Privacy Policy
Version 3 · effective 5/18/2026
Privacy Policy — attestly
Effective 2024-08-01
Source repository: Artificial425/attestly
This Privacy Policy describes how Domenic Julian's workspace collects, uses, and discloses personal information in connection with the attestly product. attestly is a service designed to help businesses manage compliance and security. We are committed to protecting the privacy and security of our users' data.
Scope
This policy applies to all personal data processed by Domenic Julian's workspace through the attestly product, including data provided by our customers and their end-users.
Controller
Domenic Julian's workspace (“we”) is the controller of personal data described in this policy. Contact: admin@attestly.dev.
Information we collect
Contact details
Fields detected: fullName, email, phone
Source files: User registration and authentication forms, User profile settings, Payment processing forms
Purposes: To communicate with users about their account; To provide customer support; To send transactional emails and service updates
Retention: Customer-defined
Retention rationale: Data is retained for the duration required to provide the contracted service and to comply with legal and contractual obligations.
How to request deletion: Users can request deletion of their contact information by contacting support at admin@attestly.dev.
Identifiers
Fields detected: fullName, email
Source files: User authentication provider (Clerk)
Purposes: To create and manage user accounts; To uniquely identify and authenticate users
Retention: Customer-defined
Retention rationale: Identifiers are retained as long as the user account is active to ensure proper service delivery.
How to request deletion: Account deletion, which removes associated identifiers, can be requested by contacting admin@attestly.dev.
Financial
Fields detected: credit_card
Source files: Payment processing forms managed by our payment provider, Stripe.
Purposes: To process payments for subscriptions and services; To manage billing and invoicing; To prevent fraudulent transactions
Retention: Customer-defined
Retention rationale: Financial data is retained by our payment processor in accordance with PCI-DSS standards and legal requirements for financial record-keeping.
How to request deletion: Financial information can be managed or removed through the billing portal or by contacting admin@attestly.dev.
Credentials
Fields detected: auth credentials
Source files: User authentication provider (Clerk)
Purposes: To securely authenticate users; To protect user accounts from unauthorized access
Retention: Customer-defined
Retention rationale: Credentials are managed by our authentication provider and are retained as long as the user account exists.
How to request deletion: Credentials are deleted upon account closure, which can be initiated by contacting admin@attestly.dev.
Communications
Fields detected: email content
Source files: Transactional emails sent via Resend
Purposes: To deliver account-related notifications; To provide service updates and security alerts
Retention: Customer-defined
Retention rationale: Email content is retained for a limited period by our email provider for delivery and troubleshooting purposes.
How to request deletion: Deletion of email history can be requested by contacting admin@attestly.dev.
Special category (Art. 9)
Fields detected: biometric, ssn
Source files: Data voluntarily provided by users within the attestly product for specific features.
Purposes: To enable specific product functionalities as directed by the user.
Retention: Customer-defined
Retention rationale: Special category data is retained only as long as necessary to provide the feature for which it was collected.
How to request deletion: Users can request the deletion of this data at any time by contacting admin@attestly.dev.
Other
Fields detected: prompt content, application data, request metadata
Source files: User interaction with AI features, General application usage and data storage, Hosting infrastructure logs
Purposes: To provide AI-powered features and generate outputs; To store and retrieve application data in our database (Neon); To operate, monitor, and secure our hosting infrastructure (Fly.io, Railway)
Retention: Customer-defined
Retention rationale: This data is retained to provide core product functionality and ensure service stability and security.
How to request deletion: Data is deleted upon account closure or by specific request to admin@attestly.dev.
Legal bases for processing
- Contract (Art. 6(1)(b)) — Contact details, Identifiers, Financial, Credentials, Other. Processing is necessary for the performance of our contract with customers to provide, maintain, and secure the attestly product.
- Legitimate interests (Art. 6(1)(f)) — Communications, Device. We process this data based on our legitimate interest in communicating with users, improving our service, and protecting against fraud and security threats.
- Consent (Art. 6(1)(a)) — Special category (Art. 9). The processing of any special category data is based on the explicit consent provided by the data subject for one or more specified purposes.
Disclosures to third parties
| Recipient | Purpose | Categories |
|---|---|---|
| Clerk | User authentication and account management. | Contact details, Identifiers, Credentials |
| Stripe | Payment processing and billing. | Contact details, Financial |
| Resend | Transactional email delivery. | Contact details, Communications |
| Neon | Database hosting for application data. | Other |
| Fly.io | Edge application hosting. | Other |
| Railway | Application hosting. | Other |
| Anthropic | Large language model inference. | Other |
| Google Generative AI (Gemini) | Gemini model inference (text, vision, multimodal). | Other |
| OpenAI | Large language model inference and embeddings. | Other |
International transfers
Your personal data may be transferred to, and processed in, countries other than the one you reside in. Our subprocessors are located in the United States and other global locations. These transfers are safeguarded through appropriate legal mechanisms, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK's International Data Transfer Addendum, to ensure your data receives an adequate level of protection.
Data security
We implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures include encryption of data in transit using TLS and at rest using AES-256, role-based access controls to limit access to personal data to authorized personnel, and maintaining audit logs of system activity. We have an incident response plan to address any potential data breaches in a timely manner.
Cookies and analytics
The attestly product uses essential cookies to provide core functionality, such as maintaining user sessions and authentication. These cookies are necessary for the operation of the service. We do not use third-party cookies for advertising, tracking, or analytics purposes.
Sensitive personal information
We process the following sensitive categories of personal data: biometric, government_identifier.
Processing of this data is based on explicit user consent (GDPR Article 9(2)(a)) for specific, user-initiated features. Users can limit the use of this information by choosing not to provide it or by contacting us at admin@attestly.dev to request its deletion.
Automated decision-making
The attestly product does not use automated decision-making that produces legal or similarly significant effects on individuals.
Do Not Sell or Share (California residents)
We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioural advertising. California residents nonetheless retain the rights described in the California addendum below.
Children's data
The attestly product is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information.
Your rights
- You have the right to access your personal data.
- You have the right to request the correction of inaccurate personal data.
- You have the right to request the erasure of your personal data.
- You have the right to request the restriction of processing of your personal data.
- You have the right to receive your personal data in a portable format.
- You have the right to object to the processing of your personal data.
- Where processing is based on consent, you have the right to withdraw that consent at any time.
- You have the right to lodge a complaint with a supervisory authority.
Marketing preferences
We use Resend for transactional emails related to your account and service usage. We do not send marketing communications. Should this change, you will be able to manage your preferences via an unsubscribe link in any marketing email or by contacting us directly.
Data portability
Upon request, we will provide you with your personal data in a structured, commonly used, and machine-readable format, such as JSON or CSV. Please submit portability requests to admin@attestly.dev. We will process these requests within 30 days.
Personal-data breach notification
In the event of a personal data breach, we will notify affected customers without undue delay, and in any case within 72 hours of becoming aware of the breach, in accordance with our legal obligations and contractual commitments.
Jurisdiction-specific addenda
European Union (GDPR)
Residents of the European Economic Area (EEA) have the right to access, rectify, or erase their personal data, as well as the right to restrict processing, object to processing, and portability. You also have the right to lodge a complaint with a data protection authority.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'GDPR Request'.
United Kingdom (UK GDPR)
Residents of the United Kingdom have rights under the UK GDPR and Data Protection Act 2018, which are similar to those under the EU GDPR. These include the rights to access, rectification, erasure, restriction, data portability, and to object to processing.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'UK GDPR Request'.
California (CCPA/CPRA)
California residents have the right to know what personal information is collected, to delete it, and to correct inaccurate information. We do not 'sell' or 'share' your personal information as defined by the CCPA/CPRA. You have the right to not be discriminated against for exercising your privacy rights.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'California Privacy Request'.
Virginia (VCDPA)
Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'Virginia Privacy Request'.
Colorado (CPA)
Colorado residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'Colorado Privacy Request'.
Connecticut (CTDPA)
Connecticut residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'Connecticut Privacy Request'.
Texas (TDPSA)
Texas residents have the right to confirm whether a controller is processing their personal data, to access, correct, and delete their data, and to obtain a portable copy. You also have the right to opt out of processing for targeted advertising, the sale of personal data, or certain types of profiling.
To exercise these rights: To exercise these rights, please email admin@attestly.dev with the subject line 'Texas Privacy Request'.
Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at admin@attestly.dev. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our website or by sending you an email notification. We encourage you to review this Privacy Policy periodically for any changes.