Legal

Privacy Policy

Effective date: March 2026

The short version: HumanStamp is built to prove you're human without knowing anything about you. We collect one thing — a random device ID — and use it for nothing except token verification. We don't see your messages. We don't see your face. We don't sell anything.

What we collect

One thing: a device identifier.

When you first open HumanStamp, the app generates a random UUID (a string like a3f1…) and stores it on your device. This ID is paired with a cryptographic public key that lives in your device's Secure Enclave. The public key is registered with our server at api.humanstamp.io so that Human Presence Tokens (HPTs) you sign can be verified by recipients.

That's it. We don't collect your name, email, phone number, location, or any other identifying information.

What we don't collect

Biometric data. Face ID and Touch ID are handled entirely by Apple's operating system. Your biometric data never reaches HumanStamp — not our app, not our servers, not us.
Message content. HumanStamp signs a cryptographic hash of your message. We never see the message itself.
Analytics or advertising data. We use no third-party SDKs, trackers, or ad networks.
IP addresses beyond normal server operation. HTTPS connections to our API transit your IP address as a technical necessity of the internet, but we do not log or store it.

How data is used

The device identifier and its associated public key are used for one purpose: allowing recipients to verify that a Human Presence Token was signed by a registered device. Nothing else.

We do not sell data. We do not share data with third parties. We do not use data for advertising, profiling, or any purpose other than token verification.

Data retention

Your public key record remains on our servers for as long as your device is registered. You can delete your device registration at any time from within the app (Profile → Remove Device). Deletion is permanent and immediate.

Signed tokens (HPTs) contain only your device ID, a hash of the message, and a timestamp. Tokens are not stored on our servers — they travel with your messages.

Your rights

GDPR (EU/EEA/UK users). The device identifier and public key constitute personal data under GDPR. You have the right to access, rectify, or erase this data at any time. To exercise these rights, use the in-app deletion flow or contact us at the address below.

CCPA (California users). We do not sell personal information. California residents may request disclosure of what data we hold by contacting us below.

All users. You may remove your device registration at any time. Because we hold no other data about you, deletion is complete.

Contact

Questions about this policy? Email us at [email protected].

HumanStamp is operated by the HumanStamp team. For legal correspondence: [email protected].