The platform stores account identity, submission metadata, private evidence uploads, case messages, payment references, audit logs, and certificate records needed to deliver authentication services and operate secure review workflows.

Uploads are treated as private operational assets. They should only be accessed by authorized customer, partner, and admin roles through server-checked routes and signed delivery paths.

Stripe processes payment details. Authenticity House stores provider references, statuses, and operational audit records rather than full card data.

Public certificate verification should expose certificate-safe fields only and must avoid private customer evidence, support messages, or unnecessary personal data.

Pre-launch note: final retention windows, deletion handling, and jurisdiction-specific rights language still need legal review.