Privacy Policy
Last updated: January 2025 · GDPR-Aware
1. Data We Collect
We collect account information (name, email), contract data, signature metadata (cryptographic hashes, not image binaries), device evidence fingerprints, IP addresses, and audit trail events. We do not sell your data to third parties.
2. Legal Basis (GDPR)
We process data under: contractual necessity (providing the service), legitimate interests (security, fraud prevention), and legal obligation (audit trail retention). Where consent is required, we obtain it explicitly.
3. Data Retention
Executed contracts and their audit trails are retained per your configured retention policy (default: 7 years). Personal data may be anonymized via Right-to-be-Forgotten requests, while audit hashes and legal records are preserved.
4. Legal Holds
When a legal hold is active on a contract, GDPR deletion workflows are suspended for that record until the hold expires.
5. Your Rights
Under GDPR, you have rights to: access, rectification, erasure (where not legally blocked), portability, and objection. Contact privacy@preatom.com to exercise these rights.
6. Security
Data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Encryption keys are managed via Supabase Vault. We conduct regular security audits and penetration tests.
7. Contact
Data Controller: PREATOM · privacy@preatom.com · security@preatom.com