Privacy Policy

Last updated: January 2025 · GDPR-Aware

1. Data We Collect

We collect account information (name, email), contract data, signature metadata (cryptographic hashes, not image binaries), device evidence fingerprints, IP addresses, and audit trail events. We do not sell your data to third parties.

2. Legal Basis (GDPR)

We process data under: contractual necessity (providing the service), legitimate interests (security, fraud prevention), and legal obligation (audit trail retention). Where consent is required, we obtain it explicitly.

3. Data Retention

Executed contracts and their audit trails are retained per your configured retention policy (default: 7 years). Personal data may be anonymized via Right-to-be-Forgotten requests, while audit hashes and legal records are preserved.

4. Legal Holds

When a legal hold is active on a contract, GDPR deletion workflows are suspended for that record until the hold expires.

5. Your Rights

Under GDPR, you have rights to: access, rectification, erasure (where not legally blocked), portability, and objection. Contact privacy@preatom.com to exercise these rights.

6. Security

Data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Encryption keys are managed via Supabase Vault. We conduct regular security audits and penetration tests.

7. Contact

Data Controller: PREATOM · privacy@preatom.com · security@preatom.com