Privacy Policy

Effective: March 20, 2026

What We Collect

• SHA-256 content hashes and structured receipt manifests submitted via the API
• Small labels and context fields included by the caller
• Stripe payment metadata (transaction IDs, amounts, timestamps) for optional paid certify flows
• Server-side timestamps at the time of receipt creation
• Derived source fingerprints generated from request source information for rate limiting and correlation

What We Do NOT Collect

• Original artifacts — raw files do not need to reach our servers
• Personally identifiable information (PII) beyond Stripe payment metadata
• Cookies beyond essential session and security cookies
• IP addresses beyond standard 30-day server log retention

How We Use Data

• Create cryptographically signed receipt records
• Verify receipt authenticity via the public verification API
• Enforce rate limits and prevent service abuse

Retention

Receipt records are stored for 10 years in AWS S3 Object Lock (Compliance Mode). This storage is write-once, read-many — records cannot be modified or deleted during the retention period, including by us.

Server logs are retained for 30 days and then permanently deleted.

Third Parties

• AWS — cloud infrastructure, S3 storage, KMS HSM signing
• Stripe — payment processing for optional paid certify flows

We do not sell, share, or transfer data to any other third parties.

Contact

For privacy-related inquiries: contact@mpps.io