Privacy Policy

Attestr is operated by PowerPlay Systems Inc., a company incorporated in Ontario, Canada, headquartered in Toronto. We provide cryptographic compliance infrastructure for fintech and financial services organizations.

When this policy refers to “Attestr,” “we,” “us,” or “our,” it means PowerPlay Systems Inc.

Account information

When you sign up for the Attestr dashboard, we collect your email address and company name. Authentication is handled by our identity provider (Supabase Auth) — we do not store passwords directly.

Usage data

We collect standard web analytics to understand how the dashboard and website are used: pages visited, feature usage, browser type, and referring URLs. We do not use this data for advertising.

Attestation data

When you send fraud decisions to the Attestr API, we process the metadata and decision records you provide to generate cryptographic evidence packets. This data is stored in your tenant's isolated ledger and is not shared with other tenants or third parties.

What we do not collect

We do not collect personal information about the individuals referenced in your fraud decisions. Attestr processes decision metadata (timestamps, event IDs, outcomes) — not the underlying customer data that informed those decisions.

We use the information we collect to:

• —Operate, maintain, and improve the Attestr platform
• —Generate and store tamper-proof evidence packets on your behalf
• —Authenticate your access to the dashboard and API
• —Send transactional emails (account verification, security alerts)
• —Detect and prevent abuse, fraud, and security incidents
• —Comply with legal obligations

We do not sell your data. We do not use your attestation data to train machine learning models. We do not serve advertising.

Your data is stored in secured, encrypted databases hosted in North America. All data in transit is encrypted via TLS. Attestation records are additionally protected by SHA-256 hash chains and Ed25519 digital signatures, making post-hoc tampering cryptographically detectable.

Tenant data is logically isolated — each organization's ledger is accessible only through authenticated, tenant-scoped API calls. We use HMAC-SHA256 request signing for API authentication.

For details on our security practices, see our Security page.

We use a limited number of third-party services to operate Attestr:

• —Supabase — authentication and identity management
• —Railway — application hosting and database infrastructure
• —Vercel — website and dashboard hosting

These providers act as data processors on our behalf and are contractually obligated to protect your data. We do not share your data with third parties for their own purposes.

We use essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Essential cookies cannot be disabled as they are necessary for the dashboard to function. They expire when your session ends or after a reasonable inactivity period.

Account data is retained for the duration of your account and deleted upon request after account closure.

Attestation records are retained according to your plan tier and applicable regulatory requirements. Because these records serve as compliance evidence, they are designed to be long-lived. You can export your full ledger at any time.

Usage data is retained in aggregate form and automatically purged after 12 months.

Depending on your jurisdiction, you may have the right to:

• —Access the personal information we hold about you
• —Request correction of inaccurate information
• —Request deletion of your personal information
• —Export your data in a portable format
• —Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@attestr.io. We will respond within 30 days.

Note: deletion requests for attestation ledger data may be subject to regulatory retention requirements. We will explain any limitations that apply.

We may update this policy from time to time. Material changes will be communicated via email to registered account holders or via a notice on our website. The “Effective date” at the top of this page reflects the most recent revision.