Privacy Policy

This Privacy Policy ("Policy") describes how Vlaander LTD ("Vlaander," "we," "us," or "our") collects, uses, stores, protects, and discloses information in connection with the Prima Evidence service (the "Service") operated at www.primaevidence.com. We are committed to protecting your privacy and have designed the Service with data minimization as a core principle. The Service is built so that your files never leave your device and minimal personal data is collected.

The data controller for personal data processed through the Service is: Vlaander LTD Federal Republic of Nigeria Contact: [email protected]

3.1 Data We Do NOT Collect The following data is expressly NOT collected, stored, or processed by Vlaander LTD: (a) File contents: Your files are hashed entirely within your browser. The file content never leaves your device; (b) User accounts: The Service does not require or maintain user accounts, usernames, or passwords; (c) Names or addresses: We do not collect your name, physical address, or mailing address; (d) Persistent identifiers: We do not use tracking cookies or persistent device identifiers; and (e) Location data: We do not collect precise geolocation information. 3.2 Data We Process 3.2.1 Transaction Data (Collected to Provide the Service) (a) SHA-256 hash of your file (64-character hexadecimal string); (b) Email address (for proof delivery and confirmation); (c) Optional metadata you provide (title, up to 200 characters; description, up to 1,000 characters); (d) Transaction reference identifier (system-generated); (e) Timestamp of proof issuance (UTC); (f) Payment confirmation details from Flutterwave (transaction ID, amount, currency, status); and (g) Arweave transaction ID (upon successful proof issuance). 3.2.2 Technical Data (Collected Automatically) (a) IP address (processed transiently by Cloudflare; not persistently logged by Vlaander LTD); (b) Browser type and version; (c) HTTP request headers; and (d) Error logs (retained for up to 7 days, containing truncated data only).

We process personal data on the following legal bases: (a) Contract Performance (GDPR Article 6(1)(b)): Processing necessary to perform the Service you have requested; (b) Legitimate Interests (GDPR Article 6(1)(f)): Processing necessary for our legitimate interests in operating, maintaining, and improving the Service, preventing fraud, and ensuring security; and (c) Legal Obligation (GDPR Article 6(1)(c)): Processing necessary to comply with applicable legal obligations.

We use the data we collect solely for the following purposes: (a) To provide, operate, and maintain the Service; (b) To process proof transactions and write proof records to the Arweave blockchain; (c) To verify payments via Flutterwave; (d) To send confirmation emails and verification codes; (e) To populate the verification cache (KV store) for fast hash lookups; (f) To detect, prevent, and address technical issues, fraud, or security concerns; (g) To comply with applicable legal obligations; and (h) To generate aggregated, anonymized operational metrics (e.g., total proofs issued).

6.1 Third-Party Service Providers We share limited data with the following third-party service providers: (a) Arweave Network: Hash, metadata, timestamp, payment reference, and proof identifiers are written permanently to the Arweave blockchain (public and immutable); (b) Flutterwave: Payment transaction data is processed by Flutterwave in accordance with Flutterwave's privacy policy; (c) Cloudflare: Infrastructure provider for API hosting, content delivery, and DDoS protection. 6.2 Public Blockchain Data YOU ACKNOWLEDGE THAT PROOF RECORDS WRITTEN TO THE ARWEAVE BLOCKCHAIN ARE PUBLIC AND PERMANENTLY ACCESSIBLE. This includes: the SHA-256 hash, any metadata you provided, the timestamp, the proof identifier, payment reference, and sequence numbers. This data cannot be made private or deleted once written to Arweave. 6.3 Legal Disclosures We may disclose your information if required by law, or if we believe in good faith that such action is necessary to: comply with a legal obligation; protect the rights or property of Vlaander LTD; prevent wrongdoing; protect personal safety or the public; or protect against legal liability.

(a) Proof records on Arweave: Permanent (by design of the Arweave protocol); (b) KV cache (hash lookup): Permanent (for verification functionality); (c) Transaction state (Durable Objects): 24 hours after terminal state; (d) API logs (Cloudflare): 7 days (Cloudflare default retention); (e) Counter state (aggregate metrics): Permanent (anonymized, non-personal); (f) Verification codes: 10 minutes (automatically expired).

We implement appropriate technical and organizational measures to protect the data we process, including: (a) All data in transit is encrypted using TLS 1.2 or higher; (b) API secrets and credentials are stored using Cloudflare Workers secrets; (c) Webhook authentication uses timing-safe string comparison; (d) Input validation and rate limiting protect against abuse; and (e) No raw file content is ever transmitted or stored. While we implement reasonable security measures, no system is completely secure. We cannot guarantee the absolute security of your data.

9.1 GDPR Rights (EEA/UK Users) If you are located in the EEA or UK, you have the following rights: (a) Right of access: Request a copy of the personal data we hold about you; (b) Right to rectification: Request correction of inaccurate personal data; (c) Right to erasure: Request deletion of your personal data, subject to the limitation that blockchain data is immutable; (d) Right to restriction: Request restriction of processing in certain circumstances; (e) Right to portability: Request a machine-readable copy of your data; (f) Right to object: Object to processing based on legitimate interests; and (g) Right to lodge a complaint: File a complaint with your local data protection authority. 9.2 NDPA/NDPR Rights (Nigerian Users) If you are located in Nigeria, you have rights under the Nigeria Data Protection Act 2023 and NDPR, including the right to access, rectify, and object to the processing of your personal data. 9.3 Blockchain Data Limitation IMPORTANT: Due to the immutable nature of blockchain technology, data written to the Arweave network CANNOT be modified, corrected, or deleted by Vlaander LTD. By using the Service, you acknowledge this technical limitation on the exercise of certain data protection rights.

The Service is hosted on Cloudflare's global edge network, and proof records are stored on the decentralized Arweave network. Your data may be processed in multiple jurisdictions. Where personal data is transferred outside of the EEA/UK, we ensure appropriate safeguards are in place, including Cloudflare's Data Processing Addendum and Standard Contractual Clauses.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such information.

We may update this Privacy Policy from time to time. We will post the updated policy on the Site with a revised "Last Updated" date. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

For questions about this Privacy Policy or to exercise your data protection rights, contact us at: Vlaander LTD Email: [email protected] Federal Republic of Nigeria