Privacy Policy
Last updated: 2026-05-12.
What we never see
Your files do not reach our server. Hashing happens in your
browser via crypto.subtle. Only the 32-byte SHA-256 digest is
sent to us. We cannot recover your file from the digest; nobody can. The
privacy claim is enforced by the structure of the protocol, not by our
promise to behave.
What we collect
- SHA-256 hashes you submit, plus the optional client label (filename, max 200 chars) you choose to attach.
- Truncated IP prefixes for rate limiting (we keep the first three octets of IPv4 / 48 bits of IPv6 — enough to spot abuse, not enough to identify individuals). Full IPs are not retained.
- Email addresses for Pack purchases, supplied through Stripe Checkout. We use these only to deliver the claim code and the receipt, and to honor refund requests.
- The anchored receipt itself — receipt ID, hash, timestamp, OTS proof files. These are public-by-design: anyone with the receipt ID can read them via /api/receipt/<id>. Don't anchor secrets you wouldn't want a peer to verify.
What we don't collect
- No analytics scripts, no third-party trackers, no cookies for tracking.
- No advertising IDs or fingerprinting.
- No file contents.
- No full IP addresses in logs or analytics.
Cookies and local storage
We use one localStorage entry, orpho_pack_token,
to remember your active Pack claim code across page loads. It's local to
your browser; we never read it from the server. Clear it any time via the
"remove" button on the Pack banner or your browser's site-data controls.
Third parties
Stripe processes Pack payments. They see your card details and your email; we never do. See stripe.com/privacy.
Resend delivers transactional emails (Pack claim codes, receipt copies). They see your email and the message contents. See resend.com/legal/privacy-policy.
OpenTimestamps calendar servers receive your 32-byte hash when we submit it. They batch many users' hashes into a single Bitcoin transaction; they do not receive your IP (we proxy the submission).
Fly.io hosts our server. Their infrastructure logs may capture connection metadata; we configure our application not to retain full IPs.
Retention
- Anchor records (hashes, timestamps, OTS proofs): retained indefinitely. They are the product.
- Free-tier receipts: may be pruned from our servers 30 days after creation. Your local copy of the receipt JSON + .ots files remains independently verifiable forever.
- Email addresses: retained for the life of the associated Pack credit balance, plus 7 years for tax/refund records.
- Truncated IP prefixes in logs: 24 hours, then rotated.
Your rights
Email [email protected] to request a copy of the data associated with your email address, or to request deletion. We respond within 30 days. EU/UK/California residents: you have the rights granted by GDPR / UK-GDPR / CCPA respectively, and we will honor them.
Children
Orphograph is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have, email [email protected] and we will delete it.
Changes
We may update this policy; the "Last updated" date will change. Material changes will be emailed to Pack purchasers when feasible.
Contact
Anonymous solo founder. Reach the privacy queue at [email protected].