Skip to main content
Cr3dentials runs on a privacy-by-design architecture. Protecting your sensitive information is the principle that shapes the platform, not a feature added on top. This page is a full account of how we handle data: what we collect, what we don’t, and how we protect your privacy.

Core Privacy Philosophy

Zero-Knowledge Architecture

Our system is built so that we cannot and do not access your sensitive personal information. This is a property of the architecture, not a policy choice. Key Principles
  • Privacy by design: Privacy protections are built into the technology, not added later.
  • Data minimization: We collect only what verification requires.
  • User control: You decide what to share and with whom.
  • Cryptographic guarantees: Mathematical proofs ensure privacy, not just promises.

What We Never Collect or See

Financial Information

Cr3dentials never has access to your financial data.
Never CollectedWhy We Don’t Need It
Bank account numbersZero-knowledge proofs verify ownership without revealing accounts
Account balancesWe verify threshold compliance, not exact amounts
Transaction historiesPattern verification happens locally on your device
Credit card informationNot required for our verification process
Investment portfoliosOutside scope of current verification types
Credit scoresWe verify creditworthiness claims, not scores themselves
Tax documentsIncome verification through secure third-party proofs
Loan informationNot collected or needed for verification

Personal Identifiable Information (PII)

We operate without accessing traditional PII.
Never CollectedAlternative Approach
Social Security NumbersIdentity verified through cryptographic proofs
Driver’s license numbersAge/identity verified without document access
Passport informationCitizenship claims verified through ZK proofs
Home addressesLocation verification without address disclosure
Birth datesAge verification without revealing exact birth date
Phone numbers*Only collected if you choose it for communication
Biometric dataNever collected or processed
Government ID photosIdentity verified through other means
Phone numbers are only collected if you explicitly provide them for account recovery or communication preferences.

Employment and Professional Information

Your career details remain private.
Never CollectedHow We Verify Instead
Salary amountsIncome threshold verification through ZK proofs
Employment contractsEmployment status verified through third parties
HR recordsProfessional claims verified without record access
Performance reviewsSkill attestations from colleagues/supervisors
Job titlesProfessional credentials verified independently
Employer names*Employment verification without revealing employers
Start/end dates*Employment duration verified in ranges
Employer names and employment dates may be disclosed at your discretion for specific verification types.

Health and Medical Information

We never process health data.
Never CollectedHow We Verify Instead
Medical recordsHealth claims verified through ZK proofs
Insurance informationCoverage verification without policy details
Prescription dataMedical credentials without personal health info
Health test resultsCompliance verification without result disclosure
Mental health recordsProfessional credentials only
Disability informationAccommodation verification without disclosure

What We Do Collect

Account and Authentication Data

Required for account creation
  • Email address: For account creation, recovery, and important notifications.
    • Stored encrypted in our database.
    • Used only for authentication and critical communications.
    • Can be updated or removed when closing your account.
  • Wallet address: For blockchain-based authentication.
    • Public key only, never private keys.
    • Used for Web3 authentication and attestation signing.
    • A standard blockchain address, publicly visible by nature.
Optional profile information
  • Display name: A user-chosen identifier for attestations. Can be pseudonymous or anonymous, and changeable at any time.
  • Communication preferences: Email frequency settings and notification types (verification updates, security alerts). Modifiable in account settings.

Verification Metadata

Request information
  • Verification type: What kind of verification was requested (income, employment, etc.)
  • Requirements: Threshold amounts, time periods, criteria (e.g., “income > $50k”)
  • Request timestamp: When verification was initiated
  • Expiration date: When the request expires
  • Status: Current state (pending, completed, failed, expired)
Proof validation data
  • Cryptographic proof hashes: Mathematical representations of proofs, not original data
  • Validation results: Whether proofs passed or failed
  • Validation timestamp: When validation occurred
  • Proof method: Which method was used (Reclaim, direct attestation, etc.)
Attestation references
  • Attestation UIDs: Unique identifiers for blockchain attestations
  • Schema information: Structure of attestation data
  • Blockchain network: Which network the attestation was created on
  • Public keys: For attestation signature verification

Technical and System Data

API usage logs
  • Request timestamps, endpoint access, response codes
  • IP addresses for security monitoring and fraud prevention
  • User agent for browser/app compatibility
Error and debugging logs
  • Error messages (never containing personal data)
  • Stack traces (scrubbed of sensitive information)
  • Performance metrics and anonymous, aggregated usage statistics
Security monitoring
  • Login attempts (successful and failed)
  • Suspicious activity and unusual access patterns
  • Rate limiting for abuse prevention
  • Audit trail of sensitive operations (without personal data)

Data Processing Methods

Zero-Knowledge Proof Processing

1

Local proof generation

Raw credentials are processed on your device only. Zero-knowledge proofs are generated locally. Cr3dentials never receives raw data.
2

Proof transmission

Only cryptographic proofs are sent to our servers. Proofs contain no personal information, and mathematical validation is possible without data access.
3

Proof validation

We validate proof authenticity and correctness against the requested criteria. We have no access to the underlying data used in the proof.
4

Result processing

A pass/fail result is generated and an attestation is created with public claims only. Personal data is never included in the final attestation.

Reclaim Protocol Integration

Secure data sourcing
  • Reclaim connects directly to data sources (banks, employers, etc.).
  • TLS witnessing ensures data authenticity.
  • Cr3dentials never sees the source data.
Proof generation process
  • Raw data is processed by Reclaim’s zero-knowledge engine.
  • Cryptographic proofs are generated to meet your requirements.
  • Only mathematical proofs are transmitted to Cr3dentials.
Privacy guarantees
  • Source data never leaves Reclaim’s secure environment.
  • Cr3dentials receives only proof validation results.
  • A full audit trail exists without personal data exposure.

Data Storage and Security

Encryption Standards

Data at rest
  • AES-256 encryption: All stored data is encrypted with industry-standard encryption.
  • Key rotation: Encryption keys rotated every 90 days.
  • Separate key management: Encryption keys stored separately from data.
  • Hardware security modules: Keys protected by HSMs in production.
Data in transit
  • TLS 1.3: Latest transport layer security for all communications.
  • Certificate pinning: Prevents man-in-the-middle attacks.
  • Perfect forward secrecy: Each session uses unique encryption keys.
  • End-to-end encryption: Sensitive operations encrypted client-to-server.

Data Sharing and Third-Party Access

What We Never Share

  • Raw personal data: Never shared, because we don’t collect it.
  • Financial information: Never accessed or shared.
  • Identity documents: Never collected or shared.
  • Private communications: User messages or personal interactions.
  • Location data: Precise location is never collected.
  • Browsing history: We don’t track or share web activity.

Limited Sharing Scenarios

Authorized verification results
  • Cryptographic proof results: Shared only with parties you authorize.
  • Attestation references: Public blockchain references that contain no personal data.
  • Verification status: Pass/fail results for authorized verifiers.
  • Compliance claims: Regulatory compliance status when required.
Legal requirements
  • Law enforcement requests: Limited to proof metadata, never raw credentials.
  • Court orders: Compliance with valid legal process.
  • Regulatory audits: Anonymized data for compliance verification.
  • National security: As required by law; we will fight overreach.
Service providers
  • Infrastructure partners: Hosting, security, and monitoring (with strict DPAs).
  • Blockchain networks: Public attestation data only.
  • Email service: For account communications (encrypted).
  • Security services: Threat detection and prevention (anonymized data).

Third-Party Service Agreements

All service providers sign comprehensive Data Processing Agreements (DPAs) with strict limitations on data use and processing, regular compliance audits, and the right to terminate for privacy violations.
CategoryProvidersData Shared
InfrastructureAWS, Google CloudEncrypted data only
SecurityThreat detection servicesAnonymized logs
CommunicationEmail delivery servicesMinimal data
MonitoringPerformance and uptimeNo personal data

User Rights and Controls

Data Access Rights

View your data
  • Account dashboard: See all data we have about you.
  • Verification history: Complete record of your verifications.
  • Attestation registry: All attestations created for you.
  • Data export: Download your data in JSON format.
Data portability
  • Instant export of verification history and attestations.
  • Standardized JSON format compatible with other systems.
  • Proof metadata exportable for independent verification.
  • Attestation references (blockchain UIDs) for public verification.

Privacy Controls

Verification privacy settings
  • Disclosure level: Choose how much to reveal per verification.
  • Verifier authorization: Control who can request verifications from you.
  • Attestation visibility: Public, private, or semi-private attestations.
  • Expiration settings: Set automatic expiration for sensitive attestations.
Communication controls
  • Notification preferences: Choose what communications you receive.
  • Contact methods: Select preferred channels.
  • Marketing opt-out: No marketing communications.
  • Emergency contacts: Optional emergency notification settings.

Account Management

Profile controls
  • Pseudonymous operation: Use chosen names or identifiers.
  • Multiple identities: Create separate verification identities.
  • Identity switching: Switch between professional and personal identities.
  • Anonymous verification: Option for completely anonymous attestations.
Security settings
  • Two-factor authentication: Required for sensitive operations.
  • Login notifications: Alerts for new device access.
  • Suspicious activity: Automatic alerts for unusual account activity.
  • Session management: View and terminate active sessions.