Document of Record § Privacy Notice

Privacy Notice.
In plain language.

We collect only what's needed to verify credentials, seal documents, and keep your account secure. We don't sell your data. Credentials, MFA secrets, signing keys, OAuth tokens, and webhook secrets are encrypted at the field level (AES-256-GCM).

Version
v4.1
Effective
April 22, 2026
Jurisdiction
Global · GDPR · CCPA
Reading
≈ 8 min
§01

Overview

EngineeringID ("we", "us", "our") is operated by EngineeringID. This Privacy Notice describes how we collect, use, and protect personal information when you use our credential and document sealing platform across the web, iOS, macOS, Android, browser extensions, and integrations.

We follow the principles of data minimization, purpose limitation, and encrypted-by-default storage. Where applicable law (GDPR, CCPA, PIPEDA, UK GDPR, LGPD, APPI, or state equivalents) gives you more rights, those apply — we don't use geography to shrink what you're owed.

§02

What We Collect

Information you give us directly

  • Identity & contact: name, email, organization, phone (optional).
  • Professional credentials: license number, state or jurisdiction, profession, issuing board, expiration date.
  • Documents: the files you upload for sealing. Document bodies are stored on cloud-storage infrastructure that provides encryption-at-rest; document bodies are not application-layer encrypted by Credo.
  • Billing information: processed by Stripe. We never see your full card number.
  • Government ID (for identity verification only): see § Identity Verification Privacy.

Information we collect automatically

  • Device & session: user agent, IP address, device type, OS, language preference.
  • Usage data: pages viewed, features used, error events — for reliability and fraud detection.
  • Audit trail: every sealing event is hash-chained for tamper-evidence.

Information from third parties

  • State licensing boards: we query public license databases to verify credentials.
  • Payment processor: Stripe returns subscription and payment status.
§03

How We Use It

  • Provide the service: seal, verify, store, and share documents you create.
  • Verify credentials: confirm that a license number is valid and belongs to you.
  • Security & fraud prevention: detect account takeovers, block abuse, maintain audit logs.
  • Communicate: transactional email (receipts, seal confirmations, security alerts), and — only if you opt in — product announcements.
  • Comply with law: respond to valid legal process, maintain records required by professional licensing regulations.
  • Improve the product: aggregated, de-identified analytics on feature usage and error rates.

We don't use your documents or credentials to train machine learning models. AI features (document classification, OCR, summary assist) run on data you've explicitly opted into, and are processed in isolated compute environments.

§04

Retention

§05

Data Sharing

We share with:

  • Cloud infrastructure: Fly.io (app hosting), managed PostgreSQL, Cloudflare (CDN, DNS, DDoS).
  • Email delivery: Resend for transactional email.
  • Payment processing: Stripe.
  • Analytics: Privacy-preserving analytics for understanding feature usage.
  • Legal compliance: courts, regulators, or licensing boards only when a valid legal process compels it — and, where law permits, we notify you.

Public by design: verification codes and sealed-document integrity metadata (hash, seal holder's public name, license state) are publicly verifiable by design. This is the point of the product — anyone should be able to verify authenticity.

§06

Security

  • Encryption at rest: Field-level AES-256-GCM for credentials, MFA secrets, SSO tokens, and signing-key material.
  • Encryption in transit: TLS 1.3 everywhere; HSTS enabled.
  • Credential signing: RSA-4096 signatures on credential manifests.
  • Authentication: Bcrypt password hashing; MFA via TOTP authenticator apps.
  • Audit integrity: seal events are hash-chained; tampering is cryptographically detectable.
  • Vulnerability disclosure: [email protected].
§07

Your Rights

  • Access: contact [email protected] to request your data export.
  • Correct: update any inaccurate personal information in Account Settings.
  • Delete: remove your account and all personal data (legal retention exceptions apply for sealed records).
  • Portability: export in JSON.
  • Object: opt out of any non-transactional processing.
  • Automated decisions: we don't make legally significant decisions about you via automation alone.
  • Regulatory complaint: file with your supervisory authority (e.g., your state AG, the ICO, your DPA) at any time.
§08

Children's Data

Our platform requires a valid professional license, which is only issued to adults. If we discover we've collected information from someone under 18, we'll delete it. If you're a parent and believe your child has provided us information, contact [email protected].

§09

Changes

Past versions are available on request. Contact [email protected].

§11

Contact

Privacy team
[email protected]

We aim to respond within 30 days where applicable under GDPR/CCPA.