Privacy Policy
Last updated · April 25, 2026
Summary
This policy explains what L'AItelier collects when you use laitelier.com, why, how long we keep it, and what rights you have over it.
1. Who we are
L'AItelier is the controller of personal data processed through the Service. For questions about this policy, contact privacy@laitelier.com.
2. What we collect
During certification your file is briefly uploaded to our servers so the signature can be embedded; it is deleted the instant the certificate is issued. We do not retain the file itself. We collect:
- Account data — email address and a hashed password, or an OAuth identifier if you sign in via a provider.
- Certification data — the SHA-256 hash of your original file, the SHA-256 hash of the watermarked version (if any), a perceptual hash of images for duplicate detection, and structural metadata (mime type, file size, dimensions, duration).
- Your declarations — the source you chose (AI-generated, real-capture, or hybrid), your optional source note, and the compliance frameworks you claimed.
- Signed manifests — the detached C2PA manifests we issue, each containing the data above plus a timestamp and a cryptographic signature.
- Audit logs — records of certificate issuance, re-certification, and deletion events, tied to your user ID.
- Technical telemetry — minimal server logs (request paths, IP, user-agent, timestamp) retained for security and abuse detection.
3. Why we collect it
- To issue certificates. A signed manifest is meaningless without a hash to bind it to — and that hash is the entire cryptographic anchor of the Service.
- To protect creators from theft. Byte-exact and perceptual duplicate checks stop someone from re-certifying your work under their own name.
- To let anyone verify a file by hashing it and asking our verifier whether a certificate exists for it.
- To operate and secure the Service — auth, rate-limiting, fraud prevention, and billing where applicable.
- To comply with law. We will disclose data in response to a valid legal process.
4. Legal bases (GDPR)
If you're in the EU or UK, we rely on the following Article 6 bases:
- Contract (Art. 6(1)(b)) for everything needed to provide the Service you've signed up for — account, certification, verification.
- Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, service improvement, and enforcing our Terms. We've balanced these against your rights and don't process data in ways that would override them.
- Legal obligation (Art. 6(1)(c)) where tax, accounting, or court-ordered disclosure requires retention.
- Consent (Art. 6(1)(a)) for optional communications like product announcements — always opt-in, always revocable.
5. What we never do
- We don't sell, rent, or trade your personal data.
- We don't train AI models on anything you upload.
- We don't retain the raw image, video, audio, or PDF file you certify. It is deleted from our servers the instant the certificate is issued; verification at /validator runs entirely in your browser and uploads nothing.
- We don't use advertising cookies, analytics pixels, or third-party trackers on the product surface.
- We don't share certificate data with other users, platforms, or search engines. Your library is private unless you choose to share a certificate link.
6. Sub-processors
We use a small number of carefully chosen sub-processors, each bound by a data-processing agreement. For operational security we list them by category here; the current named list is available to verified customers on request to privacy@laitelier.com.
- Authentication & database provider — a SOC 2 Type II certified managed platform that stores certificate metadata, content hashes, and signed manifests.
- Application hosting & edge network — runs the web app and API routes, terminates TLS, and produces short-lived server logs.
- Transactional email provider — sign-in links and account notifications only. No marketing lists.
We'll update this list before onboarding any new sub-processor with access to personal data.
7. International transfers
Our sub-processors are based in or operate from the United States and the European Union. When personal data moves out of the EEA or UK, we rely on the European Commission's Standard Contractual Clauses and each processor's adherence to the EU-US Data Privacy Framework where applicable.
8. Retention
- Account data — kept while your account is active; deleted within 30 days of account closure except where we're required to keep it longer (e.g. tax law).
- Certificates and manifests — retained indefinitely unless you delete them, because a certificate that vanishes is a certificate that stopped being provable. Delete any certificate from your library at any time.
- Audit logs — kept for the life of the account as a tamper-evidence record; the payload is purely metadata (action, timestamp, hash references).
- Server logs — retained for up to 30 days, then purged.
9. Security
- TLS 1.2+ on every request. No unencrypted endpoints.
- Passwords are hashed with a modern memory-hard algorithm by our managed auth provider and never stored in plaintext.
- Row-level access controls scope every database read to the signed-in user's rows. Elevated-role access is confined to the certify / verify code paths.
- Certificate signing keys are held in a managed secret store, not in application code.
- We monitor for anomalous access patterns and rotate credentials on a regular cadence.
No system is perfectly secure. If we detect a breach affecting your data, we'll notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.
10. Your rights
Depending on where you live, you have the right to:
- Access the data we hold about you.
- Rectify inaccurate data.
- Erase your account and everything linked to it (certificates, hashes, logs).
- Port your certificates out as signed manifest files.
- Object to or restrict processing carried out under legitimate interests.
- Withdraw consent for anything you've opted into.
- Lodge a complaint with a supervisory authority — for EU users that's usually your national data-protection authority; the French CNIL is our lead supervisory authority.
Email privacy@laitelier.com to exercise any of these. We aim to respond within 30 days.
11. Regional notices
Depending on where you live, additional rules apply on top of the rest of this policy. The substance is the same in each region: access, correction, erasure, portability, and a path to a regulator if we get it wrong. Use Settings → Your data to export or delete, or write to privacy@laitelier.com.
EU, EEA, and UK residents (GDPR / UK GDPR). You have the rights of access, rectification, erasure, restriction, objection, and portability under GDPR Articles 15–21. Our legal bases are summarised in §4. Where we transfer data outside the EEA / UK we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and (where applicable) the EU–US Data Privacy Framework. You can complain to your local supervisory authority (a directory is at edpb.europa.eu) or, in the UK, to the ICO. Personal data breaches affecting EU/UK residents are notified to the relevant supervisory authority within 72 hours where required.
Canadian residents (PIPEDA, BC PIPA, Alberta PIPA, Quebec Law 25). The same access, correction, erasure, and portability rights apply, plus the right to withdraw consent. Reach our Privacy Officer at privacy@laitelier.com. Complaints can be directed to the OPC, OIPC BC, OIPC Alberta, or the CAI Québec. Reportable breaches are notified to the relevant regulator and to affected users as soon as feasible, and we maintain breach records for at least 24 months as PIPEDA s.10.3 requires.
12. Children
The Service is not directed at children under 16 (or the local equivalent). We don't knowingly collect data from minors. If you believe a minor has created an account, contact us and we'll delete it.
14. Changes to this policy
When we make a material change, we'll update the “Last updated” date at the top and — if the change affects how your data is handled — notify you in the product before it takes effect.
15. Contact
Privacy questions: privacy@laitelier.com. Data-protection enquiries and requests to exercise your rights are also handled at this address. For urgent security issues, write to security@laitelier.com.