An honest account of what BitSeal sees, what it does not, who processes data on our behalf, and the rights you have over that data.
BitSeal is a cryptographic timestamping service. Files you seal never leave your device. Only a hash fingerprint, filename, size, MIME type, entropy measurement, and timestamp are transmitted to our ledger. We rely on a small set of third-party providers for hosting, database, and bot protection, listed at /legal/subprocessors. Ledger entries are designed to be durable and publicly queryable by hash. We do not sell data and run no advertising profiles.
All cryptographic hashing happens in your browser before anything is sent to our servers. The following categories of data never reach BitSeal infrastructure.
To operate the ledger and issue a verifiable seal, the following fields are transmitted to our servers when you use the Evidence Sealer or the Verifier.
Root hash: 64-character BLAKE3 hex fingerprint of the file. Cryptographically irreversible.
SHA3-512 hash: Secondary NIST-standard hash of the file. Cryptographically irreversible.
Filename: Plain text string, truncated to 255 characters. Filenames may contain personal or project names; consider renaming files before sealing if that concerns you.
File size and MIME type: Byte count and detected content type.
Shannon entropy: Numeric measure of byte-distribution randomness across the file.
Timestamp (UTC): Unix time at which the seal was issued by the server.
Ed25519 signature: Cryptographic signature under Orygn's Authority key. For v2 seals (the default), binds the SHA3-512 of the canonical manifest, so any field-level tampering breaks the signature. For legacy v1 seals, binds the root hash and timestamp only.
IP address: Observed by our hosting provider and our bot-protection provider for each request, for the purpose of abuse prevention, rate limiting, and security investigation.
User agent: Browser identifier string, recorded in edge logs.
Request metadata: Standard web-server access records, including request time, path, method, and response status.

The data described above is used strictly for the operation, security, and improvement of the Service.
We do not use BitSeal data to train machine-learning models, do not sell or rent it, and do not share it with third parties except the subprocessors listed at /legal/subprocessors.
BitSeal relies on a small set of third-party providers to operate. Each is contractually bound by its own privacy and data-processing commitments. We list providers by category here and maintain the named list, with current regions and policy links, on a dedicated page so that changes can be tracked without re-issuing this policy.
The current named list is at /legal/subprocessors.
BitSeal seals are designed to be durable, publicly queryable by hash, and independently verifiable. We want to be precise about what that means.
The Ed25519 signature on each seal is verifiable against Orygn's published Authority public key. Any party in possession of a signed manifest or PDF certificate can confirm the signature independently of BitSeal's hosted infrastructure using any standard Ed25519 verifier.
The hosted lookup at bitseal.orygn.tech/verify, the PDF regeneration endpoint, and the public API are convenience features built on top of the cryptographic record. Because the proof itself lives in the signed manifest and PDF you receive at seal time, we recommend you retain a local copy of any seal you rely on. That local copy verifies independently against the Authority public key with any standard Ed25519 library, with no network call to BitSeal required.
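The offline check described above, as an added example that is not BitSeal's or Orygn's code: it uses a throwaway Ed25519 key in place of the Authority key and assumes hypothetical manifest field names, sorted-key JSON as the canonical form, and a `rootHash|timestamp` message for v1, none of which this page specifies. It shows that a filename changed after sealing fails v2 verification but still passes under a legacy v1 seal, which covers only the root hash and timestamp.

```javascript
// Added example: key, manifest, field names, canonical form and v1 layout are assumptions.
const nodeCrypto = require('crypto');

// Throwaway key pair standing in for the Authority key (constructed).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Assumed canonical form: JSON with keys sorted, no extra whitespace.
function canonicalize(manifest) {
  const sorted = {};
  for (const key of Object.keys(manifest).sort()) sorted[key] = manifest[key];
  return Buffer.from(JSON.stringify(sorted), 'utf8');
}

// v2: the signed message is the SHA3-512 digest of the canonical manifest.
function v2Message(manifest) {
  return nodeCrypto.createHash('sha3-512').update(canonicalize(manifest)).digest();
}

// v1 (legacy): only root hash and timestamp are covered (layout assumed).
function v1Message(manifest) {
  return Buffer.from(`${manifest.rootHash}|${manifest.timestamp}`, 'utf8');
}

// Offline verification: needs only the manifest, signature and public key.
function verifySeal(manifest, signature, version, key) {
  const message = version === 2 ? v2Message(manifest) : v1Message(manifest);
  return nodeCrypto.verify(null, message, key, signature);
}

// Constructed manifest; the hash strings are placeholders, not real digests.
const manifest = {
  rootHash: 'ab'.repeat(32), sha3_512: 'cd'.repeat(64),
  filename: 'contract-draft.pdf', size: 48213, mimeType: 'application/pdf',
  entropy: 7.91, timestamp: 1700000000,
};
const sigV2 = nodeCrypto.sign(null, v2Message(manifest), privateKey);
const sigV1 = nodeCrypto.sign(null, v1Message(manifest), privateKey);

// The same record with one field altered after sealing.
const tampered = { ...manifest, filename: 'contract-final.pdf' };

function demo() {
  return {
    v2Original: verifySeal(manifest, sigV2, 2, publicKey),
    v2Tampered: verifySeal(tampered, sigV2, 2, publicKey),
    v1Original: verifySeal(manifest, sigV1, 1, publicKey),
    v1Tampered: verifySeal(tampered, sigV1, 1, publicKey),
  };
}
console.log(demo());
```

When checking a real seal, the public key would be the published Authority key and the message layout would follow BitSeal's own manifest specification rather than the assumptions used here.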
Once a seal is recorded, its ledger entry is treated as part of an evidentiary record for the ordinary course of business. We do not delete individual seal entries in response to general deletion requests, because doing so would defeat the evidentiary purpose of the Service. Once a seal has been committed to a Bitcoin-anchored Signed Tree Head (typically within 24 hours of issuance), the cryptographic commitment to that seal cannot be retracted even by Orygn; deletion of a ledger row removes the convenience of hash-based lookup at our API but does not change the underlying cryptographic record. The narrow circumstances under which we will nonetheless remove a ledger entry are set out in Section 9.
Retention for each category of data is determined by the subprocessor that holds it, as described below. We do not maintain independent long-term copies of subprocessor logs.
Orygn LLC is established in the United States and processes data in the United States. If you access BitSeal from outside the United States, your information will be transferred to, stored, and processed in the United States. For transfers originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses executed by our subprocessors, and on the UK International Data Transfer Addendum where applicable. Where a subprocessor is certified under the EU-U.S. Data Privacy Framework (including its UK and Swiss extensions), we rely on that certification. The current named list of subprocessors and the applicable legal mechanism for each is at /legal/subprocessors.
Depending on where you live, you may have the following rights with respect to your personal data. We will honor these rights to the extent required by applicable law and consistent with the evidentiary design of the Service.
To exercise any right, email [email protected] from the address associated with the request and include enough detail for us to locate the relevant records. We respond within the timeframes required by applicable law, generally within thirty days.
The ledger is designed to be a tamper-evident record of proof-of-existence. We do not delete ledger entries in response to general deletion requests. We will consider removal only in the following narrow circumstances.
Removal of a ledger entry is logged. The fact of removal, and a record of the root hash removed, may be preserved in an internal ledger to document the purge.
BitSeal is not directed to children under the age of thirteen. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us and we will take reasonable steps to delete it.
We use commercially reasonable measures to protect the data we process, including encryption in transit (TLS), encryption at rest through our cloud subprocessors, the Authority signing key held inside AWS KMS hardware-backed custody and callable only via the kms:Sign API by a single narrow IAM principal, database connection strings held as server-only secrets that deny direct client access to the ledger, and a bot-protection challenge in front of submission and verification endpoints.
If we learn of a personal-data breach affecting BitSeal, we will notify affected individuals and the relevant authorities within the timeframes required by applicable law, including seventy-two hours under Article 33 of the GDPR where feasible.
We may update this Privacy Policy to reflect changes in the Service or in applicable law. The effective date at the top of this page will be updated when we do. Material changes will be surfaced on the BitSeal homepage for at least thirty days before they take effect. Prior versions are available on request from the contact address below.
This Privacy Policy is governed by the laws of the State of Texas, without regard to its conflict-of-laws provisions. Any dispute arising under it is subject to the dispute-resolution terms described in BitSeal's Terms of Service.