Privacy Policy

ThatsReally.Me is designed to collect the minimum data needed to run the Service. Your private keys and passkey material never leave your device.

Effective June 14, 2026

ThatsReally.Me provides cryptographic proof of consent — not legal advice, identity verification, or a guarantee against deepfakes.

Information We Collect

  • Account information. Your email address, used for account recovery and the magic-link fallback only.
  • Public cryptographic material. Your public signing key (JWK) is stored so others can verify signatures you create. This is intentionally public.
  • Consent token metadata. When you create a consent token, we store a reference (name, description, timestamps, and revocation status) so you can manage and revoke your tokens. The signed token itself is generated on your device.
  • Usage data. Basic, privacy-preserving analytics (for example, counts of tokens created, videos sealed, and verifications performed) for product improvement. No video content is stored long-term.

What We Do Not Collect or Store

  • Your private keys or passkey material — these never leave your device;
  • The full content of videos you seal; or
  • Any biometric or identity-verification data.

How We Use Information

  • To provide and improve the Service;
  • To allow you to manage and revoke your consent tokens;
  • To detect and prevent abuse; and
  • To comply with legal obligations.

Data Retention & Deletion

  • You may delete your account and associated token metadata at any time.
  • Public keys may remain in verification records for transparency — this is expected behavior for a cryptographic system.
  • We retain minimal logs as required for security and abuse prevention. Logs never contain private keys, full tokens, or signature values.

Your Rights (GDPR / CCPA)

You have the right to access, correct, delete, and port your data. To exercise these rights, contact us at privacy@thatsreally.me.

Third-Party Services

We use a small number of infrastructure providers to operate the Service. Each processes data only as needed to provide its function:

  • Supabase — authentication and database;
  • Vercel — application hosting and delivery;
  • A lightweight C2PA processing service — embedding consent into video files; and
  • Error and performance monitoring — diagnosing and fixing issues, configured for data minimization.

These providers are bound by their respective data-processing agreements.

Logging & Security

What we deliberately never log

Our logging is designed for safety. We never record private keys, passkey credential material, full consent tokens, signature values, or raw IP addresses. Diagnostic logs carry only non-sensitive metadata and a correlation ID so we can trace and resolve issues without exposing your data.

Changes to This Policy

We may update this policy as the Service evolves. Material changes will be reflected by updating the effective date above.
