PROXAE

Privacy Policy

Data controller: EVERLATS S.L. β€” NIF B16435653 β€” C/ TimΓ³n, 37, 30710 Los AlcΓ‘zares, Spain

1. Core principle

In standard mode, Proxae never receives your original content: the SHA-256 hash is computed directly in your browser via the SubtleCrypto API and only the mathematical fingerprint reaches our servers. In Pro mode with content storage, content is fully encrypted in your browser (AES-256-GCM + PBKDF2) before any transmission β€” Proxae stores only the ciphertext, never the plaintext.

2. Data collected and purposes

Email address

Collected only if you create an account. Used for passwordless authentication (OTP code) and to send certification confirmations.

Legal basis: performance of service contract β€” art. 6.1.b GDPR

SHA-256 hash of your content

Cryptographic fingerprint computed in your browser. Stored permanently as part of the proof β€” its evidentiary value depends on its immutability. In standard mode, the original content never reaches us.

Legal basis: performance of service contract β€” art. 6.1.b GDPR

Encrypted content (Pro accounts)

In Pro mode with content storage, the text or file is encrypted in your browser with AES-256-GCM and a PBKDF2-derived key before transmission. Proxae stores only the ciphertext β€” without the decryption key, it is mathematically unreadable to us.

Legal basis: performance of service contract β€” art. 6.1.b GDPR

IP address hash

We store the SHA-256 hash of your IP address at the time a proof is created (never the raw IP). Used to limit abuse and, for anonymous proofs, to identify the original creator during the creation session.

Legal basis: legitimate interest (security and anti-abuse) β€” art. 6.1.f GDPR

Session data

Technical session cookie required for authentication. Contains no tracking information. Deleted on logout or after 120 minutes of inactivity.

Legal basis: legitimate interest (technical operation) β€” art. 6.1.f GDPR

3. Data we do NOT collect

  • β—‹The original content of your files or texts (in standard mode; in Pro mode only the AES-256-GCM ciphertext is stored, never the plaintext)
  • β—‹Your raw IP address
  • β—‹Individual behavioural data or user profiles (audience statistics are anonymous and aggregated, without cookies)
  • β—‹Payment data (handled entirely by Stripe)
  • β—‹Advertising or third-party tracking cookies

4. Retention periods

Account dataWhile the account is active. Deleted immediately upon deletion request.
Proofs (hashes)Indefinitely β€” their evidentiary value depends on their permanence. Anonymous proofs cannot be linked to a person once the account is deleted.
Sessions120 minutes of inactivity or on logout.

5. Third parties and sub-processors

OVHcloud β€” Hosting

Data is stored on OVHcloud servers located in the European Union. OVHcloud Privacy Policy β†’

Stripe β€” Payments (Pro accounts)

Payment data is handled entirely by Stripe, Inc. Proxae only stores the Stripe customer ID, never banking details. Stripe Privacy Policy β†’

Umami Cloud β€” Audience analytics

We use Umami Cloud to measure site traffic (pages visited, country, device type). Umami uses no cookies, does not track users across sites, and collects no personally identifiable data. Data is aggregated and anonymous. Server located in the European Union. Umami Privacy Policy β†’

Sectigo β€” eIDAS identity verification (Pro, optional)

For Pro users who request eIDAS identity verification, identity data (name, document) is transmitted to Sectigo Ltd, a qualified certification authority in the EU, solely for the purpose of issuing an eIDAS certificate. This transmission is optional and requires explicit consent. Sectigo Privacy Policy β†’

OpenTimestamps calendars β€” Bitcoin anchoring

The SHA-256 hash of your content is transmitted to public OpenTimestamps servers for anchoring in the Bitcoin blockchain. This transmission is inherent to the protocol and contains no personal data.

6. Your rights (GDPR)

Under Regulation (EU) 2016/679 (GDPR), you have the following rights regarding your personal data:

  • ✦Right of access to the data we hold about you
  • ✦Right to rectification of inaccurate data
  • ✦Right to erasure ("right to be forgotten")
  • ✦Right to restriction of processing
  • ✦Right to data portability
  • ✦Right to object to processing based on legitimate interest

To exercise your rights, contact us at [email protected]. We will respond within 30 days. You may also lodge a complaint with the Agencia EspaΓ±ola de ProtecciΓ³n de Datos (AEPD), the competent supervisory authority as our entity is established in Spain.

7. Cookies

We use only strictly necessary technical cookies: a session cookie for authentication and a preferences cookie for language and visual theme. For audience analytics, we use Umami Cloud, which operates without cookies and without individual tracking β€” no analytics cookie is installed in your browser. No cookie consent banner is required as no non-essential cookies are set.

8. Security

Communications are encrypted via TLS. Passwords do not exist (OTP code authentication). IPs are never stored in plaintext (SHA-256 hash). Proof identifiers are UUID v4, non-sequential. Pro content is encrypted in the browser with AES-256-GCM before any transmission.

9. Changes to this policy

We may update this policy at any time. Significant changes will be notified by email to users with an active account. The date of the last update is always visible at the bottom of this page.

Last updated: 19/05/2026