HydroSig OÜ – Privacy Notice
(v. 2025-08-05 — draft for legal review; replace bracketed text [ ] with your company specifics before publishing)
1. Who We Are
HydroSig OÜ (“HydroSig”, “we”, “us”) operates a SaaS platform that scans digital images for AI-watermark compliance and issues cryptographically signed receipts.
- Controller: HydroSig OÜ, reg. no. [ ], Harju maakond, Tallinn, Estonia.
- Data-Protection Officer (DPO): dpo@hydrosig.ai
2. Scope
This Notice explains how we collect, use, disclose and protect Personal Data when:
- you visit hydrosig.ai or any sub-domain (“Site”),
- you create an account or receive an API key,
- you submit images or other assets to our /scan endpoint (“Service”), or
- we otherwise interact with you (support, marketing, events).
It does not cover third-party sites or services that integrate with HydroSig.
3. Personal Data We Process
| Context | Categories | Source | Mandatory? |
|---|---|---|---|
| Account & Billing | Name, work email, job title, company, address, VAT ID, billing contact, payment tokens (handled by Stripe) | You | Yes |
| Service Logs | IP address, API key ID, timestamp, endpoint, request size, HTTP headers | Automatic | Yes (for security) |
| Scan Payloads | Images / video frames, optional metadata you send | You | Yes (to fulfil the contract) |
| Receipts | Hash of content, verdict, timestamp, account ID, cryptographic signature | Generated by us | Yes |
| Marketing | Newsletter opt-in e-mail, events info, cookies / analytics IDs | You, cookies | No |
We do not knowingly collect data about children under 16 or sensitive personal data (GDPR Art 9) unless it is inherent in an image you upload; in that case you remain responsible for having a lawful basis to provide it.
4. Purposes & Legal Bases
| Purpose | Legal Basis (GDPR) | Examples |
|---|---|---|
| Provide, secure & maintain the Service | Art 6 (1)(b) – contract performance | Process scans, return verdicts, log access, store receipts |
| Billing & account management | Art 6 (1)(b) and (c) – contract & legal obligation | Issue invoices, process payments, keep tax records |
| Improve models & detectors (non-personal) | Art 6 (1)(f) – legitimate interest | Aggregate failure cases, retrain watermark models |
| Marketing & product updates | Art 6 (1)(a) – consent or (f) – legitimate interest (B2B soft opt-in) | Send newsletters, webinar invites |
| Compliance with law & litigation | Art 6 (1)(c) – legal obligation | Respond to lawful requests, enforce terms |
When we rely on legitimate interest we have balanced it against your rights and determined our interest (e.g., service security) is not overridden.
5. Retention
- Scan Payloads: deleted automatically ≤30 days after processing, unless you enable “extended debug” (90 days).
- Receipts & metadata: kept 6 years by default to meet regulatory evidence requirements.
- Account & billing records: 7 years (Estonian accounting rules).
- Marketing contacts: until you unsubscribe or after 18 months of inactivity.
We anonymise or securely delete data once retention expires.
6. Disclosures & International Transfers
| Recipient | Role | Safeguard |
|---|---|---|
| Microsoft Azure (EU West, backup in EU North) | Infrastructure hosting & blob storage | EU SCCs & DPA |
| Stripe Payments Europe | Payment processing | PCI-DSS; EU SCCs |
| Postmark / SendGrid | Transactional e-mail | EU SCCs |
| Sentry | Error monitoring (truncated log data, no images) | EU SCCs |
We never sell or rent your Personal Data. International transfers outside the EEA/UK rely on:
- Adequacy decisions (e.g., UK), or
- Standard Contractual Clauses (SCCs) + additional measures (encryption in transit & at rest, RLS in Postgres).
Law-enforcement requests are reviewed case-by-case; we resist overly broad demands and notify you where legally allowed.
7. Security
- End-to-end TLS 1.3 with HSTS
- All payloads encrypted at rest using AES-256
- Role-based access, just-in-time credentials, zero plaintext secrets
- SOC 2 Type II controls in progress; ISO 27001 roadmap Q1 2026
- Quarterly penetration tests & 24×7 monitoring
If we discover a breach that affects you, we’ll notify your account owner without undue delay and report to regulators within 72 hours where required.
8. Your Rights (EEA/UK)
| Right | What it means | How to exercise |
|---|---|---|
| Access | Obtain a copy of Personal Data we hold | Email privacy@hydrosig.ai |
| Rectification | Correct inaccurate data | Dashboard or e-mail |
| Erasure | “Right to be forgotten” | Limitations apply for Receipts retained to meet legal duties |
| Restriction | Pause processing in limited cases | E-mail request |
| Portability | Structured, machine-readable export | Dashboard or e-mail |
| Objection | Object to processing based on legitimate interests | Opt-out link or e-mail |
| Complaint | Lodge with Supervisory Authority | Estonian DPA: www.aki.ee |
For CCPA/CPRA residents we honour Access / Deletion / Correction / Opt-out of “sharing” requests via the same channel.
9. Cookies & Similar Tech
We use minimal first-party cookies for session management and Plausible Analytics (self-hosted EU instance, no PII, no cross-site tracking). You can disable cookies in browser settings but the dashboard may not function.
10. Automated Decision-Making
HydroSig’s model returns a “Compliant / Non-compliant” verdict automatically.
We do not make legal or significant decisions about individuals; verdicts are used by your organisation, not HydroSig, to take action. You may contact us for human review of a detection outcome.
11. Changes to This Notice
We may update this Privacy Notice (e.g., to reflect new laws or features). We will post the revised version with a new “Last Updated” date and, if changes are material, notify account owners 30 days beforehand.
12. Contact
Questions, requests or concerns:
HydroSig OÜ – Privacy Team
[Street address]
10111 Tallinn, Estonia
privacy@hydrosig.ai | +372 [ ]
If you believe we have not handled your data properly, you may lodge a complaint with your local Data-Protection Authority.
By using HydroSig, you acknowledge that you have read and understood this Privacy Notice.