Privacy Policy
How S4 Ledger handles, protects, and processes your data
Effective Date: February 1, 2026
1. Our Core Privacy Principle
No sensitive data on-chain — ever. S4 Ledger was designed from the ground up to anchor only SHA-256 hashes to the XRP Ledger. We never store, transmit, or process classified data, CUI, PII, ITAR-controlled content, or any sensitive material on any public blockchain.
What goes on-chain: A 64-character SHA-256 hash string
What never goes on-chain: Original records, names, locations, part details, or any identifiable information
2. Data We Collect
| Category | Data | Purpose | Retention |
| --- | --- | --- | --- |
| Anchor Metadata | SHA-256 hash, record type, branch, timestamp | Transaction tracking, metrics dashboard | Indefinite (on-chain) |
| API Usage | Request timestamps, endpoints called, response codes | Rate limiting, monitoring, analytics | 90 days |
| Account Info | Organization name, contact email, subscription tier | Service delivery, billing, support | Duration of account |
| Analytics | Page views, session duration (anonymized) | Platform improvement | 12 months |
3. Data We Do NOT Collect
- Original record content (records are hashed client-side or in-memory and never persisted)
- Classified or CUI material
- Social Security numbers, health records, or financial account numbers
- Biometric data
- Device-level tracking identifiers (no fingerprinting)
4. How We Use Your Data
- Service delivery: Processing anchor requests, returning hash verification results, displaying metrics
- Platform improvement: Analyzing aggregate usage patterns to improve performance and UX
- Security: Monitoring for abuse, unauthorized access, or anomalous activity
- Communication: Service updates, security notices, and billing (if applicable)
We do not sell, rent, or share your data with third parties for marketing purposes.
5. Data Security
S4 Ledger implements security controls aligned with defense industry standards:
- NIST SP 800-171: Controls for protecting Controlled Unclassified Information
- CMMC Level 2: Active alignment roadmap toward certification
- Encryption: TLS 1.3 for all data in transit; AES-256 for data at rest
- Access control: Role-based access, principle of least privilege
- Audit logging: All API access and administrative actions are logged
- Incident response: Documented plan with <24-hour notification for security events
6. Blockchain Immutability
Once a SHA-256 hash is anchored to the XRP Ledger, it is immutable and cannot be deleted, modified, or redacted. This is by design — immutability is the core value proposition of S4 Ledger. Because only hashes (not original content) are stored on-chain, immutability does not create a privacy risk for underlying data.
If you need to supersede a record, you can anchor a new version with updated content. The original hash remains on the ledger but can be marked as superseded in your internal systems.
7. Third-Party Services
- XRP Ledger: Public, decentralized blockchain operated by independent validators. Transaction hashes and memo fields are publicly visible.
- Vercel: Hosting platform for the S4 Ledger website and API. Subject to Vercel's privacy practices.
- GitHub: Source code and SDK distribution. Subject to GitHub's privacy policy.
8. Defense & Government Users
For Department of Defense (DoD) and government users:
- S4 Ledger's hash-only architecture supports records at any classification level when deployed appropriately. Only the irreversible SHA-256 hash leaves the source system — the hash itself is unclassified.
- For Secret records, S4 Ledger can be deployed on-premises within the SIPRNet boundary with hash egress through a DISA-approved cross-domain solution.
- For Top Secret / SCI records, the same architecture applies within JWICS enclaves.
- CUI should only be submitted through approved on-premises or FedRAMP-authorized deployments (when available).
- The public demo and testnet environment should only be used with non-sensitive, unclassified test data.
- For DFARS 252.204-7012 compliance requirements, contact us for our System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
9. Cookies & Tracking
S4 Ledger uses only functional cookies essential for the operation of the platform (e.g., localStorage for session data in the Demo App). We do not use advertising cookies, social media trackers, or third-party tracking pixels.
10. Your Rights
- Access: Request a copy of data we hold about you
- Correction: Request correction of inaccurate account information
- Deletion: Request deletion of your account and associated data (note: on-chain hashes are immutable)
- Portability: Export your transaction history and anchor records
- Objection: Object to processing of your data for specific purposes
To exercise these rights, contact us at privacy@s4ledger.com or via our Contact page.
11. Children's Privacy
S4 Ledger is a professional enterprise platform and is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to registered users and prominently displayed on our website. The "Effective Date" at the top reflects the most recent revision.
13. Contact
For privacy questions or concerns: