Last updated: February 27, 2026
Important note: not legal advice
This Privacy Policy explains how Decot handles data and is provided for informational purposes. It is not a substitute for legal advice from your own counsel regarding your specific circumstances and obligations.
1. Introduction: our commitment to your privacy
Welcome to Decot! Decot ("we," "us," "our") provides a privacy-preserving Contract Lifecycle Management (CLM) platform (the "Service"). Our core mission involves enabling secure and verifiable contract management by anchoring cryptographic hashes of contract events to the Sui blockchain, while ensuring the actual content of your documents remains encrypted and under your control.
Protecting your privacy is fundamental to how we design and operate our Service. This Privacy Policy ("Policy") explains what Personal Data we collect, how and why we use it, with whom we might share it, and the rights and choices you have regarding your information.
By using our Service, you agree to the collection and use of information in accordance with this Policy.
2. Scope & key definitions
This Policy applies to Personal Data processed when you interact with or use the Decot Service, which includes:
- Our web application (e.g., app.decot.io).
- Our Application Programming Interfaces (APIs) and Software Development Kits (SDKs).
- The Decot custom ZK login onboarding flow (including supported identity-provider authentication).
- Any related websites, support channels, and services offered by Decot.
Key terms used in this Policy
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (e.g., EU GDPR, CCPA).
- On-Chain Data: Data that is publicly recorded on the Sui blockchain, such as transaction IDs, wallet addresses, and cryptographic hashes.
- Off-Chain Data: Data stored outside the blockchain, such as the encrypted content of your documents.
- zkLogin (Zero-Knowledge Login): A feature of the Sui network allowing users to authenticate using existing web credentials (e.g., Google, Microsoft, Apple accounts) to control a Sui address without directly revealing those credentials on-chain or to Decot.
- Controller: The entity that determines the purposes and means of processing Personal Data.
- Processor: The entity that processes Personal Data on behalf of a Controller.
3. Information we collect
We collect information in different ways to provide and improve our Service:
3.1. Information you provide directly
- Account Information: When you register for a Decot account, we collect your email address (primarily for notifications, account recovery, and communication), your chosen display name, and if applicable, your organization's name. If you sign up with email and password, we store a hashed version of your password.
- Wallet & Blockchain Identifiers: Your Sui public wallet address is necessary to interact with the Service. This may be an address you connect directly or one derived via zkLogin.
- Contract Metadata You Input: Information you provide when creating or managing contracts, such as document titles, names of involved parties, key dates, and custom tags. Important: while contract content is encrypted, metadata you enter (like titles or party names) might be recorded on-chain if it is part of the transaction data. Be mindful of including sensitive Personal Data in these metadata fields if you wish to maintain its off-chain privacy.
- Communications: If you contact us for support or other inquiries, we collect the information you provide in those communications (e.g., email content, chat logs).
3.2. Information we collect automatically
- Usage and Log Data: Information about your interactions with our Service, such as IP addresses (which may be truncated or anonymized where feasible), browser type, device type, operating system, referring URLs, pages viewed, access times, clickstream data, and error logs. This helps us with security, service improvement, and analytics.
- On-Chain Transaction Data: When you perform actions that interact with the Sui blockchain (e.g., anchoring a document hash, recording a signature), the transaction ID, your wallet address, the hash of the (encrypted) document, and event timestamps are publicly recorded on the Sui ledger. Decot systems read this public data to reflect contract status and history in your dashboard.
- Cookies and Similar Technologies: We use cookies and similar technologies (e.g., local storage, web beacons) to operate the Service — such as keeping you signed in, remembering your preferences, and for security — and for analytics. See the "Cookies & similar technologies" section below.
3.3. Information processed on your behalf (Decot as a data processor)
- Encrypted Document Content: When you upload documents to Decot for management and signing, the content of these documents is client-side encrypted (in your browser) before being transmitted for storage. Decot acts as a data processor for this encrypted content.
- What Decot doesn't do: By design, Decot personnel and systems cannot access or read the unencrypted content of your documents stored through our Service, as we do not hold the primary decryption keys. These are managed by you and the participants you authorize, typically through your wallets.
3.4. Information from third-party services (e.g., zkLogin providers)
- zkLogin Authentication: If you choose to sign up or log in using Decot custom ZK login (e.g., with your Google, Microsoft, or Apple account), we receive an authentication proof and your derived Sui address from the identity-provider flow.
- What Decot doesn't do: We do not receive or store your password for your Google, Microsoft, Apple, or other social accounts. The zkLogin process is designed to provide us with cryptographic proof of your control over an account without sharing your sensitive third-party credentials with us.
4. How we use your information
We use the information we collect for the following purposes:
- To provide and maintain the Service: To operate our platform, authenticate users, enable contract creation, facilitate sharing and signing workflows, display contract status, and manage your account.
- To secure the Service: To monitor for and prevent fraudulent activity, security incidents, and abuse; to enforce our terms and policies.
- To improve the Service: To understand how users interact with Decot, gather feedback, conduct research, and develop new features. Analytics are typically performed on aggregated and/or anonymized data.
- To communicate with you: To send transactional emails (e.g., signature requests, status updates, security alerts, account notifications), respond to support requests, and provide other information related to your use of the Service.
- For legal compliance and safety: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests; to protect the rights, property, or safety of Decot, our users, or the public as required or permitted by law.
- On-chain record keeping: To facilitate the recording of immutable audit trails (document hashes, metadata you designate for on-chain recording, signer actions, and timestamps) on the Sui blockchain, which is a core feature of the Service.
5. Our roles as data controller and processor
Under data protection laws like the GDPR, it is important to distinguish our roles:
- Decot as data controller: We act as a data controller for the Personal Data we collect directly from you to manage your account, provide general access to our Service, process your payments (if any), and for our own analytics and service improvement (e.g., your account information, usage data).
- Decot as data processor: When you upload documents and use our Service to manage and process contracts (including their encrypted content and any Personal Data within those encrypted documents), Decot acts as a data processor. We process this data on your behalf and in accordance with your instructions. You, or your organization, are the data controller for the content of the documents you manage via Decot.
6. Legal basis for processing (for EEA/UK users)
If you are in the European Economic Area (EEA) or the United Kingdom (UK), our legal basis for collecting and using Personal Data depends on the data concerned and the context in which we collect it. We will normally collect Personal Data from you only:
- Where we need it to perform a contract with you (e.g., to provide the Decot Service you have subscribed to).
- Where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (e.g., security, service improvement, analytics).
- Where we have your consent (e.g., for non-essential cookies or marketing communications where consent is required).
- Where we have a legal obligation, or need to protect your vital interests or those of another person.
If you have questions about the legal basis on which we collect and use your Personal Data, please contact us using the details in the "Contact us" section below.
8. International data transfers
Your Personal Data may be transferred to, and processed in, countries other than the one in which you reside. These countries may have data protection laws different from those of your country.
Our servers and some of our service providers may be located in various countries. When we transfer Personal Data outside of the EEA, UK, or Switzerland, we take steps to ensure it receives an adequate level of protection — including by relying on mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate legal mechanisms.
9. Data retention
We retain Personal Data for as long as necessary to fulfil the purposes for which we collected it, including to satisfy legal, accounting or reporting requirements, to establish or defend legal claims, or for fraud prevention.
- On-Chain Data: Information recorded on the Sui blockchain (transaction IDs, document hashes, wallet addresses) is immutable and permanent by the nature of blockchain technology. Decot cannot delete this data.
- Off-Chain Encrypted Documents: The encrypted content of your documents stored off-chain is retained while your account is active or per your instructions. You can typically delete these documents through the Service; deleting the off-chain encrypted document makes its content inaccessible, even though its hash may remain on-chain.
- Account Information: Retained while your account is active and for a reasonable period thereafter, or as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
- Usage and Log Data: Generally retained for a limited period necessary for security analysis, service improvement, and troubleshooting, after which it is typically aggregated or anonymized.
10. Security of your information
Decot takes the security of your data very seriously. We implement and maintain appropriate technical, physical, and administrative measures designed to protect your Personal Data from unauthorized access, use, disclosure, alteration, or destruction. These include:
- Client-side encryption: Document content is encrypted (AES-256) in your browser before upload.
- Encryption in transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS).
- Secure storage: Encrypted documents are stored with reputable cloud and decentralized storage providers who employ their own robust security measures.
- Access controls: We apply strict access controls based on the principle of least privilege, limiting access to Personal Data to authorized personnel only.
- Smart-contract audits: Our on-chain smart contracts undergo security audits by independent third parties; reports are available on request.
- Incident response: We have procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator where we are legally required to do so.
Your responsibility: no security system is impenetrable. You are responsible for maintaining the security of your account credentials, your wallet private keys or recovery phrases, and the social accounts used for zkLogin. Be vigilant against phishing and use strong, unique passwords.
12. Your privacy rights
Depending on your location and applicable laws (such as GDPR for EEA/UK residents or CCPA for California residents), you may have certain rights regarding your Personal Data, which may include:
- Access: Request copies of the Personal Data we hold about you.
- Rectification: Request that we correct inaccurate Personal Data, or complete Personal Data that is incomplete.
- Erasure: Request that we delete your Personal Data, under certain conditions. For off-chain encrypted documents you can typically initiate deletion through the Service. On-chain data is immutable.
- Restrict processing: Request that we restrict the processing of your Personal Data, under certain conditions.
- Object to processing: Object to our processing of your Personal Data, particularly where we rely on legitimate interests.
- Data portability: Request that we transfer your Personal Data to another organization, or directly to you, under certain conditions.
- Withdraw consent: Where we process based on consent, withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
- Lodge a complaint: Lodge a complaint with a relevant data protection supervisory authority if you believe our processing infringes applicable law.
To exercise any of these rights, please contact us using the details in the "Contact us" section below. We will respond within the time limits prescribed by applicable law, and may need to verify your identity first to protect your data.
13. Children's privacy
Our Service is not directed to individuals under the age of 16 (or a higher threshold where applicable under local law). We do not knowingly collect Personal Data from children. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us immediately, and we will take steps to remove that information.
14. Changes to this Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date above. If the changes are material, we will provide a more prominent notice (such as a notification on our Service or an email). Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
15. Contact us
If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us. We will endeavour to address your inquiry promptly.
Email: [email protected]