Legal
Last updated: March 7, 2026
Attestum™ is operated by Joshua Patrick Davidson, with registered address in Alicante, Comunitat Valenciana, Spain. We are the data controller for the personal data processed through attestum.io and related services.
For privacy inquiries, contact us at: privacy@attestum.io
We are not required to appoint a Data Protection Officer under GDPR Article 37. However, all privacy inquiries sent to the address above will be handled promptly.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use Attestum — a platform for creating, claiming, sharing, and verifying cryptographically sealed attestations (such as professional references).
Attestum serves three user roles:
This policy applies to all visitors, registered users, and verifiers of attestum.io.
Account registration: Your name, email address, and password (or Google OAuth credentials). If you sign up via Google, we receive your name, email address, and profile picture URL from Google.
Attestation creation (Attesters): The content you write (freetext, structured answers to template questions, or uploaded PDF files), the name and work email address of the person you are attesting about, your relationship to them, and optional metadata such as duration of working together and skills referenced.
Attestation claiming (Attesters): Your work email address, used to verify your professional identity.
Profile information: Any additional information you choose to add to your profile (e.g., job title, company).
Payment information (Verifiers): When you purchase a verification credit or subscription, your payment details are collected directly by Stripe, our payment processor. We receive from Stripe: your email address, the amount paid, payment status, and a Stripe customer identifier. We do not receive or store your full card number, CVV, or bank account details.
Waitlist signups: Your email address and optional name, if you sign up for a product waitlist.
Communications: Any information you provide when contacting us at privacy@attestum.io or other support channels.
Usage data: When you visit attestum.io, we may collect (with your consent) anonymised analytics data via Vercel Analytics, including pages visited, referral source, browser type, device type, and approximate geographic region. This data is collected only if you consent via our cookie banner.
Authentication cookies: Supabase Auth sets session cookies that are strictly necessary for the service to function (keeping you logged in, managing your session). These do not require consent.
Cookie consent preference: We store a cookie recording your analytics consent choice. This cookie is strictly necessary (for remembering your preference) and does not require separate consent.
Server logs: Vercel, our hosting provider, automatically logs request metadata (IP address, timestamp, URL, user agent) as part of standard web server operation. These logs are retained by Vercel according to their data retention policies.
Content hashes: When an attestation is created, we compute a SHA-256 cryptographic hash of the content. This hash is a one-way fingerprint — it cannot be reversed to reconstruct the original content. The hash is stored on the Base blockchain (an Ethereum Layer 2 network) via the Ethereum Attestation Service (EAS).
Recipient hashes: A hashed version of the subject's email address is stored on-chain. Like content hashes, this cannot be reversed to reveal the email address.
IPFS content identifiers (CIDs): Encrypted attestation content is stored on IPFS (InterPlanetary File System). The CID is a content-based address derived from the encrypted data. It does not contain or reveal any personal data.
Verification logs: When a verifier accesses an attestation, we log the verification event (timestamp, verifier identity, attestation accessed) for audit and security purposes.
We process your personal data on the following lawful bases under GDPR Article 6:
We process data as necessary to provide the Attestum service you have registered for:
We process data where we have a legitimate interest that is not overridden by your rights:
We process data only with your freely given consent for:
You may withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
We retain payment records for seven (7) years as required by Spanish tax and accounting regulations (Código de Comercio, Art. 30; Ley General Tributaria).
Attestum is designed around a core principle: the platform minimises access to your data.
This architecture means that even in the event of a database breach, an attacker would obtain only encrypted content that they cannot decrypt without the platform's private key, which is stored separately.
| Data Type | Retention Period | Basis | |-----------|-----------------|-------| | Account and profile data | Until you delete your account | Contract | | Attestation content (encrypted) | Until revoked by the attester or deletion requested | Contract | | Verification logs | 2 years | Legitimate interest | | Payment records | 7 years | Legal obligation (Spanish tax law) | | Share token metadata | Until token expiration | Contract | | Waitlist signups | Until the relevant product launches or you request deletion | Consent | | On-chain data (hashes, CIDs) | Permanent (blockchain immutability) | See Section 9 | | IPFS content (encrypted) | Persistent while actively pinned by our IPFS providers | Contract | | Cookie consent preference | 12 months (then banner reappears) | Strictly necessary |
We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.
We use the following sub-processors to operate the Attestum service:
| Sub-Processor | Purpose | Data Processed | Location | |---------------|---------|---------------|----------| | Supabase (Supabase Inc.) | Database, authentication | User profiles, attestation metadata, encrypted content | United States (AWS) | | Pinata (Pinata Technologies Inc.) | IPFS pinning (primary) | Encrypted attestation content | United States | | Filebase (Filebase Inc.) | IPFS pinning (backup) | Encrypted attestation content | United States | | Stripe (Stripe Inc.) | Payment processing | Email, payment details, transaction data | United States | | Resend (Resend Inc.) | Transactional email | Email addresses, email content | United States | | Vercel (Vercel Inc.) | Hosting, edge functions, analytics | Request logs, function execution, analytics data (with consent) | United States (AWS) | | Base / Ethereum | Blockchain attestation records | Content hashes, IPFS CIDs, recipient hashes (no personal data) | Decentralised |
Important: Sub-processors that store attestation content (Supabase, Pinata, Filebase) receive only encrypted data. They do not possess the decryption keys and cannot access the plaintext content.
All of our sub-processors (except the Base blockchain, which is decentralised) are based in the United States. We rely on the following mechanisms for lawful transfer of personal data outside the European Economic Area:
Under GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You may request correction of inaccurate personal data. Note: sealed attestation content cannot be edited after sealing — this is by design. The attester may revoke and create a new attestation.
Right to erasure (Art. 17): You may request deletion of your personal data. We will delete your account data, profile, verification logs (or anonymise them), and unpin your IPFS content. See Section 9.1 for how this interacts with blockchain data.
Right to restriction of processing (Art. 18): You may request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format (JSON).
Right to object (Art. 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to withdraw consent (Art. 7): Where processing is based on consent (analytics, marketing), you may withdraw consent at any time.
How to exercise your rights: Send your request to privacy@attestum.io from the email address associated with your account. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.
On-chain data stored on the Base blockchain consists exclusively of cryptographic hashes (content hash, IPFS CID, recipient hash). These are one-way mathematical values that cannot be reversed to reveal any personal data.
When you exercise your right to erasure:
However, once the encrypted content and the mapping data are deleted, the on-chain hashes become meaningless — they cannot be connected to any individual or used to reconstruct any personal data. This approach is consistent with guidance from the French data protection authority (CNIL) on blockchain and personal data, and the general GDPR principle that data which cannot be linked to an identifiable individual is no longer personal data.
These cookies are essential for the service to function. They do not require your consent.
With your consent, we use Vercel Analytics to understand how visitors use the platform (pages visited, traffic sources, device types). Vercel Analytics is privacy-focused and does not use third-party advertising cookies.
Analytics cookies are loaded only after you provide consent via our cookie banner. If you decline, no analytics data is collected and the platform functions fully without them.
You can change your preference at any time using the "Cookie Settings" link in the website footer.
We do not use any third-party advertising cookies or tracking pixels. Stripe may set cookies in the context of its payment checkout page, which is governed by Stripe's own privacy policy.
Attestum is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact us at privacy@attestum.io.
We implement appropriate technical and organisational measures to protect your personal data, including:
No system is completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where necessary, notify affected individuals without undue delay.
We may update this Privacy Policy from time to time to reflect changes in our practices, sub-processors, or applicable law. When we make material changes, we will:
We encourage you to review this policy periodically.
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6 28001 Madrid, Spain Website: aepd.es
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). At our current scale, we do not meet the CCPA applicability thresholds (annual gross revenue exceeding $25 million, data of 100,000+ consumers, or deriving 50%+ of revenue from selling personal information). We do not sell personal information.
If CCPA becomes applicable to us, we will update this section to detail your rights under California law, including the right to know, the right to delete, and the right to opt out of the sale of personal information.
For any questions about this Privacy Policy or our data practices:
Email: privacy@attestum.io Postal address: Joshua Patrick Davidson, Alicante, Comunitat Valenciana, Spain
We aim to respond to all inquiries within 30 days.