Identity Wallet Privacy Policy
1. Introduction
Cardano Foundation (Cardano Stiftung) is a not-for-profit organisation based in Zug, Switzerland tasked with advancing the Cardano blockchain as a public infrastructure across a wide range of industries. Our registered address is: Cardano Stiftung, Dammstrasse 16, 6300 Zug, Switzerland.
2. Scope of this Privacy Policy
This Privacy Policy specifically applies to the decentralised identity solution developed by the Cardano Foundation known as Veridian. Veridian is designed using the Key Event Receipt Infrastructure (KERI) protocol to provide identity management services to users worldwide (the “Services”).
Veridian is comprised of multiple integrated components, which operate in two distinct environments (collectively “Veridian”):
- Production Environment
This is the live, operational system where real users generate and manage their digital identities (AIDs) and credentials. Infrastructure and tooling in the production environment are not hosted on our infrastructure.
- Sandbox Environment
This is a non-production, containerized environment hosted on the Cardano Foundation’s on-premise servers, provided solely for testing, evaluation, and demonstration purposes. The Sandbox includes a version of our credential management tooling (which is open source and available on GitHub) that is limited to testing use and is not intended for production or commercial use. Access to the Sandbox is granted via a request process and is governed by separate terms.
The integrated components of Veridian include:
- Wallet (Edge Agent)
The Veridian wallet is the user-facing application that aggregates, displays, and allows you to manage your digital identity credentials. Through the wallet, you generate your digital identifier (the “AID”), control it with cryptographic keys, approve or decline identity-related requests, and decide when and how your credentials are shared.
- Infrastructure
This comprises production cloud agents, independent Witnesses, Cardano Services, and other supporting systems that securely relay and verify your encrypted data.
- Credential Management Tooling
A suite of tools that facilitate the creation, issuance, verification, and revocation of digital credentials.
- Browser Extension
A browser extension that leverages the KERI and ToIP ACDC protocols for enhanced identity management and verifiable data.
This privacy policy (“Policy”) explains and sets out the basis for why and when we collect, use, store, and share personal information of people who use the Veridian Services, and/or interact with us in any other way related thereto. It explains and sets out how we collect and use personal data, the conditions under which we may disclose it to others and the measures we take to keep it secure.
If you transmit or disclose data about other persons such as family members, employees, work colleagues, etc., we assume that you are authorized to do so, that this data is correct and that we may process it as described here. By transmitting such data, you confirm this. Please also ensure that these third parties have been informed of this Policy.
We may amend this Policy from time to time so please check it occasionally to ensure that you are aware of any changes.
3. How you can contact us
Please use the following contact information to report any concerns related to data protection:
FAO: Cardano Stiftung, Rykestraße 26, 10405 Berlin, Germany
privacy@cardanofoundation.org
4. How we collect information about you
Veridian is designed with ‘privacy by design’ in mind. We aim to process only the minimum data necessary to deliver our Services securely.
We do not collect any personal information at registration. You are not required to provide conventional personal details to access the Services, such as your name, email address, phone number, photograph, date of birth, and similar information related to your business, its employees, officers, representatives, or affiliates. Instead, Veridian allows you to generate a unique cryptographic identity (AID) that is entirely under your control.
You are not obliged to disclose your personal data to us. However, we may collect and process the following types of information about you:
4.1 Information you provide us
You may provide us with personal information by contacting user support, or by corresponding with us by e-mail, web form, live chat, phone, letter or other means of communication. We collect the data exchanged between you and us, including your contact details and the marginal data of the communication. Any personal information you choose to share is retained solely for the purpose of resolving your query.
Additionally, you may provide personal information when registering to participate in the Sandbox environment. This data will be used only for granting you access to the Sandbox and delivering the associated services.
4.2 Technical Data for Service Functionality
In the production environment, technical data required for secure operation typically remains on your device and is not collected by us. However, as part of our mobile security tooling, limited anonymous diagnostic data (as described in Section 4.3) may be transmitted off-device via the freeRASP SDK to support runtime protection and threat detection.
In the Sandbox environment, we may record timestamped requests—including associated IP addresses—for testing and security monitoring purposes, with such data retained only as long as necessary.
4.3 Diagnostic Data
To enhance fraud prevention and user safety, the Veridian wallet integrates the freeRASP SDK (provided by Talsec). This SDK collects a limited set of anonymous diagnostic data off-device solely for security threat detection.
- Category: Application Info and Performance
Diagnostics: Information about the integrity of the app and the operating system (e.g., rooting, emulator usage, presence of hooking frameworks)
- Category: Device and Other Identifiers
Device-related data: Anonymous device model and hashed identifiers to ensure that the app instance is running on the originally installed device. This is used to prevent threats such as bot abuse or API misuse.
4.4 Data Collection in the Sandbox Environment
For users accessing the Sandbox environment—a controlled, non-production testing environment hosted on our on-premise servers—we expect that fictitious data will be used. The Sandbox is intended solely for evaluation and testing purposes, and real personal data should not be processed. All data collected or processed in the Sandbox environment is segregated from production data and will be securely destroyed once the testing engagement concludes.
4.5 Information we receive from other sources
Veridian does not actively aggregate data from third-party sources. Should any additional information be received (for example, through optional integrations), it is processed only to the extent necessary for the intended functionality and under strict confidentiality.
5. How your information is used
We may use personal information about you for the following purposes:
- to manage relationships with suppliers and fulfil contractual obligations (Article 6 para 1 letters a and b GDPR if applicable);
- to send you personalised communications which you have requested and that may be of interest to you, which may be based on your activity on our Website or the website of our partners. These may include information, suggestions and recommendations about new offers, campaigns, activities and events (Article 6 para 1 letters a and b GDPR if applicable);
- to understand and measure the effectiveness of how we serve you and others (Article 6 para 1 letters b and f GDPR if applicable);
- to ensure compliance with legal obligations and official orders, including communication with authorities and courts; enforcement of and defence against legal claims (Article 6 para 1 letter f GDPR if applicable).
6. Security and Data Integrity
Veridian employs robust security measures to ensure your digital identity, and any personal information that you have bound to it, remains secure and fully under your control:
6.1 Local Data Management
Most operations—including key generation, authentication, and signing—occur directly on your device via the mobile edge agent. Sensitive details (such as your application password or a label you assign to your digital identity) are stored locally using advanced encryption and secure enclave technologies.
6.2 Encryption
Any data transmitted externally—whether for credential issuance, verification, or other interactions—is encrypted at the edge (i.e. on your device) before being sent to the cloud agent or third parties.
6.3 Cloud Agent Selection
You have full control over selecting the cloud agent infrastructure that best suits your needs for transmitting encrypted messages. In the production environment, the Cardano Foundation does not currently host any cloud agents on its own servers, while in the Sandbox environment, you have the option to use non-production cloud agents hosted on Cardano Foundation’s infrastructure or deploy your own cloud agent on your own infrastructure.
6.4 Verifiable Credentials/Personal Information
You may optionally choose to bind personal information (such as university degrees or passports) to your AID. While you control this data through the Veridian wallet, the information itself is stored with the independent cloud agent.
6.5 Controlled Data Sharing
Your device acts as the primary data controller. Identity data exchanges occur only with your explicit consent and include only the information you choose to share.
6.6 Decentralised Verification
Each AID is supported by a Key Event Log (KEL) managed within the IDW app. When you rotate your keys or sign an event, the updated KEL is transmitted to your chosen cloud agent, where independent third-party Witnesses verify the change. This verification process generates a Key Event Receipt Log (KERL), a tamper-proof record of the event. The Witnesses then submit the KERL to Cardano nodes, which store it on the Cardano blockchain to ensure its integrity. In addition, global monitoring services—referred to as Global Watchers—can access these KERLs to verify the cryptographic authenticity of your AID, ensuring that outdated or compromised keys are not used.
7. Who has access to your information
We do not pass on personal data to third parties without the consent of the person concerned, unless this is necessary for the purposes described in this Policy and except to third parties such as service providers, agents, subcontractors and other associated organisations engaged by us for processing for the purposes of completing tasks and providing services to you on our behalf, or if we are legally obliged to do so or if it is necessary to protect our interests, e.g. to combat abuse or to protect the law, to authorities or other third parties and within the framework of tracking technologies as described in this Policy.
If we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure.
8. Where we store your personal information
The data that we collect from you may be transferred to, and stored in, a country outside the European Economic Area (EEA), i.e. worldwide, in particular Switzerland, the United Kingdom and the USA. The laws in some countries may not provide the same legal protection for your information as in the EEA. In these cases, we only transfer personal data after we have implemented the legally required measures, such as the conclusion of standard contractual clauses on data protection or obtaining the consent of the data subjects. If you are interested, the documentation on these measures can be obtained from the address mentioned above.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.
The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information; any transmission is at your own risk. Once we have received your information, we will use good procedures and strong security features to try to prevent unauthorised access.
9. How long will we keep your data
We will hold your personal information on our systems for as long as is necessary for the relevant activity. It is then either deleted or anonymized, unless we need it for longer in exceptional cases, e.g. due to statutory retention and documentation obligations or our legitimate interests, e.g. to protect rights to which we are entitled or to defend against claims.
10. Security measures to protect your information
We take appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of personal data. We use strict procedures and security features, including encryption techniques, and take all steps reasonably necessary to ensure that personal data is processed securely and in accordance with this Policy.
Non-sensitive details such as your email address may be transmitted unencrypted over the Internet, and so may not be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.
11. Your choices and your rights
If you choose to provide any personal data (for example, during support interactions or optional features), you retain the following rights under applicable data protection laws (such as the GDPR):
- Right of Access:
You may request a copy of any personal data we hold about you.
- Right to Rectification:
If any personal data is inaccurate or incomplete, you can request its correction.
- Right to Erasure:
You may request the deletion of your personal data when it is no longer necessary for our purposes.
- Right to Restrict Processing:
You can ask us to limit the processing of your personal data under certain circumstances.
- Right to Data Portability:
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object:
You may object to the processing of your personal data, including for direct marketing purposes.
You have the right to request a copy of your personal data as well as the right to have your personal data corrected or deleted.
You have the right to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner. Competent data protection authorities of EU countries can be accessed through this link.
12. Review of this Policy
We periodically review and update this Privacy Policy to ensure it remains current with our practices and legal obligations. Any material changes will be communicated through the Veridian Wallet application. We encourage you to review this Policy regularly.
Last updated: 26 March 2025