Sealway
English
Join the waitlist
Open menu

Privacy policy

Ondarea Holding SAS, operating the Sealway brand, places particular importance on the protection of its users’ personal data. This policy describes the processing of personal data carried out within the sealway.app website and the Sealway application services.

1. Data controller

The data controller is:

  • Ondarea Holding SAS
  • Société par actions simplifiée
  • 5 lotissement Séguéla
  • 31190 Miremont
  • France

Personal data contact email: [email protected]

2. Services covered

This policy applies to:

  • the public sealway.app website;
  • contact, waitlist or early access forms;
  • the Sealway application services for creating, retaining, managing and verifying digital evidence;
  • communications with Ondarea Holding SAS in connection with the use of Sealway.

3. Personal data collected

Depending on your use of Sealway, we may process the following categories of data.

Identification and account data:

  • last name;
  • first name;
  • email address;
  • organisation or company, where applicable;
  • user role or profile;
  • internal account identifiers;
  • language preferences.

Data related to the waitlist or early access:

  • email address;
  • declared profile;
  • main intended use;
  • language;
  • registration date;
  • invitation or access status.

Data related to digital evidence:

  • cryptographic file fingerprints;
  • technical evidence metadata;
  • timestamp tokens;
  • blockchain anchoring elements;
  • creation and processing dates;
  • evidence type;
  • processing status;
  • information needed to generate the evidence file.

Data related to files and content:

  • files transmitted to create evidence;
  • photos, videos, documents, audio files or attachments;
  • file names;
  • file sizes;
  • technical information needed for processing.

Files are received by Sealway in order to create evidence. Upon receipt, Sealway computes the content fingerprint, encrypts the data before storage and retains the files according to the duration applicable to the chosen offer.

Data related to certified emails:

  • Message-ID;
  • sender;
  • visible recipients;
  • subject;
  • date of receipt by Sealway;
  • message body;
  • attachments;
  • technical headers necessary for the evidence.

Sealway receives the email when it is added in blind copy at sending. The evidence is created from the elements actually received by Sealway.

Billing and payment data:

  • billing information;
  • order history;
  • invoiced amounts;
  • payment status;
  • transaction references;
  • information needed for accounting and tax obligations.

Full banking data is processed by the payment provider. Sealway does not store full credit card numbers.

Technical and log data:

  • IP address;
  • device type;
  • operating system;
  • browser;
  • technical identifiers;
  • connection dates and times;
  • security logs;
  • usage logs;
  • application events necessary for the operation and security of the service.

Support and communication data:

  • messages sent to support;
  • request content;
  • any items transmitted;
  • history of exchanges.

4. Sensitive data

Sealway is not intended to collect special categories of data within the meaning of the GDPR, such as health data, political opinions, religious beliefs or biometric data.

However, users may transmit to Sealway files, emails or documents containing such information when creating evidence.

In that case, this data is processed solely to provide the requested service, create the evidence file, ensure the security of processing and comply with applicable obligations.

It is the user’s responsibility to ensure they have the rights and authorisations necessary to transmit the relevant content to Sealway.

5. Purposes of processing

Data is processed for the following purposes:

Service provision:

  • creation of digital evidence;
  • computation of cryptographic fingerprints;
  • generation of evidence files;
  • qualified eIDAS timestamping;
  • blockchain anchoring;
  • temporary or extended retention depending on the offer;
  • integrity verification.

Account management:

  • creation and administration of accounts;
  • authentication;
  • organisation management;
  • access rights management;
  • monitoring of service use.

Certified emails management:

  • receipt of emails sent to Sealway in blind copy;
  • processing of headers, body and attachments;
  • creation of an evidence file associated with the received email.

Security and fraud prevention:

  • technical monitoring;
  • abuse detection;
  • protection against unauthorised access;
  • security logging;
  • prevention of fraudulent or unlawful uses.

Billing and legal obligations:

  • order management;
  • payment processing;
  • issuance and retention of invoices;
  • compliance with accounting, tax and legal obligations.

Support and user relations:

  • response to requests;
  • technical assistance;
  • complaint handling;
  • follow-up of exchanges.

Service improvement:

  • analysis of product use;
  • error correction;
  • improvement of user experience;
  • audience measurement of the public website.

Communication:

  • waitlist management;
  • sending information about the launch;
  • information related to the service;
  • communications strictly necessary for the use of Sealway.

6. Legal bases

Processing relies, depending on the case, on the following legal bases:

Performance of the contract or pre-contractual measures:

  • creation and management of the account;
  • provision of the Sealway service;
  • creation and retention of evidence;
  • processing of emails sent to Sealway;
  • user support;
  • early access management.

Legal obligation:

  • accounting and tax obligations;
  • retention of certain invoices;
  • response to legally founded requests from competent authorities.

Legitimate interest:

  • service security;
  • fraud prevention;
  • product improvement;
  • non-intrusive audience measurement;
  • management of activity records and technical logs;
  • defence of Ondarea Holding SAS’s rights in the event of a dispute.

Consent:

  • subscription to certain non-strictly-necessary communications;
  • placing of cookies or trackers subject to consent, where applicable;
  • certain optional processing where consent is required.

7. Encryption and data security

Sealway implements technical and organisational measures intended to protect the data processed.

Files transmitted to Sealway are encrypted before storage. Sensitive metadata associated with evidence may also be encrypted in the database, in particular email recipients, subject, file names or certain information related to attachments.

The master keys used to protect the data are separated per organisation and stored in a key management service operated by Scaleway, a French cloud provider. These keys are not stored in the Sealway database or application storage.

Sealway teams have no direct access to sensitive content and metadata in clear text, except where strictly necessary as part of operations provided for by the service, with associated access controls.

As no architecture can be presented as inviolable, Sealway applies a combination of encryption, key isolation, access control, logging, European hosting and limited retention durations to reduce risks.

8. Retention durations

Data is retained for a duration proportionate to the purposes for which it is processed.

Account data:

Account data is retained for the duration of the contractual relationship, then deleted or archived according to applicable legal obligations.

Waitlist and early access:

Data collected for the waitlist is retained until the public launch of the service or until you request its deletion. It may be retained longer if you subsequently create a Sealway account.

Original files used to create evidence:

With the free tier, the original file is retained temporarily for 7 days, then deleted.

With a paid offer or storage subscription, the retention duration depends on the chosen offer.

Certificates and evidence files:

The evidence certificate and metadata necessary for the evidence are retained for the duration of the account, then for 1 year after account deletion, unless a legal obligation or legitimate request justifies longer retention.

Invoices and accounting data:

Data necessary for accounting and tax obligations is retained for the applicable legal durations.

Technical and security logs:

Logs are retained for a limited duration, proportionate to security, diagnostics, fraud prevention and rights defence needs.

Support requests:

Exchanges with support are retained for the duration necessary to handle the request, then archived for a proportionate duration where follow-up or dispute may be needed.

9. Data recipients

Data may be accessible, within the limits of their respective duties, to the following categories of recipients:

  • authorised teams of Ondarea Holding SAS;
  • hosting providers;
  • storage providers;
  • security providers;
  • key management providers;
  • payment providers;
  • qualified trust service providers under the eIDAS Regulation;
  • audience measurement providers;
  • support or communication providers;
  • administrative or judicial authorities where required by law.

Main subprocessors may include in particular:

  • Cloudflare, for hosting the static public website and certain security or distribution services;
  • Scaleway, for hosting the application infrastructure, storage and key management;
  • Stripe, for payment processing;
  • a qualified trust service provider for eIDAS timestamping.

The detailed list of subprocessors may be communicated upon request or specified in a dedicated page when the service is opened publicly.

10. Transfers outside the European Union

Sealway prioritises hosting and processing data within the European Union.

The static public website is hosted by Cloudflare Pages. Some services provided by international providers, notably Cloudflare or Stripe, may involve transfers or access from countries outside the European Union.

Where such transfers exist, they are framed by appropriate safeguards in accordance with the GDPR, such as an adequacy decision, standard contractual clauses or any other mechanism recognised by applicable regulations.

No transfer outside the EU is carried out without a legal basis or appropriate safeguard.

11. Cookies and audience measurement

The public sealway.app website uses Cloudflare Web Analytics for audience measurement. This service is designed to operate without setting cookies and without individual user tracking.

When payment services are offered, strictly necessary cookies or trackers may be set by the payment provider in order to enable secure transaction processing.

If other cookies or trackers subject to consent are used in the future, a consent collection mechanism will be put in place.

12. Your rights

In accordance with the GDPR, you have the following rights:

  • right of access;
  • right of rectification;
  • right of erasure;
  • right to restriction of processing;
  • right to object;
  • right to portability;
  • right to withdraw your consent where processing is based on consent;
  • right to define directives concerning the fate of your data after your death, where this right is applicable.

To exercise your rights, you can contact us:

By email:

[email protected]

By mail:

  • Ondarea Holding SAS
  • 5 lotissement Séguéla
  • 31190 Miremont
  • France

We may ask you for additional information to confirm your identity where necessary. You also have the right to lodge a complaint with the French Data Protection Authority, the CNIL.

13. Third-party data contained in your files or emails

When you transmit to Sealway a file, email or attachment containing personal data relating to third parties, you remain responsible for ensuring that you have a legal basis or sufficient authorisation to transmit this data to Sealway.

Sealway processes this data solely to provide the requested service, in particular to create, retain and verify digital evidence.

14. Minors

Sealway is not intended for children who are minors and not authorised by their legal representative.

If we learn that an account has been created by a minor without the required authorisation, we may take the necessary measures, including account deletion.

15. Automated decisions

Sealway does not implement automated decisions producing legal effects concerning you or significantly affecting you within the meaning of the GDPR.

16. Modification of the policy

Ondarea Holding SAS may amend this privacy policy to take account of changes to the service, regulations or its data processing.

The applicable version is the one published on the sealway.app website at the date of consultation. In the event of significant changes, users may be informed by an appropriate means.