Privacy notice

PQC Shield (“we”, “us”) operates a multi-tenant SaaS that digitally seals and encrypts PDF documents. We act as a processorfor your customers’ data; you (the workspace owner) are the controller.

• Account data: the email address used to sign in, your tenant slug, your role, and your plan.
• Document hashes: SHA-256 of every PDF you Seal. We do not retain the original PDF.
• Encrypted Vault blobs:AES-256-GCM ciphertexts. We cannot read these without a recipient’s private key.
• Recipient identifiers: the email addresses your tenant uses to address Vault envelopes.
• Audit metadata: for every Seal and every Vault open: timestamp, requesting IP, user-agent (truncated), and tenant id.
• Billing data: a tokenised customer reference and the last four digits + brand of your card. Card numbers are tokenised by our PCI-compliant payment processor; we never see the full PAN.

• The plaintext contents of any PDF you Seal or Vault.
• Tracking cookies or third-party analytics. No Google Analytics, no Facebook Pixel.
• Marketing-attribution data. We don’t know which campaign brought you here.
• Recipient browsing history beyond the single Vault envelope they opened.

• Sealed PDFs: never retained. Streamed back to you and dropped.
• Vault ciphertexts: retained per the lifecycle window of your plan; configurable per envelope, with extended retention available on Enterprise plans.
• Audit metadata: retained for the lifetime of your subscription + 1 year. Required to defend against repudiation claims.
• Account data: until you delete your workspace. Deletion is self-service from /app/settings; we honour it within 30 days.

We use a small set of vetted enterprise sub-processors covering cloud infrastructure, payments, transactional email, and trusted timestamping. Each is bound by a Data Processing Agreement and operates under independent third-party security attestations. The current list of named sub-processors is available to customers and prospective customers on request, and any change is announced at least 30 days in advance to subscribed customers.

GDPR / LGPD / CCPA: you may request access, correction, export, or deletion of your personal data by emailing privacy@pqcshield.cloud. Requests are honoured within 30 days. Workspace owners can self-serve via the portal.

Questions: privacy@pqcshield.cloud. Security disclosures: security@pqcshield.cloud.