Draft — pending legal review. This document is a working copy. Final terms will be posted before public launch. For enterprise contracts, use the DPA attached to your MSA.

LEGAL

Privacy Policy

Last updated: April 20, 2026

1. Overview

Hashproof (“we,” “us”) operates the Hashproof content-provenance API, SDKs, and dashboard at hashproof.ai. This policy explains what we collect, how we use it, and the rights you have under GDPR, CCPA/CPRA, and comparable regimes.

2. Data we collect

Account data
Email address, OAuth provider identity (Google or GitHub), and authentication tokens managed by our identity provider Supabase.
Content we sign
Binaries you send to the Hashproof signing or verification endpoints, plus any assertion metadata you attach. Stored for the retention window of your tier.
Usage telemetry
API request metadata (method, endpoint, status code, response time, IP address, timestamp). Used for rate limiting, billing, and fraud detection. Retained for 90 days.
Product analytics
Anonymized page views and performance metrics collected via Vercel Analytics and Vercel Speed Insights. We do not use third-party advertising trackers.

3. How we use data

  • To provide the Hashproof API and dashboard.
  • To meter usage, enforce rate limits, and generate invoices.
  • To investigate abuse, security incidents, and regulatory requests.
  • To send service communications (deprecation notices, incident alerts) — never marketing unless you opt in.

4. Sub-processors

We rely on vetted vendors to operate the service. See the full list — including what each one processes and in which regions — on our security page.

5. Your rights

You can access, export, correct, or delete your data at any time from the dashboard or by emailing privacy@hashproof.ai. We respond to verified requests within 30 days.

Under GDPR, you additionally have the right to object to processing and to lodge a complaint with your local supervisory authority. Under CCPA/CPRA, you have the right to know, delete, and opt out of sale — we do not sell personal data.

6. Retention

Signed manifests: retained for the window specified by your tier (30 days on Free, 1 year on Growth, 7 years on Scale, custom on Enterprise). Usage telemetry: 90 days. Account data: retained while your account is active; deleted within 30 days of account closure, subject to legal record-keeping obligations.

7. International transfers

The Hashproof API runs in US regions by default (AWS us-east-1 and us-west-2). EU residency is available on the Enterprise tier. For cross-border transfers we rely on Standard Contractual Clauses.

8. Contact

Data controller: privacy@hashproof.ai.