Privacy Policy
How we protect and process your personal data in accordance with GDPR
This Privacy Policy explains how myID, a product of pocketOne ("we", "us", "our"), processes personal data collected through the myID digital identity wallet and related services. We are committed to protecting your privacy and processing personal data in accordance with GDPR and other applicable data protection laws.
1. Who We Are
myID is jointly operated by:
- pocketOne OÜ — Harju maakond, Tallinn, Estonia (EU entity, GDPR data controller)
- pocketOne Ltd. — Premises No. GA-00-SZ-L1-RT-208, DIFC, Dubai, United Arab Emirates
Website: https://myid.africa
Privacy Team: privacy@pocket.one
Data Protection Officer: dpo@pocket.one
2. Data Transmitted to Our Servers
During onboarding and identity verification, the following data is transmitted to our servers for processing:
- Phone number — for SMS OTP verification only; stored ephemerally in our verification cache and deleted after verification completes.
- Email address — for email OTP verification only; stored ephemerally and deleted after verification completes.
- Document MRZ data (document number, date of birth, date of expiry) — transmitted during NFC chip verification; stored in a session cache with a 5‑minute time‑to‑live, then automatically purged.
- Biometric photo (DG2 from travel document chip) — transmitted for liveness comparison; processed in memory only, never persisted to disk.
- Liveness selfie — transmitted for face‑matching against the document photo; processed in memory only, never persisted to disk.
- PII hashes (BLAKE3) — one‑way cryptographic hashes of identity attributes, used for credential binding; the original plaintext is never stored server‑side.
- Credential attributes (name, date of birth, nationality, document number, portrait) — transmitted during credential issuance and cryptographically signed into your on‑device credential; not retained server‑side after issuance.
3. Data Stored Only on Your Device
The following data never leaves your device:
- Your full legal name, date of birth, and address (entered during onboarding)
- Your issued credentials (mDL, eIDAS PID, DTC, SD‑JWT, Verifiable Credentials)
- Your cryptographic keys (passkeys, DPoP keys, device keys)
- Your document type selection and onboarding progress
- Biometric templates and settings
4. Session and Audit Data
- Presentation sessions — when you share credentials with a verifier, session metadata (session ID, requested claims, approved claims, timestamps) is stored for audit purposes. No personal identity data is stored — only the fact that a session occurred.
- Audit logs — anonymised session metadata retained for regulatory compliance (see Section 9).
5. Data Collected Automatically
- Device type and operating system (for compatibility)
- IP address (in server access logs, rotated every 90 days)
- App version and crash reports
- Essential cookies for website functionality (see Section 12)
6. Why We Process Your Data (Lawful Bases)
We process data under the following legal bases (GDPR Article 6):
- Consent — for identity verification and credential issuance
- Contract — to provide the myID wallet service
- Legal obligation — to comply with eIDAS 2.0, ICAO 9303, and anti‑fraud regulations
- Legitimate interest — for security monitoring and fraud prevention
7. Sharing Your Data
We do not sell, trade, or rent your personal information. We may share data only:
- With your explicit consent (e.g., when you approve a credential presentation)
- To comply with legal obligations, court orders, or regulatory requirements
- To protect against fraud or security threats
- With infrastructure providers under strict data processing agreements (hosting, SMS delivery)
8. International Data Transfers
Data is primarily processed within the European Union (Estonia). If data is transferred outside the EU, we ensure appropriate safeguards including Standard Contractual Clauses or adequacy decisions under GDPR Chapter V.
9. Retention
- OTP verification data (phone, email) — deleted automatically after verification or OTP expiry (minutes)
- Session cache (MRZ, session keys) — automatically purged after 5 minutes
- Liveness/biometric images — processed in memory, never persisted
- Server access logs — rotated every 90 days
- Audit logs — retained for 7–10 years as required by the eIDAS 2.0 regulatory framework; anonymised upon account deletion (session IDs and timestamps retained, personal identifiers removed)
Regulatory retention obligations under GDPR Article 17(3)(b) and eIDAS 2.0 may require us to retain anonymised audit records beyond your deletion request.
10. Your Rights
Under GDPR, UAE Federal Decree‑Law No. 45 of 2021, and other applicable privacy laws, you have the right to:
- Access (Article 15) — request a copy of any personal data we hold about you
- Rectification (Article 16) — correct inaccurate data
- Erasure (Article 17) — request deletion of your data (see Section 14)
- Restriction (Article 18) — request we limit processing of your data
- Portability (Article 20) — receive your data in a structured, machine‑readable format
- Object (Article 21) — object to processing based on legitimate interests
- Withdraw consent — at any time, without affecting prior lawful processing
To exercise your rights, contact us at privacy@myid.africa or dpo@pocket.one. We will respond within one month.
11. Security
- TLS encryption for all data in transit
- AES‑256 encryption for data at rest on your device
- Hardware Security Module (HSM) integration for cryptographic signing
- Redis TLS cluster with mutual authentication for session data
- Regular security audits and penetration testing
12. Cookies
The myID mobile app does not use cookies or third‑party tracking. Our website uses only essential functionality cookies. We do not share data with advertisers.
13. Children
myID is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover such data, we will delete it promptly.
14. Account and Data Deletion
In‑App Deletion (Recommended): Open the myID app → Settings → Delete Account → type DELETE to confirm. This sends a deletion request to our servers to purge any data transmitted during verification, and clears all locally stored data from your device. This action is permanent and irreversible — we do not hold backups of your local data.
Web Deletion Request: If you no longer have access to the app, submit a deletion request at myid.africa/delete-account.
Uninstalling the App: Uninstalling removes all local data. To ensure complete server‑side deletion, use the in‑app Delete Account feature or the web form before uninstalling.
15. Regulatory Compliance
- EU: General Data Protection Regulation (GDPR) — pocketOne OÜ is the data controller
- UAE: Federal Decree‑Law No. 45 of 2021 on Personal Data Protection
- International: eIDAS 2.0, ISO 18013‑5, ICAO Doc 9303
16. Changes
We may update this Privacy Policy periodically. We will notify you of material changes via the app or email. Continued use after changes constitutes acceptance of the updated policy.
17. Contact
For privacy‑related questions or to exercise your rights:
- Privacy Team: privacy@pocket.one
- Data Protection Officer: dpo@pocket.one
- myID Support: privacy@myid.africa
EU Representative (GDPR): pocketOne OÜ, Harju maakond, Tallinn, Estonia — eu-rep@pocket.one
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of alleged infringement.
Last Updated: March 26, 2026