Privacy Policy
Last updated: May 7, 2026
SkinID is a Swiss authentication platform that enables individuals to use a subdermal NFC cryptographic implant as a universal authenticator across digital and physical environments. We take your privacy seriously. This policy explains what data we collect, how we protect it, and your rights.
1. Data we collect
During the pre-launch phase (Insider, Pioneer, Pioneer Plus signups):
Your email address, your queue position, and your referral activity. For Pioneer Plus, your shipping address.
During product use (after launch):
- NFC implant UID and chip metadata. The cryptographic identifier read from your DESFire EV3 implant and a per-chip AES master key generated server-side at provisioning. The AES master key is encrypted at rest with a key derived from a master secret held outside the database.
- Saved credentials (passwords). Website URLs, usernames, and password ciphertext you choose to store. Each password is encrypted with ChaCha20-Poly1305 AEAD under a per-credential key derived (HKDF-SHA256) from your chip's vault wrap key. Without your chip in the reader field, this ciphertext cannot be decrypted, including by SkinID. Plaintext passwords are never stored.
- FIDO2 / passkey private keys. Per-site cryptographic private keys for passwordless authentication, encrypted with the same chip-bound scheme.
- Activity logs. Authentication events, FIDO registrations, credential saves, and access control events. Logged with timestamps for your security dashboard, anomaly detection, and audit purposes (Swiss FADP and EU GDPR compliance).
- Device information. Names you assign to trusted NFC readers and connected devices.
2. Data we do NOT collect
- We do not use cookies for tracking or advertising.
- We do not use analytics scripts, tracking pixels, or behavioural profiling.
- We do not sell or transfer your data to third parties for marketing purposes.
- We do not collect biometric data. The NFC UID is a cryptographic identifier, not a biometric measurement.
3. Data processors
To deliver our service, we work with the following trusted partners under data processing agreements:
- Infomaniak (Switzerland): server hosting and backups, fully Swiss-based.
- Stripe: payment processing for paid tiers (subject to Stripe's own privacy policy).
- Email provider: transactional emails for pre-launch tier confirmations and account notifications.
All processors are bound by contract to protect your data and may not use it for their own purposes. We do not transfer your data outside of Switzerland for storage.
4. How your data is protected
- Zero-knowledge encryption at rest. Each credential is encrypted with ChaCha20-Poly1305 AEAD under a per-credential key derived from your chip's 32-byte vault wrap key via HKDF-SHA256. The associated data binds each ciphertext to its user, site, and credential ID, so an attacker with database access cannot swap ciphertexts between accounts. Without your chip in the reader field, the ciphertext is unreadable, even by SkinID.
- Encryption in transit. All communications use HTTPS with TLS 1.3 and HSTS preload. No data is ever transmitted over unencrypted connections.
- Token security. User tokens and operator session tokens are stored only as SHA-256 hashes. Raw tokens are never persisted on the server. Operator passwords are stored as PBKDF2-SHA256 hashes using the OWASP-recommended iteration count.
- Data isolation. Each user can only access their own credentials and keys. Multi-user isolation is enforced at the database level. Operator access is gated by role-based access control with three tiers (support, senior, super), and destructive actions require multi-operator approval.
- CSRF and XSS protection. SameSite Strict cookies on operator sessions, Origin/Referer validation, defense-in-depth header checks, and a strict Content Security Policy that prevents inline-script injection and cross-origin script loads.
- Revocable keys. Unlike biometrics, which cannot be changed if compromised, SkinID's cryptographic keys can be revoked and replaced without affecting your identity. A new chip can re-establish your account via one of three documented recovery paths (backup chip, printable Shamir-split key, or identity verification with multi-operator approval).
- Encrypted backups. Database backups are encrypted with the age tool (X25519 with ChaCha20-Poly1305) using a public key whose private half is held on a separate isolated system. A backup leak alone does not expose customer data.
5. Data storage and jurisdiction
Your data is stored on a secured server hosted by Infomaniak in Switzerland. Switzerland provides strong data protection under the revised Federal Act on Data Protection (FADP) and is recognised internationally for its privacy standards. SkinID is a Swiss product, subject to Swiss data protection law. We do not transfer data outside of Switzerland.
6. Legal basis
We process your data on the basis of:
- Contract performance (Art. 6.1.b GDPR / Art. 31 FADP): for creating and operating your SkinID account.
- Legitimate interest (Art. 6.1.f GDPR): for activity logs, anomaly detection, security audits, and backup creation.
- Consent (Art. 6.1.a GDPR): for pre-launch email signups.
7. Retention periods
- Credentials and passkeys: stored until you delete them or delete your account.
- Autofill profile: stored until you modify or delete it, or delete your account.
- Activity logs: retained for 12 months, then automatically deleted.
- Trusted devices: stored until you remove the device or delete your account.
- Server logs: retained for 30 days (automatic rotation).
- Pre-launch email addresses: retained until you unsubscribe or product launch is complete.
- Inactive accounts: accounts with no authentication activity for 24 months may be deleted after a notification period (notification sent to the email on file, if any).
8. Your rights
- Access. You can view all stored data in the management panel at any time by scanning your implant.
- Deletion. You can delete individual credentials, FIDO keys, shared access, or your entire account.
- Export. You can export your credentials as CSV and download all your data (credentials, passkeys, autofill profile, activity logs, devices, sharing history) as a single JSON file from the Account section.
- Portability. Export formats are standard and machine-readable, ensuring you are never locked into SkinID.
- Revocation. You can revoke authentication tokens and bridge device access at any time.
- Objection and restriction. You may request that we stop processing your data or restrict it to storage only.
9. For users in the European Union
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data in addition to Swiss law. Under the GDPR, you have the following additional rights:
- Right to information (Art. 13-14 GDPR): you are informed about all data processing through this privacy policy.
- Right of access (Art. 15 GDPR): you can request a copy of all personal data we hold about you. Use the “Download all my data” button in the Account section.
- Right to rectification (Art. 16 GDPR): you can correct your data at any time through the management panel.
- Right to erasure (Art. 17 GDPR): you can delete your account and all associated data at any time.
- Right to data portability (Art. 20 GDPR): you can export all your data in machine-readable formats (CSV, JSON).
- Right to object (Art. 21 GDPR): you may object to data processing based on legitimate interest.
- Right to lodge a complaint: you may lodge a complaint with your national data protection authority in addition to the Swiss FDPIC.
SkinID does not use automated decision-making or profiling. We do not use your data for marketing purposes. We do not share data with third parties for their own use.
10. Browser extensions and apps
The SkinID browser extension (Chrome) and native apps (Mac, Windows, iPhone) only activate on pages with login forms or when you initiate authentication. They communicate exclusively with the SkinID server over HTTPS. They do not collect browsing history, read page content beyond login form detection, or transmit data to any third party. The iPhone app uses Core NFC to read your implant. No data is sent to Apple.
11. The NFC implant
The SkinID implant uses a DESFire EV3 NFC cryptographic chip with AES-128 mutual authentication, encased in biocompatible glass (Schott 8625). It communicates via the standard ISO 14443 protocol. The read operation is entirely passive: it reads the cryptographic UID and does not write to or modify the implant's storage. The implant contains no battery and is powered passively by the NFC field. MRI compatibility may vary by chip generation: always inform your radiologist of the implant before any MRI examination.
12. Changes to this policy
We may update this policy as SkinID evolves. The “last updated” date at the top will reflect any changes. Continued use of SkinID after changes constitutes acceptance of the updated policy.
13. Contact and complaints
For privacy-related questions: support@skinid.ch
If you believe your data protection rights have not been respected, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch