Privacy Policy
Effective Date: December 3, 2025 | Last Updated: December 3, 2025
1. Introduction
TattleHash ("we," "our," "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our cryptographic attestation service ("Service").
TattleHash operates from British Columbia, Canada, and is subject to Canadian privacy laws including the Personal Information Protection and Electronic Documents Act (PIPEDA).
2. Information We Collect
Information You Provide:
| Data Type | Purpose | Required? |
|---|---|---|
| Email address | Account creation, login verification, notifications | Yes |
| Password (hashed) | Account authentication (email/password users only) | Conditional |
| Username / Display name | Public identifier on attestations | Optional |
| Wallet address(es) | Blockchain authentication, attestation linking | Conditional |
Information We DO NOT Collect:
- Government ID or identity documents
- Physical address
- Phone number
- Date of birth
- Financial account information (bank accounts, credit card numbers stored by us)
- Biometric data
- Account balances - The Enforced tier verifies only that funds are available up to the requested amount; we never see, store, or transmit actual balance figures
Note: Payment processing is handled by Stripe. We do not store your payment card details.
Fund Availability Verification (Enforced Tier):
- We verify only whether funds are available up to the requested transaction amount
- The result is a simple pass/fail - no balance information is returned
- Your actual account balance is never exposed to TattleHash, your counterparty, or any third party
- No balance data is stored in our systems or recorded in attestations
Information Generated Through Use:
| Data Type | Purpose | Retention |
|---|---|---|
| Attestation records | Service delivery | Permanent (blockchain) |
| Attestation metadata | Verification, receipts | Permanent |
| Login timestamps | Security, audit | 12 months |
| IP addresses | Rate limiting, security | 30 days |
| Session tokens | Authentication | Until logout or 24-hour expiry |
3. How We Use Your Information
We use your information to:
- Provide the Service - Create and verify attestations
- Authenticate you - Verify your identity via email code or wallet signature
- Send notifications - Attestation confirmations, counterparty alerts
- Process payments - Credit purchases via Stripe
- Maintain security - Detect fraud, prevent abuse, enforce rate limits
- Improve the Service - Analyze usage patterns (aggregated, anonymized)
- Communicate with you - Service updates, policy changes, support
We do NOT:
- Sell your personal information
- Share your data with advertisers
- Use your data for unrelated marketing
- Profile you for purposes beyond service delivery
4. Information Sharing
We share your information only in these circumstances:
With Counterparties:
When you create Fire, Gatekeeper, or Enforced attestations, your counterparty receives:
- Your email address or wallet address (as identifier)
- Attestation details you mutually agreed to
- Transaction timestamp
This sharing is inherent to the Service's function.
With Service Providers:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, purchase amount |
| Cloudflare | Hosting, security | IP address, request data |
| Polygon Network | Blockchain anchoring | Attestation hashes (public) |
Legal Compliance:
We may disclose information if required by law, court order, or government request.
Business Transfer:
If TattleHash is acquired or merged, user data may transfer to the successor entity under the same privacy protections.
5. Blockchain and Public Data
What Goes On-Chain:
| Data | Visibility |
|---|---|
| Attestation hash | Public (Polygon blockchain) |
| Timestamp | Public |
| Transaction ID | Public |
| Your email/wallet | NOT on-chain (stored in our database) |
| Attestation content | NOT on-chain (only the hash) |
Permanence:
Blockchain records are permanent and immutable. Once an attestation hash is anchored, it cannot be removed. This is a feature of the Service, not a bug.
Verification:
Anyone with an attestation ID can verify its authenticity via our public verification endpoint. This confirms the hash matches the blockchain record but does not expose your personal information.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Attestation records | Permanent (blockchain requirement) |
| Login/session logs | 12 months |
| IP addresses | 30 days |
| Payment records | 7 years (legal/tax requirement) |
Account Deletion:
You may request account deletion by contacting us. Upon deletion:
- Your email and login credentials are removed
- Your wallet associations are removed
- Attestations remain on-chain (they are permanent)
- Attestations will show as created by "deleted account"
7. Data Security
We implement security measures including:
- Encryption - Data encrypted in transit (TLS) and at rest
- Password hashing - PBKDF2-SHA256 with 100,000 iterations
- Authentication - Email verification codes, wallet signatures, JWT tokens
- Rate limiting - Per-user and per-IP limits
- Access controls - Limited employee access to user data
- Security headers - HSTS, CSP, X-Frame-Options
No system is 100% secure. We cannot guarantee absolute security but will notify affected users of any breach as required by law.
8. Your Rights
Under Canadian privacy law and depending on your jurisdiction, you may have the right to:
| Right | How to Exercise |
|---|---|
| Access your data | Email us for a copy |
| Correct inaccurate data | Update in account settings or email us |
| Delete your account | Email us (attestations remain on-chain) |
| Withdraw consent | Stop using the Service |
| Complain | Contact us or your local privacy authority |
To exercise any right, contact: ashiscock@gmail.com
We will respond within 30 days.
9. Cookies and Tracking
What We Use:
| Technology | Purpose | Required? |
|---|---|---|
| Session cookies | Authentication | Yes (functional) |
| Local storage | User preferences | Yes (functional) |
What We DON'T Use:
- Advertising cookies
- Third-party tracking pixels
- Social media trackers
- Analytics cookies that identify individuals
We may use anonymized, aggregated analytics to understand service usage.
10. Children's Privacy
TattleHash is not intended for users under 18 years of age. We do not knowingly collect information from children.
If we discover we have collected data from a user under 18, we will delete their account and associated data (except permanent blockchain records).
11. International Users
TattleHash operates from British Columbia, Canada. If you access the Service from outside Canada, your information will be transferred to and processed in Canada.
By using the Service, you consent to this transfer. Canadian privacy laws may differ from those in your jurisdiction.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be communicated via:
- Email to registered users (for material changes)
- Updated "Last Updated" date on this page
Continued use after changes constitutes acceptance.
13. Contact Us
For privacy questions, data requests, or concerns:
Email: ashiscock@gmail.com
Mailing Address:
TattleHash
British Columbia, Canada
14. Privacy Authority
If you are not satisfied with our response to a privacy concern, you may contact:
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
By using TattleHash, you acknowledge that you have read and understood this Privacy Policy.