Privacy Policy

The data controller for personal data collected through the Incipite service is:

UK GDPR note. DE.H.VS is established in France. Where processing of UK residents' personal data is occasional and does not involve large-scale processing of special category data, no UK representative is required under UK GDPR Art. 27(2)(a). All UK data subject requests are handled at legal@incipite.com.

Incipite computes the SHA-256 cryptographic fingerprint of your file directly in your browser. The original file never leaves your device.

Only the fingerprint (64 hexadecimal characters) is transmitted to our servers. Incipite has no access to any element of the content of your works.

The following data is collected when using the service:

• ·Account data: retained for the duration of the account + 3 years after closure, or until deletion is requested.
• ·Certified fingerprints: retained indefinitely to maintain public verifiability of issued certificates.
• ·Payment data: retained by Stripe in accordance with their legal obligations.
• ·Technical logs: 90 rolling days.

Incipite uses the following providers, each bound by their own GDPR commitments:

• ClerkAuthentication and account management — United States (SCC + DPF)
• SupabaseDatabase — fingerprints and metadata (EU/Singapore, SCC)
• VercelApplication hosting — United States (SCC + DPF)
• StripePayment processing — United States / Ireland (SCC + DPF)
• ResendTransactional emails — United States (SCC)
• UpstashCache and rate limiting — EU (GDPR direct)
• SentryApplication error tracking — United States (SCC + DPF) — emails and user IDs sanitised before transmission
• UmamiCookie-less anonymous analytics — EU (GDPR direct)
• cron-job.orgExternal cron trigger (carries only an authentication secret — no personal data) — EU (Germany)
• OpenTimestampsBitcoin blockchain anchoring (receives only the SHA-256 fingerprint)

No personal data (name, email, date of birth) is transmitted to OpenTimestamps, Umami, cron-job.org or Upstash. Only the anonymous cryptographic fingerprint is sent to OpenTimestamps.

Transfers outside the EU: transfers to the United States (Clerk, Vercel, Stripe, Resend, Sentry) are governed by the Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914) and, where applicable, by self-certification under the EU-U.S. Data Privacy Framework (Adequacy Decision 2023/1795 of 10 July 2023).

Status of the SHA-256 hash: in line with CJEU C-582/14 (Breyer, 2016), a SHA-256 cryptographic fingerprint of a file does not by construction identify a natural person (cryptographic pre-image resistance) and is therefore not personal data taken in isolation. It is its combination with your account identifier that constitutes the processing framed above.

Under EU GDPR and UK GDPR, you have the following rights over your personal data:

• ·Access — Obtain a copy of your data.
• ·Rectification — Correct inaccurate data.
• ·Erasure — Delete your data (subject to legal limitations).
• ·Portability — Receive your data in a structured format.
• ·Objection — Object to certain processing activities.
• ·Restriction — Restrict processing where disputed.

To exercise your rights: legal@incipite.com. Response within 30 days. You may also lodge a complaint with your supervisory authority — in the UK: ICO (ico.org.uk); in the EU: CNIL or your local DPA.

Incipite uses a minimal number of strictly necessary cookies for the operation of the service:

• ·Clerk session cookie — maintains authentication. Duration: session.

No advertising cookies. No third-party analytics trackers.

Strictly necessary cookies (session authentication via Clerk) are exempt from PECR consent requirements under Regulation 6(4) of the Privacy and Electronic Communications Regulations 2003. No tracking or advertising cookies are used.

Incipite implements the following technical and organisational measures:

• ·TLS encryption in transit on all communications.
• ·Database access via Row-Level Security (RLS).
• ·Secret keys managed via encrypted environment variables (Vercel).
• ·Per-user rate limiting to prevent abuse.
• ·No server-side storage of file contents.

Any material changes will be notified by email with 15 days' notice. The current version is always accessible at incipite.com/en/confidentialite.