Effective Date: February 4, 2026
Last Updated: February 4, 2026
In short: STAMPiD is a timestamping service that proves your creative work existed at a specific time. We collect only what we need to operate the service: your account info, cryptographic hashes of your files (never the files themselves), and standard technical data. We do not sell your data.
1. Who We Are
STAMPiD ("we," "us," "our") operates the STAMPiD mobile application and the backend API at api.stampid.tech. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address -- used for login, password resets, and service notifications
- Username -- your chosen display name
- Password -- stored as a one-way cryptographic hash (bcrypt); we never store or see your plaintext password
- Full name (optional) -- if you choose to provide it
2.2 Timestamp and Stamp Data
When you create a timestamp ("stamp"), we collect:
- Cryptographic file hash (SHA-256) -- a mathematical fingerprint of your file. We never receive, store, or process your actual files. The hash is computed on your device before being sent to our servers.
- File metadata -- file name, file size, and file type (e.g., audio, image, document)
- Timestamp data -- the date and time the stamp was created
- TSA (Time Stamp Authority) responses -- cryptographic proofs from independent RFC 3161 timestamp authorities confirming when your hash was submitted
- Blockchain anchor data -- if applicable, transaction hashes and block heights from Bitcoin/OpenTimestamps anchoring
- Description and tags (optional) -- any notes you add to your stamps
2.3 Audit and Security Logs
For security and compliance, we log:
- IP addresses -- associated with login attempts and API requests
- User agent strings -- browser/app version information
- Action logs -- records of account actions (login, stamp creation, verification) with timestamps
- Failed login attempts -- count and timing, used for account lockout protection
2.4 Technical and Diagnostic Data
We collect limited technical data to maintain service reliability:
- Crash reports -- via Sentry (see Section 5), including device type, OS version, and stack traces when errors occur. No personally identifiable information (PII) is sent to Sentry by default.
- Rate limiting tokens -- stored temporarily in Redis to enforce API rate limits
2.5 Information We Do NOT Collect
- We do not collect or store your original files (photos, audio, documents)
- We do not collect location data
- We do not use advertising trackers or analytics SDKs
- We do not collect contacts, calendar, or other device data
- We do not take screenshots of your device
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
| Provide timestamping services |
File hashes, timestamps, TSA proofs |
Contract performance |
| Authenticate your account |
Email, hashed password, API keys |
Contract performance |
| Send service emails (password resets, verifications) |
Email address |
Contract performance |
| Protect against fraud and abuse |
IP addresses, failed login counts, audit logs |
Legitimate interest |
| Maintain service reliability |
Crash reports, error logs |
Legitimate interest |
| Comply with legal obligations |
Audit logs, account records |
Legal obligation |
4. Data Storage and Retention
4.1 Where We Store Data
Your data is stored on servers provided by Railway (our hosting provider) using PostgreSQL databases with encryption at rest. Redis is used for temporary caching (rate limiting, session tokens) with automatic expiration.
4.2 How Long We Keep Data
- Account data -- retained while your account is active, deleted upon account deletion request
- Stamp records and TSA proofs -- retained indefinitely, as these constitute your proof of existence. You may request deletion, but note that blockchain-anchored proofs cannot be removed from public blockchains.
- Audit logs -- retained for up to 2 years for security and compliance
- Rate limiting data -- automatically expires within minutes to hours
- Crash reports -- retained in Sentry for 90 days
4.3 Data Security
We protect your data using:
- HTTPS/TLS encryption for all data in transit
- Bcrypt password hashing with salt
- Ed25519 digital signatures on audit log chains (tamper-evident logging)
- API key hashing (keys are never stored in plaintext)
- Account lockout after repeated failed login attempts
- CORS and CSRF protections
5. Third-Party Services
We share limited data with the following third-party services to operate STAMPiD:
| Service | Purpose | Data Shared |
| Sentry (sentry.io) |
Error monitoring and crash reporting |
Device type, OS version, error stack traces. PII is disabled (sendDefaultPii=false). No screenshots are captured. |
| Resend (resend.com) |
Transactional email delivery (SMTP) |
Email address, email content (password resets, verification emails) |
| RFC 3161 Timestamp Authorities |
Independent timestamp verification |
Cryptographic hashes only (no files, no personal data) |
| OpenTimestamps / Bitcoin |
Blockchain anchoring of timestamps |
Cryptographic hashes only (anchored to the Bitcoin blockchain) |
| Railway (railway.app) |
Application hosting and database |
All application data (encrypted at rest) |
We do not sell, rent, or trade your personal information to any third party.
6. Your Rights
6.1 All Users
Regardless of your location, you have the right to:
- Access your personal data by viewing your account and stamps
- Correct inaccurate information in your account settings
- Delete your account and associated personal data (see Section 7)
- Export your stamp data
6.2 GDPR Rights (European Economic Area, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access (Article 15) -- request a copy of all personal data we hold about you
- Right to rectification (Article 16) -- correct inaccurate or incomplete data
- Right to erasure (Article 17) -- request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Article 18) -- limit how we use your data
- Right to data portability (Article 20) -- receive your data in a structured, machine-readable format
- Right to object (Article 21) -- object to processing based on legitimate interest
- Right to withdraw consent (Article 7) -- where processing is based on consent
To exercise these rights, contact us at privacy@stampid.tech. We will respond within 30 days.
Data Protection Authority: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
6.3 CCPA Rights (California Residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to know -- what personal information we collect, use, and share
- Right to delete -- request deletion of your personal information
- Right to opt-out of sale -- we do not sell your personal information, so no opt-out is needed
- Right to non-discrimination -- we will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at privacy@stampid.tech or use the account deletion feature in the app.
Categories of personal information collected in the preceding 12 months: identifiers (email, username), internet activity (IP address, user agent), and inferences (cryptographic hashes derived from your files).
We do not sell personal information. We have not sold personal information in the preceding 12 months.
7. Account Deletion
You may request deletion of your account and personal data at any time by:
- Using the account deletion option in the app settings
- Emailing privacy@stampid.tech with the subject "Account Deletion Request"
Upon deletion:
- Your account, email, username, and profile data will be permanently deleted
- Your stamp records and associated metadata will be deleted
- Audit logs referencing your account will be anonymized
- Note: Cryptographic hashes that have been anchored to the Bitcoin blockchain cannot be removed from the blockchain. However, these hashes alone cannot be linked back to you or your original files without additional context.
We will process deletion requests within 30 days.
8. Children's Privacy
STAMPiD is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under these ages, we will take steps to delete that information promptly.
If you believe a child has provided us with personal information, please contact us at privacy@stampid.tech.
9. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy at this URL
- Updating the "Last Updated" date at the top
- Sending an email notification for significant changes
Your continued use of STAMPiD after changes are posted constitutes acceptance of the updated policy.
11. Contact Us
For privacy questions, data requests, or concerns:
- Email: privacy@stampid.tech
- Subject line: "Privacy Inquiry" for general questions, "Data Request" for access/deletion requests
We aim to respond to all privacy inquiries within 30 days.