Privacy Policy
Effective: April 13, 2026. DMG L&D, LLC, a Florida limited liability company.
1. Who We Are
This Privacy Policy is published by DMG L&D, LLC, a Florida limited liability company ("Company," "we," "us," or "our"), the operator of Pactbound (pactbound.com). We are the data controller for account and usage data collected through the Service. For questions, contact privacy@pactbound.com.
2. Scope
This Policy applies to personal data collected through the Pactbound website, web application, API, and mobile application. It does not apply to third-party websites or services linked from the Service. If you use Pactbound on behalf of an organization, this Policy applies to you individually; data processing on behalf of your organization is governed by any Data Processing Agreement (DPA) in effect between the Company and your organization.
3. On-Chain Hashes and Personal Data
Pactbound anchors SHA-256 cryptographic hashes on the Hedera Consensus Service, a public distributed ledger. These hashes are one-way digests: they cannot be reversed to recover the original content. Under GDPR Recital 26, information that cannot reasonably be used to identify a natural person is not personal data. The hashes we publish on-chain contain no names, email addresses, identifiers, or any other information that can be used alone or in combination to identify an individual. On-Chain hashes are therefore not personal data under GDPR. Accordingly, the right to erasure (Article 17 GDPR) does not apply to On-Chain Records. This is a fundamental characteristic of the Hedera network and the Service: On-Chain Records are permanent and cannot be deleted by us or by any other party.
4. Data We Collect
We collect the following categories of personal data:
- Account data: email address, name, organization name, and account preferences provided at registration or updated in account settings.
- Handoff content: files, disclosures, and acknowledgment records you upload or create. These are encrypted at rest (AES-256-GCM) and accessible only to you and authorized recipients.
- Usage data: pages visited, features used, actions taken within the application, browser type, operating system, IP address, and referring URL. Collected for service operation and improvement.
- Payment data: billing name, address, and transaction records. Payment card numbers are processed by Stripe and never stored on our systems.
- Communication data: email addresses and content of transactional emails sent via Resend on your behalf (handoff notifications, acknowledgment requests, account alerts).
- Device and push notification tokens: if you use the Pactbound mobile app and opt in to push notifications, we store your Firebase Cloud Messaging token to deliver notifications.
- Support data: information you provide when contacting support.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, our legal bases for processing are:
- Contract performance (Article 6(1)(b)): processing necessary to provide the Service under our Terms of Service: account management, handoff processing, payment processing, and transactional email.
- Legitimate interests (Article 6(1)(f)): service security, fraud prevention, abuse detection, aggregated analytics to improve the Service, and legal compliance. Our legitimate interests are balanced against your rights and freedoms.
- Consent (Article 6(1)(a)): push notifications (where you have opted in). You may withdraw consent at any time through device settings.
- Legal obligation (Article 6(1)(c)): where processing is required to comply with applicable law.
6. How We Use Your Data
- To create and manage your account.
- To process Handoffs: hash files, generate Merkle proofs, assemble Evidence Bundles, and anchor proofs on the Hedera Consensus Service.
- To send transactional emails: handoff notifications, acknowledgment requests, receipts, and account security alerts.
- To process payments and manage subscriptions via Stripe.
- To enforce our Terms of Service and Acceptable Use Policy.
- To detect and prevent fraud, abuse, and security incidents.
- To improve the Service through aggregated, anonymized usage analytics. We do not build individual behavioral profiles for advertising.
- To respond to legal process, regulatory inquiries, or enforce legal rights.
7. Sub-Processors
We engage the following sub-processors to operate the Service. Each processes data only as necessary for their specific function and under contractual data protection obligations:
- Supabase, Inc.: database (Postgres), authentication, and server-side file storage. Hosted on AWS in US regions.
- Vercel, Inc.: application hosting, serverless functions, and global edge CDN.
- Stripe, Inc.: payment processing. PCI DSS Level 1 certified. Processes billing name, address, and payment card data.
- Resend, Inc.: transactional email delivery. Processes email addresses and email content.
- Hedera (HBAR Foundation / Hashgraph Association): public Consensus Service. Receives only SHA-256 hashes (non-personal data).
- Upstash, Inc.: serverless Redis used for rate limiting and job queue processing.
- Sentry, Inc.: error monitoring and diagnostics. Receives anonymized error and performance data.
- Amazon Web Services, Inc. (AWS): S3 object storage for encrypted file uploads.
- Google LLC (Firebase): Cloud Messaging service for mobile push notifications (opt-in only).
8. Cookies and Tracking
Pactbound uses strictly necessary cookies only. These are session authentication cookies set by Supabase Auth to maintain your logged-in state. We do not use advertising cookies, tracking pixels, analytics cookies, or any third-party cookies for behavioral profiling. Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive. For full details on the specific cookies set, see our Cookie Policy at pactbound.com/legal/cookies.
9. Data Retention
- Account data (login, organization settings, billing information): retained while your account is active. If your organization has no completed handoffs, requesting deletion removes this data immediately. If your organization has completed handoffs, the account cannot be self-service deleted, because handoff evidence records must be retained — contact privacy@pactbound.com to discuss closing an account that has existing evidence records.
- Handoff content and Evidence Bundles: once a handoff is sent, its record, full audit trail, acknowledgments, and on-chain (Hedera) anchor are retained permanently — this is a deliberate part of our evidentiary design and is not affected by account cancellation or deletion. On Team and higher plans, you may configure a retention window (30–3,650 days) after which the underlying uploaded files (not the record itself) are automatically deleted from storage; the handoff record, audit trail, and anchor remain.
- Payment records: retained as required by applicable tax and financial regulations (typically 7 years).
- Usage and error logs: retained for up to 90 days in aggregate anonymized form for service improvement.
- On-Chain Records: permanent. Cannot be deleted by us or any party. Non-identifying as described in Section 3.
- Backups: we maintain periodic database backups for disaster recovery, including our infrastructure provider's automated backups (retained for up to 30 days) and our own periodic backups, which we retain on a rolling basis (a fixed number of recent copies; older ones are deleted, not kept indefinitely). A backup taken before you delete data may retain a copy of that data — including file names and metadata, though never file content once it has been deleted from active storage — for the remainder of that backup's retention window.
10. Data Security
- All data in transit is encrypted using TLS 1.3.
- File Content is encrypted at rest using AES-256-GCM before storage in S3.
- Passwords are not stored. Authentication is managed by Supabase Auth, which uses bcrypt for credential hashing.
- RMM integration credentials are encrypted at rest using AES-256-GCM with a master key stored outside the database.
- Access to production data is restricted to authorized personnel on a need-to-know basis.
- We maintain a vulnerability disclosure policy. To report a security issue, contact security@pactbound.com.
11. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any right, contact privacy@pactbound.com. We will respond within 30 days (or within the timeframe required by applicable law).
- Access (GDPR Art. 15 / CCPA): request a copy of the personal data we hold about you.
- Correction (GDPR Art. 16): request correction of inaccurate or incomplete data.
- Erasure (GDPR Art. 17 / CCPA): request deletion of your personal data. This right does not apply to On-Chain Records (which are non-identifying), to handoff evidence records we retain permanently by design (see Section 9), to data we are legally required to retain, or to copies already captured in a backup until that backup's retention window (see Section 9) ends.
- Portability (GDPR Art. 20): request your personal data in a structured, machine-readable format.
- Restriction (GDPR Art. 18): request that we restrict processing of your data in certain circumstances.
- Objection (GDPR Art. 21): object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent (e.g., push notifications), withdraw at any time via device settings or by contacting us.
- California residents (CCPA): right to know, right to delete, right to opt out of sale (we do not sell personal data), and right to non-discrimination for exercising privacy rights.
- Lodge a complaint: you have the right to lodge a complaint with a supervisory authority in your country of residence.
12. Do Not Sell or Share (CCPA)
DMG L&D, LLC does not sell, rent, or share your personal data with third parties for monetary consideration or for cross-context behavioral advertising. We do not have actual knowledge of selling or sharing the personal data of consumers under 16 years of age.
13. International Data Transfers
We are based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US and other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland to the US, we rely on the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) with our sub-processors. You may request a copy of applicable transfer safeguards by contacting privacy@pactbound.com.
14. Children
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, contact privacy@pactbound.com immediately and we will delete it.
15. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide at least 30 days' notice via email to the address on your account before the new version takes effect. Material changes include changes to data categories collected, new sub-processors, and changes to your rights. The effective date at the top of this page reflects the current version.
16. Contact and Data Protection Inquiries
For privacy questions, data access requests, or complaints: privacy@pactbound.com. DMG L&D, LLC, a Florida limited liability company. We do not have a physical mailing address for public contact. All formal privacy notices should be submitted to the email address above.