Privacy Policy

Last updated: 2023/09/15

Preamble

This is the Privacy Policy of the zkMe applications (both web and mobile), SDKs, APIs and other cloud-based services that we host on your behalf (the "Services"). zkMe is a brand of zkMe Technology Limited. Please note: a separate Privacy Policy is available for the website www.zk.me.

Privacy is one of our core values, so zkMe Technology Limited ("we", "us", "our" or "zkMe") respects your privacy. Our Services are specifically designed to minimize the amount of data that is collected about you ("you" or "User") and to remove the need for any central data storage or data sharing. In order to interact with you and improve the Services, we do collect some information.

This Service Privacy Policy ("Policy") will explain to you what data we collect, and how we use your personal data. It also describes how you can access, update, or otherwise take control of the personal data that we have collected from you. We, being a software-as-a-service business, take our responsibilities with regard to the requirements of CCPA and the EU GDPR very seriously.

By the nature of the zkMe Self-Sovereign Identity App, the application (on your end-user device) processes a wide variety of information, including personally identifiable information and special categories of personal data. Keeping this data private is our most important goal. In contrast to most identity providers on the market, we never share any personal data with anyone (not even with zkMe itself). Our applications are built to minimize the collection, sharing and storage of such data. For each type of data listed below, we therefore explain in detail how, and to what depth, it is processed, so that you can understand how zkMe protects your privacy compared to traditional identity verification providers.

Your Personal Data is collected from you when:

a. You open our mobile app or interact with a website pop-up;

b. You create or update your digital credentials through our mobile app or website pop-up;

c. You verify your credentials through our mobile app or website pop-up;

d. You access or use any feature, content, software, hardware or other product available on or through the Services or otherwise provided by us.

Your access and use of the Services is conditioned on your providing us with any requested User Information.

1. Digital Credentials

1.1 What data is collected?

zkMe uses digital identity technology and digital wallets to provide a secure method for consumers and businesses to access and exchange identity-related information by means of a decentralized identifier (hereinafter "DID"). In order to generate a DID, the following data is provided by you when you register for your account with the Services, as you use the Services, or as you engage with the Company through its Services. We consider all such information voluntarily provided:

  • a user-selected sub-domain,
  • your wallet public key addresses.

1.2 How we use data

Your DID is the representation of the fact that you passed credential-based verification. zkMe and other service providers use the DID as a vehicle to verify selected checks on your credentials. Because the credentials are anonymized using Zero-Knowledge Proofs (ZKP), no Personally Identifiable Information (PII) is stored, accessed or otherwise processed by zkMe or any other service provider unilaterally.

1.3 How we secure and retain data

DIDs are stored on the public distributed ledger Polygon (the MATIC blockchain) and on any additional distributed ledger for which you have given us explicit permission to store a copy. The DID is stored in the form of a non-transferable, non-fungible token (a soulbound token, hereinafter "SBT").

This SBT contains the following data:

  • a unique DID identifier,
  • a private-key shard (see "Personally Identifiable Information" below),
  • a list of pointers that refer to the ZKPs generated for your DID (see "Anonymized Individual Data" below).

Since this data is stored on public distributed ledgers, all of its contents are available to the public. None of the data stored here is sensitive in nature or can be used to identify you personally; in particular, the key shard is only one of three shards that are all required for decryption (see section 2.3). You can delete the SBT storing your DID at any time (and thus revoke any data processing linked to it) from within the zkMe App or any self-custody wallet holding such DID.

2. Personally Identifiable Information (PII)

2.1 What data is collected?

For each credential that you verify and from which anonymous zero-knowledge proofs are generated, a unique set of personally identifiable information (PII) is processed. Currently, the following credentials are supported:

1. Proof-of-Citizenship

(based on a Passport, Identity Card or Driver's License and facial recognition)

In order to verify your Proof-of-Citizenship, the following data is processed:

  • a government-issued alphanumeric identifier (Passport No., Identity Card No. or Driver's License No.),
  • your nodal point faceprint,
  • your Nationality,
  • your Date of Birth,
  • your Gender,
  • the Date of Issue,
  • the Date of Expiry.

2. Proof-of-Personhood

(based on multiple pictures of your face)

In order to verify your Proof-of-Personhood, the following data is processed:

  • your nodal point faceprint.

This data is provided by you when you verify credentials within the Services, as you use the Services, or as you engage with the Company through its Services. We consider all such information voluntarily provided.

2.2 How we use data

The main purpose of collecting personal data is to anonymize it and protect it from misuse. The ZKPs we generate from your credentials are mathematically verifiable proofs that a factual statement about your personal data is correct, without revealing the personal data itself. For example, within the Proof-of-Citizenship credential, one of the proofs we generate proves that you are over 18 years old without revealing your birthdate; the only data exposed to the parties involved is the "true/false" answer to the statement "This user is over 18 years old." For the Proof-of-Personhood credential, the nodal point faceprint is protected through fully homomorphic (FH) encryption. FH encryption lets zkMe servers check faceprint uniqueness without the ability to decrypt, recover or reuse the original faceprint for any other purpose. For more details refer to section 4, Anonymized Individual Data, and/or our Help section.

The credential's date of issue and date of expiry are used to define the validity period of a ZKP. Validity periods are pooled into monthly buckets so that an exact date cannot be used to identify a user indirectly. In order to comply with legal, law enforcement and anti-money laundering requirements, a decentralized data archive of the original data from which the Proof-of-Citizenship ZKPs are derived is created and encrypted using threshold cryptography. Only threshold-encrypted data leaves your mobile end device; at no point throughout the entire process does any single stakeholder have access to your private data, with the sole exception of the aforementioned regulatory compliance.

Your personal data is not stored, accessed, shared or in any other way processed except as described above.

2.3 How we secure and retain data

The decentralized data archive is retained for as long as required by law. The archive is protected through state-of-the-art threshold encryption. The encryption is performed directly on your mobile end device. The key required to decrypt the data is split into three (3) private key shards, all of which are needed to reconstruct it: one is written to your DID SBT, the second is kept in your profile (see Special Categories of Personal Data), and the third is provided to the regulatory/issuing body of the affected credential, or remains in zkMe's custody pending data exchange agreements with the relevant regulatory bodies. Decryption is not possible without all three shards; this means that no single party is able to access your private data on its own.

No other copy of your personal data persists; your personal data is actively deleted from your mobile device once it has been encrypted and the ZKPs have been generated.
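The three-shard key split described in this section, as an added example that is not part of this policy and is not zkMe's code: it assumes a plain XOR (n-of-n) secret split, a 256-bit archive key and the holder names `sbt`, `profile` and `regulator`; the policy does not say which sharing scheme zkMe uses. It shows why a single shard can be published on the SBT, why two custodians together cannot decrypt, and, as a consequence of section 1.3 combined with the all-shards rule above, that deleting the SBT leaves the archive unrecoverable by the remaining holders.

```python
"""Added illustration of the key-shard split described in section 2.3.

This is not zkMe's code and says nothing about how zkMe actually splits
the key; it assumes a plain XOR (n-of-n) secret split, a 256-bit archive
key, and the three holder names below. It demonstrates the property the
policy relies on: all shards are needed, and any subset is useless.
"""
import secrets
from typing import Dict, Sequence

KEY_BYTES = 32  # assumed: a 256-bit symmetric archive key

# Assumed holder names, mirroring the three custodians the policy names:
# the DID SBT (public ledger), the zkMe profile, and the regulator/issuer.
HOLDERS = ("sbt", "profile", "regulator")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shards must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: Sequence[str] = HOLDERS) -> Dict[str, bytes]:
    """Split `key` into len(holders) shards that are ALL required to rebuild it.

    Every shard except the last is fresh uniform randomness; the last is the
    key XORed with all of them. Any proper subset of shards is therefore
    uniformly distributed and independent of the key, which is why a single
    shard can sit on a public ledger without exposing the archive.
    """
    if len(holders) < 2:
        raise ValueError("need at least two holders for a split")
    shards = [secrets.token_bytes(len(key)) for _ in holders[:-1]]
    last = key
    for s in shards:
        last = xor_bytes(last, s)
    shards.append(last)
    return dict(zip(holders, shards))


def reconstruct_key(shards: Dict[str, bytes], holders: Sequence[str] = HOLDERS) -> bytes:
    """Recombine shards; refuse unless every expected holder contributed."""
    missing = [h for h in holders if h not in shards]
    if missing:
        raise PermissionError(f"cannot decrypt: missing shard(s) from {missing}")
    key = bytes(len(shards[holders[0]]))
    for h in holders:
        key = xor_bytes(key, shards[h])
    return key


def demo() -> Dict[str, bool]:
    """Walk through the scenarios the policy describes and report outcomes."""
    key = secrets.token_bytes(KEY_BYTES)
    shards = split_key(key)

    # 1. Lawful access: all three custodians contribute their shard.
    full_ok = reconstruct_key(shards) == key

    # 2. Two custodians collude (say zkMe's profile plus the public SBT shard)
    #    without the regulator: the combiner refuses.
    two = {h: shards[h] for h in ("sbt", "profile")}
    try:
        reconstruct_key(two)
        partial_refused = False
    except PermissionError:
        partial_refused = True

    # 3. Even bypassing the check, XORing the two shards they hold yields a
    #    value unrelated to the key (probability of a match is 2**-256).
    guess_wrong = xor_bytes(two["sbt"], two["profile"]) != key

    # 4. The user deletes the SBT (section 1.3): its shard is gone, so the
    #    remaining two holders cannot recover the archive either.
    after_delete = {h: s for h, s in shards.items() if h != "sbt"}
    try:
        reconstruct_key(after_delete)
        sbt_deletion_locks_archive = False
    except PermissionError:
        sbt_deletion_locks_archive = True

    return {
        "full_ok": full_ok,
        "partial_refused": partial_refused,
        "guess_wrong": guess_wrong,
        "sbt_deletion_locks_archive": sbt_deletion_locks_archive,
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the four outcomes. A true threshold scheme (t-of-n with t < n, such as Shamir's) would trade this strict all-or-nothing property for tolerance of a lost shard; with either choice, the guarantee in this section depends on the shards being generated from fresh randomness on the device and never being co-located with each other.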

3. Special Categories of Personal Data

3.1 What data is collected?

When you create a DID with our Services, we collect the following data, which includes a Special Category of Personal Data (biometric data):

  • your nodal point faceprint from picture-based facial recognition,
  • your Email-Address.

You provide certain User Information when you register for your account with the Services, as you use the Services, or as you engage with the Company through its Services. We consider all such information voluntarily provided.

3.2 How we use data

In order to uniquely identify you and to protect you and the service providers you interact with from attacks by pseudonymous identities (anti-Sybil protection), a world-wide unique identifier for each Service end-user is needed.

3.3 How we secure and retain data

The zkMe profile (hereinafter "profile") is stored on zkMe servers. Your profile consists of the following data:

  • your unique DID identifier,
  • your Email-Address,
  • a sub-domain name,
  • your FH encrypted nodal point faceprint,
  • a private key shard,
  • your wallets' public keys.

zkMe takes the highest degree of commercially reasonable measures, including administrative, technical and physical safeguards, to:

    • a. protect your profile from loss, theft, misuse, and unauthorized access, disclosure, alteration and destruction,
    • b. ensure the security, confidentiality and integrity of your profile,
    • c. protect against any threats or hazards to the security or integrity of the profile,
    • d. protect against unauthorized access to, or unauthorized disclosure of, the profile, and
    • e. take such security measures as are required by any applicable privacy laws.

We cannot completely guarantee that unauthorized third parties will never be able to defeat our security measures or use your profile for improper purposes. In the event that your profile in our possession or under our control is compromised as a result of a security breach, we shall give prompt notice to you, with full particulars, and shall immediately commence a thorough investigation of the incident.

4. Anonymized Individual Data

4.1 What data is collected?

When you verify credentials through the zkMe app, the app anonymizes your personal data through the use of zero-knowledge proofs (ZKP). Zero-knowledge proofs are a method by which we help you stay anonymous: a mathematical method to prove certain statements about you without disclosing any of the underlying personal data. The questions we verify through ZKPs are carefully selected to ensure full anonymity and to make real-name identification of you through indirect means practically impossible: each ZKP demographic profile (i.e. each distinct combination of yes/no answers) is expected to be shared by at least 50,000 people. Data that is already anonymous does not require further anonymization and is provided as collected.

Below is a list of the anonymized data that verifiers can access for each of the credentials verified through zkMe, once authorized by you:

1. Proof-of-Citizenship

    • a. Adulthood - Is the credential holder over 18 years old? [yes/no]
    • b. Citizenship - Country of your citizenship
    • c. Gender - Your Gender

2. Proof-of-Personhood

    • a. Uniqueness - Has your faceprint been used to create another Proof-of-Personhood credential with another profile/wallet? [yes/no]
    • b. Similarity Ciphertext - To what degree does your FH encrypted faceprint match previously collected FH encrypted faceprints? [0 - 100%]

3. Social

    • a. Aggregate Score - A point-based representation of your overall social media activity and engagement across different social media platforms, including but not limited to X.
    • b. Topic Specific Score - A point-based representation of your social media activity and engagement on a certain topic across different social media platforms, including but not limited to X.

4.2 How we use data

Anonymous individual user data is used by service providers ("verifiers") to verify your eligibility to access certain features and to fulfil verifiers' legal KYC requirements, and by zkMe to aggregate it into anonymous market demographic overviews. Throughout the whole process, no PII and no special category of personal data is ever exposed to any party.

4.3 How we secure and retain data

Anonymized individual data is stored on decentralized storage and is only accessible by zkMe and by verifiers that have been authorized by you. The data is protected through state-of-the-art encryption and whitelisting of trusted verifiers.

5. Device & Usage Information

5.1 What data is collected?

  • Service Usage Data may automatically be collected when you interact with our Services. This information may include data about your interactions with the features, content and links contained in our Services, the time of interaction, the operating system used, your IP address, language preferences and other cookie data. While none of this data allows us to directly identify who you are, some of it can be used to approximate your location.
  • Supplementary Data may be received about you from Data Providers. We may combine this data with the information we already have about you in order to maintain the accuracy of our records and to provide products and services that you may be interested in.
  • App Analytics might be provided by third-party tools that collect information on how you interact with our App. This data may include which pages you visit, how much time you spend on each page, which operating system and browser you use, and geographic location information. These tools generate cookies for this purpose which can only be used by the respective service provider. The data collected may be transmitted to and stored by these service providers in a country other than the one where you reside. This information does not include personal data such as names, addresses or email addresses, and is stored and used in accordance with the providers' own privacy policies.

5.2 How we use data

We collect data about how you use and interact with our Services in order to deliver, update and improve the Services that we provide to you. We use this data to:

    • a. improve and optimize the performance of our Services,
    • b. identify and investigate security risks and needed enhancements to our Services,
    • c. detect and prevent fraud and abuse of our Services,
    • d. collect statistics about the use of our Services,
    • e. analyze which of our Services are most relevant to you.

Device & Usage information is collected anonymously and is not linked to your identity or profile.

5.3 How we secure and retain data

Device & Usage information is stored on zkMe servers. zkMe takes the highest degree of commercially reasonable measures, including administrative, technical and physical safeguards, to:

    • 1. protect this information from loss, theft, misuse, and unauthorized access, disclosure, alteration and destruction,
    • 2. ensure its security, confidentiality and integrity through the use of, among others, state-of-the-art encryption such as threshold and FH encryption,
    • 3. protect against any threats or hazards to its security or integrity,
    • 4. protect against unauthorized access to, or unauthorized disclosure of, this information, and
    • 5. take such security measures as are required by any applicable privacy laws.

6. Your Data Subject rights

You may contact our Data Protection Officer (DPO) for any reason through the "Contact Us" form or via the following e-mail address: contact@zk.me.

If you have any questions that aren't addressed by this Privacy Policy, please let us know! Use this address to contact us about anything related to our use of your information, including opting out of sharing your information with others, updating your information, finding out what information we have about you, or anything that you feel violates any of the rights listed below.

If you make a request to delete your personal data, that request will be honored only to the extent that the data is no longer needed for the Services, or is no longer required for our business, legal or contractual record-keeping requirements. Any request to delete all or any personal data related to a Visitor is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies we operate to process the data. Where a Personal Data Breach occurs or is suspected, it is reported immediately to the DPO or the CEO and, where applicable, to the data protection authority and to the individual affected by the breach. The report includes full and accurate details of the incident (including its causes and magnitude) and sets out the planned measures intended to remedy the breach.

We adhere to the principles of personal data protection as set out in the CCPA and the EU GDPR. In accordance with these principles, Personal Data is:

  • Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
  • Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • Kept accurate and up to date;
  • Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which it is processed;
  • Not retained longer than necessary;
  • Processed in a manner that ensures its appropriate security;
  • Not transferred outside the EEA without adequate protection.

We follow generally accepted standards to collect, store and protect Personal Data, including the use of encryption. We retain personal data for as long as it is needed to provide the Services.

We process Personal Data under Article 28 of the EU GDPR. We may determine the purposes and means of Personal Data Processing under Article 24 of the EU GDPR. We ensure that no Personal Data is used for any purposes incompatible with the aforementioned ones. If we are legally permitted to do so, we will take reasonable steps to notify you in the event we are required to provide your information to third parties as part of a legal process. It should be underlined that we do not sell Personal Data and strictly comply with the restrictions and prohibitions under the CCPA and the EU GDPR.

As the Data Controller, we respect and guarantee the following rights of each Data Subject:

  • Right to obtain confirmation as to whether or not his or her personal data are being processed, and to access them (Article 15 of the EU GDPR);
  • Right to rectification (Article 16 of the EU GDPR);
  • Right to erasure of Personal Data (Article 17 of the EU GDPR) if one of the following applies: (i) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing; (iii) the Personal Data have been unlawfully processed;
  • Right to restriction of processing (Article 18 of the EU GDPR) if one of the following applies: (i) the accuracy of the personal data is contested; (ii) the processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead; (iii) zkMe Technology Limited no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject to establish, exercise or defend legal claims; (iv) the Data Subject has objected to processing pending the verification of whether the legitimate grounds of zkMe Technology Limited override those of the Data Subject;
  • Right to be informed (Article 19 of the EU GDPR);
  • Right to data portability (Article 20 of the EU GDPR);
  • Right to object (Article 21 of the EU GDPR) if the processing is justified by the "public interest" or "legitimate interest" legal ground as set out in points (e) and (f) of Article 6(1) of the GDPR;
  • Right not to be subject to a decision based solely on automated processing (Article 22 of the EU GDPR) unless one of the following applies: (i) such a decision is necessary for entering into, or the performance of, a contract; (ii) such a decision is authorised by law to which zkMe is subject and which also lays down suitable measures to safeguard the Data Subject's rights, freedoms and legitimate interests; or (iii) such a decision is based on the Data Subject's explicit consent;
  • Right to lodge a complaint with a supervisory authority (Article 77 of the EU GDPR).

We guarantee that making a request to receive your personal data is free of charge, unless a reasonable fee is charged where requests are manifestly unfounded, excessive or repetitive in character.

7. Definitions

  • CCPA: the California Consumer Privacy Act of 2018, Civil Code section 1798.100 et seq.
  • EU GDPR: the General Data Protection Regulation 2016/679 (GDPR), a regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA).
  • Consent: any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their Personal Data.
  • Data Processor: zkMe Technology Limited where it processes personal data.
  • Data Providers: third-party service providers or public authorities that are used to collect additional information necessary for the provision of the Services.
  • Data Subject: any Visitor whose Personal Data zkMe Technology Limited may process.
  • Personal Data: any information relating to an identified or identifiable Data Subject.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Personal Data Processing: any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • Third-Party Processors: processors authorised to process data under the direct authority of zkMe Technology Limited.
  • Visitor: any individual using the App and connected Services.
  • Website: https://zk.me/

8. Changes to the Privacy Policy

This App Privacy Policy is reviewed and amended on an ongoing basis in order to maintain compliance with the CCPA and the EU GDPR.

If we make any substantial changes, we will notify you through the Services. Any changes to this Policy become effective fifteen (15) calendar days after we post our notification through the Services. These changes are effective immediately for new users of the Services. Continued use of the Services following notice of changes to this Policy indicates your acknowledgement and acceptance of such changes and your agreement to be bound by the updated Policy.