Privacy Policy
Last updated: May 26, 2026 · Effective: May 26, 2026
Overview
Universal Identity Protocol ("UIP," "we," "us") provides a developer platform that lets businesses compose government-attested workflows — identity, signatures, consent, and other primitives — across the digital wallets your end users already carry (Apple Wallet, Google Wallet, EUDI national wallets, and others).
This policy explains, in plain language, what data we collect, why we collect it, how long we keep it, who we share it with, and how you can exercise your legal rights. We collect what we need and nothing more.
Two roles, two postures
UIP operates in two distinct capacities, and the posture differs in each:
- Controller — for the personal data of our business customers (the people who sign up for an account, log in, and use the dashboard). We decide why and how that data is processed.
- Processor / intermediary — for the personal data of the end users your application routes through UIP (signers, identity subjects). We process that data on our customers' instructions and, where applicable, under the intermediary regime of the EU Digital Identity Wallet framework (EUDI ARF). We do not store the credential attributes returned by wallets; we route signed presentations to the requesting customer and retain only an audit row.
Who is responsible for your data
The controller of your personal data — for account and dashboard data — is Universal Identity Protocol.
- General contact: [email protected]
- Privacy / data-subject requests: [email protected]
- Legal: [email protected]
Registered legal entity name and address will be listed here at general availability. For data-subject requests in the interim, use [email protected].
Data we collect
We collect data in the categories below. Each category is tied to a specific purpose and legal basis listed further down.
Customer account data
When you create a UIP account, we use Google's Firebase Authentication to handle sign-up, sign-in, and session management. Depending on the method you choose:
- Email + password: your email address, a salted hash of your password (we never see the plaintext), and your optional display name.
- Google sign-in: your email address, Google account identifier, display name, and profile photo URL (if you expose them).
- GitHub sign-in: your email address, GitHub account identifier, display name, and profile photo URL (if you expose them).
- Regardless of sign-in method: sign-in timestamps, the IP address used for the most recent session, and a Firebase-issued user identifier (UID).
Business customer data (B2B)
When you operate a business that integrates UIP, we additionally process:
- Business legal name, jurisdiction, and registration evidence (where required for intermediary sub-registration)
- The natural person who registered the business and the wallet credential used to verify them (for intermediary KYC)
- API keys, webhook URLs, and integration metadata
- Billing data, if applicable, processed by our payment provider
Wallet presentations (routed, not stored)
When an end user approves a request through their government wallet (e.g. an mDL attribute or a document signature), the signed presentation flows through UIP to the requesting customer. We do not persist the credential attributes themselves. Under the EUDI intermediary regime we are legally restricted from doing so, and the same posture applies globally regardless of the wallet ecosystem.
Audit chain
For each transaction we write an append-only audit row containing:
- A hash of the document or attribute set requested (not the document itself)
- The wallet's signed presentation hash and issuer certificate chain
- The requesting customer's identifier
- The trust state snapshot (cert chains, OCSP responses, RFC 3161 trusted timestamp)
- UIP's own HSM-backed signature over the row
The audit row is the evidence of a transaction. It lets any holder of the original document and the row independently verify the signature without trusting UIP. Personal identifiers (name, document number, etc.) appear only as hashes unless the customer explicitly opts to retain attributes for their own records.
Website & technical data
- IP address, approximate location derived from IP, user agent, and request timing
- Rate-limit counters and abuse-protection signals
- Aggregated, IP-anonymized usage statistics collected by Google Analytics, only after you grant analytics consent in our cookie banner
Why we collect it (purposes & legal bases)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, the table below sets out our purposes and the GDPR/UK GDPR Article 6 legal basis for each.
| Purpose | Data categories | Legal basis |
|---|---|---|
| Operating the customer dashboard | Account data | Contract (Art. 6(1)(b)) |
| Routing wallet presentations | Wallet presentations (transient) | Processor on customer's instructions (Art. 28) |
| Producing an audit trail of signatures and attestations | Audit chain | Legal obligation (Art. 6(1)(c)) and contract |
| Website analytics | Technical, aggregated usage | Consent (Art. 6(1)(a)) |
| Fraud prevention & abuse protection | Technical, audit | Legitimate interests (Art. 6(1)(f)) |
| Service operation & security | Account, technical | Contract / legitimate interests |
| Compliance with legal obligations | Audit, account | Legal obligation (Art. 6(1)(c)) |
Wallet biometrics — handled by the wallet, never by UIP
When an end user approves a request, their wallet (Apple Wallet, Google Wallet, an EUDI Member State wallet, etc.) performs biometric verification on the device — Face ID, Touch ID, fingerprint, or equivalent. The biometric template never leaves the user's device and is never transmitted to UIP. The wallet provider, not UIP, is the controller of that biometric data. UIP only receives the signed cryptographic response.
Who we share with (sub-processors)
We do not sell your personal data. We share data only with carefully vetted sub-processors that act on our written instructions under data-processing agreements. The current list is published on our sub-processor page. Categories:
- Google (Firebase Authentication): account creation, sign-in, password reset, and Google / GitHub OAuth handling
- Google (Firestore): primary database for customer accounts, business records, application state, and enterprise sales inquiries
- Google (Analytics): consent-gated, IP-anonymized website usage measurement
We do not share your personal data with advertisers or data brokers. We disclose information to law enforcement only when required by a binding legal order, and we challenge orders we consider overbroad.
International data transfers
UIP is operated from the United States, and several of our sub-processors store or process data in the United States. For EEA, UK, and Swiss data subjects, we rely on the following transfer mechanisms:
- EU Standard Contractual Clauses (2021/914): in place with each sub-processor that processes data outside the EEA
- UK International Data Transfer Addendum: applied where data leaves the UK
- Transfer Impact Assessments: conducted for each non-EEA recipient
How long we keep your data (retention)
| Category | Retention |
|---|---|
| Customer account data | For the life of your account; deleted within 30 days of account deletion |
| Business records (legal name, integration metadata) | Life of the business account; retained for up to 6 years after closure where required for tax or regulatory reasons |
| Wallet presentations (transient) | Processed in memory and routed to the customer; not persisted |
| Audit chain rows | 10 years (typical regulatory minimum for signed transactions); longer where the customer's regulatory regime requires |
| Technical logs | 90 days, then aggregated |
| Analytics data | Per Google Analytics' default retention (currently 14 months from last activity); anonymized at collection |
Your rights
Rights under GDPR / UK GDPR (EEA, UK, Switzerland)
- Access — request a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion (Art. 17)
- Restriction — pause processing while a dispute is resolved (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Objection — object to legitimate-interests processing (Art. 21)
- Withdraw consent — withdraw consent at any time for processing based on consent (Art. 7)
- Lodge a complaint — with your national supervisory authority (Art. 77)
Rights under CCPA / CPRA (California)
- Right to know what personal information we collect, use, and share
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale / sharing — UIP does not sell personal information, and we do not share for cross-context behavioral advertising
- Right to non-discrimination for exercising your rights
How to exercise these rights
Email [email protected] from the address associated with your account, or use the Delete Account control in your dashboard settings. We respond within 30 days for GDPR requests and 45 days for CCPA requests, extendable once where lawful. You may authorize an agent in writing to act on your behalf.
Cookies & similar technologies
We use strictly necessary cookies for sign-in, security, and core site features (these are always on). Analytics and marketing cookies are off by default and are loaded only if you consent through our cookie banner. You can change your choices at any time by clearing your browser's storage for this site, which will re-prompt the banner.
Security
We protect your data with transport encryption (TLS 1.2+), at-rest encryption on all stored data, role-scoped database access via Firestore Security Rules, secret rotation, and continuous monitoring. Customer authentication is handled by Firebase Authentication, which uses Google's identity infrastructure (including bcrypt-family password hashing and risk-based account protection). Sensitive audit-chain operations are signed by hardware-backed keys.
Children's privacy
UIP is not intended for users under 18 (or the local age of digital consent, whichever is higher). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at [email protected] and we will delete it.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes will be announced by email where we have a contact for you, with at least 30 days' notice before they take effect. Continued use of UIP after the effective date constitutes acceptance of the updated policy.
Contact & complaints
Questions, requests, or complaints about how we handle your data:
- Privacy contact: [email protected]
- General contact: [email protected]
- Legal: [email protected]
If you are in the EEA, UK, or Switzerland you also have the right to lodge a complaint with your national data protection supervisory authority.