1. Introduction
This Privacy Policy describes how Witnium Technologies AB (“Witnium”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data in connection with the witniumchain.com website (the “Website”), the Witniumchain platform (the “Platform”), and the related application programming interfaces, software development kits, model context protocol servers, and documentation we make available (collectively, the “Services”).
We process personal data in accordance with Regulation (EU) 2016/679 (“GDPR”), the Swedish Data Protection Act (lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning), and other applicable laws.
This Policy applies to personal data we collect from visitors to the Website, individuals who create accounts on the Platform, individuals who interact with the Services on behalf of our customers (“Customers”), and individuals who contact us in other capacities. It does not apply to personal data that our Customers process using the Services on behalf of their own end users; that processing is governed by the Data Processing Agreement between Witnium and the Customer.
2. Who we are
We are Witnium Technologies AB, a limited liability company incorporated in Sweden, with organisation number 559416-7453 and registered office at Tyska Skolgränd 4, 111 31 Stockholm, Sweden. Witnium is the controller of personal data described in Section 3 of this Policy.
You may contact us about this Policy or the processing of your personal data at legal@witnium.com or by post to the address above.
We have not appointed a Data Protection Officer. Our processing activities do not meet the criteria for mandatory designation under Article 37(1) GDPR: we are not a public authority or body, our core activities do not consist of regular and systematic monitoring of data subjects on a large scale, and our core activities do not consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. The architectural privacy properties of the Platform (described at witniumchain.com/security) materially limit the categories and volume of personal data we process. For all data protection enquiries, please contact legal@witnium.com.
3. What information we collect
We collect personal data in three categories, set out below. The architecture of the Platform is designed to limit the personal data we have access to. In particular, witness content submitted to the Platform is hashed by the Customer’s client before transmission to us, and we never receive or have technical means to recover the underlying content.
3.1 Information you provide to us
When you create an account or otherwise interact with the Services, we collect:
- Identity data: name, email address, job title, organisation name.
- Authentication data: hashed password (we never store plaintext passwords), two-factor authentication enrolment status, recovery codes (stored only in hashed form).
- Billing data: billing address, VAT identification number, payment method tokens issued by our payment processor (we do not store full payment card numbers), invoice history.
- Communications: the content of support tickets, sales enquiries, and other correspondence you direct to us.
3.2 Information collected automatically
When you use the Website or the Platform we automatically collect:
- Device and connection data: IP address, user agent, device type, operating system, browser type and version, language preference, time zone.
- Usage data: pages visited, features used, timestamps of access, referring URLs, session identifiers.
- Operational metadata: for each API call to the Platform, we record the calling account, timestamp, endpoint invoked, request identifier, and outcome (success or error category). For each witness operation we record the contract address, witness identifier, the public key of each signer, the SHA-256 fingerprint of the witnessed content, and credit accounting data. We do not record the content of witnesses; that content does not reach our systems in any retrievable form.
- Cookies and similar technologies: see Section 9.
3.3 Information from third parties
We may receive information about you from:
- our payment processor (Stripe), in the form of transaction confirmations and tax determinations;
- identity providers, if you elect to authenticate using third-party single sign-on;
- public sources (such as company registries) when conducting due diligence on Customers; and
- partners who refer you to us, where you have consented to the referral.
4. How we use information (legal bases)
We use personal data only for the purposes set out below, and only where we have a lawful basis under Article 6 GDPR.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Provide and operate the Services | Identity, authentication, usage, operational metadata | Contract (Art. 6(1)(b)) |
| Bill for the Services | Identity, billing, usage | Contract (Art. 6(1)(b)) |
| Communicate with you about the Services (transactional emails, security notices) | Identity, communications | Contract (Art. 6(1)(b)) |
| Provide customer support | Identity, communications, usage | Contract (Art. 6(1)(b)); legitimate interests |
| Maintain security, prevent fraud, investigate misuse | Device and connection, usage, operational metadata | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (accounting, tax, AML where applicable) | Billing, identity | Legal obligation (Art. 6(1)(c)) |
| Improve the Services (aggregated analysis) | Usage, operational metadata (in pseudonymous or aggregated form) | Legitimate interests (Art. 6(1)(f)) |
| Send marketing communications (only with consent) | Identity, communications preferences | Consent (Art. 6(1)(a)) |
| Establish, exercise, or defend legal claims | All categories as relevant | Legitimate interests (Art. 6(1)(f)); legal obligation |
Where our legal basis is legitimate interests, we have assessed those interests against your rights and freedoms and concluded that our processing is proportionate. You may object to such processing as set out in Section 8.
We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 GDPR.
5. How we share information
We share personal data only as set out below.
5.1 With sub-processors
We engage sub-processors to provide infrastructure, communications, analytics, customer support, payment processing, and similar services. Each sub-processor is bound by a written agreement that imposes data protection obligations consistent with this Policy and Article 28 GDPR. The current list of sub-processors is maintained at witniumchain.com/subprocessors.
5.2 With Customers and within Customer organisations
If you use the Services as an authorised user of a Customer organisation, the administrator of that organisation may have access to your account information and usage data within the organisation’s workspace.
5.3 With professional advisers
We share personal data with our auditors, lawyers, accountants, insurers, and other professional advisers under appropriate confidentiality obligations, where necessary for them to perform their services to us.
5.4 In corporate transactions
If Witnium is involved in a merger, acquisition, asset sale, financing, or similar corporate transaction, personal data may be disclosed to counterparties and their advisers subject to confidentiality, and may transfer to the successor entity as part of the transaction.
5.5 To comply with law or protect rights
We may disclose personal data where required by law, regulation, court order, or other binding legal process, or where we believe in good faith that disclosure is necessary to investigate or prevent fraud or other illegal activity, to protect the safety of any person, or to enforce our Terms of Service.
We do not sell personal data and we do not share personal data for cross-context behavioural advertising.
6. International transfers
We are a Swedish company and we host the Platform on infrastructure located within the European Union or the European Economic Area. Some of our sub-processors (notably our payment processor) are established in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, including:
- the Standard Contractual Clauses approved by the European Commission (Decision 2021/914); and
- where applicable, the EU-U.S. Data Privacy Framework.
You may request a copy of the safeguards in place for a specific transfer by emailing legal@witnium.com.
7. How long we keep information
We retain personal data only for as long as necessary for the purposes for which it was collected, having regard to the applicable legal basis and any legal obligation to retain.
| Data category | Retention |
|---|---|
| Account data | Duration of the account, plus 90 days after closure |
| Billing and tax records | 7 years from the end of the financial year (Swedish Bookkeeping Act, bokföringslag (1999:1078)) |
| Operational metadata associated with witness operations | Duration of the Customer’s chosen retention period (between 90 days and 10 years depending on plan), plus an audit-tail period not exceeding 90 days |
| Witness records on chain | Indefinitely; chain records are immutable by design and cannot be erased, but they contain only fingerprints and metadata, not content |
| Support communications | 3 years from the date of the last interaction |
| Marketing consent records | Until consent is withdrawn, plus 1 year |
| Security and audit logs | 12 months |
The immutability of chain records is essential to the function of the Service. We address this in Section 8.3 below.
8. Your rights
Under the GDPR, you have the rights set out in this Section in relation to personal data we hold about you. To exercise any of these rights, contact legal@witnium.com. We will respond without undue delay and in any event within one month, subject to extension where permitted under Article 12(3) GDPR.
8.1 Standard data subject rights
- Access (Art. 15): to obtain confirmation of whether we process personal data about you, and a copy of that data.
- Rectification (Art. 16): to have inaccurate personal data corrected.
- Erasure (Art. 17): to have your personal data erased in certain circumstances. See Section 8.3 below regarding chain records.
- Restriction (Art. 18): to have processing restricted in certain circumstances.
- Portability (Art. 20): to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
- Objection (Art. 21): to object to processing based on legitimate interests, including profiling. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.
- Withdraw consent (Art. 7): to withdraw any consent you have given us, at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint: see Section 14.
8.2 Identity verification
To protect you, we may need to verify your identity before responding to a request. We will not require more information than is necessary for verification.
8.3 The right to erasure and chain records
A core architectural feature of the Platform is that records sealed on the underlying chain are tamper-evident and cannot be modified or deleted by us. This is essential to the audit-grade function of the Service.
Chain records do not contain content; they contain cryptographic fingerprints (hashes), public keys, timestamps, and operation metadata. These records do not, in isolation, constitute personal data within the meaning of Article 4(1) GDPR with respect to any identifiable individual, except where a Customer voluntarily includes identifiers in the operational context of a witness.
Where a chain record has been associated with you (for example, because your public key or an identifier you provided is recorded), we will, on request and where required by Article 17 GDPR:
- erase off-chain personal data within our control;
- suppress the association between you and the chain record in our active systems; and
- explain why the on-chain record itself cannot technically be erased.
Article 17(3) recognises exemptions to the right to erasure where erasure would conflict with overriding public interests or with the establishment, exercise, or defence of legal claims, and we will rely on these exemptions where applicable. We will also engage in good faith to mitigate the impact on your rights.
9. Cookies and similar technologies
The Website uses cookies and similar technologies to operate, to remember your preferences, to analyse usage, and (with your consent) to support marketing.
We classify cookies as:
- Strictly necessary: required for the Website and Platform to function (for example, authentication and session cookies). These are set without consent on the basis of Article 5(3) of Directive 2002/58/EC.
- Analytics: measure traffic and usage to improve the Service. Set only with your consent.
- Marketing: support advertising and remarketing. Set only with your consent.
You can manage your cookie preferences via the cookie banner presented on your first visit and via the cookie settings link in the footer of the Website. You can also configure your browser to refuse cookies, but parts of the Website and Platform may not function correctly as a result.
10. Children
The Services are intended for use by businesses and professionals and are not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided personal data to us, contact legal@witnium.com and we will delete it.
11. Security
We maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Our security practices are described at witniumchain.com/security.
12. Changes to this Policy
We may amend this Policy from time to time. Where changes are material, we will provide reasonable advance notice by email to the account contact and/or by prominent notice on the Website. The “Last updated” date at the top of this Policy reflects the date of the most recent change. Continued use of the Services following any change constitutes acceptance of the updated Policy.
13. Contact
To contact us about this Policy or your personal data, write to legal@witnium.com or to:
Witnium Technologies AB, Attn: Privacy, Tyska Skolgränd 4, 111 31 Stockholm, Sweden
14. Complaints
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, telephone +46 8 657 61 00, email imy@imy.se. We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority, and we encourage you to contact us first.