at the point of anchoring.

7. Your rights under GDPR

If you are in the UK or EU, you have the following rights:

• Access — request a copy of your personal data
• Rectification — correct inaccurate personal data
• Erasure — request deletion of your personal data (subject to limitations where data forms part of an immutable proof record or is on-chain)
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — restrict processing in certain circumstances

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Right to erasure — important limitation

We will honour erasure requests for account data, profile data, and stored files. However, proof metadata and cryptographic hashes cannot be deleted where doing so would undermine the integrity of a timestamped record. This is because the entire purpose of the platform is to create a permanent, verifiable record.

Blockchain-anchored data is irreversible by the nature of blockchain technology and cannot be erased from the chain.

9. Cookies

We use essential cookies only — those required for authentication and session management. We do not use advertising or tracking cookies. We do not use Google Analytics or any third-party analytics that track you across sites.

10. Security

We take data security seriously. We use encryption in transit (TLS) and at rest (AES-256 for stored files). Our infrastructure is hosted within the EU/UK. We conduct regular security reviews.

If you discover a security vulnerability, please contact us responsibly at [email protected] before public disclosure.

11. Contact

For all privacy enquiries: [email protected]