Privacy Policy

1. Introduction

Encypher ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, APIs, Chrome extension, dashboard, and related services (collectively, the "Services").

We will never sell your personal data to third parties. Your trust is paramount to us, and we are committed to transparent and responsible data practices.

2. Information We Collect

2.1 Information You Provide

We may collect information that you voluntarily provide when you:

• Create an account or register for our Services
• Contact us through forms or email
• Subscribe to newsletters or updates
• Participate in surveys or provide feedback
• Use our interactive demos

This information may include: name, email address, company name, job title, and any other information you choose to provide.

2.2 Automatically Collected Information

When you access our website and dashboard, we automatically collect certain information, including:

• Usage Data: Pages visited, time spent, click patterns, and navigation paths
• Device Information: Browser type, operating system, device type, and screen resolution
• Log Data: IP address, access times, and referring URLs
• Cookies and Tracking Technologies: See Section 4 for details

2.3 Chrome Extension Data

The Encypher Verify Chrome extension collects the following data:

• Content Discovery Events: When the extension detects signed content on a page, it reports an anonymized event to Encypher's analytics service. Each event includes the sanitized page URL and domain (query parameters and hash fragments are stripped before sending), the page title, signer information extracted from the content signature, the verification result, and an ephemeral anonymous session ID that resets each browser session. This event contains no personally identifying information about the extension user. Your IP address is used transiently for rate limiting only and is not stored with the analytics event.
• Content You Sign: When you use the extension to sign content, the text you submit and your API key are sent to the Encypher API. Signed content metadata (document ID, signer ID, timestamp, signing configuration) is stored on our servers for verification and audit purposes.
• Content You Verify: Only the specific signed text block is sent to the Encypher API for verification. Full page content is never transmitted.
• Local Storage: Your API key, extension settings, and a short-term verification cache are stored locally in Chrome's secure storage and are never transmitted to third parties.

Verification results are cached locally in your browser for up to one hour to reduce redundant API calls. The extension does not collect browsing history, full page content, or any information that could identify you as an individual.

2.4 API and Signing Metadata

When you sign content using any Encypher tool (API, Chrome extension, WordPress plugin, or CLI), we store the following metadata on our servers: document ID, signer ID, timestamp, signing configuration, and a content fingerprint. This metadata enables content verification, audit trails, and Coalition licensing operations. We do not store the full text of signed content on our servers.

Public Verification Records: Signing records are part of Encypher's public verification infrastructure. Organization names, document IDs, signer IDs, and signing timestamps associated with content signatures may be returned through the public verification API when content is verified by third parties. This is a core function of our content provenance system: signed content is designed to be publicly verifiable.

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve our Services
• Analytics and Optimization: To analyze usage patterns and optimize website, API, and demo performance
• Communication: To respond to inquiries, send updates, and provide customer support
• Security: To detect, prevent, and address technical issues and security threats
• Legal Compliance: To comply with legal obligations and protect our rights
• Product Development: To improve our technology and develop new features. We do not use your personal data or signed content to train AI models.

We will never sell your personal data to third parties or use it for purposes unrelated to providing and improving our Services.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and dashboard to enhance your experience and collect usage data. Types of cookies we use:

• Essential Cookies: Required for the Services to function properly
• Analytics Cookies: Help us understand how visitors interact with our Services
• Functional Cookies: Remember your preferences and settings

The Chrome extension does not use cookies or tracking pixels. You can control website cookies through your browser settings. Disabling certain cookies may limit your ability to use some features of our Services.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

• Service Providers (Sub-processors): With trusted third-party vendors who assist in operating our Services. These providers are contractually obligated to protect your data and may only use it to perform services on our behalf. Our current sub-processors are:
  • Railway (railway.app) — Application hosting and infrastructure
  • SSL.com — Cryptographic certificate issuance for C2PA content signing
  • Stripe — Payment processing for subscriptions and Coalition revenue share payouts
  • SendGrid (Twilio) — Transactional email delivery
  • Sentry — Error monitoring and application diagnostics
• Coalition Licensees: If your organization is enrolled in the Publisher Coalition, your signed content and associated signer metadata (organization name, signing date, provenance information embedded in the content) is made available to approved Coalition licensees. Personal account information (email address, billing details) is not shared with licensees.
• Public Verification API: Organization names, document IDs, and signing timestamps embedded in signed content are publicly accessible through our verification API as a core function of the provenance system. See Section 2.4.
• Legal Requirements: When required by law, court order, or governmental authority
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate safeguards for your data. You will be notified of any such transfer.
• Protection of Rights: To protect our rights, property, or safety, or that of our users or the public
• With Your Consent: When you explicitly authorize us to share your information

6. Third-Party Services

Our Services integrate with or are distributed through third-party platforms, including:

• Chrome Web Store (Google): The Encypher Verify extension is distributed through Google's Chrome Web Store. Google's privacy policy governs data collected through that platform.
• WordPress / Automattic: Our WordPress plugin is distributed through the WordPress plugin ecosystem.
• Payment Processors: Coalition revenue share payments are processed through Stripe and other payment platforms subject to their own privacy policies.
• Analytics Providers: For website and dashboard performance tracking.

These third parties have their own privacy policies. We are not responsible for their data practices and encourage you to review their policies.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Secure storage of API keys in the Chrome extension using Chrome's encrypted storage API
• Error and anomaly monitoring via Sentry to detect unauthorized access attempts

Data Location: Our primary infrastructure is hosted in the United States. Enterprise customers may request multi-region deployment options. We will notify you within 72 hours of becoming aware of a security incident that is likely to result in a risk to your rights and freedoms.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Data Retention

We retain different categories of data for different periods based on operational need and legal requirements:

• Signing and verification records (document IDs, signer IDs, timestamps, content fingerprints): retained for 7 years to support long-term content provenance verification and legal proceedings
• API audit logs and access logs: retained for 2 years
• Account data: retained for the duration of your account, plus 90 days after account deletion to allow for account recovery and fulfill any outstanding obligations
• Analytics data: retained for up to 2 years in aggregated or anonymized form
• Payment records: retained as required by applicable financial regulations (typically 7 years)

When data is no longer needed, we securely delete or anonymize it. Longer retention periods may apply where required by law.

9. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to retention requirements described in Section 8)
• Objection: Object to certain processing of your information
• Portability: Request transfer of your data to another service in a machine-readable format
• Withdraw Consent: Withdraw consent for data processing where consent was the legal basis, including Coalition enrollment (manageable through your account settings)
• Opt-Out: Unsubscribe from marketing communications at any time using the unsubscribe link in any email

To exercise these rights, please contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

Note: Deletion of account data does not remove signing records from the public verification infrastructure. Signing records (document IDs, timestamps, organization names) are part of the content provenance chain and are retained to maintain the integrity of previously signed content.

10. Children's Privacy

Our Services are not intended for children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at [email protected].

11. International Data Transfers

Our primary infrastructure is located in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. We ensure appropriate safeguards are in place to protect your data, including Standard Contractual Clauses (SCCs) for transfers from the European Economic Area (EEA) or United Kingdom. Enterprise customers may request a Data Processing Agreement (DPA) at [email protected].

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date and, where required by law, by sending you an email notification. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Encypher
Privacy inquiries: [email protected]
Legal: [email protected]

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

Authorized Agent: You may designate an authorized agent to submit requests on your behalf. To use an authorized agent, provide written authorization signed by you and your agent, along with proof of identity. Contact [email protected] with your request.

To exercise your California privacy rights, contact us at [email protected].

15. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and applicable national law, including those outlined in Section 9.

We process your data based on the following legal bases (Art. 6 GDPR):

• Contract (Art. 6(1)(b)): Processing necessary to provide the Services you have requested, including signing, verification, and account management
• Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, product analytics, and improvement of our Services. We have assessed that these interests do not override your rights and freedoms.
• Consent (Art. 6(1)(a)): Coalition enrollment (which involves sublicensing your content) and marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Legal Obligation (Art. 6(1)(c)): Where processing is required by applicable law, such as financial record retention

For transfers of personal data from the EEA to the United States, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism. You may request a copy of our SCCs at [email protected]. You also have the right to lodge a complaint with your local supervisory authority.