⚖️ Legal Framework & Privacy

Last updated: December 2025 — V6.3

🇪🇺 eIDAS Compliant

⛓️ Blockchain Anchored

✍️ PAdES Signed

🌍 International Ready

📋 What SBIX Certify Proves

✅ We DO prove

Existence — The data existed at a specific point in time
Integrity — The data has not been modified since certification
Timestamp — The exact date and time of certification (RFC-3161)
Authenticity — The certificate was issued by SBIX Certify™

❌ We do NOT prove

Authorship — Who created the content
Ownership — Who owns the intellectual property
Accuracy — Whether the content is true or correct
Consent — Any contractual agreement

This distinction is crucial for legal proceedings. Our certificates are evidence of existence, not declarations of rights. Additional documentation may be required to establish ownership or authorship.

🔐 Technical Standards

SBIX Certify follows internationally recognized standards:

Standard	Description	Recognition
SHA-256	Cryptographic hashing (FIPS 180-4)	NIST, ISO, worldwide
RFC-3161	Trusted timestamping protocol	IETF, ETSI, courts worldwide
eIDAS	EU Regulation 910/2014 — Qualified timestamps	27 EU member states
PAdES-B	PDF digital signatures (ETSI EN 319 142-1)	Adobe, ISO 32000
Merkle Tree	Hash tree structure (RFC 6962)	Blockchain, Git, CT Logs
Ed25519	Digital signature algorithm	IETF, OpenSSH, Signal

🇪🇺 eIDAS Qualified Timestamps

🇪🇺

EU Regulation 910/2014

Electronic Identification and Trust Services

Our Pro+ Legal plan includes eIDAS Qualified Timestamps from a Qualified Trust Service Provider (QTSP) on the EU Trusted List.

Article 41 — Legal Effect

"A qualified electronic time stamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound."

🏛️

Legal Presumption

Courts must accept the timestamp as accurate unless proven otherwise

🌍

Cross-Border Recognition

Automatically valid in all 27 EU member states

📜

Non-Repudiation

Cannot be denied by the party who created the document

🌍 International Recognition

Our certificates can serve as supporting evidence in common law jurisdictions:

🇪🇺 European Union

Full legal framework under eIDAS. Qualified timestamps enjoy legal presumption of accuracy.

eIDAS Qualified

🇬🇧 United Kingdom

Post-Brexit UK retained eIDAS-equivalent rules. Accepted under Civil Evidence Act 1995.

Common Law

🇺🇸 United States

Admissible under Federal Rules of Evidence (Rule 901). Courts accept blockchain evidence in IP disputes.

Federal Rules

🇨🇦 Canada

Governed by Canada Evidence Act. Increasingly accepted in IP and commercial disputes.

Common Law

🇦🇺 Australia

Electronic Transactions Act 1999. Blockchain evidence cited in patent disputes.

Common Law

🌐 WIPO / International IP

Valuable for patent priority claims and prior art documentation worldwide.

IP Documentation

⚠️ Disclaimer: Evidentiary weight depends on the specific court, jurisdiction, and circumstances. We recommend consulting with local legal counsel for jurisdiction-specific advice. Final assessment remains at the discretion of competent courts.

✍️ PAdES Digital Signature

Every SBIX Certify certificate is digitally signed using PAdES-B (PDF Advanced Electronic Signature), ensuring:

✅ Authenticity — Certificate issued by SBIX Certify™ / GLABTECH SARL
✅ Integrity — PDF has not been modified since signing
✅ Verifiable — Check signature in any PDF reader (Adobe, Foxit, etc.)
✅ Tamper-evident — Any modification invalidates the signature

Standard: ETSI EN 319 142-1 (PAdES Baseline B-Level)

🏢 Certificate Issuer

Issuer	GLABTECH SARL
Product	SBIX Certify™ v6.3
Location	St-Barthélemy, FR (EU jurisdiction)
Infrastructure	EU-based, ASN 30077
Contact	legal@sbix.io

🔍 Independent Verification

All SBIX Certify proofs can be verified independently, without trusting us:

📄 PDF Signature

Open in Adobe Reader → Signature Panel → "Signature is valid"

⛓️ Tezos Blockchain

Search transaction hash on tzkt.io

🌐 Aleph Network

Search message hash on explorer.aleph.im

⏱️ TSA Timestamp

Verify .tsr file with OpenSSL or any RFC-3161 tool

🔐 File Hash

Recalculate SHA-256 of your file and compare

🌳 Merkle Root

Recompute from leaves using standard algorithm

Even if SBIX disappears, your certificates remain verifiable forever on the blockchain.

🔑 Key Points

📄

Files Never Stored

Your documents are processed in memory and immediately discarded. Only the hash is kept.

🔐

Hash Only

We store only the SHA-256 hash — a 64-character string that cannot reveal your file contents.

🚫

No Tracking

No analytics, no advertising trackers, no third-party cookies. Your privacy is respected.

🗑️

Right to Erasure

Request deletion of your account and associated data at any time.

1. Data Controller

The data controller for SBIX Certify is:

GLABTECH SARL
St-Barthélemy, FR
ASN 30077
Email: privacy@sbix.io

2. Data We Collect

Data Type	Purpose	Retention
Email address	Account creation, notifications	Until account deletion
Password (hashed)	Authentication	Until account deletion
File hash (SHA-256)	Certificate generation	Permanent (blockchain)
Filename	Certificate display	Until certificate deletion
Client Reference	Certificate identification	Until certificate deletion
Requester Identity (optional)	Certificate attribution	Until certificate deletion
Timestamp	Proof of existence	Permanent
IP address	Security, rate limiting	7 days (logs)

3. Data We Do NOT Collect

❌ Your actual files or documents
❌ File contents in any form
❌ Browsing history
❌ Device fingerprints
❌ Third-party tracking data
❌ Marketing profiles

        Important: Your files are processed entirely in memory and are never written to disk or transmitted to any storage system.
      

4. How We Use Your Data

✅ Generate cryptographic certificates
✅ Anchor proofs on blockchain
✅ Send email notifications (optional)
✅ Process payments (via Stripe)
✅ Provide customer support
✅ Prevent fraud and abuse

5. Legal Basis (GDPR Art. 6)

Processing	Legal Basis
Account creation	Contract performance (Art. 6.1.b)
Certificate generation	Contract performance (Art. 6.1.b)
Email notifications	Consent (Art. 6.1.a)
Security logging	Legitimate interest (Art. 6.1.f)
Payment processing	Contract performance (Art. 6.1.b)

6. Your Rights (GDPR)

Under GDPR, you have the following rights:

📋 Right of Access

Request a copy of all data we hold about you.

✏️ Right to Rectification

Correct any inaccurate personal data.

🗑️ Right to Erasure

Request deletion of your personal data.

⏸️ Right to Restrict

Limit how we process your data.

📦 Right to Portability

Receive your data in a portable format.

🚫 Right to Object

Object to certain types of processing.

To exercise any of these rights, contact us at privacy@sbix.io. We will respond within 30 days.

7. Data Retention

Account data: Retained until you delete your account
Certificates: Permanent (blockchain is immutable)
Server logs: 7 days
Payment records: 7 years (legal requirement)

        Note: Blockchain anchors are permanent and cannot be deleted due to the immutable nature of blockchain technology.
      

8. Cookies

We use only essential cookies:

Cookie	Purpose	Duration
`session`	Authentication	Session
`sbix_theme`	Theme preference	1 year
`sbix_lang`	Language preference	1 year

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

9. Third Parties

Service	Purpose	Data Shared
Stripe	Payment processing	Email, payment info
Tezos Network	Blockchain anchoring	Hash only (public)
Aleph Cloud	Decentralized storage	Hash only (public)
QTSP (Pro+)	eIDAS Timestamp	Hash only

10. Security Measures

✅ TLS 1.3 encryption in transit
✅ Passwords hashed with bcrypt
✅ Ed25519 signatures for certificates
✅ PAdES digital signature on PDFs
✅ Rate limiting and DDoS protection
✅ Regular security audits
✅ Minimal data collection principle

11. Contact

For any privacy-related questions or to exercise your GDPR rights:

📧 privacy@sbix.io

🏢 GLABTECH SARL — St-Barthélemy, FR

🌐 ASN 30077

You also have the right to lodge a complaint with your local data protection authority.