SEAL — Privacy Policy
Last updated: [date] Version: 1.0
1. Data Controller
Arkon Technology Kızılırmak Mah. Ufuk Üniversitesi Cd. Next Level Loft Ofis, No: 4 Floor: 27 No: 72/76, Söğütözü, Çankaya/Ankara, Türkiye Email: support@getsealapp.com
2. Personal Data We Collect
2.1 Automatically
- Device ID (UUID): Generated on first app launch. Used to pair your device with counterparties; not linked to any external identity by default.
- Cryptographic public key: Needed for signature verification. Private key stays on your device only.
- Device type + platform (iOS / Android).
- IP address — held in server logs temporarily (rate-limit + fraud prevention).
2.2 Provided by you
- Phone number — for WhatsApp OTP verification.
- Display name — so the other party can recognize you during pairing.
- Agreement contents — items, notes, amounts, dates you enter.
- Push notification token — so we can alert you when the other party acts.
3. How We Use It
- Operating the service: creating, signing, sharing, and verifying agreements.
- Security: session, OTP, and signature verification; rate limits; abuse prevention.
- Notifications: surfacing revisions / approvals / rejections from the other party.
- Audit chain: cryptographically recording who did what, when — this is the core legal value of the app.
- Error tracking: Sentry collects anonymous error data when activated.
4. Legal Basis
- Performance of contract (account + agreement records).
- Legal obligation (required disclosures).
- Explicit consent (phone verification, push notifications, optional error tracking).
- Legitimate interest (rate limiting, fraud prevention).
5. Third-Party Data Processors
| Party | Purpose | Data | Location |
|---|---|---|---|
| MongoDB Atlas | Database | All app data (TLS-encrypted connection) | EU / US |
| Railway | Backend hosting | Application code + server logs | EU / US |
| Twilio | WhatsApp OTP delivery | Phone number + OTP | EU / US |
| Expo (EAS) | Mobile builds + push relay | Push token | US |
| Sentry (when active) | Error tracking | Anonymous errors | EU / US |
International transfers rely on processors’ contractual safeguards in accordance with applicable data protection laws.
6. Retention
- OTP verification records: 5 minutes (auto-deleted via TTL).
- Pairing codes: 30 minutes (auto-deleted via TTL).
- Signing challenges: 5 minutes (auto-deleted via TTL).
- Agreement content + audit chain: retained until user deletion request. Deletion removes content; audit-log entries are anonymized but retained to preserve chain integrity.
- Server logs: 30-day rotation.
7. Your Rights
You may:
- Request access to personal data we hold about you,
- Rectify inaccurate or incomplete data,
- Request deletion subject to legal retention requirements,
- Object to automated processing that adversely affects you,
- Request limitation of processing,
- Seek compensation for damages caused by unlawful processing.
Send requests to support@getsealapp.com. We reply within 30 days.
8. Security Measures
- All network traffic is encrypted with TLS.
- Database access is restricted by IP allow-list + SCRAM authentication.
- Private signing keys live only in the device’s secure enclave (iOS Keychain / Android Keystore) — never transmitted to our servers.
- OTP codes are stored as salted SHA-256 hashes, never plaintext.
- Rate limiting + trusted-host middleware protect against common attacks.
9. Children
Seal is not intended for users under 18. Personal data of minors that we become aware of is deleted on request.
10. Changes
We may update this policy. Material changes will be notified in-app.
11. Contact
Data protection inquiries: support@getsealapp.com