Privacy Policy

Last updated: 2026-05-12.

What we never see

Your files do not reach our server. Hashing happens in your browser via crypto.subtle. Only the 32-byte SHA-256 digest is sent to us. We cannot recover your file from the digest; nobody can. The privacy claim is enforced by the structure of the protocol, not by our promise to behave.

What we collect

• SHA-256 hashes you submit, plus the optional client label (filename, max 200 chars) you choose to attach.
• Truncated IP prefixes for rate limiting (we keep the first three octets of IPv4 / 48 bits of IPv6 — enough to spot abuse, not enough to identify individuals). Full IPs are not retained.
• Email addresses for Pack purchases, supplied through Stripe Checkout. We use these only to deliver the claim code and the receipt, and to honor refund requests.
• The anchored receipt itself — receipt ID, hash, timestamp, OTS proof files. These are public-by-design: anyone with the receipt ID can read them via /api/receipt/<id>. Don't anchor secrets you wouldn't want a peer to verify.

What we don't collect

• No analytics scripts, no third-party trackers, no cookies for tracking.
• No advertising IDs or fingerprinting.
• No file contents.
• No full IP addresses in logs or analytics.

Cookies and local storage

We use one localStorage entry, orpho_pack_token, to remember your active Pack claim code across page loads. It's local to your browser; we never read it from the server. Clear it any time via the "remove" button on the Pack banner or your browser's site-data controls.

Third parties

Stripe processes Pack payments. They see your card details and your email; we never do. See stripe.com/privacy.

Resend delivers transactional emails (Pack claim codes, receipt copies). They see your email and the message contents. See resend.com/legal/privacy-policy.

OpenTimestamps calendar servers receive your 32-byte hash when we submit it. They batch many users' hashes into a single Bitcoin transaction; they do not receive your IP (we proxy the submission).

Fly.io hosts our server. Their infrastructure logs may capture connection metadata; we configure our application not to retain full IPs.

Retention

• Anchor records (hashes, timestamps, OTS proofs): retained indefinitely. They are the product.
• Free-tier receipts: may be pruned from our servers 30 days after creation. Your local copy of the receipt JSON + .ots files remains independently verifiable forever.
• Email addresses: retained for the life of the associated Pack credit balance, plus 7 years for tax/refund records.
• Truncated IP prefixes in logs: 24 hours, then rotated.

Your rights

Email [email protected] to request a copy of the data associated with your email address, or to request deletion. We respond within 30 days. EU/UK/California residents: you have the rights granted by GDPR / UK-GDPR / CCPA respectively, and we will honor them.

Changes

We may update this policy; the "Last updated" date will change. Material changes will be emailed to Pack purchasers when feasible.

Contact

Anonymous solo founder. Reach the privacy queue at [email protected].