Vault App Privacy Policy

Key definitions

Analytics

ID Crypt Global reserves the rights to looks at trends of usage within the app. All information gathered through analytics is for the purpose of ID Crypt Global improving their customer experience, with all data used being aggregated and anonymous.

Biometrics

A study of people's unique physical and behavioural characteristics, which aims to identify or recognise a unique individual based on traits they have. ID Crypt Global uses biometrics to create a Biometric Lock for your digital identities and use of the ID Crypt Global app and services. Biometric locks are based on biometric models created from your face or voice. Note neither an image nor voice recording is stored, rather only the resulting biometric model is stored by ID Crypt Global.

Data Controller

The data controller determines the purposes for which and how personal data is processed. So, if your company/organisation decides "why" and "how" the personal data should be processed it is the data controller.

Data Protection Officer

The person who is responsible for overseeing a company's data protection implementation to ensure compliance with data privacy law.

Encryption

This allows information to be hidden so that it cannot be read without a cryptographic key.

GDPR

The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the UK & European Union (EU). It protects people and lays down rules about how data about people can be used.

This Privacy Policy

This privacy policy covers the ID Crypt Global Vault Application (the "app").

ID Crypt Global is both the technology provider, developer and provider of the ID Crypt Global Vault App and Data Controller of personal identifiable data that forms your digital identity.

The app is a Self-Sovereign Identity (SSI) app that provides you with a secure mobile vault to hold digital identities within. It works by allowing you to share verified details (claims/attributes) from your digital identity (which is created from ID documents that you own).

The app enables you to quickly share specific claims about your identity in a secure, cryptographically verified fashion, be that in an online environment or physically face to face. The app is interoperable with any SSI based implementation and other SSI apps.

Information collection and use

ID Crypt Global collects limited information when creating / configuring the app. Additional information is collected when a digital identity is to be issued to you the user, this information is dependent on the type of digital identity being requested/issued.

The information we collect when creating your app

PIN Code: You create a unique PIN code that is used to secure the use of your app.

Biometric model: A biometric model derived from an image taken of you from the app (this can be from a video) is produced and stored. This is stored to enable biometrics to be used to lock and secure your app. In addition, the biometric model provides additional security and protection if your device is lost or stolen. Please note, ID Crypt Global does not store a picture / video of your face, only the resulting data model.

The information we collect when issuing you with an ID Crypt Global Digital Passport Identity

Name: Your name is collected from your government issued passport.

Date of birth: Your date of birth is collected from your government issued passport. It can be used to confirm your age if you are requested to do so.

Document ID: Your government issued passport document ID is collected, this is to allow matching to any governmental lists and to confirm the validity of the passport.

The information we collect when issuing you with an ID Crypt Global Email identity

Email address: We collect your email address, so that ownership of this maybe cryptographically proven to third parties.

Information collected by the app is used to issue digital identity credentials to your mobile device

Other SSI issuers may also form connections with the app and therefore issue digital Identity credentials. These third parties will have collected data relevant to the identity they are issuing. Note that even though these third-party identity credentials are stored within the app, ID Crypt Global does not collect or store this information nor is ID Crypt Global aware of the issued credential.

Resolving issues

The app can be installed on multiple devices and contain the ID Crypt Global digital identities on multiple devices. However, digital identities are linked to a single account and therefore cannot be shared across accounts or used on a different account. If you attempt to create a digital identity that has already been created, then you will receive an error message. In such instances, you should attempt to recover your account and previously issued digital identities. Once recovered, then you will receive the various ID Crypt Global digital identities that have been issued to you in the past.

ID Crypt Global does not provide identity credentials for all use cases, other SSI issuers may provide identity credentials which are stored within the app. Any issues with receiving these credentials should be addressed to the third-party issuer.

Your app may become "blocked" if you attempt to attach / create a digital identity that has already been created. ID Documents used to create a digital identity can only be used for a single account ever. Once blocked, your app will not function.

Managing your digital identity

Identity credentials that are stored within the app are managed and controlled by you alone. You have 100% total control over how claims/attributes within the credentials are shared and who they are shared with.

Recovering your account

You may need to recover your account if you are moving to a new device, have uninstalled the app, and are reinstalling the app, have had your device lost or stolen. In any case, recovering an account is carried out by:

Providing an email address which has been previously verified by ID Crypt Global.

Re-presenting your government issued passport.

Alternatively, your email address may be used with an access key.

Providing that you had received ID Crypt Global email and Passport credentials, an account can be recovered by providing the verified email address, ID Crypt Global will then provide instructions to that email address. Once these instructions have been followed, you may re-present your government issued passport for the ID Crypt Global Passport identity to be re-issued to you.

In some cases, an access key will also have to be provided. Access keys are created by you within the app and need to be stored safely outside of the app e.g., within One Drive, Google Drive or iCloud.

Deleting your account

You must delete your account prior to deleting the app. When deleting your account your data is removed from the ID Crypt Global platform. Any issued identities are scheduled for archive, where they will be deleted after 3 years. This process is not immediate due to regulatory audit requirements for certain industries where your digital identity may have been used, such as within the gaming, health or financial services industry. Note, issued credentials cannot be linked to or used when an account has been deleted.

Push notifications

Some functions require the app to receive push notifications, for example, when using password-less login capabilities to a website / digital service. The app makes available all push notification channels within the settings of the app, these maybe unique to your digital identity - however each is configurable and can therefore be switched off by you.

Information sharing

When you share your personal information

Your digital identity is under your total control; therefore, you decide when and who to share information with. When being requested to share information, the app will:

Confirm who is requesting the information from you.

Inform you of the information that is being requested.

Inform you of any additional information that is not available from a digital identity credential.

Sharing of information is known as the presentation of a "Proof". Proof records are stored within the app, acting like a receipt of what data you have shared. Proof records allow you to see who, when and what was shared with a third party.

In certain use cases, you may create a "Proof" without it being requested, you may then present this proof to a third party. In such instances it is you who has determined what information is added to the proof, the third party has not requested the information via the app.

ID Crypt Global encourages third parties that request identity proofs from any user to request as little information as possible, and wherever possible request a "zero knowledge proof" (ZKP). A ZKP provides cryptographic proof of a specific claim/attribute about you, however, it does not share any of your underlying data. An example would be a proof that is requested to confirm that you are over the age of 18. A ZKP would cryptographically confirm that you are over the age of 18, without your data of birth being shared.

When ID Crypt Global shares personal information

Only you can choose when and what information you share. However, to protect your data further, ID Crypt Global provides additional services that remove the need for a third party to store information that may be shared by you.

In several industries, personal identifiable information is collected to derive additional data, for example, your personal data is collected so that it can be used to request your credit risk score. ID Crypt Global looks to protect your personal information by providing additional information on an issued digital identity to a third party on request. In the example of a Credit Risk Score, ID Crypt Global may provide your associated Credit Risk Score based on your issued identity. This removes the need for a third party to request many claims/attributes from you and removes then need for the third party to store any if your information that you have shared. These services therefore protect your data and personal information further.

There are some circumstances where ID Crypt Global maybe legally required to share personal information.

When we suspect an account may involve identity theft, fraud or is a threat to national security.

If you present a false document.

If a request is received by law enforcement or another national security-based organisation (in such cases this will be linked to illegal activities).

Identity connections

When information is requested to be shared, this is done via a secure connection. The connection between you and the third party is cryptographically secured, ensuring no one else can intercept your data. This cryptographically secure connection generates a unique digital identity, which is a representation of the relationship you have with the third party. The third party also receives a unique digital identity representation of the connection and relationship with you. The third party may use this digital identity to remember you by.

Identity connections are unique and as such, they stop third parties collaborating and being able to correlate and collate additional personal identifiable data you.

Security and data location

We store your information relating to an issued digital identity securely in our data centres based within the EU. This data is encrypted at rest, isolated from the public internet, and always secured. Your data never leaves this secure location.

There is no need for your information to be viewed by our staff members. In addition, your data is not shared at any stage of onboarding, you are using our services or when deleting your account, except for law enforcement data requests.

Issued digital identity credentials are stored locally on your mobile device, securely within the app. When data is shared by you, it is shared directly point to point, i.e., directly from your mobile device with the third party you are sharing data with. Note ID Crypt Global is not in the flow of data sharing and therefore data is not shared from the ID Crypt Global secure data stores.

ID Crypt Global security policies are aligned with industry standards such as NIST and ISO 27001. The ID Crypt Global data location is continually tested for compliance with data centre international standards as well as for security and privacy. Independent penetration tests are carried out on an annual basis to ensure data security. ID Crypt Global will produce associated documentation on standards and security reviews of data centres if required.

Why do biometrics add additional security?

Traditional security is based around something that you know, such as a PIN or a password. This can be "guessed" or "hacked". Biometrics are linked directly to unique elements of you, such as your face, fingerprint, or voice signature. These biometrics cannot be guessed and as such, add an additional powerful layer of security.

Note that biometrics are becoming an increasingly popular way of securing accounts, many technologies focussed organisations, banks and governments are using biometrics such as voice, face, and fingerprint to secure accounts.

Your rights and choices

Access rights

You are entitled to know what personal information ID Crypt Global holds about you, and you may request a copy of that data. Note, ID Crypt Global stores only data that is linked to an issued digital identity credential. You may view this data at any time from your local device by viewing the digital identity credential in full.

In-house and Firebase analytics

Any analytical information that is collected from the use of the app is aggregated and made anonymous. We cannot therefore provide you with any information relating to your use of the app.

Correction rights

You are entitled to correct personal information that ID Crypt Global holds. Correction of data will require evidence of the correct data, this will be limited to the type of digital identity issued, such as an ID Crypt Global Email Credential or ID Crypt Global Passport. In the case of a change of name, you will be required to present a government issued passport or associated document for the name change to be verified and the digital identity credential re-issued. If you need to contact customer support, please email: privacy@idcrypt.global.

Deletion rights

In certain circumstances you are entitled to ask ID Crypt Global to delete the personal information held about you. If you want to close your account and delete your information, you can do so from within the app.

Restriction rights

In certain circumstances you are entitled to ask us to restrict our processing of your personal information. You can ask us to do this if:

You dispute the accuracy of your personal information.

Our processing of your personal information is unlawful, but you prefer restriction to deletion

We no longer need the information, but you need it for legal reasons.

You have objected to our processing, and we are still dealing with this objection.

If you want to contact us about your restriction rights, please email: letstalk@idcrypt.global

Portability rights

In certain circumstances you are entitled to receive personal information about yourself in a structured, commonly used and machine-readable format. This can be done via the app, as all information is stored within the issued digital identity credential.

Complain to the regulator

As a UK company, ID Crypt Global is regulated by the UK Information Commissioner's Office (ICO) who is responsible for making sure that companies comply with the law on handling personal information. https://ico.org.uk/global/contact-us/

Contact us

You may contact ID Crypt Global via the following methods:

General purpose email: letstalk@idcrypt.global

Privacy / Security related email: privacy@idcrypt.global

Previous privacy policy versions

All versions of the ID Crypt Global privacy policy are stored securely by ID Crypt Global. There are no previous versions to date.