1. Who we are
Provable.io is operated by RedPkt. We are the data controller for the personal data described below. You can reach our privacy contact at support@provable.io.
2. What we collect and why
| Data | Why | Retention |
|---|---|---|
| Email address | Account identity, sign-in, security notifications. | Until you delete your account. |
| Password (hashed with bcrypt) | To verify sign-in. We never store the plain password. | Until you delete your account. |
| API keys (hashed) and key metadata (name, created/last-used timestamps, usage count) | To authenticate API calls and show usage in your dashboard. | Until you revoke the key or delete your account. |
| API usage counters and per-endpoint breakdowns | To enforce daily quotas and show charts in your dashboard. | Rolling 60 days (daily) and 24 months (monthly). |
| Client seeds you submit, and the outcomes generated for them | Provably-fair verification requires the seed and outcome chain. Outcomes are tagged with your user id only when called with your API key. | Until you delete your account, at which point your seed list and tagged history are removed. |
| IP address and user agent (in server access logs) | Security, abuse detection, debugging. | Up to 30 days in operational logs. |
| Terms acceptance timestamp and policy version | Proof you accepted the Terms at signup. | For the life of the account. |
3. Cookies
We use a single strictly-necessary cookie, provable.sid, to keep you signed in. It is HTTP-only and set with SameSite=Lax. We do not use advertising, analytics, or third-party tracking cookies, which is why there is no consent banner — only the one-time notice you may have seen on first visit.
Your browser also stores small flags in localStorage (e.g. that you dismissed the cookie notice). These never leave your device.
4. Who we share data with
We do not sell your data and we do not share it with advertisers. The only third parties that ever see your data are infrastructure sub-processors strictly necessary to run the service:
- Hosting / runtime — Replit, Inc. (United States), where the application and its data store run.
If you configure outbound webhooks, the outcome payloads you ask us to deliver will be sent to the URLs you provide. You control where those go.
5. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise the most common rights directly in your dashboard:
- Access / export — download your full outcome history as CSV or JSON.
- Correction — change your email or password under Account settings.
- Deletion — "Delete my account" permanently removes your account, API keys, usage counters, seed history, and tagged outcomes. There is no recovery.
For anything that isn't self-service — including any data-protection complaint — email support@provable.io and we will respond within 30 days. If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority.
6. Security
Passwords are stored only as bcrypt hashes. API keys are stored only as SHA-256 hashes; the plain key is shown to you once at creation and is never recoverable from our system. The session cookie is HTTP-only. The site is served over HTTPS with HSTS in production. No system is perfectly secure; please report any suspected vulnerability to support@provable.io.
7. International transfers
Our infrastructure is based in the United States. If you access the service from outside the US, your data will be transferred to and processed there.
8. Children
The service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, email us and we will delete it.
9. Changes
We may update this policy from time to time. Material changes will be announced on this page with a new "Last updated" date. For substantive changes that affect existing users, we will also notify you by email.
10. Contact
Privacy questions or requests: support@provable.io.