Privacy Policy
Effective April 20, 2026 · Papertrail B.V. · Amsterdam, Netherlands
Who this policy covers
This policy applies to all people who interact with any Bitfrost product or service, across three distinct populations:
- Mobile app users — individuals who use the Bitfrost iOS or Android app to capture and sign photos. These users have no account and are completely anonymous to us.
- Organisational users — employees and contractors of organisations that subscribe to Bitfrost (members and admins). These users have a named account on app.usebitfrost.com.
- Public verifiers — anyone who submits a photo to the public verification endpoint (via app.usebitfrost.com or directly via the API) to check whether an image carries a valid Bitfrost signature. No account is required.
What we collect
Mobile app users
We collect no personal data from mobile app users. Specifically, we do not collect your name, email address, phone number, or location.
When you first launch the app, your device generates a random cryptographic key pair. The private key never leaves your device (it is stored in the iOS Secure Enclave or Android Keystore). The corresponding public key — a random identifier with no connection to your identity — is transmitted to and stored on our servers to allow us to verify that signing requests come from a legitimate, unmodified installation of the Bitfrost app. This public key is retained for up to one year.
On iOS, the key registration process involves the Apple App Attest service, which cryptographically certifies that the key was generated on an Apple device. On Android, each signing request is accompanied by a Play Integrity token that we forward to Google's Play Integrity API for verification. In both cases, device metadata is shared with Apple or Google as part of their respective attestation protocols; Bitfrost does not control what data those services collect.
Standard server request logs (IP address, timestamp, HTTP status) are retained for up to 30 days for security and abuse prevention.
Organisational users
We collect only what is necessary to provide and operate the service:
- Email address — used as your account identifier, to send one-time sign-in codes, to deliver invitation emails, and for data export requests.
- Display name — the name you choose to show in the dashboard. Optional and editable at any time.
- Organisation name — provided at account setup and editable by org admins.
- Verification activity — a count of verification events per billing period, attributed to your account and organisation. Used for quota tracking and billing. The images themselves are never stored; processing is in-memory only.
- API key metadata — name, creation date, and a one-way hash of each API key issued under your organisation. The raw key secret is shown once at generation and is not stored by us in recoverable form.
- Audit log entries — administrative actions performed within your organisation (e.g. inviting a member, revoking a key) are logged with your email address, the action taken, and a timestamp. These entries are visible to Bitfrost super admins and are retained for approximately one year.
- Billing metadata — billing period dates, quota limits, and overage records tied to your organisation. No payment card or banking data is held by us; invoicing is handled manually.
- Pending invitation records — when an admin invites a new member by email, that email address is stored until the invitation is accepted or expires.
- One-time sign-in codes (OTP) — six-digit codes issued at login are stored temporarily in Redis for up to five minutes, then deleted automatically regardless of whether they are used.
- Session cookie — a single HttpOnly session cookie (bf_token) keeps you signed in. This cookie contains a signed JWT; no session state is stored server-side beyond what is described above.
Verification history displayed in the dashboard is stored entirely in your own browser's local storage. It is never transmitted to our servers and is cleared when you clear your browser data or use the clear-history function in the app.
Public verifiers
No personal data is required or collected when using the public verification endpoint. We receive the image you submit (processed in memory only, not retained), and standard server request logs (IP address, timestamp, HTTP status) are kept for up to 30 days.
Legal basis for processing (GDPR)
For organisational users, the primary legal basis is performance of a contract — processing your email address, usage data, and organisation details is necessary to provide the service you or your organisation has engaged us to provide.
Audit logging and security-related data retention (server logs, rate-limiting records) are based on our legitimate interests in operating a secure and abuse-free service, balanced against your privacy rights.
Compliance with statutory retention requirements (e.g. financial record-keeping obligations under Dutch law) constitutes a legal obligation basis for retaining billing metadata beyond the duration of the relationship.
For mobile app users and public verifiers, no personal data is processed except for transient server logs retained for security purposes, on the basis of legitimate interests.
How we use your data
- To authenticate your identity and maintain your signed-in session.
- To process images (watermark embedding and verification) on your behalf.
- To enforce per-device and per-organisation rate limits and quota.
- To send transactional emails: sign-in codes, member invitations, and GDPR data export packages. We do not send marketing emails without explicit opt-in.
- To detect and prevent abuse, fraud, or misuse of the service.
- To compile aggregate, anonymised analytics about service usage (e.g. total verification volume, system health metrics). These reports do not identify individual users.
- To fulfil legal obligations, including responding to lawful requests from authorities.
Sub-processors
We do not sell, rent, or share your personal data with third parties for their own purposes. The following sub-processors have access to personal data as part of delivering the service, and each is bound by a data processing agreement:
- Neon — managed Postgres database; stores accounts, organisation data, verification logs, audit log, and billing records. Hosted in the EU.
- Upstash — managed Redis; stores OTP codes (5-minute TTL), rate-limiting counters, and iOS App Attest public keys (1-year TTL). Hosted in the EU.
- Vercel — application hosting and serverless compute; processes all inbound requests and retains server-side edge logs. Headquartered in the United States (see International Transfers below).
- Resend — transactional email delivery; receives email addresses and message content for sign-in codes, invitations, and data exports. Headquartered in the United States (see International Transfers below).
- Apple (App Attest) — iOS device attestation; receives cryptographic attestation objects from the mobile app as part of device legitimacy verification. Apple's own privacy policy governs data Apple collects through this service.
- Google (Play Integrity API) — Android device attestation; receives per-request integrity tokens from the mobile app, which are forwarded to Google's API for verification. Google's own privacy policy governs data Google collects through this service.
International transfers
Neon and Upstash process data within the European Union. Vercel and Resend are headquartered in the United States. Transfers to these US-based processors are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an equivalent level of protection to EU data protection law.
Apple and Google operate global infrastructure. Their handling of attestation data is subject to their respective data processing agreements and privacy policies.
Your rights (GDPR)
If you are in the EU or EEA, you have the following rights in relation to your personal data:
- Access — request a copy of all personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Portability — receive your data in a structured, machine-readable format. Organisational users can trigger a data export directly from the Account page in the dashboard; the export is delivered to your registered email address.
- Deletion — request deletion of your personal data. Organisational users can delete their account directly from the Account page. Mobile app users hold no personal data with us; there is nothing to delete.
- Restriction — ask us to restrict processing of your data while a dispute is resolved.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights (other than those available self-serve in the dashboard), email privacy@usebitfrost.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or with the supervisory authority in the EU member state where you live or work.
Retention
- Account and organisation data — retained while the account or organisation is active. Deleted within 30 days of account closure or org deactivation, except where retention is required by law.
- Verification logs — retained for 1 year, then anonymised (all fields that could identify a user or device are removed; aggregate counts are retained for analytics).
- Audit log entries — retained for approximately 1 year.
- Billing metadata — retained for the duration of the relationship plus any period required by applicable financial record-keeping law (typically 7 years under Dutch law).
- iOS App Attest public keys — retained in Redis for 1 year, after which they are automatically evicted.
- OTP codes — automatically deleted after 5 minutes.
- Server logs — deleted after 30 days.
- Images — not retained at all. All image processing is in-memory; no copy is written to disk or any storage system.
Cookies
The web application (app.usebitfrost.com) sets a single HttpOnly session cookie (bf_token) when you sign in. This cookie contains a signed JWT used to authenticate your requests. It is not used for advertising or tracking, and no analytics or third-party cookies are set.
The landing site (usebitfrost.com) does not set any cookies.
Changes to this policy
We will notify organisational users of material changes by email at least 14 days before the new version takes effect. The effective date at the top of this page is updated on each revision. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
Questions or requests: privacy@usebitfrost.com