STAMPiD Privacy Policy

How we handle your data

Effective Date: February 4, 2026
Last Updated: February 4, 2026

In short: STAMPiD is a timestamping service that proves your creative work existed at a specific time. We collect only what we need to operate the service: your account info, cryptographic hashes of your files (never the files themselves), and standard technical data. We do not sell your data.

1. Who We Are

STAMPiD ("we," "us," "our") operates the STAMPiD mobile application and the backend API at api.stampid.tech. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

2.2 Timestamp and Stamp Data

When you create a timestamp ("stamp"), we collect:

2.3 Audit and Security Logs

For security and compliance, we log:

2.4 Technical and Diagnostic Data

We collect limited technical data to maintain service reliability:

2.5 Information We Do NOT Collect

3. How We Use Your Information

PurposeData UsedLegal Basis (GDPR)
Provide timestamping services File hashes, timestamps, TSA proofs Contract performance
Authenticate your account Email, hashed password, API keys Contract performance
Send service emails (password resets, verifications) Email address Contract performance
Protect against fraud and abuse IP addresses, failed login counts, audit logs Legitimate interest
Maintain service reliability Crash reports, error logs Legitimate interest
Comply with legal obligations Audit logs, account records Legal obligation

4. Data Storage and Retention

4.1 Where We Store Data

Your data is stored on servers provided by Railway (our hosting provider) using PostgreSQL databases with encryption at rest. Redis is used for temporary caching (rate limiting, session tokens) with automatic expiration.

4.2 How Long We Keep Data

4.3 Data Security

We protect your data using:

5. Third-Party Services

We share limited data with the following third-party services to operate STAMPiD:

ServicePurposeData Shared
Sentry (sentry.io) Error monitoring and crash reporting Device type, OS version, error stack traces. PII is disabled (sendDefaultPii=false). No screenshots are captured.
Resend (resend.com) Transactional email delivery (SMTP) Email address, email content (password resets, verification emails)
RFC 3161 Timestamp Authorities Independent timestamp verification Cryptographic hashes only (no files, no personal data)
OpenTimestamps / Bitcoin Blockchain anchoring of timestamps Cryptographic hashes only (anchored to the Bitcoin blockchain)
Railway (railway.app) Application hosting and database All application data (encrypted at rest)

We do not sell, rent, or trade your personal information to any third party.

6. Your Rights

6.1 All Users

Regardless of your location, you have the right to:

6.2 GDPR Rights (European Economic Area, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

To exercise these rights, contact us at privacy@stampid.tech. We will respond within 30 days.

Data Protection Authority: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

6.3 CCPA Rights (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

To exercise these rights, contact us at privacy@stampid.tech or use the account deletion feature in the app.

Categories of personal information collected in the preceding 12 months: identifiers (email, username), internet activity (IP address, user agent), and inferences (cryptographic hashes derived from your files).

We do not sell personal information. We have not sold personal information in the preceding 12 months.

7. Account Deletion

You may request deletion of your account and personal data at any time by:

Upon deletion:

We will process deletion requests within 30 days.

8. Children's Privacy

STAMPiD is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under these ages, we will take steps to delete that information promptly.

If you believe a child has provided us with personal information, please contact us at privacy@stampid.tech.

9. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Your continued use of STAMPiD after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

For privacy questions, data requests, or concerns:

We aim to respond to all privacy inquiries within 30 days.