Privacy Policy
Last updated: 2026-04-19 (v1.0)
1. Who we are
SDV — Source Document Vault — is operated by TonGuy Platforms, a company incorporated in Germany with operating offices in Zimbabwe. TonGuy Platforms is the data controller for personal data processed through SDV. Contact for privacy matters: privacy@sdv-global.io.
2. What we collect
- Account data: email address, display name, SDV Account ID, jurisdiction.
- Document metadata: titles, types, amounts, jurisdiction codes — never the document file content unless you explicitly upload it for storage.
- Biometric seal hash: a one-way SHA-256 hash. We never store the underlying biometric (fingerprint, face) in any form.
- Audit log entries: IP address, user agent, action timestamps. Required for the legal admissibility of sealed documents.
- Billing data: handled by Stripe. We see only the resulting subscription status and plan, never your card details.
3. How we use it
We process the data above to: (a) authenticate you, (b) seal and verify your documents, (c) run jurisdiction-specific compliance checks, (d) operate billing through Stripe, and (e) send transactional email (account, billing, and security notifications). We do not sell or share your data with advertisers.
4. Where data is stored
SDV is built on sovereign nodes. EU users' documents and metadata are stored in eu-central-1 (Frankfurt, Germany). African users' data is stored in af-south-1 (Cape Town, South Africa). Documents are never replicated across jurisdictions. Backups follow the same residency rules.
5. Data retention
Document metadata is retained for the legally required period of the document's jurisdiction:
- Germany: 10 years (GoBD).
- South Africa, Zimbabwe: 7 years.
- All other supported jurisdictions: 7 years (default).
Account data unrelated to sealed documents (profile, preferences) is deleted 30 days after you close your account. Sealed documents themselves cannot be deleted before their retention period expires — that is a deliberate property of the evidence vault.
6. Your rights
Under the GDPR (and POPIA for South African users) you have the right to: access your data, correct it, request erasure (subject to the legal retention obligation above), restrict processing, object to processing, and request portability. To exercise any of these rights, email privacy@sdv-global.io. We respond within 30 days.
7. Cookies and local storage
SDV sets a session cookie when you sign in (for NextAuth). Your theme preference (light/dark) is stored in your browser's localStorage. We do not use third-party tracking cookies.
8. Third-party processors
- Stripe — payment processing.
- Resend — transactional email delivery.
- AWS — infrastructure hosting (in your jurisdiction's region).
- PostHog — anonymised product analytics. Opt-out is honoured via the analyticsConsent flag on your account.
9. Changes to this policy
We update this policy when our practices change. The version date at the top of this page tells you when it was last revised. Material changes are announced by email to active accounts at least 14 days before they take effect.
10. Contact
Privacy questions, complaints, or rights requests: privacy@sdv-global.io.