Legal

Privacy Policy

Effective Date: April 14, 2026 · Last Updated: April 27, 2026

Overview

Human Presence Protocol ("HPP") is a cryptographic attestation system that proves a human is present at a device — without collecting personal information. Privacy is not a feature of HPP; it is the architecture. This policy describes what HPP collects, what it does not collect, and why.

Core Privacy Principle

Privacy by Design

HPP proves presence, not identity. The system is architecturally incapable of collecting the data it does not need. No name, no email, no location, no browsing history, no device fingerprint crosses the network boundary.

What HPP Collects

HPP transmits the minimum data required to prove a human is present at a specific device at a specific time:

Public key — Generated and stored in the iPhone Secure Enclave. The corresponding private key never leaves the hardware chip. The public key is a pseudonymous identifier — it is not linked to your name, Apple ID, or any personal information.
Digital signature — A cryptographic proof that the private key holder (you, after biometric authentication) signed a specific challenge at a specific time. Single-use; cannot be replayed.
Timestamp — When the attestation occurred.
Site identifier — Which website requested the attestation (e.g., "humanpresenceprotocol.com").
Session token — A server-generated token that grants temporary access. Expires automatically (default: 10 minutes).
Presence Continuity Score band — A general category (e.g., "Emerging", "Consistent") derived from attestation frequency. The raw numeric score stays on your device; only the band label is transmitted.
Age qualification (when applicable) — A boolean value (yes/no) indicating whether a locally-stored date of birth meets a site's minimum age threshold. The date of birth itself never leaves your device.

What HPP Does Not Collect

Name or real-world identity
Email address
Phone number
Apple ID or account credentials
Location or GPS data
IP address (not stored or logged)
Browsing history
Device fingerprint or hardware identifiers
Biometric data (Face ID / Touch ID templates stay in the Secure Enclave and are never accessed by HPP)
Date of birth (stored locally only; never transmitted)
Contacts, photos, or any on-device content

How Data Is Handled

On Your Device

Your private key is generated inside the iPhone Secure Enclave — a dedicated hardware security chip. It cannot be exported, copied, or read by any software, including HPP itself. Biometric authentication (Face ID or Touch ID) is handled entirely by Apple's LocalAuthentication framework; HPP receives only a pass/fail result.

Your date of birth (if provided during onboarding or later via the Verified Attributes detail sheet) is stored in the app's local UserDefaults. You can provide it by typing or by scanning the front of a driver's license. The license-scan flow uses Apple's Vision framework for on-device OCR — it captures a single frame from the camera, parses the date of birth from the recognised text, and discards the image immediately. The image is never written to disk and never transmitted. The date of birth itself is used solely to evaluate age predicates on-device. It is never transmitted to any server.

In Transit

All communication between the HPP app and the verification server uses HTTPS (TLS 1.2+). Challenge-response payloads are cryptographically signed before transmission.

On the Server

The HPP verification server stores:

Challenge records (automatically purged after 300 seconds)
Session tokens (automatically purged after session expiry)
Attestation receipts — chain-linked cryptographic records containing: receipt ID, public key fingerprint, timestamp, site, assurance level, and hash chain pointer. No personal information is included in receipts.

The server does not store IP addresses, user agents, or any data beyond what is listed above.

Reading your own receipts. Receipts are made available for you to read back via an authenticated request to the verifier. Opening Session History → Receipts in the app triggers a GET /receipts/:pubkey read; only receipts belonging to your device's Secure Enclave public key are returned (cross-tenant isolation is enforced server-side — a session token bound to a different key cannot fetch your receipts). The read is rate-limited (default 30 requests per minute per key) and never modifies the receipt chain.

Comparison With Other Systems

Data Point	HPP	Google Sign-In	Email + Password
Real name	Not collected	Collected	Often collected
Email address	Not collected	Collected	Required
Browsing history	Not collected	Tracked	Not collected
Location	Not collected	Often collected	Not collected
Device fingerprint	Not collected	Collected	Not typically
Cross-site tracking	Not possible	Enabled	Not typically
Biometric data transmitted	Never	No	No

Third-Party Services

HPP uses the following third-party services:

Render — Cloud hosting for the verification server (render.com). Subject to Render's privacy policy.
GitHub Pages — Static site hosting for humanpresenceprotocol.com. Subject to GitHub's privacy policy.
Apple TestFlight — Beta distribution platform. Subject to Apple's privacy policy.

HPP does not use any analytics, advertising, or tracking services. No data is sold, shared with, or disclosed to any third party for marketing or advertising purposes.

Children's Privacy

HPP's age verification feature is designed to help websites comply with COPPA, KOSA, and similar regulations. When a website requests age-qualified attestation, the HPP app evaluates the user's locally-stored date of birth against the site's minimum age threshold. Only a boolean result (qualified / not qualified) is transmitted. The date of birth itself never leaves the device.

HPP does not knowingly collect personal information from children under 13. The age verification system is specifically designed to protect minors by enabling age-gated access without collecting identifying information.

Data Retention

Challenge records: Automatically deleted after 300 seconds (5 minutes)
Session tokens: Automatically deleted after session expiry (default: 10 minutes)
Attestation receipts: Retained as part of the tamper-evident chain. Receipts contain no personal information.
On-device data: Attestation history, credits, and date of birth are stored locally and can be deleted by uninstalling the app.

Your Rights

Because HPP collects no personal information, most data subject rights (access, correction, deletion) are satisfied by the architecture itself — there is no personal data to access, correct, or delete. You may:

Uninstall the app to delete all on-device data (keys, history, date of birth)
Disconnect active sessions at any time via the app
Request deletion of server-side receipts by contacting us (though receipts contain no personal information)

Changes to This Policy

We may update this privacy policy to reflect changes in HPP's functionality or applicable regulations. Material changes will be noted in the app and on this page with an updated "Last Updated" date.

Contact

Human Presence Protocol

Privacy inquiries: privacy@humanpresenceprotocol.com

General support: humanpresenceprotocol.com/support