Decot Privacy Policy

Last Updated: February 27, 2026

Important Note: Not Legal Advice

This Privacy Policy explains how Decot handles data and is provided for informational purposes. It is not a substitute for obtaining legal advice from your own counsel regarding your specific circumstances and obligations.

1. Introduction: Our Commitment to Your Privacy

Welcome to Decot! Decot ("we," "us," "our") provides a privacy-preserving Contract Lifecycle Management (CLM) platform (the "Service"). Our core mission involves enabling secure and verifiable contract management by anchoring cryptographic hashes of contract events to the Sui blockchain, while ensuring the actual content of your documents remains encrypted and under your control.

Protecting your privacy is fundamental to how we design and operate our Service. This Privacy Policy ("Policy") explains what Personal Data we collect, how and why we use it, with whom we might share it, and the rights and choices you have regarding your information.

By using our Service, you agree to the collection and use of information in accordance with this Policy.

2. Scope & Key Definitions

This Policy applies to Personal Data processed when you interact with or use the Decot Service, which includes:

  • Our web application (e.g., app.decot.io)
  • Our Application Programming Interfaces (APIs) and Software Development Kits (SDKs)
  • The Decot custom ZK login onboarding flow (including supported identity-provider authentication)
  • Any related websites, support channels, and services offered by Decot.

Key terms used in this Policy:

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (e.g., EU GDPR, CCPA).
  • On-Chain Data: Data that is publicly recorded on the Sui blockchain, such as transaction IDs, wallet addresses, and cryptographic hashes.
  • Off-Chain Data: Data stored outside the blockchain, such as the encrypted content of your documents.
  • zkLogin (Zero-Knowledge Login): A feature of the Sui network allowing users to authenticate using existing web credentials (e.g., Google, Microsoft, Apple accounts) to control a Sui address without directly revealing those credentials on-chain or to Decot.
  • Controller: The entity that determines the purposes and means of processing Personal Data.
  • Processor: The entity that processes Personal Data on behalf of a Controller.

3. Information We Collect

We collect information in different ways to provide and improve our Service:

3.1. Information You Provide Directly

  • Account Information: When you register for a Decot account, we collect your email address (primarily for notifications, account recovery, and communication), your chosen display name, and if applicable, your organization's name. If you sign up with email and password, we store a hashed version of your password.
  • Wallet & Blockchain Identifiers: Your Sui public wallet address is necessary to interact with the Service. This may be an address you connect directly or one derived via zkLogin.
  • Contract Metadata You Input: Information you provide when creating or managing contracts, such as document titles, names of involved parties, key dates, and custom tags.
    Important Note on Metadata: While contract *content* is encrypted, metadata you enter (like titles or party names) might be recorded on-chain if it's part of the transaction data. Be mindful of including sensitive Personal Data in these metadata fields if you wish to maintain its off-chain privacy.
  • Communications: If you contact us for support or other inquiries, we collect the information you provide in those communications (e.g., email content, chat logs).

3.2. Information We Collect Automatically

  • Usage and Log Data: We collect information about your interactions with our Service, such as IP addresses (which may be truncated or anonymized where feasible), browser type, device type, operating system, referring URLs, pages viewed, access times, clickstream data, and error logs. This helps us with security, service improvement, and analytics.
  • On-Chain Transaction Data: When you perform actions that interact with the Sui blockchain (e.g., anchoring a document hash, recording a signature), the transaction ID, your wallet address, the hash of the (encrypted) document, and event timestamps are publicly recorded on the Sui ledger. Decot systems read this public data to reflect contract status and history in your dashboard.
  • Cookies and Similar Technologies: We use cookies (small text files stored on your device) and similar technologies (e.g., local storage, web beacons) to operate the Service, such as keeping you signed in, remembering your preferences, and for security purposes. We also use cookies for analytics to understand how our Service is used. Please see our Cookies & Analytics section (Section 11) for more details and your choices.

3.3. Information Processed on Your Behalf (Decot as a Data Processor)

  • Encrypted Document Content: When you upload documents to Decot for management and signing, the content of these documents is client-side encrypted (in your browser) before being transmitted for storage. Decot acts as a data processor for this encrypted content.
  • What Decot Doesn't Do: By design, Decot personnel and systems cannot access or read the unencrypted content of your documents stored through our Service, as we do not hold the primary decryption keys. These are managed by you and the participants you authorize, typically through your wallets.

3.4. Information from Third-Party Services (e.g., zkLogin Providers)

  • zkLogin Authentication: If you choose to sign up or log in using Decot custom ZK login (e.g., with your Google, Microsoft, or Apple account), we receive an authentication proof and your derived Sui address from the identity provider flow.
  • What Decot Doesn't Do: We do not receive or store your password for your Google, Microsoft, Apple, or other social accounts. The zkLogin process is designed to provide us with cryptographic proof of your control over an account without sharing your sensitive third-party credentials with us.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • To Provide and Maintain the Service: To operate our platform, authenticate users, enable contract creation, facilitate sharing and signing workflows, display contract status, and manage your account.
  • To Secure the Service: To monitor for and prevent fraudulent activity, security incidents, and abuse; to enforce our terms and policies.
  • To Improve the Service: To understand how users interact with Decot, gather feedback, conduct research, and develop new features and functionalities. Analytics are typically performed on aggregated and/or anonymized data.
  • To Communicate With You: To send transactional emails (e.g., signature requests, status updates, security alerts, account notifications), respond to your support requests, and provide other information related to your use of the Service.
  • For Legal Compliance and Safety: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests; to protect the rights, property, or safety of Decot, our users, or the public as required or permitted by law.
  • On-Chain Record Keeping: To facilitate the recording of immutable audit trails (document hashes, metadata you designate for on-chain recording, signer actions, and timestamps) on the Sui blockchain, which is a core feature of the Service.

5. Our Roles as Data Controller and Processor

Under data protection laws like the GDPR, it's important to distinguish our roles:

  • Decot as Data Controller: We act as a data controller for the Personal Data we collect directly from you to manage your account, provide general access to our Service, process your payments (if any), and for our own analytics and service improvement purposes (e.g., your account information, usage data).
  • Decot as Data Processor: When you upload documents and use our Service to manage and process contracts (including their encrypted content and any Personal Data contained within those encrypted documents), Decot acts as a data processor. We process this data on your behalf and in accordance with your instructions (e.g., when you share a document for signature). You, or your organization, are the data controller for the content of the documents you manage via Decot.

7. Information Sharing and Disclosure

Decot does not sell your Personal Data. We may share your information in the following limited circumstances:

  • With Other Users You Authorize: When you use the Service to share contracts or collaborate with other users (e.g., counterparties, internal approvers), they will receive access to the relevant (encrypted) documents and associated metadata based on the permissions you grant.
  • Public Blockchain (Sui): Certain information is inherently public when recorded on the Sui blockchain. This includes your public Sui wallet address(es) involved in transactions, transaction IDs, and any data you explicitly include in on-chain metadata (like contract titles or party names if you choose to make them part of the on-chain record).
    Reminder: The actual content of your documents remains client-side encrypted and is *not* publicly visible on the blockchain.
  • Service Providers (Sub-processors): We engage trusted third-party service providers to perform functions and provide services to us, such as cloud hosting (e.g., AWS, Arweave for off-chain encrypted storage), email delivery services, analytics providers, payment processors, and customer support tools. We share your Personal Data with these providers only to the extent necessary for them to perform these services on our behalf, and they are bound by contractual obligations to protect your Personal Data and process it only in accordance with our instructions. A list of our key sub-processors can be made available upon request.
  • Legal Requirements and Safety: We may disclose your Personal Data if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation, applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect against harm to the rights, property, or safety of Decot, our users, or the public as required or permitted by law.
  • Business Transfers: If Decot is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Data may be sold or transferred as part of such a transaction as permitted by law and/or contract. We will notify you of any such deal and outline your choices in that event.
  • With Your Consent: We may share your Personal Data for other purposes if we have your explicit consent to do so.

8. International Data Transfers

Your Personal Data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.

Specifically, our servers and some of our service providers may be located in various countries around the world. When we transfer Personal Data outside of the EEA, UK, or Switzerland, we take steps to ensure that your information receives an adequate level of protection where it is processed, including by relying on mechanisms such as Standard Contractual Clauses (SCCs) as approved by the European Commission or other appropriate legal mechanisms.

9. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.

  • On-Chain Data: Information recorded on the Sui blockchain (such as transaction IDs, document hashes, and wallet addresses associated with transactions) is immutable and permanent by the nature of blockchain technology. Decot cannot delete this data.
  • Off-Chain Encrypted Documents: The encrypted content of your documents stored off-chain is retained as long as your account is active or as per your instructions. You typically have the ability to delete these encrypted documents from Decot's managed off-chain storage through the Service. Deleting the off-chain encrypted document makes its content inaccessible, even though its hash may remain on-chain.
  • Account Information: We retain your account information for as long as your account is active and for a reasonable period thereafter in case you decide to re-activate the Service, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
  • Usage and Log Data: This data is generally retained for a limited period necessary for security analysis, service improvement, and troubleshooting, after which it is typically aggregated or anonymized.

10. Security of Your Information

Decot takes the security of your data very seriously. We implement and maintain appropriate technical, physical, and administrative security measures designed to protect your Personal Data from unauthorized access, use, disclosure, alteration, or destruction. These measures include:

  • Client-Side Encryption: As emphasized, document content is encrypted (AES-256) in your browser before upload.
  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS).
  • Secure Storage: Encrypted documents are stored with reputable cloud and decentralized storage providers who employ their own robust security measures.
  • Access Controls: We implement strict access controls within our systems, based on the principle of least privilege, to limit access to Personal Data to authorized personnel only.
  • Smart Contract Audits: Our on-chain smart contracts undergo regular security audits by independent third parties. Audit reports are often made available in our Trust & Compliance section.
  • Incident Response: We have procedures in place to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your Responsibility in Security: While we strive to protect your Personal Data, no security system is impenetrable. You are responsible for maintaining the security of your account credentials (password, if applicable), your wallet's private keys or recovery phrases, and the security of the social accounts used for zkLogin. Be vigilant against phishing attempts and use strong, unique passwords.

11. Cookies & Similar Technologies

We use cookies and similar tracking technologies (like web beacons or local storage) to provide and improve our Service.

  • Essential Cookies: These are strictly necessary for the Service to function (e.g., to maintain your login session, ensure security, remember your cookie consent preferences). They cannot be switched off in our systems.
  • Performance and Analytics Cookies: These cookies allow us to count visits and traffic sources, understand how users navigate our Service, and identify areas for improvement. The information collected is typically aggregated and anonymized.
  • Functional Cookies: These cookies enable enhanced functionality and personalization, such as remembering your preferences or settings. They may be set by us or by third-party providers whose services we have integrated.

You can typically manage your cookie preferences through a cookie consent banner presented when you first visit our site, or at any time through your browser settings. Please note that disabling certain essential cookies may affect the functionality and availability of the Service.

12. Your Privacy Rights

Depending on your location and applicable data protection laws (such as GDPR for EEA/UK residents or CCPA for California residents), you may have certain rights regarding your Personal Data. These rights may include:

  • The right to access: You can request copies of your Personal Data that we hold.
  • The right to rectification: You can request that we correct any inaccurate Personal Data or complete any incomplete Personal Data.
  • The right to erasure (or "right to be forgotten"): You can request that we delete your Personal Data, under certain conditions. For off-chain encrypted documents, you can typically initiate deletion through the Service. On-chain data is immutable.
  • The right to restrict processing: You can request that we restrict the processing of your Personal Data, under certain conditions.
  • The right to object to processing: You can object to our processing of your Personal Data, under certain conditions, particularly where we rely on legitimate interests as our legal basis.
  • The right to data portability: You can request that we transfer the Personal Data that we have collected about you to another organization, or directly to you, under certain conditions.
  • The right to withdraw consent: If we are processing your Personal Data based on your consent (e.g., for certain cookies or marketing communications), you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • The right to lodge a complaint: You have the right to lodge a complaint with a relevant data protection supervisory authority if you believe that our processing of your Personal Data infringes applicable data protection laws.

To exercise any of these rights, please contact us using the details provided in the "Contact Us" section (Section 15). We will respond to your request within the time limits prescribed by applicable law. We may need to verify your identity before processing your request to ensure the security of your Personal Data.

13. Children's Privacy

Our Service is not directed to individuals under the age of 16 (or a higher age threshold where applicable under local law, such as 18 in some jurisdictions for financial or contractual services). We do not knowingly collect Personal Data from children. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us immediately. If we become aware that we have collected Personal Data from a child without verification of parental consent, we will take steps to remove that information from our systems.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Policy. If the changes are material, we will provide a more prominent notice, such as by posting a notification on our Service or sending you an email (if we have your email address and you have not opted out of such communications). We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Privacy Policy will constitute your acceptance of such changes.

15. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us at:

Email: [email protected]

Mailing Address: DECOT DLT SERVICES DMCC
Unit No: UT-12-CO-56
DMCC Business Centre
Dubai

We will endeavor to address your inquiry promptly and efficiently.