Privacy Policy
Effective Date: [Apr 6 2025]
1. Introduction
Purpose of This Policy
This Privacy Policy explains how zkPass (“zkPass,” “we,” “our,” or “us”) handles information relating to your use of our website www.zkpass.org (the “Site”) and our protocol and related services (together, the “Services”). It describes what information we may collect, how that information is used, how it is safeguarded, and what rights you may have under applicable data-protection laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
About zkPass
zkPass is a decentralized protocol that enables users to generate zero-knowledge proofs (ZKPs) from Web2 data sources through zkTLS. Our protocol is designed to allow individuals to prove facts about themselves—such as legal identity, financial information, educational records, or achievements—without ever disclosing or uploading the underlying documents. By default, zkPass does not collect or store personal data from users of the protocol.
Scope
This Privacy Policy applies to:
Visitors to the zkPass Site.
Users interacting with the zkPass protocol and developer tools, to the extent that technical data is transmitted.
Individuals engaging with zkPass through official communication channels such as mailing lists, forums, or community servers.
This Privacy Policy does not apply to:
Third-party wallets, decentralized applications (dApps), or blockchains that may interface with zkPass.
External websites, platforms, or services that may be linked from our Site.
2. Definitions
For the purposes of this Privacy Policy:
“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, identification numbers, location data, online identifiers, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity. Under GDPR and certain other laws, IP addresses and cookie identifiers may also be considered Personal Data.
“Non-Personal Data” refers to information that does not identify you as an individual, such as aggregated analytics, device types, or anonymized technical logs.
“Protocol Data” refers to zero-knowledge proofs, zkSBTs, cryptographic keys, and related information generated and stored locally on a user’s device when interacting with the zkPass protocol. Protocol Data is never collected or retained by zkPass.
“Site Data” refers to technical information automatically collected when you visit our Site, such as IP address, browser type, and cookies.
“Processing” means any operation performed on data, whether automated or not, including collection, storage, use, disclosure, or deletion.
“Services” means the zkPass Site, protocol, developer SDKs, and official community engagement channels.
3. Core Privacy Principles
zkPass is built on the philosophy of privacy by design. The following principles govern our approach to handling information:
Privacy by Default: The zkPass protocol is designed so that users retain custody of their sensitive data at all times. Zero-knowledge proofs are generated locally and never transmitted to zkPass servers.
Minimal Collection: zkPass does not collect, process, or store personal identity documents, financial records, healthcare data, or other sensitive user data. Any technical data collected from the Site is limited to what is strictly necessary for functionality, analytics, and security.
Selective Disclosure: The zkPass protocol enables users to disclose only the attributes required for a given interaction (for example, “over 18,” “holds a university degree,” “account balance above threshold”) without revealing full underlying data.
User Sovereignty: Users control the proofs they generate and decide when and where to disclose them. zkPass does not act as a custodian or central repository of user data.
Transparency and Accountability: We are committed to clear communication about what information is collected, why it is processed, and how it is protected. Where applicable, we comply with GDPR, CCPA, and other data-protection obligations.
4. Information We Collect
zkPass is designed to minimize data collection and to ensure that sensitive user data remains under the control of the user. We distinguish between three categories of information: Protocol Data, Site Data, and Community Data.
4.1 Protocol Data
zkPass does not collect, process, or store personal identity documents, financial records, healthcare information, or educational transcripts.
All zero-knowledge proofs (ZKPs), zkSBTs, and cryptographic keys are generated locally on the user’s device through zkTLS. These remain fully under user custody and are not transmitted to zkPass servers.
zkPass does not operate as a data custodian, identity provider, or credential repository.
4.2 Site Data
When you access our Site, limited technical information may be automatically collected, which may be considered “personal data” under applicable laws:
IP address and approximate geolocation
Browser type, version, and language settings
Operating system and device information
Date, time, and duration of visits
Referring URLs and clickstream activity
Cookie identifiers or equivalent technologies (see Section 7 for details)
This data is collected primarily for security, operational, and analytical purposes.
4.3 Community and Voluntary Data
If you choose to interact with zkPass through official communication channels, we may collect information you voluntarily provide:
Email subscriptions: When you sign up for newsletters or mailing lists, we collect your email address and related communication preferences.
Community servers: If you join zkPass-managed channels (e.g., Discord, Telegram, Discourse), we may collect your username, account identifier, and any information you voluntarily disclose.
Events and programs: If you register for hackathons, beta tests, or ambassador programs, we may process your contact details and participation records.
4.4 Sensitive Data
zkPass does not knowingly collect “special categories of data” under GDPR (such as racial or ethnic origin, political opinions, religious beliefs, biometric data, or health data).
If you voluntarily disclose such information in a community forum or event, it will be processed only to the extent necessary for that interaction and at your discretion.
4.5 Anonymized and Aggregated Data
We may aggregate Site Data in a way that no longer identifies individual users.
Aggregated data may be used for analytics, protocol improvement, or reporting purposes.
5. How We Use Information
zkPass applies a principle of minimal processing. Information is collected and used strictly for limited purposes aligned with protocol operation, website maintenance, and community engagement.
5.1 Protocol Data
zkPass does not use Protocol Data for any processing.
All ZKPs, zkSBTs, and cryptographic keys remain on the user’s device and are disclosed only by the user to third parties at their discretion.
5.2 Site Data
We may use technical Site Data for the following purposes:
Site operation: To provide core functionality of the Site and ensure availability of resources.
Security: To detect, investigate, and prevent fraudulent activity, abuse, or unauthorized access.
Analytics and improvement: To analyze aggregated usage patterns, monitor traffic, and improve Site performance.
Legal compliance: To comply with obligations under applicable law, including log retention for security purposes.
5.3 Community and Voluntary Data
We may use community and voluntary data to:
Administer newsletters, announcements, and updates.
Respond to inquiries, support requests, or feedback.
Manage participation in hackathons, grants, reward campaigns, or ambassador programs.
Enforce community standards and prevent abuse.
5.4 Exclusions
We do not use collected information for targeted advertising or profiling.
We do not sell or monetize user data.
We do not combine Protocol Data with Site Data or Community Data.
6. Legal Basis for Processing (GDPR)
Where GDPR applies, zkPass processes information under one or more of the following legal bases:
6.1 Consent
When you voluntarily subscribe to newsletters, mailing lists, or community programs, you consent to the processing of the information you provide (such as your email address or username).
You may withdraw consent at any time by unsubscribing or contacting us at [email protected].
6.2 Legitimate Interests
We may process limited Site Data, such as IP addresses and log files, to operate, secure, and improve our Site.
This processing is balanced against your privacy rights and is performed only where necessary to maintain functionality and security.
6.3 Legal Obligations
We may retain or disclose information where required to comply with applicable laws, regulations, or governmental requests.
This may include server log retention for cybersecurity compliance or responding to lawful requests by regulators.
6.4 Contractual Necessity
If you participate in zkPass-operated programs (for example, hackathons or grants), processing of voluntary information may be necessary to fulfill the terms of your participation.
7. Cookies and Tracking Technologies
7.1 What Are Cookies
Cookies are small text files placed on your device when you access websites. They allow websites to recognize your browser, remember preferences, and analyze traffic. In addition to cookies, we may use similar technologies such as local storage or tracking pixels.
7.2 How We Use Cookies
zkPass uses cookies and related technologies in a limited manner. These technologies help us:
Ensure the basic functionality and security of the Site.
Understand how the Site is used through aggregated analytics.
Improve user experience by remembering certain preferences.
zkPass does not use cookies for behavioral advertising or cross-site tracking.
7.3 Categories of Cookies
Strictly Necessary | Essential for the Site to function properly, such as security and session management. | Session ID, login status, basic preferences | Session only | No (required for operation)
Functional | Enhance usability by remembering your preferences. | Language settings, layout preferences | Up to 12 months | Yes
Analytics | Provide aggregated insights on how users interact with the Site. | IP (anonymized), page views, clickstream | Up to 24 months | Yes
Performance | Monitor errors, performance metrics, and load times. | Error logs, device type, browser info | Up to 12 months | Yes
Marketing | zkPass does not use marketing cookies. If such cookies are introduced, this Policy will be updated. | N/A | N/A | N/A
7.4 Third-Party Cookies
Certain service providers (for example, analytics providers or hosting platforms) may place cookies when you access our Site. These third-party cookies are subject to their own privacy policies. We encourage you to review those policies.
7.5 Managing Cookies
You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect Site functionality.
For instructions, see:
8. Information Sharing and Disclosure
zkPass does not sell or rent your information to third parties. Information may only be disclosed under the following limited circumstances:
8.1 Service Providers
We may engage trusted third-party service providers to support the operation of our Site and Services. These providers may have access to limited Site Data or Community Data strictly for the purpose of performing services on our behalf, such as:
Hosting and cloud infrastructure (e.g., AWS, Cloudflare).
Analytics and performance monitoring.
Email delivery and community management tools.
All service providers are contractually bound to use the information solely for the intended purpose and to apply appropriate security measures.
8.2 Legal and Regulatory Compliance
We may disclose information when required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. Examples include:
Responding to law enforcement requests supported by lawful authority.
Retaining server logs for cybersecurity or regulatory compliance.
Meeting obligations under financial, tax, or anti-abuse frameworks applicable to zkPass operations.
8.3 Business Transfers
In the event of a merger, acquisition, or corporate restructuring involving zkPass, relevant information may be transferred as part of the transaction, subject to equivalent privacy safeguards and this Policy.
8.4 Protection of Rights
We may disclose information if we believe it is reasonably necessary to:
Protect the safety, rights, or property of zkPass, our users, or the public.
Detect, prevent, or otherwise address fraud, security issues, or misuse of our Services.
9. Data Retention
zkPass follows a principle of data minimization and retains information only for as long as necessary for the purposes described in this Policy.
9.1 Protocol Data
zkPass does not retain Protocol Data such as ZKPs, zkSBTs, or cryptographic keys.
These remain exclusively under user control and are never stored on zkPass servers.
9.2 Site Data
Technical logs (such as IP addresses and error logs) are retained only for security, troubleshooting, and analytics purposes.
Typical retention period is up to 90 days, after which data is either deleted or aggregated/anonymized.
9.3 Community and Voluntary Data
Contact information provided for newsletters or community programs is retained until you unsubscribe, withdraw consent, or request deletion.
Participation records for hackathons, ambassador programs, or grants may be retained as long as necessary to administer the program and comply with any legal requirements.
9.4 Legal Retention Obligations
In certain cases, we may be legally required to retain limited information for a longer period (for example, to comply with applicable accounting, taxation, or regulatory obligations).
When retention is no longer required, data will be securely deleted or anonymized.
10. International Data Transfers
zkPass operates globally. As such, technical and community-related data that we collect may be processed or stored in jurisdictions outside of your country of residence.
10.1 Data Locations
zkPass infrastructure may be hosted in multiple regions, including the European Union, the United States, and Asia-Pacific.
Data may be accessed by authorized personnel or service providers located in different jurisdictions for the purposes described in this Policy.
10.2 Legal Safeguards (GDPR)
Where GDPR applies, and data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards, which may include:
Standard Contractual Clauses (SCCs) approved by the European Commission.
UK Addendum to SCCs for data transfers from the United Kingdom.
Swiss equivalents for transfers from Switzerland.
Additional technical and organizational measures such as encryption and access restrictions.
10.3 User Acknowledgment
By using our Site or Services, you acknowledge that your non-personal or voluntarily provided community information may be transferred and processed outside your country of residence, subject to the safeguards above.
11. User Rights
zkPass recognizes that users may have certain rights under applicable data-protection laws, particularly the GDPR (European Union / EEA residents) and the CCPA (California residents).
11.1 GDPR Rights
If you are located in the European Union, EEA, or Switzerland, you may have the following rights:
Right of Access: To request a copy of the data we hold about you.
Right to Rectification: To request correction of inaccurate or incomplete data.
Right to Erasure (“Right to be Forgotten”): To request deletion of data where there is no lawful basis for retention.
Right to Restriction of Processing: To request a temporary halt on processing under certain conditions.
Right to Data Portability: To request a copy of data in a machine-readable format for transfer to another provider.
Right to Object: To object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
11.2 CCPA Rights
If you are a resident of California, you may have the following rights:
Right to Know: To request information about the categories and specific pieces of personal information collected.
Right to Delete: To request deletion of personal information, subject to certain exceptions.
Right to Opt-Out: To opt out of the sale or sharing of personal information (note: zkPass does not sell personal data).
Right to Non-Discrimination: To be free from discrimination for exercising your CCPA rights.
11.3 Exercising Your Rights
You may exercise your rights under GDPR or CCPA by contacting us at: Email: [email protected]
We may need to verify your identity before fulfilling your request. We will respond within the time frames required by applicable law (for example, 30 days under GDPR).
11.4 Limitations
As zkPass does not collect or store Protocol Data (such as identity documents or ZKPs), certain rights (such as rectification or portability of those proofs) may not apply.
For Site Data and Community Data, rights will be honored to the fullest extent permitted by law.
12. Children’s Privacy
12.1 Age Restrictions
Our Services are not directed to, and should not be used by, individuals under the age of 18. We do not knowingly collect personal information from children.
12.2 Parental Consent
If we become aware that we have inadvertently collected personal information from a child without appropriate parental or guardian consent, we will take immediate steps to delete such information.
12.3 User Responsibility
By accessing or using the Services, you represent that you are at least 18 years of age or that you are accessing the Services under the supervision of a parent or guardian who agrees to this Privacy Policy.
13. Data Security
zkPass is committed to protecting the integrity and confidentiality of the limited information we handle. Our approach combines technical safeguards, organizational measures, and user education.
13.1 Technical Measures
Encryption: All traffic between your browser and our Site is secured via TLS encryption.
Access Controls: Internal access to logs and community data is strictly limited to authorized personnel.
Monitoring: We use monitoring and intrusion detection systems to identify and mitigate threats.
Data Minimization: We collect and retain only the minimum amount of data necessary to operate our Site and Services.
13.2 Organizational Measures
Confidentiality: All team members and service providers with access to data are bound by confidentiality obligations.
Training: Staff with access to user-related data receive training on data-protection practices.
Vendor Management: Third-party service providers are vetted for compliance with security and privacy standards.
13.3 User Responsibilities
Private Keys: Users are responsible for safeguarding their private cryptographic keys, which remain under their sole control.
Device Security: Users should take appropriate steps to secure their devices, including using strong passwords and enabling system-level protections.
Disclosure Control: Users decide when and where to disclose zero-knowledge proofs; zkPass cannot revoke or retract proofs once voluntarily shared.
13.4 No Absolute Guarantee
While we employ industry-standard measures to secure information, no system can guarantee complete security. Users acknowledge that the use of the internet carries inherent risks, and zkPass cannot fully eliminate those risks.
14. Data Breach Notification
14.1 Internal Procedures
zkPass maintains internal procedures for detecting, investigating, and responding to potential data breaches involving Site Data or Community Data.
14.2 Notification to Regulators
Where required by applicable law, including GDPR, zkPass will notify the relevant supervisory authority of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
14.3 Notification to Users
If a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users promptly, providing:
A description of the nature of the breach.
The categories of information affected.
The likely consequences of the breach.
Measures taken or proposed to address the breach.
Guidance on steps you can take to protect yourself.
14.4 Exclusions
Protocol Data (such as ZKPs, zkSBTs, or cryptographic keys) is never stored by zkPass, and therefore cannot be subject to a breach of zkPass servers.
If you voluntarily disclose proofs to third parties, zkPass is not responsible for breaches occurring outside our control.
15. Third-Party Links and Services
15.1 External Links
Our Site may contain links to third-party websites, applications, or services. zkPass is not responsible for the privacy practices or content of such external sites. We encourage you to review the privacy policies of any third-party services you access.
15.2 Wallets and dApps
zkPass may be integrated with wallets, decentralized applications (dApps), or blockchain services operated by third parties. Your interactions with these services are governed by their respective terms and privacy policies. zkPass does not control how they handle your information.
15.3 Analytics and Hosting Providers
We may use third-party providers for analytics (e.g., website usage statistics) or hosting infrastructure. These providers may collect or process limited technical information as described in Section 4. Such processing is subject to contractual safeguards and the providers’ own privacy policies.
15.4 Community Platforms
If you engage with zkPass through third-party community platforms (such as Discord, Telegram, or Twitter/X), your use of those platforms is subject to their privacy policies. zkPass does not control how those platforms process your information.
15.5 Disclaimer
Inclusion of a third-party link or integration does not imply endorsement by zkPass. Your interactions with third-party services are at your own discretion and risk.
16. Governance and Applicable Law
16.1 Responsible Entity
The zkPass protocol is operated by zkPass Association, a non-profit association established under the laws of Switzerland. The Association is responsible for governance of the protocol and the administration of this Privacy Policy.
16.2 Applicable Law
This Privacy Policy and any disputes arising from or relating to it are governed by the laws of Switzerland, without regard to conflict of law principles.
16.3 Jurisdiction
Unless otherwise required by mandatory law, any disputes relating to this Privacy Policy shall fall under the exclusive jurisdiction of the competent courts of Zurich, Switzerland.
16.4 International Compliance
zkPass intends for this Privacy Policy to be interpreted consistently with global data-protection frameworks, including but not limited to:
The General Data Protection Regulation (GDPR) of the European Union.
The California Consumer Privacy Act (CCPA) and related U.S. state privacy laws.
The Swiss Federal Act on Data Protection (FADP).
Other applicable national or regional privacy frameworks.
17. Changes to This Policy
17.1 Right to Modify
We may update or amend this Privacy Policy from time to time to reflect:
Changes in legal or regulatory requirements.
Evolving industry standards and best practices.
Updates to our technology, Services, or governance structure.
17.2 Notification of Changes
Material changes will be communicated prominently on the Site prior to their effective date.
Where legally required, we will obtain your consent before implementing changes that materially affect how we handle your personal data.
17.3 Effective Date of Updates
Each revised version of this Privacy Policy will be identified by its effective date, which will be updated at the top of the document.
17.4 Archival of Previous Versions
To ensure transparency, zkPass may maintain an archive of prior versions of this Privacy Policy, which will be available upon request.
18. Contact Information
If you have any questions, requests, or concerns regarding this Privacy Policy or zkPass’s data-handling practices, you may contact us using the following details:
Email: [email protected]
Conclusion
zkPass is designed with privacy by default and verifiability without disclosure at its core. Unlike traditional services that centralize and monetize user information, zkPass does not collect or store personal identity documents, financial records, or sensitive credentials. All zero-knowledge proofs are generated and remain under the control of the user.
This Privacy Policy demonstrates our commitment to transparency, compliance, and security. By setting clear limits on the information we collect, applying strong legal and technical safeguards, and honoring user rights under frameworks such as GDPR, CCPA, and the Swiss FADP, we aim to ensure that zkPass not only advances the future of verifiable data but also upholds the fundamental right to privacy.