Privacy Policy

How Sterling and Pierce Holding L.L.C-FZ processes personal data in connection with the Ten-Seconds Software

Version 2026.3 — Effective March 2026

Legal Notice Terms of Service Privacy Policy Acceptable Use Terms of Sale Law Enforcement Transparency DPA

1. Data Controller

Sterling and Pierce Holding L.L.C-FZ
Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, UAE
License No: 2420814.01
Contact: contact@sterlingandpierce.com

Sterling and Pierce Holding L.L.C-FZ acts as Data Controller for personal data processed in connection with the Software's account management, subscription, and legal compliance functions.

2. Privacy Architecture — What We Are Technically Capable Of

The Software is designed with privacy-by-design principles. The following are factual technical statements about the current architecture:

Capability	Publisher's position
Read message content	Not technically possible. Messages are end-to-end encrypted. The server processes only ciphertext.
Reconstruct message history	Not technically possible. No message database exists. Session content is purged from RAM after session termination (max 30 min).
Access private key	Not technically possible. Private key is generated and encrypted on user device. Never transmitted in plaintext.
Access account metadata	Technically possible and retained as described below, for legal and operational purposes.

These technical constraints are genuine architectural features. They do not, however, guarantee: (a) protection from device-level access; (b) immunity from valid legal orders directed at user devices; (c) protection against network-level metadata analysis by third parties.

3. Data Collected and Legal Basis

3.1 — Account data (required for Software operation)

Data	Description	Legal basis (GDPR Art. 6)
Username	Pseudonym chosen by user — no real name required	Art. 6(1)(b) — contract performance
Password hash	bcrypt hash of client-side SHA-256 hash. Plaintext password never received by server.	Art. 6(1)(b)
Encrypted private key blob	AES-encrypted blob decryptable only with user's password	Art. 6(1)(b)
Public key	NaCl Curve25519 public key — by nature public	Art. 6(1)(b)

3.2 — Legal compliance data (retained by legal obligation)

Data	Description	Legal basis (GDPR Art. 6)
Consent records	Timestamp, document version, IP address, user-agent at acceptance	Art. 6(1)(c) — legal obligation
Payment references	Transaction IDs, subscription status. Card data processed by Stripe; crypto by CoinPayments. Not stored by Publisher.	Art. 6(1)(b) & (c)
Technical access logs	Server-side connection logs, IP addresses, timestamps	Art. 6(1)(c) / legitimate interests
Billing information	Name, address, email — only for Clear Trail (invoiced) subscribers, if voluntarily provided	Art. 6(1)(b)

3.3 — Data not collected

Message content — technically inaccessible to the Publisher
Conversation metadata (who communicates with whom, frequency) — not logged by design
Real identity — no real name, date of birth, or government ID is collected for standard accounts
Device identifiers, advertising IDs, or tracking pixels — not used
Behavioural or analytics profiling data — not performed

4. Data Retention

Category	Retention
Account credentials	Duration of subscription + 5 years post-termination
Payment records	10 years (accounting obligations)
Consent records	5 years from acceptance date
Access logs	Up to 1 year
Message content	Not retained — purged from server RAM on session termination
Billing info (invoiced subscribers)	10 years (accounting obligations)

5. Data Sharing

The Publisher does not sell personal data. Data is shared only in the following circumstances:

Payment processors: Stripe Inc. (card payments — EU SCCs in place) and CoinPayments Inc. (cryptocurrency payments). Each receives only the data necessary to process payment.
Law enforcement and legal process: Only in response to valid legal orders from competent authorities. See Law Enforcement Guidelines for the full description of what the Publisher can and cannot provide.
B2B enterprise clients: Where the Software is accessed through an enterprise licence, the enterprise client may act as Data Controller for its users' data. A Data Processing Agreement (see DPA) governs such arrangements.
Legal proceedings: To the extent required by valid court order under applicable law.

6. International Transfers

The Publisher is based in the UAE. For EU users, personal data transfers to the UAE and to third-party processors are conducted under appropriate safeguards, including EU Standard Contractual Clauses where applicable. Stripe operates under SCCs. The UAE is not currently the subject of an EU adequacy decision; transfers are therefore conducted under Art. 46 GDPR safeguards.

7. Cookies

The Software uses only a strictly necessary session authentication cookie (HttpOnly, Secure, SameSite=Strict). No advertising cookies, third-party analytics, or tracking scripts are deployed.

8. Your Rights (GDPR / UAE PDPL)

Subject to applicable law, you have rights to: access, rectify, erase, port, restrict processing of, and object to processing of your personal data. To exercise any right, contact: contact@sterlingandpierce.com. We will respond within 30 days.

Note: The Publisher cannot recover message content (never stored) and cannot decrypt account credentials (encrypted with user password, not held by Publisher).

If you believe your rights have not been respected, you may lodge a complaint with your national supervisory authority (EU) or the TDRA (UAE).

9. Security

The Publisher implements appropriate technical and organisational security measures including: TLS 1.3 for all connections, bcrypt password hashing, AES-encrypted key storage, role-based access control, and security monitoring. No system is perfectly secure. The confidentiality of your communications depends materially on the security of your end device and password.

Version 2026.3 — March 2026 — Sterling and Pierce Holding L.L.C-FZ