Privacy Policy
How we protect and process your personal data in accordance with GDPR
This Privacy Policy explains how myID, a product of pocketOne ("we", "us", "our"), processes personal data collected through the myID digital identity wallet and related services. We are committed to protecting your privacy and processing personal data in accordance with GDPR and other applicable data protection laws.
1. Who We Are
myID is jointly operated by:
- pocketOne OÜ — Harju maakond, Tallinn, Estonia (EU entity, GDPR data controller)
- pocketOne Ltd. — Premises No. GA-00-SZ-L1-RT-208, DIFC, Dubai, United Arab Emirates
Website: https://myid.africa
Privacy Team: privacy@pocket.one
Data Protection Officer: dpo@pocket.one
2. Data Transmitted to Our Servers
During onboarding and identity verification, the following data is transmitted to our servers for processing:
- Phone number — for SMS OTP verification only; stored ephemerally in our verification cache and deleted after verification completes.
- Email address — for email OTP verification only; stored ephemerally and deleted after verification completes.
- Document MRZ data (document number, date of birth, date of expiry) — transmitted during NFC chip verification; stored in a session cache with a 5‑minute time‑to‑live, then automatically purged.
- Biometric photo (DG2 from travel document chip) — transmitted for face‑matching against your liveness selfie; processed in memory only, never persisted to disk.
- Liveness selfie — transmitted for face‑matching against the document photo; processed in memory only, never persisted to disk.
- PII hashes (BLAKE3) — one‑way cryptographic hashes of identity attributes, used for credential binding; the original plaintext is never stored server‑side.
- Credential attributes (name, date of birth, nationality, document number, portrait) — transmitted during credential issuance and cryptographically signed into your on‑device credential; not retained server‑side after issuance.
3. Data Stored Only on Your Device
The following data never leaves your device:
- Your full legal name, date of birth, and address (entered during onboarding)
- Your issued credentials (mDL, eIDAS PID, DTC, SD‑JWT, Verifiable Credentials)
- Your cryptographic keys (passkeys, DPoP keys, device keys)
- Your document type selection and onboarding progress
- Biometric templates and settings
4. QES (Qualified Electronic Signature) Data
When you use the Qualified Electronic Signature function, the following additional data is processed:
- QES signing key — an EC P‑256 private key generated and stored within a Hardware Security Module (HSM). The key is non‑exportable and never transmitted. It is referenced by a key label derived from your authenticated identity.
- X.509 certificate — a signing certificate associated with your key, containing your name and issuer information. Certificate data (subject, issuer, serial number, validity period) is stored as part of each signature's evidence package.
- Document hash — a SHA‑256 cryptographic fingerprint of each document you sign. The hash is computed server‑side and stored immutably with the signature record. This is a one‑way function; the document content cannot be derived from the hash.
- Signature and timestamp — the ECDSA signature value and an RFC 3161 timestamp obtained from an independent Timestamp Authority. Both are stored as part of the evidence package.
- Certificate revocation checks — when verifying a signature, the app contacts an OCSP responder to check whether the signing certificate has been revoked. The OCSP request carries only the certificate identifier (the certificate serial number together with hashes of the issuer name and issuer key); no document content or personal data is disclosed to the OCSP service.
- Imported certificates — if you import a personal certificate (e.g., from ssl.com) or sign with a certificate held on a hardware token's PIV applet (e.g., a YubiKey PIV slot), the certificate data is stored locally on your device. Certificate metadata (issuer, subject, validity) may be transmitted to the server for trust chain validation.
- Evidence packages — for each QES signature, an immutable evidence package is generated containing: document hash, signature, timestamp, certificate snapshot, verification results, and an event timeline. This package is retained for a minimum of 7 years (see Section 10).
5. Session and Audit Data
- Presentation sessions — when you share credentials with a verifier, session metadata (session ID, the names of the requested and approved claims, timestamps) is stored for audit purposes. Claim values and other personal identity data are not stored — only which claims were involved and the fact that a session occurred.
- Audit logs — anonymised session metadata retained for regulatory compliance (see Section 10).
- QES audit events — every signing and verification action is recorded in an append‑only audit log. Events include: signing session creation, intent confirmation, authentication method, signing completion, and verification results. IP addresses are stored as one‑way hashes for privacy. Audit events cannot be modified or deleted.
6. Data Collected Automatically
- Device type and operating system (for compatibility)
- IP address (in server access logs, rotated every 90 days)
- App version and crash reports
- Essential cookies for website functionality (see Section 13)
7. Why We Process Your Data (Lawful Bases)
We process data under the following legal bases (GDPR Article 6):
- Consent (Article 6(1)(a)) — for identity verification, credential issuance, and QES enrollment
- Contract (Article 6(1)(b)) — to provide the myID wallet service, including QES signing and document verification
- Legal obligation (Article 6(1)(c)) — to comply with eIDAS 2.0 trust service record‑keeping requirements (Article 24(2)), ICAO 9303, and anti‑fraud regulations
- Legitimate interest (Article 6(1)(f)) — for security monitoring, fraud prevention, and maintaining the integrity of the signing infrastructure
For QES evidence packages: the lawful basis for 7‑year retention is legal obligation under eIDAS Article 24(2)(h), which requires qualified trust service providers to retain records of all transactions for an appropriate period. This constitutes a GDPR Article 17(3)(b) exception to the right of erasure.
8. Sharing Your Data
We do not sell, trade, or rent your personal information. We may share data only:
- With your explicit consent (e.g., when you approve a credential presentation)
- To comply with legal obligations, court orders, or regulatory requirements
- To protect against fraud or security threats
- With infrastructure providers under strict data processing agreements (hosting, SMS delivery)
9. International Data Transfers
Data is primarily processed within the European Union (Estonia). If data is transferred outside the EU, we ensure appropriate safeguards including Standard Contractual Clauses or adequacy decisions under GDPR Chapter V.
10. Retention
- OTP verification data (phone, email) — deleted automatically after verification or OTP expiry (minutes)
- Session cache (MRZ, session keys) — automatically purged after 5 minutes
- Liveness/biometric images — processed in memory, never persisted
- Server access logs — rotated every 90 days
- Credential audit logs — retained for 7–10 years as required by eIDAS 2.0 regulatory framework; anonymised upon account deletion (session IDs and timestamps retained, personal identifiers removed)
- QES evidence packages — retained for a minimum of 7 years from the date of signing, as required by eIDAS Article 24(2)(h). Evidence packages contain: document hash (not document content), signature, timestamp, certificate snapshot, and verification results. Upon account deletion, the document content is deleted but the evidence metadata is retained in anonymised form for the statutory period.
- QES signing certificates — certificate metadata (subject, issuer, serial, validity) retained alongside evidence packages. The signing key is destroyed upon account deletion or key revocation.
- QES audit events — append‑only, retained for 7 years. Cannot be modified or deleted. IP addresses stored as one‑way hashes.
Regulatory retention obligations under GDPR Article 17(3)(b) and eIDAS Article 24(2) may require us to retain anonymised audit records and QES evidence packages beyond your deletion request.
11. Your Rights
Under GDPR, UAE Federal Decree‑Law No. 45 of 2021, and other applicable privacy laws, you have the right to:
- Access (Article 15) — request a copy of any personal data we hold about you
- Rectification (Article 16) — correct inaccurate data
- Erasure (Article 17) — request deletion of your data (see Section 15)
- Restriction (Article 18) — request we limit processing of your data
- Portability (Article 20) — receive your data in a structured, machine‑readable format
- Object (Article 21) — object to processing based on legitimate interests
- Withdraw consent — at any time, without affecting prior lawful processing
To exercise your rights, contact us at privacy@myid.africa or dpo@pocket.one. We will respond within one month.
12. Security
- TLS 1.3 encryption for all data in transit
- AES‑256‑GCM encryption for data at rest on your device and on our servers (envelope encryption)
- Hardware Security Module (HSM) integration for QES signing keys — keys are generated inside the HSM and are non‑exportable
- DPoP (Demonstrating Proof‑of‑Possession) authentication on all QES endpoints
- Step‑up biometric authentication required before each QES signing operation
- Document hash‑locking before signing to prevent wrong‑document attacks
- Idempotency controls and nonce binding to prevent replay of signing requests
- OCSP certificate revocation checking during signature verification
- Redis TLS cluster with mutual authentication for session data
- Append‑only audit logs that cannot be modified or deleted
- Regular security audits and penetration testing
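Sections 4 and 12 together describe how a QES signature is produced and later checked: the document hash is locked at intent confirmation, the signing request is bound to a nonce and refused on replay, the HSM key signs only that digest, and verification needs nothing but the hash, the signature and the certificate. The Go program below is an added illustration of that flow; it is not myID's or pocketOne's code. It assumes an in‑memory P‑256 key in place of the HSM key label, uses a local clock reading where an RFC 3161 token would sit (a real TSA and OCSP responder are not reachable offline), and labels the certificate subject, session IDs, nonces and document text as constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// EvidencePackage carries the fields Section 4 lists. The RFC 3161 token and
// the OCSP result are left out: both need a live responder.
type EvidencePackage struct {
	DocumentHash string    // hex SHA-256 of the document; the content is not kept
	Signature    []byte    // DER-encoded ECDSA P-256 signature over the digest
	SignedAt     time.Time // stand-in for the RFC 3161 timestamp
	CertSubject  string    // certificate snapshot (hypothetical subject)
	Nonce        string    // nonce bound to this signing request
}

var ErrUnknownSession = errors.New("unknown or already completed signing session")
var ErrHashMismatch = errors.New("presented document differs from the locked hash")
var ErrReplay = errors.New("nonce already used: signing request replayed")

// SigningService stands in for the HSM-backed signer: the key is in memory
// here, where production would only hold an HSM key label.
type SigningService struct {
	key      *ecdsa.PrivateKey
	sessions map[string]string // session ID -> locked document hash (hex)
	seen     map[string]bool   // nonces already consumed
}

func NewSigningService() (*SigningService, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{key: key, sessions: map[string]string{}, seen: map[string]bool{}}, nil
}

// CreateSession locks the hash of the document the user reviewed at intent
// confirmation; Sign will only ever sign exactly this digest.
func (s *SigningService) CreateSession(sessionID string, reviewedDoc []byte) string {
	digest := sha256.Sum256(reviewedDoc)
	s.sessions[sessionID] = hex.EncodeToString(digest[:])
	return s.sessions[sessionID]
}

// Sign enforces hash-locking (wrong-document attack), nonce freshness (replay)
// and one signature per session (idempotency) before the key is used.
func (s *SigningService) Sign(sessionID, nonce string, presentedDoc []byte) (*EvidencePackage, error) {
	locked, ok := s.sessions[sessionID]
	if !ok {
		return nil, ErrUnknownSession
	}
	if s.seen[nonce] {
		return nil, ErrReplay
	}
	digest := sha256.Sum256(presentedDoc)
	if hex.EncodeToString(digest[:]) != locked {
		return nil, ErrHashMismatch
	}
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	s.seen[nonce] = true
	delete(s.sessions, sessionID) // a session cannot be signed twice
	return &EvidencePackage{DocumentHash: locked, Signature: sig, SignedAt: time.Now().UTC(),
		CertSubject: "CN=Example Signer (hypothetical)", Nonce: nonce}, nil
}

// Verify needs only the public key and the stored hash, never the document,
// which is why the evidence package can outlive the document content.
func Verify(pub *ecdsa.PublicKey, ev *EvidencePackage) bool {
	digest, err := hex.DecodeString(ev.DocumentHash)
	if err != nil || len(digest) != sha256.Size {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest, ev.Signature)
}

func main() {
	svc, err := NewSigningService()
	if err != nil {
		panic(err)
	}
	reviewed := []byte("constructed sample: agreement text the user reviewed")
	svc.CreateSession("sess-42", reviewed)
	_, err = svc.Sign("sess-42", "nonce-1", []byte("constructed sample: altered text"))
	fmt.Println("swapped document:", err)
	ev, err := svc.Sign("sess-42", "nonce-1", reviewed)
	if err != nil {
		panic(err)
	}
	fmt.Println("verified:", Verify(&svc.key.PublicKey, ev))
}
```

Two points worth checking against any real deployment of this pattern: the hash comparison and nonce bookkeeping must happen on the server that holds the key, not in the client, or hash‑locking protects nothing; and the one‑way IP hashes of Section 5 only resist reversal if they are keyed (an HMAC with a server secret), because a bare hash over the IPv4 space can be inverted by enumerating all 2^32 addresses. The page does not say whether myID keys its IP hashes.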
13. Cookies
The myID mobile app does not use cookies or third‑party tracking. Our website uses only essential functionality cookies. We do not share data with advertisers.
14. Children
myID is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover such data, we will delete it promptly.
15. Account and Data Deletion
In‑App Deletion (Recommended): Open the myID app → Settings → Delete Account → type DELETE to confirm. This sends a deletion request to our servers to purge any data transmitted during verification, and clears all locally stored data from your device. This action is permanent and irreversible — we do not hold backups of your local data.
Web Deletion Request: If you no longer have access to the app, submit a deletion request at myid.africa/delete-account.
Uninstalling the App: Uninstalling removes all local data. To ensure complete server‑side deletion, use the in‑app Delete Account feature or the web form before uninstalling.
16. Regulatory Compliance
- EU: General Data Protection Regulation (GDPR) — pocketOne OÜ is the data controller
- UAE: Federal Decree‑Law No. 45 of 2021 on Personal Data Protection
- International: eIDAS 2.0, ISO 18013‑5, ICAO Doc 9303
17. Changes
We may update this Privacy Policy periodically. We will notify you of material changes via the app or email. Continued use after changes constitutes acceptance of the updated policy.
18. Contact
For privacy‑related questions or to exercise your rights:
- Privacy Team: privacy@pocket.one
- Data Protection Officer: dpo@pocket.one
- myID Support: privacy@myid.africa
EU Representative (GDPR): pocketOne OÜ, Harju maakond, Tallinn, Estonia — eu-rep@pocket.one
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of alleged infringement.
Last Updated: June 3, 2026