Privacy Policy
1. Scope and roles
This Policy applies to Sprime, Inc. ("Sprime," "we," "us") and the services we operate at sprime.io, sprime.us, pay.sprime.io, and any subdomain or successor (the "Services"). When you are a member of the Vault or Estate tier, you are a data subject for personal data about yourself and a controller for personal data you place in custody about others. We act as a controller for the operational and security data we generate about your use of the Services, and as a processor for the documents and credentials you deposit in your vault.
2. Personal data we handle
2.1 Identity and account
Name, email, billing country, telephone (optional), and the cryptographic identifiers we issue to you (decentralized identifiers, public keys, device handles).
2.2 Vault contents
Files, credentials, attestations, notes, and any other materials you place in your vault. We do not read vault contents. Vault data is encrypted under a key wrapped per tenant in a hardware security module; we cannot produce plaintext without your action.
2.3 Operational telemetry
Network metadata, request timing, error traces, device fingerprints used for anti-fraud, and access events for the tamper-evident audit log.
2.4 Billing
Billing happens on pay.sprime.io, our Stripe-hosted custom domain. Card numbers are tokenized at Stripe and never reach our servers. We retain the last four digits of the instrument, the issuer country, and the amount/currency for tax and reconciliation purposes.
2.5 Fiduciary nominations
If you use the Fiduciary online tool, we retain the nomination, its timestamp, and the cryptographic signature evidencing that it was created by you. The nominee's contact information is held to deliver the confirmation request.
3. Purposes and legal bases
We process personal data for the following purposes, on the corresponding legal bases under GDPR Article 6 and equivalent provisions in CCPA/CPRA and applicable U.S. state laws:
- Performance of contract — to deliver the Services you have requested.
- Legal obligation — to meet tax, anti-money-laundering, and statutory retention requirements.
- Legitimate interests — security, fraud prevention, service integrity, and audited research that uses only aggregate or properly anonymized data.
- Consent — for optional analytics, optional communications, and any processing for which consent is the appropriate basis. You may withdraw at any time.
We do not sell or share personal data for cross-context behavioral advertising, and we do not profile members for advertising purposes. CCPA/CPRA "Do Not Sell or Share" is honored globally as a default.
4. Retention and deletion
We retain personal data only for the period required to deliver the Services you have requested and to satisfy the law. Specifically:
- Vault contents are retained until you delete them or terminate the Service, with cryptographic deletion (key destruction) completed within 30 days of your signal.
- Operational telemetry is retained for 13 months in line with audit needs, then aggregated or destroyed.
- Billing records are retained for the period required by applicable tax law (typically seven years in the United States).
- Tamper-evident audit log entries are retained for the life of the account plus the regulatory window.
5. Sharing and subprocessors
We do not sell personal data and do not authorize any third party to use it for their own purposes. We engage a limited number of subprocessors to deliver the Services; the current list is maintained at on request and includes hosting, billing (Stripe), transactional email, and DDoS protection. Each subprocessor is bound by a Data Processing Agreement that prohibits secondary use and requires equivalent safeguards.
We disclose personal data to public authorities only as required by valid legal process, after notice to the affected member when permitted by law.
6. International transfers
Where personal data leaves the EEA, UK, or Switzerland, we rely on adequacy decisions where available and the European Commission Standard Contractual Clauses (2021) supplemented with the UK Addendum or Swiss Addendum as relevant. Estate clients may elect data residency in a specific jurisdiction; in that case data does not leave it without your written instruction.
7. Your rights
Subject to applicable law, you have the right to access, correct, delete, restrict, port, and object to processing of your personal data, the right to withdraw consent, and the right to lodge a complaint with a supervisory authority. CCPA/CPRA rights include the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right against retaliation for exercising any of them.
To exercise a right, write to support@sprime.io from the email associated with your account. We will verify the request and respond within 30 days, with one 60-day extension when allowed.
8. Security
We hold personal data under the controls summarized on the Trust & Security page: ISO/IEC 27001 and 27701 management systems, SOC 2 Type II controls, AES-256-GCM at rest, TLS 1.3 in transit, hardware-rooted key custody, microsegmented networks, and a tamper-evident audit log. No system is invulnerable; in the event of a material incident we will notify affected members and authorities within the applicable regulatory window.
9. Children
The Services are intended for adults. We do not knowingly collect personal data from anyone under the age of 18. If we learn we have, we will delete it.
10. Cookies and analytics
We use strictly necessary cookies for sign-in, anti-CSRF, and load balancing. No advertising cookies are set. Optional analytics, if you consent, are processed in aggregate form and stripped of identifiers; you may withdraw at any time in your account settings.
11. Changes
If we make a material change to this Policy, we will notify members by email and post the prior version alongside a redline. Continued use after the effective date constitutes acceptance of the updated Policy.
12. Contact and complaints
Privacy office: support@sprime.io. EU/UK clients may also contact a supervisory authority in their member state or the UK Information Commissioner's Office. California residents may contact the California Privacy Protection Agency.