
Privacy Policy.

Effective May 22, 2026 · Version 1.0 · Governs inkid.io

Contents

  1. Introduction & scope
  2. Who we are
  3. Information we collect
  4. The InkVerify demo widget
  5. How we use information
  6. Sharing & disclosure
  7. Cookies & similar technologies
  8. Third-party services
  9. International data transfers
  10. Data retention
  11. Security
  12. Children's privacy
  13. Your privacy rights
  14. California privacy rights (CCPA / CPRA)
  15. Changes to this Policy
  16. Contact

1. Introduction & scope

This Privacy Policy (the "Policy") describes how InkID, Inc. ("InkID," "we," "us") collects, uses, shares, and protects information when you visit inkid.io and its subdomains (collectively, the "Site"). The Site is the umbrella marketing surface for the InkID protocol and the products that implement it.

The Site itself is information-only. It does not provide accounts, file storage, content submission, payments, behavioral data collection, or any feature that captures, uploads, or stores user-generated content. The data footprint of a typical visit is intentionally minimal — standard server access logs and standard browser cache behavior. This Policy describes that footprint honestly.

What this Policy does not cover. The InkID protocol is exposed through separate products — including the InkWave mobile application, the InkTrust publisher dashboard, the InkVerify public resolver, and others. Each of those products has its own privacy policy presented in or for that product. If you use one of those products, the data practices applicable to your use are governed by that product's privacy policy, not by this one. This Policy applies to the inkid.io Site only.

2. Who we are

The data controller for personal information collected through the Site is:

InkID, Inc.
Delaware C-Corporation
Privacy inquiries: privacy@inkid.io

For users in the European Union or United Kingdom, our designated contact for data-protection inquiries is reachable at the same address.

3. Information we collect

The information collected as a result of your visit to the Site falls into three narrow categories.

3.1 Standard server access logs

The Site is delivered by Firebase Hosting, operated by Google. When you request a page, Firebase Hosting records standard web-server access information for operational, security, and abuse-prevention purposes. The information typically logged includes:

  • IP address: Truncated or hashed by Firebase per Google's standard practice; used for rate-limiting, abuse prevention, and to determine the nearest CDN edge.
  • User-agent string: Your browser and operating-system identifier, sent by your browser.
  • Requested URL: The path of the page or asset you requested on the Site.
  • Referrer: The URL of the page that linked you here, if any, sent by your browser.
  • Timestamp: When the request occurred.
  • Response code & bytes: Whether the request succeeded, and how much data was returned.

These logs are generated by Firebase's hosting infrastructure and are retained per Google's default schedules for hosting access logs. InkID does not enrich them, link them to other data, sell them, or use them for advertising or profiling.

3.2 Google Fonts requests

The Site loads typography (the Inter and JetBrains Mono typefaces) from Google Fonts. When your browser fetches a font file, it makes a direct request to fonts.googleapis.com and fonts.gstatic.com servers operated by Google. That request includes your IP address and User-Agent header by necessity of the HTTP protocol. Google's handling of that request is governed by Google's Privacy Policy; the Google Fonts service is documented to use that information only for the purpose of serving the fonts. We do not control and do not receive a copy of those requests.

3.3 Information you provide voluntarily

If, in the future, we add a waitlist form, contact form, account-creation flow, or any other feature that asks you to submit information, we will (a) describe what is collected at the point of collection, (b) explain the purpose of collection, and (c) update this Policy to reflect the new processing. As of the Effective date above, no such feature is wired on the Site.

3.4 What we do NOT collect from Site visitors

For clarity, the Site does not collect any of the following:

  • Behavioral data of any kind (keystroke counts, typing rhythm, mouse-movement patterns, dwell time, etc.)
  • Biometric data of any kind (fingerprints, voiceprints, face geometry, behavioral biometric signatures)
  • Audio recordings or voice data
  • Health, medical, or wellness data
  • Sensitive personal information as defined under California law (precise geolocation, racial or ethnic origin, religious beliefs, etc.)
  • Payment card information
  • Authentication credentials (the Site has no account system)
  • Children's personal information (see §12)

The Site does not use any third-party analytics service (Google Analytics, Mixpanel, Segment, Amplitude, or similar). The Site does not deploy any advertising trackers, retargeting pixels, conversion pixels, or cross-context behavioral advertising technology. The Site does not set first-party cookies (see §7).

4. The InkVerify demo widget

The Site's homepage includes a small interactive widget that returns illustrative sample records for two pre-defined sample identifiers (the "Demo Widget"). The Demo Widget operates entirely in your browser. Any identifier you type into the input box is processed by client-side JavaScript locally; nothing you enter is transmitted to InkID or to any third party. If you enter one of the two pre-defined sample identifiers, the widget displays a hard-coded illustrative record stored in the page's JavaScript; for any other input, it returns a "not found" response, also produced locally. The Demo Widget does not place a cookie, write to local storage, or initiate any network request.

Production resolution of real InkIDs is a separate service operated under the InkVerify product, accessible at verify.html and (where applicable) at the InkVerify resolver site. Data practices for the production resolver are governed by InkVerify's own privacy policy, presented at that surface.

5. How we use information

The narrow categories of information described in §3 are used for the following purposes:

  1. Operating the Site. Serving pages, delivering fonts, ensuring assets load.
  2. Security & abuse prevention. Detecting and mitigating malicious traffic patterns, denial-of-service attempts, and unauthorized scraping.
  3. Aggregate operational understanding. Knowing roughly how much traffic the Site receives and which pages are most reached, derived from server logs in aggregate form.
  4. Legal compliance. Responding to lawful requests from authorities where we are legally required to do so.

We do not use Site data for advertising, profiling, automated decision-making, or any purpose other than the four above. We do not enrich Site data with information from other sources or sell access to it.

5.1 Legal bases (EU / UK users)

For visitors in the European Union, the European Economic Area, or the United Kingdom, the legal basis for the processing described above is our legitimate interest (GDPR Article 6(1)(f) / UK GDPR equivalent) in operating, securing, and understanding traffic to the Site — a low-risk interest that is balanced against your privacy interests by the data-minimization practices described in this Policy. For any future feature that requires more substantial processing (e.g., a waitlist form requiring an email address), the legal basis will be your explicit consent (Article 6(1)(a)) provided at the point of collection.

6. Sharing & disclosure

InkID does not sell, rent, lease, trade, or otherwise share personal information collected through the Site with third parties for their marketing or independent commercial purposes. We have not done so in the preceding twelve (12) months and have no plans to do so.

We share information only as follows:

  1. Service providers (processors). The Site's hosting infrastructure (Firebase Hosting, operated by Google) and typography (Google Fonts, operated by Google) inherently receive the information described in §§3.1 and 3.2 in the course of delivering the Site to you. Those providers are bound by their own contractual data-protection obligations and privacy policies.
  2. Legal obligations. We may disclose information if we are legally required to do so by a valid subpoena, court order, regulatory request, or other lawful process; if necessary to investigate fraud, security incidents, or violations of our Terms; or if necessary to protect the safety of any person.
  3. Business transfers. If InkID is involved in a merger, acquisition, reorganization, or sale of assets, information collected through the Site may be transferred to the successor entity, which will be bound by this Policy or an equivalent one.

7. Cookies & similar technologies

The Site does not set first-party cookies. The Site does not use localStorage, sessionStorage, IndexedDB, or any other client-side storage mechanism for visitor tracking, behavioral analytics, or fingerprinting.

Your browser may, by default, perform standard caching of Site assets (HTML, CSS, JavaScript, images, fonts) to speed up subsequent visits. That caching is governed by HTTP cache headers we serve and by your browser's settings — not by any cookie or persistent identifier.

When your browser fetches a font from fonts.gstatic.com (Google Fonts), Google may set technical cookies or similar identifiers per its own privacy practices; we do not control that and do not receive a copy of those identifiers. See the Google Fonts privacy documentation linked in §8.

8. Third-party services

The Site relies on the following third-party services to function:

  • Firebase Hosting (operated by Google). Serves the Site's pages and assets. Receives the request information described in §3.1. Privacy: firebase.google.com/support/privacy
  • Google Fonts (operated by Google). Serves the Inter and JetBrains Mono typefaces used by the Site. Receives the request information described in §3.2. Privacy: policies.google.com/privacy

The Site also links to several third-party resources from informational content (for example, links to the FreeTSA Time-Stamp Authority documentation, the C2PA standard, App Store listings, news coverage, and partner sites). Visiting any of those linked sites is a fresh request to that site, governed by that site's own privacy policy and terms — we are not responsible for their practices.

9. International data transfers

The Site is operated from and hosted in the United States. If you access the Site from outside the United States, the standard server-log information described in §3.1 will be processed in the United States by Google's hosting infrastructure. For visitors in the European Union, European Economic Area, or United Kingdom, transfers to the United States are conducted under (a) the EU–US Data Privacy Framework where applicable; (b) Google's incorporation of Standard Contractual Clauses approved by the European Commission (Decision 2021/914); and (c) the UK International Data Transfer Addendum.

Because the Site's collection footprint is minimal, the volume and sensitivity of personal data subject to international transfer is correspondingly low.

10. Data retention

Server access logs (§3.1) are retained per the default Firebase Hosting retention schedule. InkID does not maintain a separate copy of those logs, and does not associate them with any persistent profile. There is no other personal data collected through the Site as of the Effective date that requires a separate retention schedule.

If you have submitted information through any future Site feature, the retention schedule applicable to that information will be described at the point of collection and incorporated into this Policy.

11. Security

InkID applies security measures commensurate with the limited data we process through the Site. These include:

  1. Transport encryption. All Site traffic is served over HTTPS with modern TLS configurations; HTTP requests are upgraded to HTTPS. Strict-Transport-Security headers are sent.
  2. Content security headers. The Site sends a Content-Security-Policy that restricts asset sources to InkID's origin and the third-party services described in §8, plus X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.
  3. Hosting hardening. Firebase Hosting provides DDoS mitigation, infrastructure-level security, and a globally distributed CDN.
  4. Minimization. The Site does not store, accumulate, or process personal information beyond what is necessary to operate it. Most security exposure scenarios are not applicable because the corresponding data simply does not exist on our side.

No system is perfectly secure. If we become aware of an incident that affects information collected through the Site, we will notify affected individuals and applicable regulators as required by law, including within 72 hours where GDPR Article 33 applies.

12. Children's privacy

The Site is not directed at, and is not intended for, children under the age of sixteen (16). We do not knowingly collect personal information from individuals under 16 through the Site. If you are a parent or guardian and believe a child under 16 has provided personal information to the Site, please contact us at privacy@inkid.io and we will take prompt action to investigate and, where applicable, delete the information. We comply with the Children's Online Privacy Protection Act (COPPA), GDPR Article 8 child-consent rules in member states that set the threshold at 16, and equivalent provisions in other jurisdictions.

13. Your privacy rights

Regardless of your location, you have the following rights with respect to personal information InkID holds about you in connection with the Site, to the extent any exists:

  1. Access. Request a copy of the personal information we hold about you.
  2. Correction. Request correction of inaccurate personal information.
  3. Deletion. Request deletion of your personal information, subject to limited legal exceptions.
  4. Restriction. Request that we restrict the processing of your personal information.
  5. Objection. Object to processing of your personal information.
  6. Portability. Receive a copy of your personal information in a structured, commonly used, machine-readable format.
  7. Withdrawal of consent. Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, email privacy@inkid.io. We will respond within the timeframe required by your applicable law (typically 30 days for GDPR / UK GDPR; 45 days for CCPA, extendable in either case where the request is complex). We may need to verify your identity before responding; verification will be no more onerous than necessary.

13.1 EU / UK supervisory authority

If you are in the European Union or United Kingdom, you have the right to lodge a complaint with your local data-protection supervisory authority. UK residents may contact the Information Commissioner's Office at ico.org.uk.

14. California privacy rights (CCPA / CPRA)

This section provides the specific disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, "CCPA").

14.1 Categories of personal information collected

In the preceding twelve (12) months, InkID has collected the following CCPA categories of personal information through the Site:

  • Identifiers (limited to IP address, contained in server access logs as described in §3.1)
  • Internet or other electronic network activity information (limited to the standard request metadata described in §3.1)

14.2 Categories not collected

InkID does not collect, through the Site, the following CCPA categories: personal identification information beyond the IP address noted above; protected classification characteristics; commercial information; biometric information; geolocation data beyond what is approximated by IP address for CDN routing; sensory data; professional or employment information; education information; inferences drawn from any of the foregoing; or sensitive personal information.

14.3 Sources, business purposes, and recipients

The information described in §14.1 is collected directly from your browser when you visit the Site. It is collected for the business purposes described in §5 (operating the Site, security and abuse prevention, aggregate operational understanding, legal compliance). It is disclosed only to the service providers (processors) described in §8.

14.4 California consumer rights

California residents have the following rights:

  1. Right to know what personal information has been collected, used, disclosed, and (if applicable) sold or shared about you in the preceding twelve months.
  2. Right to delete personal information collected from you, subject to legal exceptions.
  3. Right to correct inaccurate personal information.
  4. Right to opt out of "sale" or "sharing" of personal information. InkID does not "sell" or "share" personal information as those terms are defined under CCPA, and does not engage in cross-context behavioral advertising. No opt-out is necessary because no such activity occurs.
  5. Right to limit use and disclosure of sensitive personal information. Inapplicable here — see §14.2.
  6. Right to non-discrimination for exercising any of the rights above. InkID will not discriminate against you for exercising these rights.
  7. Right to authorized agent. You may designate an authorized agent to make a request on your behalf. We will require written authorization and reasonable verification.

To exercise any California right, contact privacy@inkid.io. We will respond within 45 days (extendable by an additional 45 days where reasonably necessary, with notice to you).

15. Changes to this Policy

InkID may update this Policy from time to time to reflect changes in our practices, legal obligations, or Site features. When we do, we will revise the Effective date at the top of this page. For changes that materially affect how we collect, use, or share personal information, we will provide additional notice (for example, a prominent banner on the Site, or — where you have provided contact information through any future Site feature — an email notice) at least 30 days before the change takes effect. Continued use of the Site after the effective date of an updated version constitutes acceptance of the updated Policy.

16. Contact

Questions about this Policy or about how we handle personal information through the Site:

InkID, Inc.
Privacy inquiries: privacy@inkid.io
Legal inquiries: legal@inkid.io

Email contact addresses will be activated as the InkID email infrastructure is provisioned. Until then, please direct inquiries to the address listed on a current product page or InkID's verified social channels.

The Truth Pledge

“Every claim on this site is substantiated. Where evidence is in development, we say so. Where the protocol does not yet do something, we do not imply that it does. Authorship is too important to overstate.”

© 2026 InkID. INKID-PROTO and the InkID identifier scheme are trademarks of InkID, Inc. RFC 3161 is an IETF standard. FreeTSA is an independent service operated outside InkID.