Real ID Personal Information
Protection Policy

This Real ID APP is developed and operated by Real ID Foundation Limited (hereinafter referred to as "we"). We are committed to protecting your privacy with a high sense of responsibility and complying with privacy data requirements related to the use of personal data. The following will explain in detail how we collect, use, store and protect your personal information, as well as your rights through the Personal Information Protection Policy (hereinafter referred to as "this Policy").

1. Definition

1.1 DID Identifier

That is, a distributed identity (Decentralized Identifier), which identifies the user's autonomous, secure, and privacy-protected identity in the digital world.

1.2 Device Identification

The device identification is generated by collecting and calculating the following device information, including: device manufacturer, device brand, device type and model, device name, device memory and storage size, sensor list, battery and power information, baseband information, boot time, screen brightness and resolution, CPU information, system time zone, system language, charging status, system kernel information, Android ID, BSSID, SSID.

1.3 Personal information

Refers to various information recorded electronically or otherwise that can identify a specific natural person alone or in combination with other information or reflect the activities of a specific natural person. The personal information involved in this policy includes but is not limited to the information you actively provide during the use of products/services and the information generated by the use of products/services.

1.4 Electronic passport information

The information in the electronic passport chip includes field information and passport face photo.

1.5 Live face photo

Face information collected by the mobile device through the camera.

1.6 Real score

The trust score calculated through social connection data to measure the credibility of the identity.

2. How we collect and use your personal information?

2.1 Product/Service Functions and Corresponding Personal Information Collection and Use

2.1.1 Registration

Users’ Real ID types are divided into two categories: seed users and end users.
For seed users:
After you apply to register as a seed user, we will collect and verify your following personal information: email address, device identification, electronic passport information, and live facial photos. The electronic passport information and live facial photos are only collected and verified on the end side, and can be deleted after use without storage. This information is collected to ensure that your identity is authentic and valid, and to generate your DID Identifier. In addition, to ensure that your Real ID can verify your identity in different scenarios, we will also generate biometric similarity ratios, device identification, avatar photos, user public keys, and Real scores, and store them after de-identification.
For end users:
When you apply to register as an end user, we will collect your email address and device ID to help you generate a DID Identifier. In addition, to ensure that your Real ID can verify your identity in different scenarios, we will also de-identify your device ID, profile photo, user public key, and Real score before storing them.

2.1.2 Login

Regardless of your user identity, we will collect your email address to verify your account identity. At the same time, we will generate account holder verification results and login records, and de-identify this information to facilitate the subsequent query of login status services for you and ensure account security.

2.1.3 Social Connection

No matter what user you are, when you use the connection function, we will collect the DID Identifier and signatures of both parties of your connected account. This information is used to establish and manage your social connection with other users. We will de-identify this information, and the relevant data will be stored on the server after effective encryption measures to protect your social data privacy.

2.1.4 Recovery

No matter what user you are, when you need to recover your account, we will collect your email address and generate friend verification information. The friend verification information is stored on the server after effective encryption measures are taken to assist you in completing the account recovery process and ensure the information security during the account retrieval process.

2.2 Application and purpose of mobile device permissions

2.2.1 Camera Permissions

When you perform face recognition, we will apply for camera permissions to obtain your face image for identity verification. This permission is only used when the relevant function is used to ensure the accuracy and security of your identity verification.

2.2.2 Storage Permissions

In order to store temporary data generated during your use of the product/service, such as temporary live images for comparison or for reading image files to set avatars, we may apply for storage permissions. We will strictly manage the storage content to ensure that only necessary temporary data is stored and that the data is cleaned up in a timely manner after use.

2.2.3 Read application list permission

This permission is a required consent item for basic services and is used to generate device identification codes to help us identify device uniqueness, ensure account security, and provide personalized services. We only use this permission to obtain application list information for device identification generation and will not read specific application data content.

2.2.4 Read phone status and identity permissions

For seed users, this permission is a must-have for identity verification and liveness detection; for end users, basic service functions can be used without this permission to reduce unnecessary permission acquisition and protect your privacy.

2.2.5 Network permissions

In order for you to use the various functions of Real ID products/services normally, such as interacting with the Real ID backend and on-chain, loading images, etc., we need to obtain your network permissions to ensure that the device can connect to the Internet and communicate data with relevant servers. We will strictly limit the scope of network data transmission and only transmit data related to the implementation of product functions to ensure the security of your data transmission.

3. How we store your personal information

3.1 Storage location

We will store your personal information on the servers of Real ID Foundation Limited data center to ensure that data storage complies with local laws and regulations.

3.2 Storage Period

We will only retain your personal information for the period necessary to achieve the purposes described in this policy, unless there is a mandatory retention requirement by law. For example, after you use Real ID products and services for identity authentication, we will retain your identity authentication information within the operating period specified by the relevant business to deal with possible identity authentication reviews, etc. When you apply to cancel your account and obtain your consent, we will delete or anonymize it within 30 working days after you cancel your account so that it can no longer identify you personally.

4. Description of Sharing and Transferring Personal Information

4.1 Sharing

We will not share your personal information with other third parties unless we obtain your explicit consent. In the following circumstances, we may share your personal information after fulfilling the necessary obligation to inform and obtaining your consent:
Sharing with developers using Real ID: Real ID supports Zero Knowledge Proof Authentication and Public Key Authentication. In the public key authentication method, we need to output your DID Identifier and your signature to the application organization for identification. We will only share necessary and minimized personal information, subject to the purposes stated in this policy.

4.2 Transfer

We will not transfer your personal information to any third party unless we obtain your explicit consent in advance. In the following circumstances, we may transfer your personal information after fulfilling the necessary obligation to inform and obtaining your consent:
If we change due to mergers, acquisitions, asset transfers, etc., we will inform you of the relevant circumstances and require the new entity to continue to comply with this policy and relevant laws and regulations to protect your personal information, otherwise we will require the entity to obtain your authorization and consent again. During the transfer process, we will ensure the secure transfer of personal information, supervise the recipient's processing of information, and protect your personal information rights and interests from infringement.

5. How do we protect your personal information?

5.1 Technical measures

We use security measures that meet industry standards to protect your personal information and prevent unauthorized access, public disclosure, use, modification, damage or loss of data. For example, we will use encryption technology (such as SSL/TLS encryption protocol) to encrypt, transmit and store your personal information to prevent data from being stolen or tampered with during transmission and storage; we will also use technical means such as anonymization and de-identification to process your personal information so that it cannot be identified without the help of additional information. For sensitive personal information, we will use higher-level encryption algorithms and security protection mechanisms. For example, we only compare and process biometric information on the end side, and only collect feature values ​​and similarities. We will not collect, store or transmit your original biometric information. At the same time, we will regularly scan and repair security vulnerabilities in the system, update security protection technology in a timely manner, and ensure system security.
Establish a complete access control mechanism, set up a strict permission management system, limit only authorized personnel to access your personal information, and record and audit access behavior in detail. For example, different levels of authority are assigned according to employees' job responsibilities and business needs. Only technical personnel with specific authorization can access relevant data within the scope of their duties, and their access operations are fully recorded for traceability and supervision. At the same time, the authority settings are reviewed and adjusted regularly to ensure the rationality and security of authority allocation.

5.2 Management measures

The security team led by the personal information protection officer formulates a strict internal personal information protection management system, clarifies the responsibilities and authority of each team member in personal information protection, and conducts regular training.
Establish an emergency response mechanism and formulate a detailed emergency plan for personal information security incidents. When a personal information security incident occurs, the emergency plan can be quickly activated and effective measures can be taken to reduce losses and impacts, such as immediately suspending relevant data processing operations, evaluating and isolating affected data, and investigating the cause of the incident.

6. Your rights

6.1 Right of access

You have the right to make a request to us to obtain a copy of the personal information we hold about you. You can contact our customer service staff through our product/service interface or through the contact information in this policy and submit a request for access in accordance with the prescribed process. We will process your request within 30 working days after receiving your request and provide you with relevant information. If a reasonable access fee is required, we will inform you of the fee details in advance.

6.2 Right to correction

If you find that the personal information we hold about you is inaccurate or incomplete, you have the right to ask us to correct it. You can submit a correction application through the product/service function or contact customer service and provide relevant evidence. We will verify and process it within a reasonable period after receiving the application. If the information is confirmed to be incorrect, it will be corrected in a timely manner and the relevant information recipient (if any) will be notified.

6.3 Right to object to processing

In certain circumstances, you have the right to object to our processing of your personal information. For example, when we process your personal information based on legitimate interests, you can object and we will stop the relevant processing unless we can prove that there are sufficient legitimate reasons to continue processing. You can make an objection to processing by contacting our customer service staff, and we will evaluate and respond to your request in a timely manner.

6.4 Right to data portability

You have the right to request that we provide you with your personal information in a structured, commonly used and machine-readable format, or directly transfer your personal information to other data controllers. You can make a request for data portability by contacting our customer service staff, and we will process your request within a reasonable period of time.

6.5 Right to restrict processing

In certain circumstances, such as if you object to the accuracy of your personal information or we illegally process your personal information, you have the right to request us to restrict the processing of your personal information. During the period of restricted processing, we will only store your personal information and will not perform other processing operations until the reason for restricting processing is eliminated. You can make a request for restricted processing by contacting our customer service staff, and we will evaluate and take appropriate measures in a timely manner.

7. Protection of Minors

We attach great importance to the protection of minors' personal information. We will not actively collect personal information of minors under the age of 18. We will not collect your age or date of birth, and we have no way to determine whether you are a minor under the age of 18. If you are a minor under the age of 18, please use this product/service and provide the corresponding personal information after your guardian fully understands this policy and agrees to the authorization. If your guardian does not authorize and agree, please do not use this product/service and avoid providing your personal information.

8. Policy Updates

We may update this policy from time to time based on business development, changes in laws and regulations, etc. After the policy is updated, we will post a notice in a prominent position on the Real ID APP to remind you of the policy changes. If you continue to use our products or services after the policy is updated, it will be deemed that you agree to be bound by the updated policy.

9. How to contact us

If you have any questions, comments or suggestions about this policy or our handling of your personal information, or if you want to exercise the above rights, you can contact us in the following ways:
Email: DPO@realid.cc
After receiving your feedback, we will process and respond within the time specified by relevant laws and regulations, try our best to solve your problem and protect your legal rights.
This Privacy Policy was last updated on May 30, 2025.