Attestyxby JIL Sovereign
Sign inSign up free
How it worksTiersPricingAPIGrantsProofMandate
Sign inSign up free
SAMPLE - DRAFT FOR COUNSEL REVIEW. Not yet executed by JIL Sovereign Technologies, Inc. or binding on any party.
Public

Privacy Policy

GDPR / LGPD / PDPA / CCPA compliant data handling notice.

Effective: 2026-05-04Last updated: 2026-05-04Version 1.0 (sample)

1. Introduction

This Privacy Policy describes how JIL Sovereign Technologies, Inc. (“Operating Co”) collects, uses, discloses, and protects personal data in connection with the Attestyx Platform. We comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act, the Brazilian Lei Geral de Proteção de Dados (“LGPD”), the Singapore Personal Data Protection Act 2012 (“PDPA”), the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021) (“UAE PDPL”), and other applicable data protection laws.

2. Data Controller and DPO

For the purposes of GDPR Article 4(7), Operating Co acts as Data Controller for personal data collected directly from Foundation Administrators, Grantee Administrators, and other end users. For the purposes of GDPR Article 4(8), Operating Co acts as Data Processor when processing personal data on behalf of Foundations under the Master Services Agreement and Data Processing Addendum. Our Data Protection Officer can be reached at [email protected].

3. Categories of Personal Data Collected

We collect the following categories of personal data:

  • Account data: name, email, role, organization, hashed password, MFA settings.
  • Identity data: legal name and registration ID for organizations; legal name, role, FTE percentage, and authorized-signer status for personnel; legal name, ownership percentage, country, and PEP status for beneficial owners.
  • Content data: documents you upload to the vault (Form 990s, audited financials, bylaws, board rosters, etc.) along with their content hashes and metadata.
  • Usage data: pages visited, actions taken, timestamps, IP address, user agent, geographic region.
  • Sanctions screening data: results of OFAC, EU, UK HMT, UN, AU DFAT, CA OSFI, and jurisdictional list screenings against names you provide.
  • Application + grant data: narratives, budgets, milestone evidence, attestations, and Verdict Engine outputs.

4. Lawful Basis for Processing (GDPR Art. 6)

Where the GDPR applies, we rely on the following lawful bases:

  • Contract (Art. 6(1)(b)): processing necessary for performance of our contract with you, including account management, application submission, milestone tracking, and disbursement signaling.
  • Legal obligation (Art. 6(1)(c)): sanctions screening; tax-status verification; record-keeping required by applicable charitable-sector regulation.
  • Legitimate interests (Art. 6(1)(f)): cross-foundation intelligence operations to detect fraud and misuse; security monitoring; product improvement. We have conducted Legitimate Interests Assessments and offer opt-out for non-essential cross-foundation sharing.
  • Consent (Art. 6(1)(a)): optional document-vault sharing across foundations; marketing communications; analytical cookies.

5. Special Categories (GDPR Art. 9)

We may incidentally process Protected Health Information (PHI) when grant programs systematically involve health data. In those cases we operate under a Business Associate Agreement (US) or equivalent special-category lawful basis under Art. 9(2)(j) for archiving in the public interest or scientific research where applicable. Programs that systematically involve PHI must execute a Business Associate Agreement.

6. Data Subject Rights

Depending on the law applicable to you, you have the right to: access, rectification, erasure, restriction of processing, data portability, object to processing, withdraw consent, and (where applicable) lodge a complaint with a supervisory authority. Requests should be sent to [email protected]. We will respond within 30 days (45 days where extended notice is permitted) and at no cost for routine requests.

7. Cross-Border Transfers

Personal data is processed in our regional data centers in Helsinki (Hetzner Object Storage, EU-Central) and our Hetzner Nuremberg compute environment. Where personal data is transferred outside the data subject's jurisdiction, we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), adequacy decisions where applicable, and supplementary measures including encryption at rest (AES-256) and in transit (TLS 1.3).

8. Retention Periods

Account data is retained for the duration of your account plus 7 years for record-keeping. Application + grant data is retained for 10 years from grant closure to support audit, recovery, and regulatory requirements. Sanctions screening records are retained for 7 years. CREB attestations are retained for the life of the Platform; CourtChain anchors are immutable. Documents in the vault are retained until you delete them, subject to legal-hold requirements.

9. Cookies and Tracking

See our Cookie Policy for details on cookies and tracking technologies.

10. Security

We implement administrative, physical, and technical safeguards including AES-256 encryption at rest; TLS 1.3 in transit; Argon2id password hashing; multi-factor authentication; least-privilege access control; quarterly access reviews; annual third-party penetration testing; HIPAA-grade incident response procedures; SOC 2 Type II audit (planned Q4 2027).

11. Children

The Platform is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected such data, contact [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to your registered account email and posted with at least 30 days' notice on this page.

13. Contact

Privacy inquiries: [email protected].
Data Protection Officer: [email protected].
EU Representative under GDPR Art. 27: to be appointed.