BitSeal
Effective June 5, 2026

Privacy policy.

An honest account of what BitSeal sees, what it does not, who processes data on our behalf, and the rights you have over that data.

Plain-English summary

BitSeal is a cryptographic timestamping service. Files you seal never leave your device. Only a hash fingerprint, filename, size, MIME type, entropy measurement, and timestamp are transmitted to our ledger. We rely on a small set of third-party providers for hosting, database, and bot protection, listed at /legal/subprocessors. Ledger entries are designed to be durable and publicly queryable by hash. We do not sell data and run no advertising profiles.

1. Data BitSeal does not receive

All cryptographic hashing happens in your browser before anything is sent to our servers. The following categories of data never reach BitSeal infrastructure.

The contents of any file you seal. Files are read, hashed locally, and discarded in your browser.
Private signing keys. BitSeal does not generate, receive, or custody user private keys.
Account credentials or payment details. BitSeal currently has no user accounts and accepts no payments.
Advertising or cross-site tracking identifiers. We do not run ad tech and do not build behavioral profiles.

2. Data BitSeal does receive

To operate the ledger and issue a verifiable seal, the following fields are transmitted to our servers when you use the Evidence Sealer or the Verifier.

Ledger entry fields
  • Root hash. 64-character BLAKE3 hex fingerprint of the file. Cryptographically irreversible.
  • SHA3-512 hash. Secondary NIST-standard hash of the file. Cryptographically irreversible.
  • Filename. Plain text string, truncated to 255 characters. Filenames may contain personal or project names; consider renaming files before sealing if that concerns you.
  • File size and MIME type. Byte count and detected content type.
  • Shannon entropy. Numeric measure of byte-distribution randomness across the file.
  • Timestamp (UTC). Unix time at which the seal was issued by the server.
  • Ed25519 signature. Cryptographic signature under Orygn's Authority key. For v2 seals (the default), binds the SHA3-512 of the canonical manifest, so any field-level tampering breaks the signature. For legacy v1 seals, binds the root hash and timestamp only.
Operational telemetry
  • IP address. Observed by our hosting provider and our bot-protection provider for each request, for the purpose of abuse prevention, rate limiting, and security investigation.
  • User agent. Browser identifier string, recorded in edge logs.
  • Request metadata. Standard web-server access records, including request time, path, method, and response status.

3. How we use this data

The data described above is used strictly for the operation, security, and improvement of the Service.

  • Sealing. To generate the signed manifest and the downloadable PDF certificate.
  • Verification. To allow any third party who knows the root hash to confirm its presence in the ledger and retrieve the signed manifest.
  • Abuse prevention. To enforce the bot-protection challenge and block automated flooding of the ledger.
  • Aggregated analytics. To measure page-level traffic and performance through a cookieless analytics provider that does not profile individuals. A second analytics provider with EU consent-mode v2 may be enabled in the future; this policy will be updated before that occurs.

We do not use BitSeal data to train machine-learning models, do not sell or rent it, and do not share it with third parties except the subprocessors listed at /legal/subprocessors.

4. Subprocessors

BitSeal relies on a small set of third-party providers to operate. Each is contractually bound by its own privacy and data-processing commitments. We list providers by category here and maintain the named list, with current regions and policy links, on a dedicated page so that changes can be tracked without re-issuing this policy.

  • Application hosting and edge delivery. Serves bitseal.orygn.tech and runs the serverless functions behind the API. Receives standard HTTP request metadata and, for API routes, the request body.
  • Hardware-backed signing-key custody. Holds the Authority Ed25519 signing key in an AWS KMS HSM validated under FIPS 140-3 Security Level 3 (NIST CMVP Cert #4884). Receives a SHA3-512 digest (v2) or 40-byte root+timestamp message (v1) per signed seal and returns the signature; the private key never leaves the HSM.
  • Managed Postgres. Stores the canonical BitSeal ledger entries listed in Section 2.
  • Abuse-defense backend. Managed Redis storing per-IP and per-X-API-Client sliding-window rate-limit counters, proof-of-work challenges issued for /api/seal (random 32-byte challenge plus issuing IP, 5-minute TTL, marked used after a successful seal), and a 24-hour blocklist of IPs that touched known-bait honeypot endpoints. Counters and challenges expire automatically; no manifest content is sent.
  • Network edge proxy. Cloudflare's CDN/proxy in front of bitseal.orygn.tech. Sees every HTTP request's URL, method, IP, User-Agent, TLS fingerprint, and request headers. Operates the WAF and edge rate-limit rules. Distinct from the bot-protection challenge below.
  • Bot-protection challenge. Runs the human-verification challenge on the submission and verification endpoints. Processes the IP address, TLS fingerprint, User-Agent, sitekey, and origin of each challenged request.
  • Bitcoin-anchor calendar operators. Four public OpenTimestamps calendars (Alice, Bob, Finney, Catallaxy) receive the SHA-256 digest of each seal's Ed25519 signature (32 bytes, no manifest content) at seal time. The calendars aggregate digests and commit them to the Bitcoin blockchain.
  • Bitcoin block-header observers. Public block-explorer services queried by BitSeal's daily upgrade cron (for block heights and times) and by the BitSeal SDK from the user's own machine (for independent anchor verification). Server-side calls send block heights only; client-side calls originate from the user's IP and are not on BitSeal's behalf.
  • Cookieless web analytics. Aggregated page-view and performance analytics. The per-visitor session identifier is discarded after 24 hours and the provider does not build behavioral profiles.
  • Privacy-respecting web analytics (not currently active). A second analytics provider with EU consent-mode v2 may be enabled in the future. This policy will be updated before the integration is activated in production.

The current named list is at /legal/subprocessors.

5. Permanence and the public ledger

BitSeal seals are designed to be durable, publicly queryable by hash, and independently verifiable. We want to be precise about what that means.

What is cryptographically durable

The Ed25519 signature on each seal is verifiable against Orygn's published Authority public key. Any party in possession of a signed manifest or PDF certificate can confirm the signature independently of BitSeal's hosted infrastructure using any standard Ed25519 verifier.

Convenience features of the hosted Service

The hosted lookup at bitseal.orygn.tech/verify, the PDF regeneration endpoint, and the public API are convenience features built on top of the cryptographic record. Because the proof itself lives in the signed manifest and PDF you receive at seal time, we recommend you retain a local copy of any seal you rely on. That local copy verifies independently against the Authority public key with any standard Ed25519 library, with no network call to BitSeal required.

Once a seal is recorded, its ledger entry is treated as part of an evidentiary record for the ordinary course of business. We do not delete individual seal entries in response to general deletion requests, because doing so would defeat the evidentiary purpose of the Service. Once a seal has been committed to a Bitcoin-anchored Signed Tree Head (typically within 24 hours of issuance), the cryptographic commitment to that seal cannot be retracted even by Orygn; deletion of a ledger row removes the convenience of hash-based lookup at our API but does not change the underlying cryptographic record. The narrow circumstances under which we will nonetheless remove a ledger entry are set out in Section 9.

6. Retention

Retention for each category of data is determined by the subprocessor that holds it, as described below. We do not maintain independent long-term copies of subprocessor logs.

  • Ledger entries (managed Postgres). Retained for the life of the Service, subject to the removal conditions in Section 9.
  • Hosting runtime logs. Retained for 1 hour. If we enable extended log retention in the future, this policy will be updated before the change takes effect.
  • Cookieless web analytics. The per-visitor session identifier is discarded after 24 hours. Aggregated, non-identifying analytics are retained by the analytics provider for reporting purposes.
  • Bot-protection signals. Retained by the bot-protection provider under its published data-processing practices. Refer to that provider's policy for the current retention window.
  • Database operational logs. Query and connection logs are retained by the managed-Postgres provider under its operational-log retention practices. Refer to that provider's privacy policy for current details.

7. International transfers

Orygn LLC is established in the United States and processes data in the United States. If you access BitSeal from outside the United States, your information will be transferred to, stored, and processed in the United States. For transfers originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses executed by our subprocessors, and on the UK International Data Transfer Addendum where applicable. Where a subprocessor is certified under the EU-U.S. Data Privacy Framework (including its UK and Swiss extensions), we rely on that certification. The current named list of subprocessors and the applicable legal mechanism for each is at /legal/subprocessors.

8. Your rights

Depending on where you live, you may have the following rights with respect to your personal data. We will honor these rights to the extent required by applicable law and consistent with the evidentiary design of the Service.

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to correct inaccurate personal data, subject to the immutability constraints of the ledger.
  • Deletion of logs. Request deletion of operational logs that identify you. Ledger entries are governed by Section 9.
  • Objection and restriction. Object to or restrict certain processing, including analytics.
  • Portability. Request an export of your ledger entries and metadata in a machine-readable format.
  • Withdraw consent. Where we rely on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint. Complain to your local data-protection authority.
  • No discrimination (CCPA). California residents will not be denied service for exercising privacy rights.

To exercise any right, email [email protected] from the address associated with the request and include enough detail for us to locate the relevant records. We respond within the timeframes required by applicable law, generally within thirty days.

9. Removal of ledger entries

The ledger is designed to be a tamper-evident record of proof-of-existence. We do not delete ledger entries in response to general deletion requests. We will consider removal only in the following narrow circumstances.

  • A valid and enforceable court order issued by a court of competent jurisdiction.
  • A submission determined, after review, to contain content or metadata that is unlawful under laws applicable to Orygn LLC.
  • A submission made without authorization from an Orygn-operated account or integration, where the fact of unauthorized submission can be substantiated.

Removal of a ledger entry is logged. The fact of removal, and a record of the root hash removed, may be preserved in an internal ledger to document the purge.

10. Children

BitSeal is not directed to children under the age of thirteen. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us and we will take reasonable steps to delete it.

11. Security and breach notification

We use commercially reasonable measures to protect the data we process, including encryption in transit (TLS), encryption at rest through our cloud subprocessors, the Authority signing key held inside AWS KMS hardware-backed custody and callable only via the kms:Sign API by a single narrow IAM principal, database connection strings held as server-only secrets that deny direct client access to the ledger, and a bot-protection challenge in front of submission and verification endpoints.

If we learn of a personal-data breach affecting BitSeal, we will notify affected individuals and the relevant authorities within the timeframes required by applicable law, including seventy-two hours under Article 33 of the GDPR where feasible.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in the Service or in applicable law. The effective date at the top of this page will be updated when we do. Material changes will be surfaced on the BitSeal homepage for at least thirty days before they take effect. Prior versions are available on request from the contact address below.

13. Governing law

This Privacy Policy is governed by the laws of the State of Texas, without regard to its conflict-of-laws provisions. Any dispute arising under it is subject to the dispute-resolution terms described in BitSeal's Terms of Service.

Contact

Privacy inquiries
[email protected]
Orygn LLC, a Texas limited liability company.