Privacy Policy
Last updated: April 2025
Who We Are
BA | Stamp is operated by Aletheia Tech Ltd, a company registered in the United Kingdom (128 City Road, London, EC1V 2NX). We are committed to protecting your privacy in compliance with the UK GDPR, the UK Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR).
The Core Privacy Promise
Your files never leave your device. BA | Stamp computes the SHA-256 hash entirely in your browser. Only the 64-character fingerprint is transmitted to our servers. Your original document cannot be reconstructed from the hash — it is a one-way cryptographic function.
Data We Collect
| Data type | Purpose | Retention |
| --- | --- | --- |
| Email address | Authentication (magic link / Google OAuth) | Duration of account + 5 years |
| File hashes (SHA-256) | Timestamping service delivery | Indefinite (on-chain data is permanent) |
| Optional file metadata (name, size, type) | Certificate generation, user convenience | Duration of account |
| Payment information | Billing via Stripe | 7 years (UK tax law) |
| IP addresses | Security, fraud prevention | 90 days |
| Usage logs (pages visited) | First-party analytics, product improvement | 90 days |
Data We Do NOT Collect
• Your original files — never uploaded, never seen, never stored
• File contents — only the cryptographic hash
• Third-party tracking data — no Google Analytics, Meta Pixel, or advertising trackers
• Marketing cookies — not used
Data Storage
All data is stored in EU data centers (Neon EU for database, Vercel for application hosting). We use encryption at rest (AES-256) and in transit (TLS 1.3) for all data.
Data Processors
We use a limited number of third-party processors:
• Stripe — Payment processing (PCI DSS compliant)
• Brevo — Email delivery (EU-based, GDPR compliant)
• Vercel — Application hosting (GDPR compliant, DPA in place)
• Neon — Database hosting (EU region, GDPR compliant)
• Polygon & Bitcoin networks — Public blockchain anchoring (only hashes, no personal data)
We never sell your personal data to third parties.
Cookies
• Strictly necessary — Authentication session, CSRF protection (always on)
• Analytics — First-party only, opt-in, no third-party trackers
• Marketing — Not used
See our Cookie Policy for full details.
Your Rights
Under UK GDPR and EU GDPR, you have the right to:
• Access — Request a copy of your data
• Rectification — Correct inaccurate personal data
• Erasure — Request deletion of your account and data
• Portability — Receive your data in a machine-readable format
• Objection — Object to processing for specific purposes
• Withdraw consent — Where processing is consent-based, withdraw at any time
Important note on blockchain data: Hashes anchored to the blockchain cannot be deleted as they are part of the public ledger. However, without the original file, a hash alone reveals nothing about the document's contents.
To exercise your rights, email privacy@blockchainanalysis.io.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk.
Data Retention
• Account data — Duration of account + 5 years (UK regulatory requirements)
• On-chain hashes — Permanent (blockchain is immutable)
• Payment records — 7 years (UK tax law)
• IP addresses & usage logs — 90 days
• Merkle proofs & certificates — Duration of account
Contact
For privacy-related questions:
Email: privacy@blockchainanalysis.io
Aletheia Tech Ltd, 128 City Road, London, EC1V 2NX, United Kingdom
We aim to respond to all privacy inquiries within 30 days.