Privacy Policy
Last updated: February 2025
Who we are
Sealed (sealed-app.com) is operated by an individual developer based in the United Kingdom. You can contact us at hello@sealed-app.com.
What data we collect
We only collect what we need to run the service. We do not collect data for advertising, profiling, or selling to third parties.
- Account information — email address, username, and hashed password (or Google OAuth credentials if you sign in with Google).
- Profile information — optional name, bio, website, and avatar image.
- Claim data — your claim text (encrypted at rest with AES-256-GCM), a SHA-256 hash of the text, a random nonce, and metadata such as your chosen reveal date.
- Usage data — votes, comments, follows, stars, and notification preferences.
How we use your data
- To provide the service — storing, encrypting, decrypting, hashing, and displaying your claims.
- To send transactional emails — welcome emails, reveal notifications, and optional weekly digests. Every email includes a one-click unsubscribe link. You can also manage email preferences in your settings.
- To moderate content — claim text is checked at submission using an automated moderation API to prevent harmful content.
- To evaluate claims with AI — after a claim is revealed, the claim text is sent to third-party AI services for automated factual evaluation. See below for details.
AI evaluation
When a claim is revealed, its text is sent to three AI providers (OpenAI, Anthropic, and Google) for automated evaluation. Each model searches the web for evidence and returns a verdict on the claim's accuracy. Only the claim text and reveal date are sent — no personal identifiers such as your username or email are included.
AI verdicts are informational and automated. They may be inaccurate, incomplete, or biased. They are not factual determinations or legal judgments. Each verdict includes its sources so you can check the evidence yourself.
Encryption and security
Sealed claim text is encrypted using AES-256-GCM with envelope encryption. Encryption keys are managed by AWS Key Management Service (KMS) in the EU (eu-west-2). The decryption key for each claim is stored separately from the encrypted text. We cannot read your sealed claim text without performing the decryption process, which only happens when the reveal date arrives.
Passwords are hashed with bcrypt (12 rounds) and never stored in plaintext.
Third-party services
We use the following services to operate Sealed:
- Vercel — hosting and serverless infrastructure.
- Supabase — PostgreSQL database hosting.
- AWS KMS — encryption key management (eu-west-2).
- Resend — transactional email delivery (receives your email address).
- OpenAI, Anthropic, Google AI — AI claim evaluation (receives revealed claim text only).
- Google OAuth — optional sign-in provider.
Your data may be transferred to and processed in the United States by some of these providers. Where applicable, these transfers are protected by the EU-US Data Privacy Framework or Standard Contractual Clauses.
Data retention
Your account data is kept for as long as your account exists. If you delete your account, all your personal data — including your claims, encrypted text, comments, votes, and follow relationships — is permanently deleted. Account deletion is irreversible.
Your rights
Under UK data protection law (UK GDPR), you have the right to access, correct, delete, or export your personal data. You also have the right to object to or restrict how we process your data.
You can delete your account and all associated data from your settings page. For any other requests, email us at hello@sealed-app.com. We will respond within 30 days.
If you have concerns about how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
Changes to this policy
If we make significant changes, we will notify you by email or by placing a notice on the site. We will not materially reduce your privacy rights without giving you advance notice.