Privacy & Data Protection

At SecureStamp we take the privacy of our users very seriously. This policy describes how we collect, use, protect and share personal information when using the service available at securestamp.online.

1. Data controller

The data controller for personal data processing is:

2. What data we collect

2.1 Data you provide directly

• Account: name (optional), email address, password (hashed, never stored in plain text)
• Billing: name, billing email. Credit card data is processed directly by Stripe and never stored on our servers
• Domains: domains you register for verification, along with their public DNS records
• Contact: name, company and message when filling out the Enterprise inquiry form
• Waitlist: email and optional name for plugins under development

2.2 Automatically generated data

• IP address (anonymized for analytics)
• Browser type and operating system
• Access date and time
• Emails or domains verified through the plugin (only the sender's domain/email address, never the email content)
• Number of verifications performed

2.3 What we do NOT collect

• The content, subject, attachments or body of your emails
• Your email passwords or access to third-party accounts
• Biometric data or sensitive information as defined by law

3. How we use your data

• Service delivery: verifying domains, processing trust requests, issuing PostalStamps
• Account management: authentication, password recovery, plan administration
• Billing: processing payments, sending invoices, managing subscriptions
• Communications: service notifications, security alerts, plan updates
• Security: fraud detection, abuse prevention, anomalous pattern analysis
• Product improvement: aggregated and anonymized service usage analysis
• Legal: compliance with legal obligations and requirements of competent authorities

We do not use personal data for third-party advertising and do not sell data to any third party.

4. Legal bases

• Contract performance: data necessary to deliver the contracted service
• Consent: marketing communications (you may withdraw consent at any time)
• Legitimate interest: service security, fraud prevention, product improvement
• Legal obligation: response to requirements from competent authorities

5. Who we share data with

5.1 Service providers

• Amazon Web Services (AWS): cloud infrastructure, DynamoDB database, Cognito authentication, email sending (SES). Servers in us-east-1 region (Virginia, USA)
• Stripe: payment processing. Payment data subject to Stripe's privacy policy
• Vercel: web application hosting

5.2 Legal disclosure

We may disclose information when required by law, court order or competent governmental authority, or when necessary to protect rights, property or safety of SecureStamp, its users or third parties.

5.3 Business transfer

In the event of a merger, acquisition or asset sale, data may be transferred to the acquirer, who will be required to comply with this policy or notify you before any material changes.

6. International transfers

Some of our providers process data outside Argentina (primarily in the USA). These transfers are carried out with adequate safeguards under applicable data protection law and under data processing agreements with each provider.

7. How long we retain your data

• Active account data: while the account is active
• Cancelled account data: 90 days after cancellation (to fulfill legal obligations), then permanent deletion
• Verification records: 90 days in aggregated form, then deleted
• Billing data: 10 years per Argentine tax obligations
• Waitlist data: until the corresponding plugin launches or until you request deletion

8. Your rights

Under applicable data protection law, you have the right to:

• Access: request what personal data we hold about you
• Rectification: correct inaccurate or incomplete data
• Erasure: request deletion of your data ("right to be forgotten")
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interest
• Consent withdrawal: revoke consent given for specific uses

To exercise these rights, contact privacy@securestamp.online. We respond within a maximum of 30 business days.

9. Cookies and similar technologies

9.1 Strictly necessary cookies

We use session cookies for authentication and service operation. These cookies cannot be disabled without affecting site functionality.

9.2 Analytics cookies

We use first-party analytics (no Google Analytics) to understand how the service is used, in aggregated form without identifying individual users.

9.3 No advertising cookies

We do not use advertising cookies or third-party tracking for advertising purposes.

10. Data security

We implement technical and organizational measures to protect your data:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Two-factor authentication available for all accounts
• Internal access restricted by role (principle of least privilege)
• Regular security audits
• Anomaly monitoring and automatic alerts

In case of a security breach affecting your data, we will notify you within 72 hours of detection.

11. Confidentiality and internal access

Access to user personal data is restricted exclusively to staff and systems that need that information to deliver the service. All internal access is recorded in audit logs. SecureStamp staff is subject to confidentiality obligations and cannot access the content of user emails under any circumstances.

An organization's data (domains, authorized senders, configuration) is confidential and is not shared with other users or organizations on the service.

12. Minors

The service is not directed at children under 13. We do not intentionally collect data from minors. If we become aware that data has been collected from a minor without parental consent, we will delete it immediately.

13. Changes to this policy

We may update this policy periodically. Material changes will be notified by email at least 15 days in advance. The current policy will always be available at securestamp.online/en/privacy.

14. Contact