Privacy Policy

Last updated: April 21, 2026

1. Who we are

Lantern LLC ("Lantern," "we," "us," "our") operates the Lantern Provenance System, including:

The website and web application at lantern-us.com
The Lantern API at api.lantern-us.com
The Lantern browser extension for Chrome and Edge

These collectively are the "Service." This policy explains what data we collect, how we use it, and what rights you have over it.

Data controller: Lantern LLC, 3100 33rd Pl NW, Washington, DC 20008, United States. Contact: contact@lantern-us.com.

2. What we collect and why

2.1 Account data

When you create a Lantern account, we collect and store:

Email address: identifies your account and receives transactional email (verification, password reset, account notices)
Display name: shown publicly on your verify pages and gallery entries
Password: stored only as a bcrypt hash; plaintext never persisted
Ethereum wallet address: generated by Lantern on your behalf; recorded on-chain when you register content
Encrypted private key: the corresponding wallet private key, AES-256-GCM encrypted at rest with a key we hold server-side
Account timestamps: account creation date, email verification date, onboarding completion date

If you sign up with "Continue with Google," we additionally store Google's opaque stable user ID (sub) so we can recognize you on return visits. We do not store your Google name, Google profile picture, or any other Google profile field.

2.2 Content registrations

When you register a piece of work, we collect and store:

A SHA-256 hash of the image file
Perceptual hashes (dhash and phash) computed from the image, used to match cropped or recompressed copies
Neural-embedding vectors (three fixed-length numerical vectors, one each from the SSCD, CLIP, and DINO family of vision models), used to match transformed copies that classical hashes miss (horizontal flips, crops, rotations, filtered versions). The vectors themselves contain no identifying information; they are statistical descriptions of visual content. See §4.3 for how the vectors are produced.
A timestamp marking when you affirmed authorship at registration
A per-work opt-out-of-AI-training preference (defaults to on when you have the account-level default enabled; overridable per work)
Metadata you provide: title, description, creation tool name, source platform name, source URL
The file type, file size, and file name as uploaded
A Lantern ID (format LNTN-xxxxxxxx) we assign
The on-chain transaction hash after the registration is confirmed on the Base blockchain

We do not retain your image file itself after processing. Image bytes are used transiently to compute the hashes and neural-embedding vectors above and then discarded. The hashes and vectors (which are mathematical summaries, not recoverable images) remain stored as described.

During the processing step, image bytes are transmitted to our neural-inference provider (Modal, see §4.3) so the embedding vectors can be computed on GPU hardware. Modal's containers terminate after inference and do not retain the image bytes.

2.3 Platform links

If you link a social media account to prove platform ownership (Twitter, Pixiv, DeviantArt, ArtStation, Instagram, etc.), we store the platform name, your username on that platform, and the verification status of the link.

2.4 Disputes and reports

If you file a dispute or report against a registered work, we store your email, your name (if you provide it), your claim description, and any evidence URLs you submit.

DMCA takedown notices you submit become part of our records for the duration required to comply with the notice-and-takedown process and any associated legal obligations.

2.5 Authentication and session data

To keep your account secure, we store:

Email verification tokens and password reset tokens: stored as SHA-256 hashes; plaintext is sent only in the email link and discarded after use or expiry
Two-factor authentication data (if you enable it): an encrypted TOTP secret (AES-256-GCM), hashed backup codes, and the last TOTP timestep accepted (to prevent replay)
Active session records: for each signed-in device, we store a session ID (jti), the approximate IP address of the most recent request, the user-agent string, and the timestamps of issuance, last use, and last re-authentication
Throttle events: a minimal audit trail of rate-limited events (e.g., failed login attempts, password reset requests) used to enforce per-IP and per-email rate limits; pruned after 2 hours for short-lived buckets and up to 24 hours for longer ones

2.6 Browser extension

The Lantern browser extension:

Scans page text for Lantern IDs (format: LNTN-xxxxxxxx) on supported art platforms to display verification badges
Hashes images locally in your browser when you use "Verify with Lantern." The image is never uploaded; only its hash is sent to our API.
Caches verification results in chrome.storage for up to 1 hour
Reads the page's DOM only to the extent needed to locate Lantern IDs and images on currently-open art-platform tabs

The extension does not track browsing history, collect data from non-art-platform sites, or transmit any data about your browsing to us.

3. Legal basis for processing (for users in the EU/UK)

Where GDPR applies, we process your personal data on the following bases:

Performance of a contract (GDPR Art. 6(1)(b)): most account and registration processing is necessary to provide the Service you've signed up for.
Legitimate interests (GDPR Art. 6(1)(f)): security-related processing (rate limiting, session tracking, fraud detection) to protect your account and the integrity of the registry.
Consent (GDPR Art. 6(1)(a)): where you explicitly link a third-party account, enable 2FA, or opt in to the browser extension.
Legal obligation (GDPR Art. 6(1)(c)): to respond to valid legal process and to comply with DMCA and other statutory requirements.

4. How we share data

We do not sell your personal information. We share data only in these cases:

4.1 Publicly by design

The following are intentionally public and visible to anyone, including search engines:

Lantern IDs, content hashes, registration timestamps, file type, display name of the registrant, and creator wallet address, shown on the /verify/{LNTN-ID} page and indexed by search engines
Linked platform usernames and verification status (when the link is verified)
Your display name across the public surface of the Service

4.2 Base blockchain (public ledger)

When a registration confirms, the content hash and your wallet address are written to the Base blockchain (an Ethereum Layer 2 network). Blockchain records are public and cannot be deleted. This permanence is required for provenance to be verifiable by anyone.

4.3 Subprocessors (third-party service providers)

We use the third-party service providers below to operate the Service. The authoritative list is published at lantern-us.com/subprocessors.

Provider	Purpose	Data shared
Resend (Delaware, US)	Transactional email delivery	Email address, display name, email body (verification links, password reset links, account notices)
Google LLC (Delaware, US)	OAuth identity provider for "Continue with Google"	Only what you consent to at Google's sign-in prompt: email, display name, profile picture URL, Google `sub` ID. Only applies if you click the Google sign-in button.
Modal (Delaware, US)	Serverless GPU inference for neural-matcher embeddings (SSCD, CLIP, DINO)	Image bytes you upload at registration or image-based verification are transmitted to Modal for embedding computation. Modal returns numerical vectors; image bytes are not retained by Modal or by Lantern after processing. No account identifiers (email, display name, wallet address) cross this boundary.
DigitalOcean (New York, US)	Cloud hosting for the Lantern application server and managed PostgreSQL database	All account data we store (email, display name, encrypted wallet key, registration records, dispute history) resides on DigitalOcean infrastructure. DigitalOcean does not have application-level access; they operate the underlying compute and storage.
Alchemy (San Francisco, US)	Base blockchain RPC access	When a registration is written to the Base blockchain, we submit the transaction (content hash, metadata URI, creator wallet address, signature) via Alchemy's RPC endpoint. These fields are public on-chain by design; no email or display name crosses this boundary.

4.4 Legal requirements

We may disclose data when required by law, legal process, or to protect the rights, property, or safety of Lantern, its users, or others. This includes responding to valid subpoenas, court orders, and DMCA takedown notices (see lantern-us.com/dmca).

5. Data retention

Category	Retention
Account (email, display name, password hash, wallet)	For the life of your account, plus up to 30 days after deletion to process the deletion
Email verification and password reset tokens	15 and 30 minutes respectively; deleted on consumption
Active sessions	90 days of inactivity, then auto-pruned
Throttle / rate-limit events	Up to 24 hours
Content registrations (off-chain metadata)	Until you delete or revoke; revoked records are marked revoked but retained for audit
Content registrations (on-chain record)	Permanent (Base blockchain). Cannot be deleted.
Dispute and DMCA records	Retained as required by law; typically 3 years
Admin action logs	Indefinite; required for audit

6. Your rights

6.1 Everyone

Access: request a copy of the personal data we hold about you
Correction: ask us to correct inaccurate data
Deletion: ask us to delete your account and associated off-chain data. See 6.3 regarding on-chain records.
Revocation of consent: withdraw consent for optional processing (e.g., remove a linked Google account, disable 2FA, uninstall the browser extension)

To exercise these rights, email contact@lantern-us.com. We may ask you to verify account ownership before acting on sensitive requests.

6.2 EU/UK users (GDPR)

If you are in the EU, UK, or EEA, you additionally have the right to data portability, the right to object to processing based on legitimate interests, and the right to lodge a complaint with your local data protection authority.

6.3 California users (CCPA / CPRA)

If you are a California resident, you have the rights described above plus the right to know what categories of personal information we collect, the right to opt out of the sale or sharing of personal information (note: we do not sell or share for cross-context behavioral advertising), and the right to non-discrimination for exercising these rights.

6.4 Deletion and the blockchain

You can delete your Lantern account at any time from /dashboard/security (the "Delete account" card at the bottom of the page). The deletion is permanent and cannot be undone.

What gets deleted: your email, password hash, encrypted wallet private key, all sessions (you are signed out everywhere), email-verification and password-reset tokens, two-factor secrets and backup codes, linked-platform handles (Twitter, Pixiv, etc.), and in-flight registrations that have not yet confirmed on chain. Terms-of-service assent records are also deleted; an internal audit log retains a record that the deletion happened (date, the disposition you picked, and counts) for compliance purposes, but does not retain the email or wallet in any user-searchable form.

What happens to registered work: at the moment you delete, you choose one of three options:

Keep my registrations visible (default). Your registered works stay on Lantern with your current display name and wallet address shown as the historical creator. The works remain visible on /verify and to platforms checking the API. Your account is gone but your provenance record is intact.
Anonymize my display name. Your display name on every registered work is replaced with the literal string [deleted account]. Your wallet address still shows because it is on the blockchain and cannot be erased. Pick this if you want your name off the public record while keeping the work registered.
Revoke every registration first, then delete. Each of your active registrations is revoked on the blockchain (status becomes revoked) before your account is deleted. If any revoke fails (gas, RPC), nothing happens and your account stays alive so you can retry. Revocation is permanent on chain.

What we cannot delete: on-chain records on the public Base blockchain. Your wallet address, the content hashes you registered, and the timestamps of those registrations are visible on chain regardless of what you do here. You can revoke a registration so it displays as revoked, but the historical record stays on chain. By using Lantern you acknowledge this permanence; do not register anything you may need to have permanently and entirely removed.

If self-service does not work for you (for example, two-factor authentication enabled, lost access to your email, or you cannot sign in), email contact@lantern-us.com with the email address on the account and we will action the deletion manually within 30 days. We may ask you to confirm your wallet address or sign a verification message to prove ownership.

7. International data transfers

Lantern is operated from the United States. If you access the Service from outside the US, your personal data is transferred to the US for processing. Our US-based subprocessors (Resend, Google, Modal, DigitalOcean, Alchemy) process data subject to US law. Each subprocessor's standard Data Processing Agreement (incorporated into their Terms of Service, which we accepted at account creation) includes the EU-approved Standard Contractual Clauses for international transfers; the authoritative links are on our Subprocessors page.

8. Security

Technical measures we apply:

HTTPS on all traffic; TLS 1.2+
Bcrypt for password hashing (work factor 12)
AES-256-GCM for encrypting wallet private keys and TOTP secrets at rest
JWT-based session tokens with server-side revocation
Per-IP, per-email, and per-account rate limits on auth endpoints
Two-factor authentication available via TOTP and single-use backup codes
systemd-sandboxed backend process running as a dedicated non-root user with a minimal syscall whitelist
Weekly off-host database snapshots (in progress; currently local backups only)
Operational monitoring with alerting on security-relevant events

No system is perfectly secure. If you believe your account has been compromised, email us immediately at contact@lantern-us.com and change your password via the forgot-password flow.

9. Children

Lantern is not directed at children under 13 years of age (or the equivalent minimum age in your jurisdiction). At account creation we require every user to confirm they are at least 13 years old. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, email contact@lantern-us.com and we will take steps to delete it.

10. Cookies and local storage

Lantern uses localStorage to store your session token on your device so you stay signed in across page loads. We do not use cookies for tracking and do not set third-party advertising cookies. The browser extension uses chrome.storage for local preferences and a short verification cache; nothing in this store is sent to us.

11. DMCA and copyright

See lantern-us.com/dmca for our DMCA takedown and counter-notice procedures. Our designated DMCA agent is registered with the U.S. Copyright Office (DMCA-1071708).

12. Changes to this policy

We may update this policy from time to time. We will update the "Last updated" date at the top. For material changes that affect your rights, we will email registered users with reasonable advance notice before the change takes effect.

13. Contact

For privacy questions, data-subject-rights requests, or general inquiries, email contact@lantern-us.com.

For DMCA notices, see the contact at /dmca.