BA| Stamp

Terms of Service

Last updated: April 2026

1. Acceptance of Terms

By accessing or using BA | Stamp ("the Service"), operated at bastamp.com, you agree to be bound by these Terms of Service (the "Terms"). If you do not agree with any provision of these Terms, do not access or use the Service. These Terms apply to all users, including registered account holders, visitors, and anyone who accesses the Service through any means, including the public verification pages, the open-source verifier, and the API. The Service is operated by Aletheia Tech Ltd, a company incorporated in England and Wales (the "Operator", "we", "us", or "our").

2. Definitions

In these Terms, the following capitalised terms have the meanings set out below: • "Service" / "BA | Stamp" — the software-as-a-service timestamping platform operated by Aletheia Tech Ltd at bastamp.com, including the dashboard, API, public verification pages, and PDF certificate generation. • "User" / "you" — any person or legal entity that accesses or uses the Service, whether or not registered. • "Account" — a registered user profile on the Service, authenticated by email address and protected by session credentials. • "Document" / "File" — any digital file submitted by the User for hashing. The Service never receives the Document itself; only its SHA-256 fingerprint is transmitted. • "Hash" / "SHA-256 Fingerprint" — the 64-character hexadecimal output of applying the SHA-256 cryptographic hash function to a Document. • "Stamp" — the record of a Hash associated with a User's Account, together with the related metadata, Merkle Proof, Batch reference, and Certificate. • "Batch" — a group of Hashes aggregated into a single Merkle Tree and anchored in one on-chain transaction for efficiency. • "Merkle Tree" / "Merkle Root" / "Merkle Proof" — the cryptographic structure used to aggregate Hashes into a single Batch root, and the sibling-path data proving inclusion of a specific Hash in that root. • "Anchoring" — the act of writing a Merkle Root onto a blockchain via a publicly verifiable transaction. • "Polygon" — the Polygon proof-of-stake blockchain, the primary anchoring chain used by the Service. • "Bitcoin" / "OpenTimestamps" — the Bitcoin blockchain and the OpenTimestamps protocol used to obtain a secondary attestation of the Merkle Root. • "Certificate" — the PDF document generated by the Service for each anchored Stamp, containing the Hash, Merkle Proof, on-chain references, jurisdiction-specific legal framing, and step-by-step verification instructions. • "Credit" / "Stamp Credit" — a prepaid unit entitling the User to submit one Document for Anchoring. • "Verification Page" — the public web page hosted at /verify/[hash] that displays the on-chain record and allows independent recomputation of the Hash. • "Open-source Verifier" / "stamp-verify" — the MIT-licensed command-line tool published by the Operator enabling verification of Certificates without reliance on the Service. • "Archive" — the User-controlled state that hides a Stamp from the primary dashboard view; reversible via Restore. Archiving does not affect the on-chain record or Certificate. • "eIDAS" — Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183. • "QTSP" — Qualified Trust Service Provider within the meaning of eIDAS Article 3(20). • "Non-qualified Electronic Timestamp" — an electronic timestamp within the meaning of eIDAS Article 41, which is what the Service issues. • "Qualified Electronic Timestamp" — an electronic timestamp meeting the additional requirements of eIDAS Article 42, which the Service does not issue.

3. Description of the Services

BA | Stamp provides blockchain timestamping services with the following core components: • Document Timestamping — client-side SHA-256 hashing of the User's Documents, with the resulting Hash aggregated into a Batch and anchored to the Polygon blockchain via a Merkle Root. • Bitcoin Secondary Anchor — each Merkle Root is additionally submitted to the OpenTimestamps calendar system for attestation on the Bitcoin blockchain, providing defense-in-depth against the unavailability of any single chain. • Cryptographic Certificates — PDF Certificates containing the Hash, Merkle Proof, on-chain transaction references, jurisdiction-specific legal framing, and reproducible verification instructions. • Public Verification Pages — a public page for every Stamp at /verify/[hash], allowing any third party to recompute the Hash locally and confirm the on-chain anchor without creating an account. • Open-source Verifier — stamp-verify, an MIT-licensed tool that reproduces verification locally using only the Certificate and a public blockchain RPC endpoint. • Dashboard, Labels, Tags, Archive — account-holder interfaces for managing, labelling, tagging, searching, and archiving Stamps.

4. Account Registration

• You must provide a valid email address when creating an Account. • You are responsible for maintaining the security of your Account credentials and session. • One Account per natural person or legal entity, unless otherwise agreed in writing. • You must be at least 18 years old (or the age of majority in your jurisdiction, whichever is higher) to use the Service. • You must promptly notify the Operator of any unauthorised use of your Account. • You must not share credentials, session tokens, or API keys with unauthorised parties. • The Operator may refuse, suspend, or terminate Accounts that violate these Terms, are used for fraudulent purposes, or are required to be terminated by applicable law.

5. How the Service Works

5.1 Client-Side Hashing. Documents are hashed entirely in the User's browser using SHA-256. Only the resulting 64-character Hash is transmitted to our servers. We never receive, store, or process the original Document. The SHA-256 function is one-way: the original Document cannot be reconstructed from the Hash. 5.2 Polygon Anchoring (Primary). Hashes submitted by Users are queued and aggregated into Batches. Each Batch produces a single Merkle Root, which is written to our verified smart contract on the Polygon proof-of-stake blockchain in one on-chain transaction. The Polygon block time at which the transaction is included becomes the tamper-proof timestamp of every Hash in the Batch. Polygon is chosen for its low cost and fast finality, which makes frequent batching economical. 5.3 Bitcoin Secondary Anchoring (Defense-in-Depth). In addition to the Polygon anchor, every Merkle Root is submitted to the OpenTimestamps calendar system for secondary attestation on the Bitcoin blockchain. Bitcoin confirmation typically occurs within one to six hours of submission. Once confirmed, the OpenTimestamps proof is associated with the Batch and made available through the Certificate and the Verification Page. Bitcoin anchoring is provided at no additional cost and is designed to preserve verifiability even if the Polygon network becomes unavailable, compromised, or discontinued in the future. The OpenTimestamps proof can be verified independently with any OpenTimestamps-compatible tool, including the open-source OpenTimestamps client and our stamp-verify utility. 5.4 Certificates. Upon successful Polygon anchoring, the Service generates a PDF Certificate containing: the SHA-256 Hash; the Merkle Proof linking the Hash to the Merkle Root; the Polygon transaction hash and block time; the Bitcoin OpenTimestamps attestation reference (once confirmed); jurisdiction-specific legal framing; a numbered step-by-step verification procedure; and a QR code/URL to the Verification Page. Certificates are designed to be self-contained and independently verifiable — they do not require the Operator's systems to remain online. 5.5 Public Verification Pages. Each anchored Stamp is reachable at a public URL of the form /verify/[hash]. The page displays the on-chain record (Polygon and, when available, Bitcoin), the Merkle Proof, and a drag-and-drop tool that recomputes SHA-256 locally in the visitor's browser to confirm that a provided file produces the recorded Hash. No account, login, or personal data of the verifier is required. The Verification Page is designed to be shared with third parties (counterparties, counsel, courts, insurers, auditors) as independent evidence. 5.6 Open-source Verifier. Verification does not depend on the continued availability of the Service. We publish stamp-verify, an MIT-licensed open-source tool which reproduces the verification logic using only the PDF Certificate and a public blockchain RPC endpoint. Source code is published on GitHub; any party may audit, fork, or reuse it. 5.7 Archive & Restore. Registered Users may archive individual Stamps at their discretion. Archiving hides the Stamp from the primary dashboard and moves it to a dedicated "Archived" view. Archiving is fully reversible via Restore and does not delete, modify, or invalidate the underlying on-chain anchor, the Certificate, or the Verification Page. It is purely an interface preference on the Operator's systems. The Service does not expose any capability to delete an anchored Stamp: the on-chain anchor is inherently permanent, and account-level records persist until Account closure (see Section 15). Archive state synchronises across devices associated with the same Account. 5.8 No Guarantee of Perpetuity. While blockchain data is designed to be permanent, the Operator cannot guarantee the perpetual availability or correct operation of any specific blockchain network. The dual-anchor approach (Polygon + Bitcoin) is designed to mitigate this risk: for as long as at least one of the two chains remains operational and accessible, a Certificate issued by the Service remains verifiable using public data and the open-source Verifier.

6. Service Availability and Anchoring Schedule

6.1 Anchoring Schedule. Submitted Hashes are batched and anchored on Polygon at regular intervals (typically every five to fifteen minutes during normal operation). The Service does not guarantee any specific individual anchoring latency; intervals may vary with network conditions, gas market dynamics, or planned maintenance. 6.2 Status. Each Stamp has a status ("pending" while queued, "anchored" once the Polygon transaction is confirmed, "failed" in the event of a terminal error). Submission of a Hash is not conclusive until the status becomes "anchored". 6.3 Batch Failures and Retries. If a Batch transaction reverts or is otherwise not included on-chain, affected Hashes are automatically requeued into the subsequent Batch. No Credit is consumed for a failed Anchoring attempt unless and until the Hash is successfully anchored. 6.4 Bitcoin Attestation Latency. Bitcoin confirmation of the OpenTimestamps attestation typically takes one to six hours after submission but may take longer subject to the Bitcoin network's block production and calendar server availability. A Certificate may be issued before the Bitcoin attestation is confirmed; it is then updated or downloadable again once confirmation occurs. 6.5 Uptime. The Operator strives for high availability but makes no warranty of uninterrupted service. Planned maintenance, blockchain network congestion, force majeure events, or outages of third-party infrastructure may delay Anchoring. 6.6 Third-party Dependencies. The Service relies on third-party infrastructure including (without limitation) the Polygon network, Bitcoin network, OpenTimestamps calendar servers, cloud hosting providers, and payment processors. Temporary outages of these providers may affect specific operations.

7. Pricing and Payment

• Prices are listed in USD, EUR, and GBP and are displayed inclusive or exclusive of VAT as indicated at checkout. • Payment is required in advance. Stamp Credits are issued to the Account upon successful payment and are consumed as Hashes are submitted. • Credits are non-transferable between Accounts and do not expire save where expressly stated at the time of purchase. • Enterprise and volume pricing is available by contact with the Operator. • Prices may be changed by the Operator with thirty (30) days' notice for Accounts with active subscriptions; purchased Credits are honoured at the price paid. • Payments are processed securely through Stripe, Inc. and its local affiliates. Card data is held by Stripe, not by the Operator. • VAT or equivalent taxes are applied in accordance with applicable law (including the UK VAT regime and EU OSS where applicable).

8. Refund Policy

Unused Credits. Refundable within fourteen (14) days of purchase, provided no Stamps have been submitted from the pack. Where applicable consumer protection law (including the UK Consumer Contracts Regulations 2013 and EU Directive 2011/83/EU) provides a longer statutory withdrawal period, that period prevails. • Used Credits. Non-refundable once a Hash has been submitted, because the Hash is immediately queued for Anchoring and the associated cost is incurred. • Platform Errors. If Anchoring fails due to a terminal platform error (not blockchain network volatility), the Credit is automatically restored to the Account at no cost. • Chargebacks. Unjustified chargebacks may result in Account suspension and legal recovery of costs.

9. Limitations, Disclaimers and Evidentiary Value

9.1 Not Legal Advice. BA | Stamp provides technical timestamping infrastructure, not legal advice. The Certificates cite applicable legal frameworks for informational purposes only. Users are solely responsible for determining whether a non-qualified electronic timestamp is appropriate for their use case and, where necessary, for consulting qualified legal counsel. 9.2 Non-qualified Electronic Timestamp under eIDAS Art. 41. The timestamps issued by BA | Stamp are non-qualified electronic timestamps within the meaning of Article 41 of eIDAS. Under Article 41(1), an electronic timestamp "shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements of the qualified electronic timestamp." 9.3 Not a QTSP. Aletheia Tech Ltd is not a Qualified Trust Service Provider accredited under eIDAS Article 42 or its national implementations. The Service does not issue qualified electronic timestamps. If your use case specifically requires a qualified electronic timestamp under Art. 42 (for example, certain long-term electronic archival regimes under national supervised conservation laws), obtain it from a QTSP accredited in the relevant jurisdiction. 9.4 Jurisdiction-Specific Admissibility. The Certificates list legal references for each supported jurisdiction (including eIDAS Art. 41 for the EU/EEA; Art. 2712 of the Italian Civil Code for Italy; FRE 901(b)(9) and, where applicable, 902(13)/902(14) for the United States; the UK Electronic Communications Act 2000 and CPR Part 32 for England and Wales; and equivalents elsewhere) based on our research at the time of issuance. Legal regimes evolve. The cited references are informational and do not constitute an opinion on admissibility or probative weight in any specific matter, which remains for the competent court or authority to determine. 9.5 No Warranty. The Service is provided "as is" and "as available" without warranties of any kind, whether express, implied, statutory, or otherwise, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, uninterrupted availability, continuous accuracy, or perpetuity of any specific blockchain network. To the extent any warranty cannot be excluded under applicable law, it is limited to the minimum duration permitted by that law.

10. Intellectual Property

• The BA | Stamp platform, brand, trademarks, user interface, Certificate template design, and proprietary source code are the intellectual property of Aletheia Tech Ltd. • The Stamper smart contract source code is publicly verified on Polygonscan and may be freely inspected. • The open-source Verifier (stamp-verify) is released under the MIT License. Its source code is publicly available and may be freely audited, forked, and reused, subject to the MIT terms. • Certificates generated through the Service are provided to Users for use as evidence or reference; Users may share, present, and reproduce their own Certificates without restriction. • The Verification Pages are publicly accessible by design. Users accept that a Certificate's Verification URL, and the corresponding on-chain record, are publicly visible as a condition of the Service.

11. Acceptable Use

You agree NOT to: • Use the Service to facilitate, record, or evidence any unlawful activity. • Submit Documents the Anchoring of which would itself constitute a criminal offence in your jurisdiction. • Submit false, misleading, or deceptive metadata with the intent to deceive a third party as to the nature, origin, or authorship of a Document. • Attempt to reverse-engineer, probe, tamper with, or otherwise interfere with the platform infrastructure or the smart contract beyond permitted inspection. • Overwhelm our systems with excessive automated requests, denial-of-service attacks, or similar abusive patterns. • Share Account credentials, session tokens, or API keys with unauthorised parties. • Use the Service in breach of applicable sanctions laws, including UK, EU, and US sanctions regimes.

12. Data, Privacy and Retention

12.1 What We Store. The Operator stores, in association with an Account: your email address (for authentication and transactional communication); the SHA-256 Hashes you submit; optional metadata you voluntarily provide (filename, file size, MIME type, label, tags, jurisdiction selection, locale); Merkle Proofs, Batch references, and blockchain transaction identifiers; Archive state (archivedAt timestamp, if applicable); payment records (card data is held by Stripe, not by the Operator); authentication sessions and audit logs. 12.2 What We Do Not Store. The Operator never receives, stores, or processes original Documents. All hashing is performed client-side; only the 64-character SHA-256 fingerprint is transmitted. 12.3 Legal Basis (GDPR / UK DPA 2018). For Users in the EU/EEA, the United Kingdom, and equivalent jurisdictions, processing is based on: (a) performance of the contract (Art. 6(1)(b) GDPR) for Account provisioning, Anchoring, Certificate delivery, and payment; (b) legitimate interests (Art. 6(1)(f) GDPR) for platform security, fraud prevention, and abuse monitoring; and (c) consent (Art. 6(1)(a) GDPR) for non-essential analytics, where explicitly opted in. 12.4 Data Controller. Aletheia Tech Ltd, incorporated in England and Wales, acts as data controller for personal data processed in connection with the Service. Data-subject enquiries: legal@blockchainanalysis.io. 12.5 Retention. Account data is retained for the lifetime of the Account. Hashes, Merkle Proofs, Batch references, and Certificates are retained for as long as the on-chain anchor persists, because regenerating Certificates and Verification Pages on demand requires these linking records. Upon Account closure (see Section 15), the Operator retains a minimal record sufficient to preserve the public verifiability of existing Stamps, as Certificates and Verification Pages are designed to remain independently verifiable beyond the lifetime of any individual Account. Personal data not required for verifiability is deleted or anonymised within ninety (90) days of Account closure, except where retention is required by applicable law (for example, VAT and accounting records retained for seven (7) years in the United Kingdom). 12.6 User Rights. Users in GDPR / UK DPA jurisdictions have the rights of access, rectification, erasure (subject to 12.5), restriction of processing, portability, and objection. Complaints may be made to the UK Information Commissioner's Office (ICO) or the competent supervisory authority in the User's country of residence. 12.7 International Transfers. Where personal data is transferred outside the UK or EEA, the Operator relies on appropriate safeguards (including the UK International Data Transfer Agreement and the EU Standard Contractual Clauses) as required by applicable law. 12.8 Full Privacy Policy. See the Privacy Policy for full details including sub-processors, cookie usage, and security measures.

13. Limitation of Liability

To the maximum extent permitted by applicable law: • The Operator's total aggregate liability arising out of or in connection with these Terms, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the greater of (a) the total amount paid by the User to the Operator in the twelve (12) months preceding the event giving rise to the claim and (b) one hundred (100) US dollars. • The Operator shall not be liable for indirect, incidental, special, consequential, punitive, or exemplary damages, or for loss of profits, revenue, goodwill, business opportunity, or data. • The Operator shall not be liable for the availability, performance, or security of third-party blockchain networks, calendar servers, payment processors, or other third-party infrastructure on which the Service depends. • The Operator shall not be liable for any specific legal interpretation of the evidentiary weight or admissibility of a Certificate in any jurisdiction. • Nothing in this Section 13 limits or excludes liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; or (iii) any other liability that cannot be limited or excluded under applicable law.

14. Governing Law, Jurisdiction and Dispute Resolution

14.1 Governing Law. These Terms and any non-contractual obligations arising from or relating to them are governed by and construed in accordance with the laws of England and Wales. 14.2 Good-faith Negotiation. Any dispute shall first be addressed in good faith directly between the parties. Each party shall use reasonable efforts to resolve the dispute within thirty (30) days of written notice. 14.3 Mediation. If the dispute is not resolved under Section 14.2, the parties may, by mutual written agreement, submit it to non-binding mediation administered by the Centre for Effective Dispute Resolution (CEDR) in London, or by an equivalent recognised mediation body, before commencing litigation. 14.4 Jurisdiction. Failing resolution under Sections 14.2 and 14.3, the courts of England and Wales shall have exclusive jurisdiction over any dispute, save that nothing in this Section prevents either party from seeking urgent injunctive or equitable relief in any court of competent jurisdiction. 14.5 EU/EEA Consumers. If you are a consumer resident in the EU or EEA, this Section does not deprive you of the mandatory protection of the courts or law of your country of residence as afforded by applicable consumer law.

15. Termination

• You may close your Account at any time by contacting legal@blockchainanalysis.io or, where offered, via the Account settings. • The Operator may suspend or terminate Accounts that materially violate these Terms, that are used for unlawful purposes, or where required to do so by applicable law, court order, or sanctions regime. • Upon termination: (a) existing Certificates and Verification Pages remain verifiable, as they are self-contained and do not depend on your Account; (b) unused Credits are not refunded except as provided in Section 8; (c) the retention rules in Section 12 apply to residual personal data. • Sections relating to intellectual property, limitation of liability, governing law, dispute resolution, data retention, and any provision that by its nature is intended to survive termination shall survive termination.

16. Changes to the Terms

The Operator may update these Terms from time to time to reflect changes to the Service, applicable law, or industry practice. When we make material changes, we will update the "Last updated" date and provide reasonable notice (for example, by email to the Account's registered address or by a notice in the dashboard) at least thirty (30) days before the changes take effect, save where a shorter period is required by law. Your continued use of the Service after the effective date constitutes acceptance of the updated Terms. If you do not accept the updated Terms, your remedy is to cease using the Service and, where applicable, close your Account under Section 15.

17. Controlling Language

These Terms of Service are drafted in English. Translations into other languages are provided for User convenience only. In case of inconsistency, ambiguity, or conflict between the English version and any translation, the English version shall prevail, save where applicable consumer-protection law requires otherwise.

18. Contact

BA | Stamp — operated by Aletheia Tech Ltd Registered in England and Wales Email: legal@blockchainanalysis.io Web: bastamp.com