How we handle your data.

We hash documents client-side, commit signatures to Solana, and run an account-light backend. This page is a plain-language account of what's collected, where it lives, and how to make us delete it.

TL;DR — what's true

We never see your document contents — files are hashed in your browser.

We collect the bare minimum: email (optional), IP for abuse prevention.

Storage: Supabase (Postgres) + Cloudflare R2. EU & US regions only.

Document hashes & signature txs on Solana mainnet are permanent and public.

One first-party analytics cookie. No Google, no Facebook pixel, no ads.

Email privacy@blocksign.ink for any GDPR/CCPA request.

[01]

Who we are

This service is operated by BlockSign, Inc., a C-corporation incorporated in Delaware, United States. When this policy says "we", "us", or "BlockSign", it means that entity. Our principal place of business is 548 Market Street, PMB 91204, San Francisco, CA 94104, USA.

For the purposes of the EU GDPR and the UK GDPR, BlockSign, Inc. is the data controller for personal data processed through blocksign.ink and the BlockSign API.

[02]

What we collect

We collect as little as possible. Where you give us an email or our infrastructure necessarily logs an identifier, here's the full list:

email | Used only for signing notifications and account recovery. Hashed at rest. | optional | You
document_sha256 | Hash of your PDF contract. Computed in your browser. | required | Client
document_blob | Encrypted PDF, only if you opt in to cloud-backed storage. | optional | You
ip_address | Truncated to /24 (IPv4) or /48 (IPv6). Held 30 days for abuse + rate-limit. | required | Browser
user_agent | Browser string. Used for compatibility metrics and abuse triage. | required | Browser
signature_tx | Solana transaction signature. Committed publicly on-chain. | required | Solana
audit_event | Doc viewed / signed / revised — appended to your audit trail. | required | Server

We do not collect: government IDs, biometrics, payment card data (Stripe handles that, we never see it), contact lists, location beyond country-level, or anything from trackers we don't run.

[03]

Where it lives

Your encrypted blobs and metadata live with two infrastructure providers we've chosen for their security posture and clear data-processing agreements. Nothing is stored on third-party marketing or ad-tech platforms.

Application database

supabase · postgres 15

Account records, audit trail rows, document metadata, hashed emails. Row-level security on every table.

Region: eu-west-1 (Ireland)
Encryption: AES-256 at rest
DPA: signed · GDPR Art. 28

Object storage

cloudflare R2 · s3-compatible

Optional encrypted PDF blobs. Bucket is private; objects are encrypted with a per-document key derived from your signing credentials.

Region: auto · EU + US edges
Encryption: per-doc XChaCha20
Egress: signed URLs only

Public ledger

solana · mainnet-beta

Document hashes and signature transactions. Public, replicated globally, and — by design — permanent.

Region: worldwide
Encryption: none — hashed only
Reversible: no

[04]

On-chain caveat

Read this carefully

Anything written to Solana mainnet — document hashes, signature transactions, signer wallet addresses — is permanent, public, and outside our control to delete. That's the entire point of on-chain notarization, but it means the right to erasure (GDPR Art. 17) cannot remove on-chain records.

The on-chain payload is intentionally small: a SHA-256 hash and the signing wallet's public key. Neither reveals the document contents nor your real-world identity unless you separately publish that linkage. If you want full deniability, sign with a fresh wallet you don't reuse.

[05]

Retention

We keep off-chain data only as long as it's useful. Concretely:

account record | Until you delete your account, then 30-day grace, then purged. | until deletion
document blob | Encrypted PDF in R2. Deleted on request, or 24 months after last access. | ≤ 24 months
audit trail | Required for compliance. Retained for the document lifetime + 7 years. | 7 years
ip_address | Truncated and rotated out of logs after 30 days. | 30 days
analytics event | First-party Plausible. Aggregated and anonymous; raw events kept 90 days. | 90 days
on-chain commitment | Permanent — see clause 04. | permanent

[06]

Cookies & analytics

We use exactly two cookies, both first-party. No third-party trackers, no ad networks, no Google Analytics, no Facebook pixel.

bs_session | Session cookie. Keeps you signed in. HttpOnly, Secure, SameSite=Lax. | 14 days
bs_consent | Remembers whether you accepted analytics. Strictly functional. | 365 days

Analytics is provided by Plausible, self-hosted on our infrastructure. It records page views and outbound clicks in aggregate; no cross-site profile, no fingerprint, no cross-device tracking. You can opt out from the cookie banner or by sending Do Not Track — we honor it.

[07]

Sharing & third parties

We share data with the minimum set of subprocessors needed to run the service. Each has a signed Data Processing Agreement and SOC 2 Type II or equivalent attestation:

Supabase Inc. | Application database & auth. EU-hosted Postgres. | processor
Cloudflare, Inc. | R2 object storage, CDN, DDoS protection. | processor
Stripe Payments | If you pay for a Pro plan — card data goes to Stripe, never to us. | processor
Postmark | Transactional email (signing notifications only). | processor
Solana validators | Public network. Receives the on-chain payload from clause 04. | network

We don't sell your data. We don't share it with advertisers. We will share with law enforcement only on receipt of a valid legal process and will notify you unless legally prohibited.

[08]

Your rights

Under GDPR, UK GDPR, CCPA/CPRA, and similar regimes, you have the rights below. To exercise any of them, email privacy@blocksign.ink from the address tied to your account; we'll respond within 30 days.

[01]

Access

Get a copy of every byte we hold on you, in JSON.

[02]

Rectification

Correct anything we have wrong (e.g. an outdated email).

[03]

Erasure

Delete your off-chain data. On-chain records are out of reach — see clause 04.

[04]

Portability

Export your data in a machine-readable format. We give you JSON + your audit trail.

[05]

Restriction

Pause processing while a dispute is open.

[06]

Objection

Object to processing for legitimate-interest grounds (analytics, abuse triage).

[07]

Opt-out of sale

N/A — we don't sell or share data for cross-context behavioral advertising.

[08]

Withdraw consent

Anywhere we ask for it. Withdrawing doesn't affect prior lawful processing.

If we don't satisfy you, you can complain to your local supervisory authority — for EU residents, the lead authority is the Irish Data Protection Commission.

[09]

Security

TLS 1.3 in transit. AES-256 at rest in Postgres; per-document XChaCha20-Poly1305 for blobs in R2. Secrets stored in Cloudflare KV with envelope encryption. We run quarterly pen-tests. If you find a vulnerability, our security contact is security@blocksign.ink — we operate a public bug bounty program.

No system is perfect. If we have a breach affecting personal data, we'll notify regulators within 72 hours and affected users without undue delay.

[10]

Changes to this policy

When we change this policy materially, we'll email everyone with an account, post a notice on the homepage for 30 days, and bump the version stamp at the top. Non-material edits (typos, broken links, clarifications) ship without notice but are visible in the policy's git history.

[11]

Contact us

Privacy requests · DPO
privacy@blocksign.ink

Postal: 548 Market Street, PMB 91204, San Francisco, CA 94104, USA. Allow two weeks for postal responses; email is faster.
