← Back to Home

Privacy Policy

Last updated: June 2026

1. Who we are

Attestia Protocol ("Attestia", "we", "us") operates the website and web application at attestiaprotocol.xyz, including the authenticated product at /app, the public Try detector demo, and the optional Attestia browser extension for in-page image verification. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

For any privacy-related questions you can reach us at: info@attestia.xyz

2. What data we collect and why

2.1 Account and protocol use

When you sign in to the Attestia web application, authentication is handled by Privy (email login) together with Supabase (session management). Depending on your role, we may store:

  • Email address — to create your account, send verification and protocol notifications, and link API keys or billing. Stored in our database and never sold.
  • Wallet address — Attestia provisions an embedded wallet through Privy for attesters, or a custodial wallet for submitters. Wallet addresses are public on the blockchain and are not personally identifiable information per se.
  • Profile details — optional fields such as name, organisation, country, city, birth date, attester username, and declared verification algorithms, used for onboarding, display on the network map, and protocol operations.
  • API keys — if you create programmatic access keys, we store a hashed key identifier, label, creation time, and last-used timestamp linked to your account email.

2.2 Media attestation (submitters and attesters)

  • Media files — when you register media for on-chain attestation, the file is pinned to IPFS and its cryptographic hash is registered on-chain. We do not extract personal data from submitted files beyond what you provide as metadata.
  • Attestation metadata — title, content type, media context, scores, and timestamps are stored off-chain (and anchored on-chain where applicable) to operate the verification network.

2.3 Try detector demo and browser extension

The Try detector page and the Attestia browser extension let you check an image for synthetic-media risk without signing in and without creating an on-chain attestation.

  • Uploaded or fetched images— you provide an image (web upload or, in the extension, an image URL from the page you are viewing). The image is sent to our server and forwarded to Attestia's deepfake detector service for analysis. Images submitted through the public demo are processed transiently: they are not registered as attestations and are not retained after the analysis completes, except where short-lived server logs are kept for security (see §2.5).
  • Optional hints — on the Try detector page you may supply a content type and a short text description to improve routing. These hints are sent with the image and discarded with the request.
  • Detection results — probability scores, verdict text, and reasoning are returned to your browser. Demo results are probabilistic and for illustration only; they are not blockchain-anchored proof of authenticity.
  • Extension settings — the extension stores your chosen API base URL, language, and per-site enablement in chrome.storage on your device. It keeps a small in-memory cache of recent results (not synced to our servers).

The extension downloads images from third-party sites (e.g. social feeds) only when you explicitly trigger verification. It does not include third-party analytics.

2.4 Contact and participation forms

If you use the participation or contact form, we collect the name, email, organisation, role, and message you submit. When configured, submissions are protected by Cloudflare Turnstile (a CAPTCHA service that may process your IP address and browser signals). Messages are emailed to our team and not used for advertising.

2.5 Billing

Paid plans are processed by Stripe and/or PayPal. We do not store full payment card numbers. We receive confirmation of payment status and plan tier so we can credit your account.

2.6 Data collected automatically

  • Server logs — our hosting infrastructure may log IP addresses, request timestamps, user agents, and HTTP status codes for security, abuse prevention, and operations. These logs are retained for a maximum of 30 days.
  • Language preference — stored in your browser's localStorage (attestia-lang) and reflected in the URL locale prefix. Supported languages: English, Italian, Spanish, French, Japanese, Chinese, and Russian. This data never leaves your device except when you choose a language for the site.
  • Theme preference — light or dark mode is stored in localStorage (attestia-theme) on your device only.

2.7 What we do not use

We do not use advertising networks or social media tracking pixels. We load Google Analytics only after you accept the consent banner, so we can measure traffic and site usage. We do not sell any data.

3. Cookies and browser storage

This website uses strictly necessary cookies for core functionality, a consent cookie to remember your choice, and Google Analytics cookies only after you accept the banner. You can reopen and change your choice from the Cookie settings page.

Cookie / storagePurposeDuration
attestia_ga_consentRemembers whether you accepted or rejected the analytics banner.1 year
_ga, _ga_*Measures traffic and usage through Google Analytics (only after consent).Up to 2 years
wagmi.*Stores your wallet connection state so the page does not flash on reload. Set by the Wagmi library (open source). No personal data.Session / 1 day
Privy session cookiesAuthentication session for the web application. Set only when you sign in through Privy.Session / up to 30 days
sb-*Supabase authentication session for the web application and the blog admin panel (/admin/blog). Only set when you sign in.1 week
attestia-lang, attestia-themeLanguage and theme preferences in localStorage (not cookies).Until cleared

You can delete cookies via your browser settings. Deleting them will sign you out of the application and admin panel, reset wallet connection state, and clear analytics cookies.

4. Legal basis for processing (GDPR Art. 6)

  • Contract performance (Art. 6.1.b) — processing your account, wallet, media, and attestation data to provide the verification service you requested.
  • Consent (Art. 6.1.a) — Google Analytics (only after banner acceptance); optional profile fields you choose to provide.
  • Legitimate interests (Art. 6.1.f) — server logs and abuse prevention; functional cookies and local storage for a stable experience; operating the public Try detector demo and extension API at your request when you upload or verify an image.

5. Data retention

  • Account and profile data: retained while your account is active. You may request deletion at any time.
  • Try detector / extension analysis: images processed transiently; not kept as attestations after the request completes.
  • Extension result cache: held in browser memory only, cleared when the extension restarts or you clear cache.
  • Server logs: maximum 30 days.
  • On-chain attestations and IPFS-pinned media: permanently recorded on public networks. We cannot delete blockchain or IPFS data once published.

6. Data transfers and processors

We rely on the following categories of service providers:

  • Supabase — authentication and database (EU region where configured).
  • MongoDB — application data storage (hosting region per deployment).
  • Privy — email login and embedded wallet infrastructure (United States).
  • Pinata / IPFS — distributed media storage for attestations.
  • Attestia detector service — image analysis for the Try detector, extension, and native scoring pipeline.
  • Stripe / PayPal — payment processing.
  • Cloudflare Turnstile — bot protection on contact forms.
  • Google Analytics — optional traffic measurement (after consent).
  • Ethereum / Base — public blockchains for attestations and settlement.

Where data is processed outside the EU/EEA, we rely on the providers' Standard Contractual Clauses (SCCs) or equivalent safeguards.

7. Your rights under GDPR

If you are in the EEA or UK, you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your personal data (except data on public blockchains or IPFS).
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — for analytics, via Cookie settings at any time.
  • Lodge a complaint — with your local supervisory authority (e.g. Garante Privacy in Italy).

To exercise any of these rights, contact us at info@attestia.xyz. We will respond within 30 days.

8. Changes to this policy

We may update this policy as the protocol, Try detector, and extension evolve. Material changes will be announced on our blog. The "Last updated" date at the top of this page always reflects the most recent version.