Last updated:
HeliotTLS (the “Service”, “we”, “us”) is operated by Heliot Cryptography Ltd., registered at Suite 8, Mahé Plaza, Victoria, Republic of Seychelles. The Service issues post-quantum X.509 TLS certificates for email infrastructure.
We deliberately collect the minimum data required to operate the Service:
We do not collect your IP address in association with your order, your browser fingerprint, your real identity, or any payment metadata beyond what is strictly required for issuance.
Bitcoin and Litecoin transactions are recorded permanently on public blockchains and are pseudonymous, not anonymous. Any third party can correlate the on-chain TXID we record with your wallet activity. If your threat model requires unlinkable payments, we recommend Monero (XMR), which we confirm manually after observing the funds in our wallet.
We use a single first-party session cookie (htls.sid) on the operator panel. The public site sets no cookies and loads no analytics tracker or third-party fingerprinting library. We do not embed Google Fonts client trackers, advertising pixels, or social-media share widgets.
Where European data-subject rights apply, the lawful basis for processing your domain and TXID is contractual necessity — Art. 6(1)(b). The optional email is processed under your consent — Art. 6(1)(a) — which you may withdraw at any time by writing to privacy@heliot-tls.example.
Order records are retained for 24 months past expiry of the issued certificate (i.e. 36 months total) for revocation traceability, then deleted. Anonymous server logs are kept 7 days. Payment correlation data older than 90 days is hashed and the originals destroyed.
You may request access to, rectification of, or erasure of any personal data we hold about you. Because we collect almost none, the typical answer to a Subject Access Request is a copy of your order record and your TXID. Submit requests to privacy@heliot-tls.example using PGP key 9F2C 4A11 ….
Heliot Cryptography Ltd. operates from a jurisdiction with no mutual-legal-assistance treaties covering certificate issuance. We will not voluntarily disclose customer data to any government, intelligence agency or commercial third party. We have never received a national security letter; the absence of this sentence in a future revision should be treated as a warrant canary signal.
This policy can be amended for legal or operational reasons. Material changes will be advertised on the public site for 30 days before taking effect.
Operations: ops@heliot-tls.example
Privacy / data subject: privacy@heliot-tls.example
Abuse / revocation: abuse@heliot-tls.example