Privacy Policy

Effective: March 20, 2026

What We Collect

• SHA-256 content hashes submitted via the attestation API
• Stripe payment metadata (transaction IDs, amounts, timestamps) for paid attestations
• Server-side timestamps at the time of attestation
• Derived agent IDs generated via Argon2 hashing — pseudonymous and unlinkable to real-world identity

What We Do NOT Collect

• Original content — only SHA-256 hashes are submitted; raw data never reaches our servers
• Personally identifiable information (PII) beyond Stripe payment metadata
• Cookies beyond essential session and security cookies
• IP addresses beyond standard 30-day server log retention

How We Use Data

• Create cryptographically signed attestation records
• Verify attestation authenticity via the public verification API
• Enforce rate limits and prevent service abuse

Retention

Attestation records are stored for 10 years in AWS S3 Object Lock (Compliance Mode). This storage is write-once, read-many — records cannot be modified or deleted during the retention period, including by us.

Server logs are retained for 30 days and then permanently deleted.

Third Parties

• AWS — cloud infrastructure, S3 storage, KMS HSM signing
• Stripe — payment processing for paid attestations

We do not sell, share, or transfer data to any other third parties.

Contact

For privacy-related inquiries: contact@mpps.io