Last updated: May 2026
SealTrust, France
Contact for data protection: contact@sealtrust.io
We collect: account data (email, hashed password, first and last name, optional phone, country); custodial wallet address generated when you create an account; NFC verification data (uid_hash, geographic coordinates of the scan, IP address); push notification token (FCM, only if you enable notifications); billing data when you subscribe to a paid plan. Biometric data (Face ID / Touch ID) is processed locally on your device and is never transmitted to our servers.
• Account creation and management
• Provision of the NFC product authentication service
• Fraud and clone detection (trust scoring)
• Customer support
• Billing and payment processing
• Service improvement and security
• Marketing communication (only with your explicit consent)
• Contract execution (provision of the Service)
• Consent (marketing communications, optional geolocation)
• Legitimate interest (fraud detection, security, service improvement)
• Legal obligation (accounting and tax retention)
• Account data: duration of the contractual relationship + 3 years
• NFC verification logs: 365 days
• IP addresses attached to scans: anonymized after 30 days
• Security and audit logs: 24 months
• Unlabeled fraud-detection data: 12 months
• Public on-chain data (token identifiers, ownership transfers, scan hash): permanent, by blockchain design and not erasable
Authorized SealTrust personnel only.
Subprocessors used to operate the Service: AWS KMS (cryptographic key management, eu-west-3, EU); Hostinger (application hosting, EU); Scaleway (media and backups, France); Pinata (IPFS metadata, US); Firebase / Google (push notifications, US); Stripe (billing and payments, US); Resend (transactional email, US); Alchemy and Infura (blockchain RPC, US); Cloudflare (DNS and CDN, US/EU); hCaptcha (anti-bot on contact forms, US).
We do not sell your data to third parties.
Some of our subprocessors listed above are located in the United States. Such transfers are governed by the European Commission's Standard Contractual Clauses (Article 46 GDPR) and the additional safeguards offered by these providers.
Public blockchain: SealTrust uses Base, a public Layer-2 network on Ethereum. Token identifiers, NFT ownership and ownership transfers are public by design and cannot be erased once recorded on-chain.
We implement technical and organizational measures to protect your data: TLS 1.2+ for all communication, Argon2id password hashing, AWS KMS for cryptographic signing, AES-128 NFC Secure Dynamic Messaging (anti-replay, anti-clone), encryption at rest of stored credentials (Fernet), strictly restricted personnel access, and signed audit logs.
You have rights of access, rectification, erasure, restriction, objection, and portability over your personal data.
You can permanently delete your account directly from the mobile app: Settings → Edit profile → Delete account. The server-side deletion is performed by the DELETE /me API endpoint and wipes your account data, NFC scan logs, and ownership claims (with the exception of immutable on-chain records, see §7).
For other requests, contact: contact@sealtrust.io. We respond within 30 days.
You can file a complaint with the French Data Protection Authority (CNIL): www.cnil.fr.
We use strictly necessary cookies for authentication (CSRF token, locale preference, session cookie). A cookie consent banner lets you grant or refuse any non-essential cookies before they are set. We do not use third-party advertising or cross-site tracking cookies.