Data Handling & Privacy

Introduction

CR3Dentials is built privacy-by-design: protecting your sensitive information is not a feature added on top, it is the principle that shapes every part of the platform. This page explains what we collect, what we never collect, how data is processed and stored, who it can be shared with, and how you control it.

Core Privacy Philosophy

Zero-Knowledge Architecture

The system is designed so that we do not receive, store or process your sensitive personal information. This is not only a policy commitment: raw credentials are processed on your device and turned into cryptographic proofs there, so what reaches our servers is a proof about your data, not the data itself. The sections below spell out exactly which metadata we do hold.

Key Principles:

  • Privacy by Design: Privacy protections are built into the technology, not added later

  • Data Minimization: We collect only what's absolutely necessary for verification

  • User Control: You decide what information to share and with whom

  • Cryptographic Guarantees: Mathematical proofs ensure privacy, not just promises

What Data We Never Collect or See

Financial Information

CR3Dentials never has access to your financial data:

Never Collected               Why We Don't Need It

Bank account numbers          Zero-knowledge proofs verify ownership without revealing accounts
Account balances              We verify threshold compliance, not exact amounts
Transaction histories         Pattern verification happens locally on your device
Credit card information       Not required for our verification process
Investment portfolios         Outside scope of current verification types
Credit scores                 We verify creditworthiness claims, not scores themselves
Tax documents                 Income verification through secure third-party proofs
Loan information              Not collected or needed for verification

Personal Identifiable Information (PII)

We operate without accessing traditional PII:

Never Collected             Alternative Approach

Social Security Numbers     Identity verified through cryptographic proofs
Driver's license numbers    Age/identity verified without document access
Passport information        Citizenship claims verified through ZK proofs
Home addresses              Location verification without address disclosure
Birth dates                 Age verification without revealing exact birth date
Phone numbers*              Only collected if you choose to provide one for communication
Biometric data              Never collected or processed
Government ID photos        Identity verified through other means

*Phone numbers are only collected if you explicitly provide them for account recovery or communication preferences.

Employment & Professional Information

Your career details remain private:

Never Collected           How We Verify Instead

Salary amounts            Income threshold verification through ZK proofs
Employment contracts      Employment status verified through third parties
HR records                Professional claims verified without record access
Performance reviews       Skill attestations from colleagues/supervisors
Job titles                Professional credentials verified independently
Employer names*           Employment verification without revealing employers
Start/end dates*          Employment duration verified in ranges

*May be disclosed at your discretion for specific verification types.

Health & Medical Information

We never process health data. Health-related verification types are not part of the current offering; the table shows the approach planned for them, which follows the same model as the categories above:

Never Collected             Planned Approach

Medical records             Health claims verified through ZK proofs
Insurance information       Coverage verification without policy details
Prescription data           Medical credentials without personal health info
Health test results         Compliance verification without result disclosure
Mental health records       Professional credentials only
Disability information      Accommodation verification without disclosure

What Data We Do Collect

Account & Authentication Data

Required for Account Creation:

  • Email Address: For account creation, recovery, and important notifications

    • Stored encrypted in our database

    • Used only for authentication and critical communications

    • Can be changed at any time and is deleted when you close your account

  • Wallet Address: For blockchain-based authentication

    • The address only, which is derived from your public key; your private key stays in your wallet and is never sent to us

    • Used for Web3 authentication and for signing attestations

    • A standard blockchain address, public by nature: anything attested on-chain is linked to it

Optional Profile Information:

  • Display Name: User-chosen identifier for attestations

    • Can be pseudonymous or anonymous

    • Used for attestation attribution

    • Changeable at any time

  • Communication Preferences: How you want to receive notifications

    • Email frequency settings

    • Notification types (verification updates, security alerts)

    • Can be modified in account settings

Verification Metadata

Request Information:

  • Verification Type: What kind of verification was requested (income, employment, etc.)

  • Requirements: Threshold amounts, time periods, criteria (e.g., "income > $50k")

  • Request Timestamp: When verification was initiated

  • Expiration Date: When verification request expires

  • Status: Current state (pending, completed, failed, expired)

Proof Validation Data:

  • Cryptographic Proof Hashes: Digests of the proofs you submit; a hash cannot be reversed into the proof, let alone into the data the proof was about

  • Validation Results: Whether proofs passed or failed verification

  • Validation Timestamp: When proof validation occurred

  • Proof Method: Which verification method was used (Reclaim, direct attestation, etc.)

Attestation References:

  • Attestation UIDs: Unique identifiers for blockchain attestations

  • Schema Information: Structure of attestation data

  • Blockchain Network: Which network attestation was created on

  • Public Keys: For attestation signature verification

Technical & System Data

API Usage Logs:

  • Request Timestamps: When API calls were made

  • Endpoint Access: Which API endpoints were called

  • Response Codes: Success/failure status of requests

  • IP Addresses: For security monitoring and fraud prevention

  • User Agent: Browser/app information for compatibility

Error & Debugging Logs:

  • Error Messages: Technical errors (never containing personal data)

  • Stack Traces: For debugging (scrubbed of sensitive information)

  • Performance Metrics: Response times, system load

  • Usage Statistics: Anonymous, aggregated platform usage

Security Monitoring:

  • Login Attempts: Successful and failed authentication attempts

  • Suspicious Activity: Unusual access patterns or potential threats

  • Rate Limiting: API usage patterns for abuse prevention

  • Audit Trail: Record of sensitive operations (without personal data)

Data Processing Methods

Zero-Knowledge Proof Processing

Step 1: Local Proof Generation

  • Raw credentials processed on your device only

  • Zero-knowledge proofs generated locally

  • CR3Dentials never receives raw data

Step 2: Proof Transmission

  • Only the cryptographic proof and the public statement it proves (for example, "income above the requested threshold") are sent to our servers

  • The proof reveals nothing about the underlying values beyond that statement

  • The proof can be checked mathematically without any access to the source data

Step 3: Proof Validation

  • We validate proof authenticity and correctness

  • Verification against requested criteria

  • No access to underlying data used in proof

Step 4: Result Processing

  • Pass/fail result generated

  • Attestation created with public claims only

  • Personal data never included in final attestation
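
The four steps above, worked through for the simplest kind of zero-knowledge proof: a Schnorr proof that the holder of a wallet key knows its private key, which is the "verify ownership without revealing accounts" case from the financial table and the wallet-based authentication described under Account & Authentication Data. This is an added example, not CR3Dentials' code or protocol. It uses P-256 from the Go standard library purely for illustration (a wallet would use its chain's curve), and a threshold claim such as "income > $50k" needs a range proof, which is a different and much larger construction than the proof of key knowledge shown here. The statement string, the attestation record layout and all names are assumptions of the example.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// curve is the prime-order group the proof lives in: P-256 from the Go
// standard library, chosen for illustration only.
var curve = elliptic.P256()

// Proof is all that leaves the device: commitment R = k*G and response
// s = k + c*x mod n. Neither value reveals the private key x.
type Proof struct {
	Rx, Ry, S *big.Int
}

// Attestation is what the server records: public key, public statement and a
// hash of the proof, never the secret the proof was about.
type Attestation struct {
	Subject, Statement, ProofHash string
}

// challenge is the Fiat-Shamir challenge c = H(R || P || statement) mod n.
// Hashing P and the statement binds the proof to this key and this claim only.
func challenge(Rx, Ry, Px, Py *big.Int, statement string) *big.Int {
	h := sha256.New()
	h.Write(elliptic.Marshal(curve, Rx, Ry))
	h.Write(elliptic.Marshal(curve, Px, Py))
	h.Write([]byte(statement))
	c := new(big.Int).SetBytes(h.Sum(nil))
	return c.Mod(c, curve.Params().N)
}

// randomScalar draws a scalar uniformly from [1, n-1].
func randomScalar() (*big.Int, error) {
	n := curve.Params().N
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
	if err != nil {
		return nil, err
	}
	return k.Add(k, big.NewInt(1)), nil
}

// PublicKey returns P = x*G.
func PublicKey(priv *big.Int) (*big.Int, *big.Int) {
	return curve.ScalarBaseMult(priv.Bytes())
}

// Prove is step 1, run on the user's device. The nonce k must be fresh per
// proof: two proofs sharing k (with different c) let anyone solve for x.
func Prove(priv *big.Int, statement string) (Proof, error) {
	n := curve.Params().N
	if priv.Sign() <= 0 || priv.Cmp(n) >= 0 {
		return Proof{}, errors.New("private scalar out of range")
	}
	k, err := randomScalar()
	if err != nil {
		return Proof{}, err
	}
	Rx, Ry := curve.ScalarBaseMult(k.Bytes())
	Px, Py := PublicKey(priv)
	c := challenge(Rx, Ry, Px, Py, statement)
	s := new(big.Int).Mul(c, priv)
	s.Add(s, k).Mod(s, n)
	return Proof{Rx: Rx, Ry: Ry, S: s}, nil
}

// Verify is step 3, run by the server: accept iff s*G == R + c*P. It uses
// only public values and learns nothing about x beyond "the prover knows it".
func Verify(Px, Py *big.Int, statement string, p Proof) bool {
	// Nil, off-curve or out-of-range inputs are rejected first; elliptic.Add
	// panics on points that are not on the curve.
	if p.Rx == nil || p.Ry == nil || p.S == nil ||
		!curve.IsOnCurve(Px, Py) || !curve.IsOnCurve(p.Rx, p.Ry) ||
		p.S.Sign() < 0 || p.S.Cmp(curve.Params().N) >= 0 {
		return false
	}
	c := challenge(p.Rx, p.Ry, Px, Py, statement)
	lx, ly := curve.ScalarBaseMult(p.S.Bytes())
	cx, cy := curve.ScalarMult(Px, Py, c.Bytes())
	rx, ry := curve.Add(p.Rx, p.Ry, cx, cy)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

// Attest is step 4: a valid proof becomes a record holding public data only.
func Attest(Px, Py *big.Int, statement string, p Proof) (Attestation, bool) {
	if !Verify(Px, Py, statement, p) {
		return Attestation{}, false
	}
	sum := sha256.Sum256(append(elliptic.Marshal(curve, p.Rx, p.Ry), p.S.Bytes()...))
	return Attestation{
		Subject:   hex.EncodeToString(elliptic.Marshal(curve, Px, Py)),
		Statement: statement,
		ProofHash: hex.EncodeToString(sum[:]),
	}, true
}

func main() {
	priv, _ := randomScalar() // constructed demo key, not a real wallet key
	px, py := PublicKey(priv)
	stmt := "controls wallet for verification request 1" // constructed statement
	proof, _ := Prove(priv, stmt)
	att, ok := Attest(px, py, stmt, proof)
	fmt.Printf("valid=%v\nattestation=%+v\n", ok, att)
}
```

Two things to take from the example: the only values that cross the network are `Rx`, `Ry` and `S`, and the record the server keeps is the `Attestation` (a public key, a public statement and a proof digest, matching the "Cryptographic Proof Hashes" item under Verification Metadata), not the private scalar. The check on `S` and the `IsOnCurve` guard in `Verify` are the part a verifier most often gets wrong: without them a malformed proof can crash the verifier or pass with an invalid point.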

Reclaim Protocol Integration

Secure Data Sourcing:

  • Reclaim connects your device directly to the data source (bank, employer portal, etc.) over HTTPS

  • A Reclaim witness attests to that TLS session, so the resulting proof is tied to a response that genuinely came from the source

  • CR3Dentials never sees the source data

Proof Generation Process:

  • The response is processed on your device by Reclaim's zero-knowledge prover

  • A proof is generated for exactly the claim your verification requires

  • Only that proof is transmitted to CR3Dentials

Privacy Guarantees:

  • Source data stays on your device; it is never uploaded to CR3Dentials

  • CR3Dentials receives the proof and the public claim it attests to, validates the proof, and records only the result

  • The audit trail holds proof metadata and validation results, not personal data

Data Storage & Security

Encryption Standards

Data at Rest:

  • AES-256 Encryption: All stored data encrypted with industry-standard encryption

  • Key Rotation: Encryption keys rotated every 90 days

  • Separate Key Management: Encryption keys stored separately from data

  • Hardware Security Modules: Keys protected by HSMs in production
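
How the four data-at-rest controls above fit together, as an added example that is not CR3Dentials' code: an envelope-encryption scheme in Go in which each stored field gets its own data key (DEK), that DEK is wrapped by a versioned key-encryption key (KEK) kept in a separate store (the role an HSM-backed KMS plays in production), and a key rotation re-wraps only the DEKs rather than re-encrypting the data. The in-memory `KMS`, the `Record` layout, the record identifiers and the sample plaintext are constructed for the example, and AES-256-GCM is the example's choice of mode, since the page says only "AES-256".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n bytes from crypto/rand; failure there is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-256-GCM for a 32-byte key. Every key in this file is 32
// bytes, so a construction error is a programming bug, not a runtime case.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts under a fresh nonce and returns nonce || ciphertext || tag;
// aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// KMS stands in for the separate key store (HSM-backed in production; a
// constructed in-memory map here). It holds only key-encryption keys (KEKs),
// never data or data keys, so a database dump alone decrypts nothing.
type KMS struct {
	keks    map[int][]byte // KEK version -> 32-byte AES-256 key
	current int
}

// Rotate mints a new KEK version and makes it current. Older versions stay
// until Retire, so existing records remain readable until they are re-wrapped.
func (k *KMS) Rotate() {
	if k.keks == nil {
		k.keks = map[int][]byte{}
	}
	k.current++
	k.keks[k.current] = randBytes(32)
}

// Retire deletes a KEK version; the safe order is rotate, re-wrap, then retire.
func (k *KMS) Retire(version int) { delete(k.keks, version) }

// wrapAAD binds a wrapped DEK to its record and KEK version, so it cannot be
// transplanted to another record or replayed under another version.
func wrapAAD(id string, version int) []byte {
	return []byte(fmt.Sprintf("%s|kek-v%d", id, version))
}

// Record is one stored field: ciphertext under a per-record DEK plus that
// DEK wrapped by a versioned KEK.
type Record struct {
	ID         string
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt: a fresh DEK encrypts the field, the current KEK wraps the DEK.
func Encrypt(k *KMS, id string, plaintext []byte) Record {
	dek := randBytes(32)
	return Record{
		ID:         id,
		KEKVersion: k.current,
		WrappedDEK: seal(k.keks[k.current], dek, wrapAAD(id, k.current)),
		Ciphertext: seal(dek, plaintext, []byte(id)),
	}
}

// unwrap recovers a record's DEK, failing if its KEK version has been retired.
func unwrap(k *KMS, r Record) ([]byte, error) {
	kek, ok := k.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK, wrapAAD(r.ID, r.KEKVersion))
}

// Decrypt unwraps the DEK, then opens the field.
func Decrypt(k *KMS, r Record) ([]byte, error) {
	dek, err := unwrap(k, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

// Rewrap moves a record to the current KEK. Only the 32-byte DEK is
// re-encrypted; the field ciphertext is untouched, which is what keeps a
// 90-day rotation cheap across a large table.
func Rewrap(k *KMS, r Record) (Record, error) {
	dek, err := unwrap(k, r)
	if err != nil {
		return Record{}, err
	}
	r.KEKVersion = k.current
	r.WrappedDEK = seal(k.keks[k.current], dek, wrapAAD(r.ID, k.current))
	return r, nil
}

func main() {
	kms := &KMS{}
	kms.Rotate()
	rec := Encrypt(kms, "user-42/email", []byte("alice@example.test")) // constructed sample
	kms.Rotate()
	rec, _ = Rewrap(kms, rec)
	kms.Retire(1)
	pt, err := Decrypt(kms, rec)
	fmt.Printf("KEK v%d: %q (err=%v)\n", rec.KEKVersion, pt, err)
}
```

The ordering in `main` is the operational point of a rotation: mint the new KEK, re-wrap every record, and only then retire the old version. Retiring first turns every record still wrapped under the old KEK into unrecoverable bytes, which `Decrypt` reports as a missing key version rather than silently returning garbage. The AAD on the wrapped DEK is the other detail worth keeping: without it, a wrapped key copied from one row to another decrypts cleanly under the same KEK.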

Data in Transit:

  • TLS 1.3: All communication between clients and our servers runs over TLS 1.3

  • Certificate Pinning: Our native clients accept only the server keys they ship with, so a certificate mis-issued by a compromised or rogue CA cannot be used to intercept traffic. Browsers have no pinning mechanism, so web sessions rely on standard certificate validation

  • Perfect Forward Secrecy: Every session negotiates ephemeral keys, so a later compromise of the server's long-term key does not expose previously recorded sessions

  • Client-to-Server Encryption: Sensitive operations are only ever carried over this channel. This is transport encryption between you and our servers, not end-to-end encryption in the messaging sense; the stronger guarantee is that raw credentials never leave your device at all (see Data Processing Methods)

Data Sharing & Third-Party Access

What We Never Share

Prohibited Sharing:

  • Raw Personal Data: Never shared, as we don't collect it

  • Financial Information: Never accessed or shared

  • Identity Documents: Never collected or shared

  • Private Communications: User messages or personal interactions

  • Location Data: Precise location information never collected

  • Browsing History: We don't track or share web activity

Limited Sharing Scenarios

Authorized Verification Results:

  • Cryptographic Proof Results: Shared only with parties you authorize

  • Attestation References: Public blockchain references (contain no personal data)

  • Verification Status: Pass/fail results for authorized verifiers

  • Compliance Claims: Regulatory compliance status when required

Legal Requirements:

  • Law Enforcement Requests: Limited to proof metadata, never raw credentials

  • Court Orders: Compliance with valid legal process

  • Regulatory Audits: Anonymized data for compliance verification

  • National Security: As required by law (we'll fight overreach)

Service Providers:

  • Infrastructure Partners: Hosting, security, and monitoring services (with strict DPAs)

  • Blockchain Networks: Public attestation data only

  • Email Service: For account communications (encrypted in transit)

  • Security Services: Threat detection and prevention (anonymized data)

Third-Party Service Agreements

Data Processing Agreements (DPAs):

  • All service providers sign comprehensive DPAs

  • Strict limitations on data use and processing

  • Regular audits of third-party compliance

  • Right to terminate for privacy violations

Service Provider Categories:

  • Infrastructure: AWS, Google Cloud (encrypted data only)

  • Security: Threat detection services (anonymized logs)

  • Communication: Email delivery services (minimal data)

  • Monitoring: Performance and uptime monitoring (no personal data)

User Rights & Controls

Data Access Rights

View Your Data:

  • Account Dashboard: See all data we have about you

  • Verification History: Complete record of your verifications

  • Attestation Registry: All attestations created for you

  • Data Export: Download your data in JSON format

Data Portability:

  • Instant Export: Download your verification history and attestations

  • Standardized Format: JSON export compatible with other systems

  • Cryptographic Proofs: Export proof metadata for independent verification

  • Attestation References: Blockchain UIDs for public verification

Privacy Controls

Verification Privacy Settings:

  • Disclosure Level: Choose how much information to reveal per verification

  • Verifier Authorization: Control who can request verifications from you

  • Attestation Visibility: Public, private, or semi-private attestations

  • Expiration Settings: Set automatic expiration for sensitive attestations

Communication Controls:

  • Notification Preferences: Choose what communications you receive

  • Contact Methods: Select preferred communication channels

  • Marketing Opt-Out: No marketing communications (we don't do marketing anyway)

  • Emergency Contacts: Optional emergency notification settings

Account Management

Profile Controls:

  • Pseudonymous Operation: Use a pseudonym or an opaque identifier instead of your name if preferred

  • Multiple Identities: Create separate verification identities

  • Identity Switching: Switch between professional and personal identities

  • Anonymous Verification: Option for attestations that carry no display name or profile information. Note that an on-chain attestation is still linked to the wallet address that signed it, so this anonymity is only as strong as the unlinkability of that address

Security Settings:

  • Two-Factor Authentication: Required for sensitive operations

  • Login Notifications: Alerts for new device access

  • Suspicious Activity: Automatic alerts for unusual account activity

  • Session Management: View and terminate active sessions
