Privacy Policy

Last Updated: January 31, 2026

1. Introduction

Lemma.id ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cryptographic credential verification service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, company name, site domain
  • Payment Information: Processed by Stripe (we do not store credit card numbers)
  • API Keys: Generated for your account to access our services

2.2 Information Automatically Collected

  • Usage Data: API calls, verification requests, monthly active users
  • Log Data: IP addresses, user agents, timestamps, request paths
  • Performance Data: Response times, error rates, system metrics
  • Security Events: Authentication attempts, permission grants, access verifications

2.3 Cryptographic Data

  • Credentials: Stored in user's browser wallet (we do not have access to credential contents)
  • Public Keys: Ed25519 public keys for verification (site-specific, stored on your servers)
  • Revocation Data: Bloom filter hashes of credential IDs (cannot reveal original credentials)
  • PPIDs: Pairwise Pseudonymous Identifiers unique per user per site (unlinkable across sites)

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Service
  • Process payments and billing
  • Send service notifications and updates
  • Monitor usage for billing purposes (MAU tracking)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Improve the Service through analytics

4. Privacy-Preserving Features

Lemma.id is designed with privacy as a core principle:

  • Local Verification: Credentials are verified locally using Ed25519 signatures in under 250 microseconds - no API calls to our servers
  • Bloom Filter Revocation: Revocation lists use probabilistic Bloom filters that cannot reveal which specific credentials are revoked
  • Pairwise Identifiers (PPIDs): Each user gets a unique identifier per site, making cross-site tracking impossible
  • Client-Side Storage: Credentials stored in encrypted browser wallet - we never see or store your credential data
  • Zero-Knowledge Architecture: Your server verifies credentials without contacting Lemma.id - we don't know when or where users authenticate
  • No Third-Party Tracking: We do not sell or share your data with advertisers

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

5.1 Service Providers

  • Stripe: Payment processing (PCI DSS compliant)
  • Heroku/AWS: Hosting infrastructure
  • Sentry: Error monitoring (anonymized error data)
  • Email Service: Mailgun or SendGrid for transactional emails

5.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights and safety.

6. Data Security

We implement industry-standard security measures including:

  • Ed25519 Signatures: Cryptographic signatures for credential verification (same algorithm used by SSH)
  • Bloom Filter Revocation: Efficient, privacy-preserving revocation checking
  • Encrypted Browser Wallet: Credentials encrypted at rest in user's browser
  • Passkey Authentication: WebAuthn/FIDO2 passkeys for developer account security
  • Rate Limiting: Protection against brute-force and abuse
  • Audit Logging: Comprehensive logging of all security events

7. Data Retention

  • Account Data: Retained while your account is active
  • Audit Logs:
    • Free Tier: 30 days
    • Starter: 90 days
    • Professional: 1 year
    • Enterprise: 7 years (compliance requirement)
  • After Account Deletion: Data deleted within 30 days, except where legally required to retain

8. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Export: Download your audit logs in CSV or JSON format
  • Opt-Out: Unsubscribe from marketing emails (service emails may still be sent)

To exercise these rights, contact us at [email protected]

9. GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), you have additional rights under GDPR:

  • Legal Basis: We process data based on contractual necessity and legitimate business interests
  • Data Protection Officer: Contact [email protected]
  • Right to Lodge Complaint: You may file a complaint with your local data protection authority
  • Data Portability: Export your data in machine-readable format

10. CCPA Compliance (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

11. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it immediately.

12. Data Breach Notification

In the event of a data breach that may compromise your personal information, we will notify you within 72 hours via email and post a notice on our website.

13. Contact Us

For privacy-related questions or to exercise your rights:

Email: [email protected]
Data Protection Officer: [email protected]
Website: https://lemma.id/privacy

Back to Home Terms of Service