Privacy Policy
Privacy Policy
Apostillum, Inc. Effective Date: [DATE] Last Updated: [DATE]
1. Introduction
Apostillum, Inc. ("Apostillum," "we," "us," or "our") is a Delaware C Corporation that provides zero-knowledge AI interaction audit trail services. This Privacy Policy describes how we collect, use, store, and protect information when you use our platform, website, desktop application, browser extension, API integrations, and related services (collectively, the "Service").
Apostillum operates as a zero-knowledge blind notary. This means we cryptographically attest to the existence and integrity of your AI interactions without the ability to read, modify, or delete the underlying content. This architectural reality fundamentally shapes our data practices and is reflected throughout this Policy.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use of the Service immediately.
2. Zero-Knowledge Architecture — What This Means for Your Privacy
Before detailing our data practices, it is important to understand Apostillum's zero-knowledge design:
-
Client-side encryption. All AI interaction content is encrypted on your device using XChaCha20-Poly1305 authenticated encryption before any data leaves your device. Apostillum never receives plaintext conversation data.
-
Hash-only verification. Only a SHA-256 cryptographic hash of the original content is transmitted to our systems for timestamping and blockchain anchoring. This hash cannot be reversed to reconstruct the original content.
-
Shamir's Secret Sharing (client-controlled). Your encryption key can be split into five shares using Shamir's Secret Sharing scheme (3-of-5 threshold). All shares are generated on your device, and you download and control the distribution of all five shares. Apostillum never sees, stores, or transmits any key share.
-
Practical consequence. Apostillum operates as a blind vault. We store encrypted data we cannot read. We timestamp hashes we cannot reverse. We hold zero key shares and have no cryptographic access to your data whatsoever. No employee, officer, contractor, or agent of Apostillum can access the plaintext content of your AI interactions.
3. Information We Collect
3.1 Information You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Account information | Name, email address, organization name, job title, billing address | Account creation, authentication, billing, customer support |
| Billing information | Payment method details (processed by our payment processor; we do not store full payment card numbers) | Subscription billing |
| Communications | Emails, support tickets, chat messages you send to us | Customer support, product improvement |
| Organization settings | Team member invitations, role assignments, retention policy preferences | Service administration |
3.2 Information Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Encrypted attestation blobs | XChaCha20-Poly1305 encrypted copies of AI interaction data, stored as opaque binary objects | Long-term evidence preservation (content is inaccessible to Apostillum) |
| Cryptographic hashes | SHA-256 hashes of original interaction content | Integrity verification, blockchain anchoring |
| Blockchain anchoring records | Hedera Consensus Service transaction IDs, Bitcoin OpenTimestamps proofs, RFC 3161 timestamps from DigiCert | Tamper-proof timestamping |
| Interaction metadata | Timestamp of interaction, AI provider identifier (e.g., "Claude," "ChatGPT"), model identifier, token count, session identifier | Audit trail completeness, usage metering, billing |
| Document filename and MIME type | The original filename and MIME type of any document you seal through the desktop application's "Seal a document" feature, stored on the row seal_submissions.original_filename (and the matching mime_type column) |
Display in the verification portal so a regulator can recognise the artefact; troubleshooting; audit trail |
| Service usage data | Features accessed, actions taken within the dashboard, verification portal usage | Service improvement, troubleshooting |
| Device and connection data | IP address, browser type, operating system, device identifier, referring URL | Security, fraud prevention, troubleshooting |
| Log data | Server logs, error logs, API call logs | Service operation, debugging, security monitoring |
3.3 Information We Do NOT Collect
The following data categories are never collected, transmitted, or stored by Apostillum in plaintext form:
- The content of your AI conversations (prompts, responses, or any portion thereof)
- The plaintext of any document, file, or media you discuss with AI systems
- Your AI provider API keys (these remain on your device)
- Complete decryption keys for your encrypted attestation blobs
This is not a policy choice — it is an architectural impossibility. Our systems are designed so that this data cannot reach us in readable form.
4. How We Use Information
We use the information we collect for the following purposes:
- Providing the Service. Encrypting, storing, timestamping, and anchoring your AI interaction attestation records; processing verification requests.
- Billing and account management. Processing payments, managing subscriptions, sending invoices and receipts.
- Security and fraud prevention. Detecting and preventing unauthorized access, abuse, or security incidents.
- Legal compliance. Responding to lawful requests from authorities (subject to the zero-knowledge limitations described in Section 10).
- Service improvement. Analyzing aggregate, de-identified usage patterns to improve the Service.
- Communications. Sending service-related notices (security alerts, maintenance windows, policy changes) and, with your consent, product updates.
We do not use your information for:
- Advertising or ad targeting
- Selling or renting personal data to third parties
- Training AI models
- Profiling or automated decision-making that produces legal effects
5. Data Storage and Retention
5.1 Encrypted Attestation Blobs
Encrypted attestation blobs are stored in WORM (Write Once, Read Many) vault infrastructure using AWS S3 Object Lock in Compliance mode. Under this storage model:
- Standard retention: 20 years. Attestation blobs are retained for twenty (20) years from the date of creation. This matches the marketing commitment of a "20-year tamper-evident archive" and exceeds typical regulatory record-keeping requirements for legal and tax purposes.
- Immutability guarantee. Once written, attestation blobs cannot be modified, overwritten, or deleted by anyone — including Apostillum — until the retention period expires. This is enforced at the infrastructure level by AWS S3 Object Lock Compliance mode.
- Deletion after retention. Upon expiration of the retention period, attestation blobs are automatically purged. You may request earlier deletion of your account and associated metadata, but encrypted attestation blobs will be retained until the applicable retention period expires due to the immutability of WORM storage.
5.2 Account and Billing Data
Account and billing information is retained for the duration of your account plus seven (7) years to satisfy tax, accounting, and regulatory obligations.
5.3 Service Logs
Server logs, error logs, and API call logs are retained for ninety (90) days, unless a longer period is required for an active security investigation.
5.4 Blockchain Records
Cryptographic hashes and timestamps anchored to public blockchains (Hedera, Bitcoin) and RFC 3161 timestamping authorities are permanent and immutable by their nature. These records contain only hashes — not content — and cannot be deleted.
5.5 Irrevocable Records and the Limits of Erasure
Apostillum's evidence guarantee depends on records that, by design, no party — including Apostillum — can later alter or remove. You should understand which records are irrevocable before you create them:
| Record type | Where it lives | Why it cannot be revoked |
|---|---|---|
| SHA-256 hash of your sealed content | Hedera Consensus Service public ledger | Anchored to a public blockchain; consensus history is global and append-only |
| SHA-256 hash of your sealed content | Bitcoin OpenTimestamps calendar + Bitcoin block header | Anchored via Bitcoin proof-of-work; block history is global and append-only |
| SHA-256 hash of your sealed content | RFC 3161 timestamp token (DigiCert TSA) | Cryptographically signed by the timestamping authority; the TSA cannot un-sign a token |
| Encrypted attestation blob | AWS S3 Object Lock vault, COMPLIANCE retention mode | Object Lock COMPLIANCE is enforced by AWS at the bucket policy level. Even AWS root credentials cannot delete a locked object before its retention period expires |
Practical consequence — GDPR Article 17 / CCPA right to delete. Once you create a seal, the four records above are anchored within seconds. From that moment, a request to "delete the seal" cannot be honoured by Apostillum, because no Apostillum control plane has the authority to alter Hedera consensus, the Bitcoin chain, a TSA-signed token, or a COMPLIANCE-locked S3 object. Upon a deletion request we will:
- Delete your account and the human-readable metadata we hold (account row, device list, billing history not required for tax retention).
- Provide written confirmation of what was deleted and what could not be deleted, with the specific reason per record class.
- Note that the encrypted blob remains opaque to us regardless: we hold zero shares of the Shamir-split key, so even before the WORM retention expires we have no cryptographic ability to decrypt it.
This is not a policy preference and not a workflow gap. It is the property that makes Apostillum's evidence trustworthy: an audit trail that a future Apostillum, future AWS, future regulator, or future court order could quietly tamper with would be worthless. Before you seal anything, you should be confident that you are willing to leave a permanent cryptographic record of its existence at that moment in time.
If you require a "soft" record that you can later retract, do not seal it. Apostillum is not the right tool for that use case.
6. Data Sharing and Disclosure
6.1 Third-Party Service Providers
We share information with the following categories of service providers, solely to operate the Service:
| Provider Category | Data Shared | Purpose |
|---|---|---|
| Cloud infrastructure (AWS) | Encrypted attestation blobs, account data, logs | Hosting, storage, compute |
| Payment processor (Stripe or equivalent) | Billing information | Payment processing |
| Blockchain networks (Hedera, Bitcoin) | SHA-256 hashes only | Immutable timestamping |
| RFC 3161 timestamping authority (DigiCert) | SHA-256 hashes only | Cryptographic timestamping |
| Email/communication provider | Email address, name | Transactional emails |
| Analytics (aggregate only) | De-identified, aggregate usage data | Service improvement |
All service providers are bound by data processing agreements that restrict their use of data to the purposes described above.
6.2 Legal Disclosures
We may disclose information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. However, due to our zero-knowledge architecture:
- We can provide: Account information (name, email, organization), interaction metadata (timestamps, AI provider identifiers, token counts), and encrypted attestation blobs.
- We cannot provide: Plaintext AI interaction content. We do not possess decryption keys sufficient to decrypt attestation blobs. A subpoena, court order, or warrant directed at Apostillum for plaintext content cannot be fulfilled — not because of a policy choice, but because of a technical impossibility.
We will notify you of any legal request for your data unless prohibited by law or court order from doing so.
6.3 Business Transfers
In the event of a merger, acquisition, bankruptcy, or asset sale, your data may be transferred to the successor entity. Encrypted attestation blobs will remain encrypted, and the zero-knowledge architecture will be preserved. We will notify you of any such transfer and any changes to this Privacy Policy.
6.4 No Sale of Personal Data
Apostillum does not sell, rent, lease, or trade your personal data to any third party for monetary or other valuable consideration.
7. International Data Transfers
Apostillum is headquartered in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
7.1 European Economic Area (EEA), United Kingdom, and Switzerland
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional technical and organizational measures.
- EU-US Data Privacy Framework (DPF) and the UK Extension to the DPF, to the extent applicable and certified.
The zero-knowledge architecture provides an additional, substantial safeguard: even if data is accessed by a foreign government, the content remains encrypted and inaccessible without key reconstruction, which is entirely under client control. Apostillum holds no key shares and cannot assist in decryption under any circumstances.
7.2 Japan
For transfers of personal data from Japan, we comply with the Act on the Protection of Personal Information (APPI) and rely on consent, contractual safeguards, or adequacy determinations as applicable.
7.3 Other Jurisdictions
For other jurisdictions, we implement appropriate safeguards as required by applicable law and will supplement this section as we expand into additional markets.
8. Your Rights
8.1 General Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Request correction of inaccurate personal data.
- Deletion/Erasure. Request deletion of your personal data, subject to the limitations described below.
- Data portability. Request a copy of your data in a structured, commonly used, machine-readable format.
- Restriction of processing. Request that we limit how we use your data.
- Objection. Object to processing based on legitimate interests.
- Withdrawal of consent. Withdraw consent at any time where processing is based on consent.
- Complaint. Lodge a complaint with your local data protection authority.
8.2 Zero-Knowledge Caveats on User Rights
Due to our zero-knowledge architecture, certain rights operate differently:
-
Access to plaintext content. We cannot provide you with plaintext copies of your AI interactions because we do not possess them. You retain exclusive control of your encryption keys (and any Shamir key shares, if enabled) and can reconstruct and decrypt your data independently using the Apostillum client application.
-
Deletion of encrypted attestation blobs. Attestation blobs stored in WORM vaults cannot be deleted before the retention period expires. This is an infrastructure-level constraint, not a policy choice. Upon request, we will: (a) delete your account and all associated metadata; and (b) provide written confirmation of these actions. Because Apostillum holds no key shares, encrypted blobs are already permanently inaccessible to us by design. You may achieve crypto-shredding by destroying your own encryption keys.
-
Rectification of encrypted content. We cannot modify encrypted attestation blobs because (a) we cannot read them to identify what requires correction, and (b) WORM storage prohibits modification. You may submit a corrected interaction as a new attestation record.
-
Portability. We can export your encrypted attestation blobs, metadata, and blockchain anchor records. Decryption requires your encryption keys (or Shamir key shares, if you have enabled key splitting).
8.3 Exercising Your Rights
To exercise any of the above rights, contact us at:
- Email: privacy@apostillum.com
- Mail: Apostillum, Inc., [Address], Wilmington, DE [ZIP]
We will respond to verifiable requests within thirty (30) days, or within the timeframe required by applicable law.
9. GDPR Compliance (European Economic Area)
9.1 Data Controller and Data Processor Roles
- You (the customer) are the data controller for any personal data contained within AI interaction content.
- Apostillum is the data processor, processing encrypted attestation blobs on your behalf and according to your instructions.
For account and billing data, Apostillum acts as an independent data controller.
9.2 Legal Bases for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service (encryption, storage, timestamping) | Performance of a contract (Art. 6(1)(b)) |
| Billing and account management | Performance of a contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Service improvement (aggregate analytics) | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
9.3 Data Protection Agreement (DPA)
Enterprise and professional customers may request a Data Protection Agreement that supplements this Privacy Policy with GDPR-required terms, including:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
- Sub-processor management and notification
- Data breach notification procedures
- Audit rights
- Cross-border transfer mechanisms
To request a DPA, contact privacy@apostillum.com.
9.4 Data Protection Officer
Apostillum has designated a Data Protection contact reachable at dpo@apostillum.com. A formal Data Protection Officer will be appointed if and when required under Article 37 of the GDPR.
10. CCPA / CPRA Compliance (California)
10.1 Categories of Personal Information
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), we collect the following categories of personal information:
- Identifiers: Name, email address, IP address, account identifier
- Commercial information: Subscription records, billing history
- Internet or electronic network activity: Service usage data, interaction metadata
- Professional or employment-related information: Job title, organization name (if provided)
10.2 Your CCPA Rights
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information (subject to WORM storage limitations described in Section 8.2)
- Opt out of sale or sharing of personal information — Apostillum does not sell or share personal information as defined by the CCPA
- Non-discrimination for exercising your CCPA rights
- Correct inaccurate personal information
- Limit use of sensitive personal information — Apostillum does not collect sensitive personal information as defined by the CCPA
10.3 How to Exercise CCPA Rights
Submit requests via privacy@apostillum.com or by mail. We will verify your identity before processing any request. You may designate an authorized agent to submit requests on your behalf.
11. Cookie Policy
11.1 Current Use
The Apostillum desktop application and browser extension do not use cookies.
11.2 Web Dashboard (Future)
When the Apostillum web dashboard and verification portal (apostil.ly) are launched, we may use:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Authentication, session management, security (CSRF tokens) | Session / up to 24 hours |
| Functional | User preferences, dashboard settings | Up to 1 year |
| Analytics | Aggregate, anonymous usage statistics | Up to 1 year |
We will not use advertising or tracking cookies. We will update this section and, where required, implement a cookie consent mechanism before deploying any non-essential cookies.
12. Security
We implement technical and organizational measures to protect your data, including:
- XChaCha20-Poly1305 authenticated encryption (client-side)
- Client-controlled Shamir's Secret Sharing (3-of-5) for key management (all shares generated and retained by client)
- TLS 1.3 for all data in transit
- AWS S3 Object Lock Compliance mode for data at rest
- Role-based access controls with least privilege
- Regular security assessments and penetration testing
- Incident response procedures with breach notification within 72 hours (GDPR) or as otherwise required by law
- SOC 2 Type II compliance (planned)
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
13. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@apostillum.com and we will take steps to delete such information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website with a revised "Last Updated" date
- Sending an email notification to the address associated with your account
- Displaying an in-application notification
Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy. Material changes will not apply retroactively to data collected before the change.
15. Contact Information
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, contact us at:
Apostillum, Inc. [Address] Wilmington, DE [ZIP]
- General privacy inquiries: privacy@apostillum.com
- Data Protection contact: dpo@apostillum.com
- Security concerns: security@apostillum.com
- Website: https://apostillum.com
For EEA residents, you also have the right to lodge a complaint with your local supervisory authority.
This Privacy Policy is provided for informational purposes and constitutes the data protection commitments of Apostillum, Inc. It does not create any attorney-client relationship and does not constitute legal advice.