ANANKE Labs
ANANKELABS
Privacy Policy

Privacy Policy

Effective date: March 15, 2026

ANANKE Labs ("ANANKE", "we", "us", or "our") operates the ANANKE trust infrastructure platform, including the web application, mobile application, REST API, and SDK. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services. We are committed to transparency and to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), Moroccan Law 09-08 on the protection of personal data, and other applicable data protection laws.

1. Who we are

ANANKE Labs is a trust infrastructure company registered in Morocco. We provide digital trust services that allow organizations to protect, verify, and manage the lifecycle of documents and physical items.

For the purposes of applicable data protection legislation, ANANKE Labs is the data controller for the personal data we collect through our platform and website. When we process documents or data on behalf of your organization, we act as a data processor under your organization's instructions.

2. Data we collect

We collect and process the following categories of personal data:

Account and identity data

  • Full name, email address, and organization affiliation when you create an account
  • Authentication credentials (passwords are hashed and never stored in readable form)
  • Role and permission assignments within your organization

Document and item data

  • Documents uploaded to the platform are stored as protected PDFs with embedded cryptographic signatures
  • Document metadata including titles, template configurations, lifecycle status, and timestamps
  • Cryptographic fingerprints (hashes) of documents, used for verification proof records
  • T-CODE identifiers and associated metadata for physical items

Usage and technical data

  • IP addresses, browser type, device information, and operating system
  • Pages visited, features used, and actions performed within the platform
  • Timestamps of requests and verification events
  • API call logs (without request or response content)

Communication data

  • Information you provide when contacting us via email, forms, or support channels
  • Feedback, questions, or correspondence related to your use of our services

3. How we use your data

We process your personal data for the following purposes:

  • Providing and operating the ANANKE platform, including document protection, T-CODE generation, verification, and lifecycle management
  • Authenticating your identity and managing access to your organization's workspace
  • Generating cryptographic proofs and verification records for documents and items
  • Anchoring cryptographic hashes to the blockchain — only hashes are published externally; no personal data or document content is ever published
  • Maintaining a complete audit trail for compliance and accountability purposes
  • Sending service-related communications, including security notices and updates
  • Improving and developing our services based on aggregated, anonymized usage patterns
  • Complying with legal obligations, responding to lawful requests, and establishing or defending legal claims

5. Data sharing and third parties

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • Infrastructure providers — we use Microsoft Azure (including Azure Key Vault and managed HSM) and other cloud infrastructure providers to host and secure the platform; these providers process data on our behalf under strict contractual obligations
  • Blockchain networks — when anchoring verification proofs, only cryptographic hashes (not personal data or document content) are published to the Hedera Hashgraph network
  • Payment processors — if you subscribe to paid services, payment information is handled directly by our payment processor; we do not store or process payment card details
  • Legal requirements — we may disclose data if required to do so by law, court order, or regulatory authority, or to protect the rights, property, or safety of ANANKE Labs, our users, or the public
  • With your consent — we may share data with third parties if you have given explicit consent for a specific purpose

6. Data retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

Account data is retained for the duration of your account and for a reasonable period thereafter to allow for reactivation or to comply with legal obligations.

Document data and verification records are retained in accordance with your organization's configuration and applicable legal retention requirements. Cryptographic proofs and audit trails may be retained for extended periods to support long-term verification and regulatory compliance.

Usage and technical logs are retained for up to 24 months for security monitoring and service improvement, then anonymized or deleted.

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.

7. Your rights

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate or incomplete data
  • Right to erasure — you can request deletion of your personal data, subject to legal retention obligations and where erasure would not compromise the integrity of cryptographic proof records
  • Right to restriction — you can ask us to temporarily restrict processing of your data in certain circumstances
  • Right to data portability — you can request your data in a structured, machine-readable format
  • Right to object — you can object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at privacy@anankelabs.net. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority or the Moroccan CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel).

8. How we protect your data

We implement industry-standard technical and organizational measures to protect your personal data:

  • All data is encrypted at rest and in transit using strong encryption standards
  • Cryptographic signing keys are stored in hardware security modules (HSM) certified to FIPS 140-2 Level 3; private keys never leave the HSM boundary
  • Each organization's data is fully isolated — there is no cross-organization data access
  • API keys are secured using strong one-way hashing; the raw key is shown once and never stored
  • Authentication is handled through our own OpenID Connect identity provider with cryptographically signed tokens
  • We maintain comprehensive audit trails for all security-relevant events
  • Access to production systems is strictly limited and monitored

9. Cookies and tracking

Our website and platform use essential cookies that are necessary for the service to function (authentication tokens, session management, language preferences). These do not require consent as they are strictly necessary.

We do not use third-party advertising cookies or cross-site tracking technologies. We do not sell or share cookie data with advertisers.

We may use minimal analytics to understand aggregated usage patterns. If we use analytics that process personal data, we will provide clear notice and obtain consent where required.

10. International data transfers

ANANKE Labs is based in Morocco. Our infrastructure is hosted on Microsoft Azure, which may involve data processing in the European Economic Area (EEA) and other regions where Azure operates.

When personal data is transferred outside Morocco or the EEA, we ensure appropriate safeguards are in place, including standard contractual clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

Blockchain anchoring publishes only cryptographic hashes (not personal data) to the Hedera Hashgraph distributed ledger, which operates across multiple jurisdictions. Since only non-personal data (hashes) is published, this does not constitute a transfer of personal data.

11. Children's privacy

Our services are designed for organizations and their authorized users. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@anankelabs.net.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised effective date. For significant changes, we may also notify you by email or through the platform.

We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.

13. Contact us

If you have questions about this Privacy Policy, your personal data, or our privacy practices, you can reach us at:

ANANKE Labs
privacy@anankelabs.net
Morocco

For data protection inquiries, please include "Privacy Request" in the subject line of your email.

← Terms of ServiceSecurity & Governance →