Privacy Policy — SecureID

Effective: March 12, 2026

1. Data Controller

SaltRock GmbH
Bonner Str. 12
51379 Leverkusen
E-Mail: hello@secureid.app

2. Overview

SecureID is a digital identity wallet app for secure building access, biometric signing, and contactless payments. This privacy policy explains what data the app processes and how we protect your privacy.

3. Data We Process

Data TypePurposeStorageSharedDisplay nameCredential holder identificationServer (Supabase)NoBiometric identifiersTransaction authorizationOn-device only (Secure Enclave / Android Keystore)NoCryptographic keysDigital signatures (ECDSA P-256)On-device only (hardware security module)No — only public keys are transmittedCamera imagesQR code scanning during enrollmentNot stored — real-time processingNoNFC dataBuilding access (Tap-to-Open)Not storedLocal door station onlyPayment approvalsContactless payment confirmationServer (transient, in-memory)NoX.509 certificatesIdentity attestationServer + deviceNo

4. What We Do NOT Do

• We use no analytics or tracking SDKs.

• We display no advertisements.

• We do not share data with third parties.

• We do not store biometric data on servers — it never leaves your device.

• We do not collect location data.

5. Cryptography and Security

All private keys are generated and stored in your device's hardware security module (Secure Enclave on iOS, Android Keystore on Android). Private keys cannot be extracted or exported. Every signing operation requires biometric confirmation.

All network communication uses HTTPS (TLS 1.2+). Cleartext HTTP is only permitted for local network addresses (LAN).

6. Data Retention and Deletion

Your credential record is stored on the server as long as your account is active. When a credential is revoked, associated certificates are invalidated. You may request deletion of your data at any time by contacting us at privacy@saltlock.de.

7. Your Rights (GDPR)

As a user in the EU, you have the following rights:

• Access — Know what data is stored about you

• Rectification — Correct inaccurate data

• Erasure — Delete your personal data

• Portability — Export your data

• Objection — Object to certain processing

Contact: privacy@saltlock.de

8. Legal Basis

Processing is based on Art. 6(1)(b) GDPR (contractual necessity — providing identity wallet functionality) and Art. 6(1)(f) GDPR (legitimate interest — system security).

9. Changes

We may update this privacy policy. The current version is always available at this URL.