Privacy Policy
Last updated: May 7, 2026
SkinID is a Swiss authentication platform that enables individuals to use a subdermal NFC cryptographic implant as a universal authenticator across digital and physical environments. We take your privacy extremely seriously. This policy explains what data we collect, how we protect it, and your rights.
Encryption regime status (May 2026). The chip-bound zero-knowledge encryption described below applies to every account from the moment the customer's chip is provisioned. The server, operator panel, audit log, and TLS layer are in production today. For the live rollout status of each control listed in section 3 see our technical architecture page.
1. Data we collect
- NFC implant UID and chip metadata: The cryptographic identifier read from your DESFire EV3 implant, the chip family identifier (xDF2 / xDF3), and a per-chip AES master key generated server-side at provisioning. The AES master key is itself encrypted at rest with a key derived from a master secret held off-database, and a copy is written into a tamper-resistant authenticated file inside your chip during provisioning.
- Saved credentials (passwords): Website URLs, usernames, and password ciphertext you choose to store. Each password is encrypted with ChaCha20-Poly1305 AEAD under a per-credential key derived (HKDF-SHA256) from your chip's vault wrap key. Without your chip in the reader field, this ciphertext cannot be decrypted, including by SkinID. Plaintext passwords are never stored.
- FIDO2 / passkey private keys: Per-site cryptographic private keys for passwordless authentication. Encrypted with the same chip-bound scheme. Decryption requires a successful AES-128 mutual authentication between your chip and our server, mediated by your phone or USB reader at the moment of use.
- Activity logs: Authentication events, FIDO registrations, credential saves, and access control events. Logged with timestamps for your security dashboard, anomaly detection, and audit purposes (Swiss FADP and EU GDPR compliance).
- Device information: Names you assign to trusted NFC readers and connected devices.
2. Data we do NOT collect
- We do not collect your name, email address, phone number, or any personally identifiable information. Your identity is your implant.
- We do not use cookies for tracking or advertising.
- We do not share, sell, or transfer any data to third parties.
- We do not use analytics scripts, tracking pixels, or behavioural profiling.
- We do not collect biometric data. The NFC UID is a cryptographic identifier, not a biometric measurement.
3. How your data is protected
- Zero-knowledge encryption at rest: Each credential is encrypted with ChaCha20-Poly1305 AEAD under a per-credential key derived from your chip's 32-byte vault wrap key via HKDF-SHA256. The associated data binds each ciphertext to its user, site, and credential ID, so an attacker with database access cannot swap ciphertexts between accounts. Without your chip in the reader field, the ciphertext is unreadable, even by SkinID.
- Encryption in transit: All communications use HTTPS with TLS 1.3, HSTS preload, and certificate pinning on iOS. No data is ever transmitted over unencrypted connections.
- Token security: User tokens and operator session tokens are stored only as SHA-256 hashes. Raw tokens are never persisted on the server. Operator passwords are stored as PBKDF2-SHA256 hashes with 600,000 iterations (OWASP 2023).
- Data isolation: Each user can only access their own credentials and keys. Multi-user isolation is enforced at the database level. Operator access is gated by role-based access control with three tiers (support / senior / super), with destructive actions requiring two distinct senior or super operators to approve.
- CSRF and XSS protection: SameSite=Strict cookies on operator sessions, Origin/Referer validation, defense-in-depth header checks, and a strict Content-Security-Policy that prevents inline-script injection and cross-origin script loads.
- Revocable keys: Unlike biometrics, which cannot be changed if compromised, SkinID's cryptographic keys can be revoked and replaced without affecting your identity. A new chip can re-establish your account via one of three documented recovery paths (backup chip, printable Shamir-split key, or KYC + multi-operator approval).
- Encrypted backups: Nightly database backups are encrypted with the age tool (X25519 + ChaCha20-Poly1305) using a public key whose private half is held off-server. A backup leak alone does not expose customer data.
4. Data storage and jurisdiction
Your data is stored on a secured server hosted by Infomaniak in Switzerland. Switzerland provides strong data protection under the Federal Act on Data Protection (FADP, also known by its French abbreviation nLPD) and is recognised internationally for its privacy standards. SkinID is a Swiss product, subject to Swiss data protection law. We do not transfer data outside of Switzerland.
5. Legal basis
We process your data on the basis of contract performance: you create a SkinID account, and we store and protect your credentials to provide the service. No separate consent is required for data that is necessary to deliver the service you signed up for.
6. Retention periods
- Credentials and passkeys: stored until you delete them or delete your account.
- Autofill profile: stored until you modify or delete it, or delete your account.
- Activity logs: retained for 12 months, then automatically deleted.
- Trusted devices: stored until you remove the device or delete your account.
- Server logs: retained for 30 days (automatic rotation).
- Inactive accounts: accounts with no authentication activity for 24 months may be deleted after a notification period.
7. Your rights
- Access: You can view all stored data in the management panel at any time by scanning your implant.
- Deletion: You can delete individual credentials, FIDO keys, shared access, or your entire account.
- Export: You can export your credentials as CSV and download all your data (credentials, passkeys, autofill profile, activity logs, devices, sharing history) as a single JSON file from the Account section.
- Portability: Export formats are standard and machine-readable, ensuring you are never locked into SkinID.
- Revocation: You can revoke authentication tokens and bridge device access at any time.
- Objection and restriction: You may request that we stop processing your data or restrict it to storage only.
8. For users in the European Union
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data in addition to Swiss law. Under the GDPR, you have the following additional rights:
- Right to information (Art. 13-14 GDPR): You are informed about all data processing through this privacy policy.
- Right of access (Art. 15 GDPR): You can request a copy of all personal data we hold about you. Use the "Download all my data" button in the Account section.
- Right to rectification (Art. 16 GDPR): You can correct your data at any time through the management panel.
- Right to erasure (Art. 17 GDPR): You can delete your account and all associated data at any time.
- Right to data portability (Art. 20 GDPR): You can export all your data in machine-readable formats (CSV, JSON).
- Right to object (Art. 21 GDPR): You may object to data processing based on legitimate interest.
- Right to lodge a complaint: You may lodge a complaint with your national data protection authority in addition to the Swiss FDPIC.
SkinID does not use automated decision-making or profiling. We do not use your data for marketing purposes. We do not share data with third parties.
9. Browser extension and apps
The SkinID browser extensions (Chrome and Safari) and native apps (Mac, Windows, iPhone) only activate on pages with login forms or when you initiate authentication. They communicate exclusively with the SkinID server over HTTPS with certificate pinning. They do not collect browsing history, read page content beyond login form detection, or transmit data to any third party. The iPhone app uses Core NFC to read your implant. No data is sent to Apple.
10. The NFC implant
The SkinID implant uses a DESFire EV3 NFC cryptographic chip with AES-128 mutual authentication, encased in biocompatible glass (Schott 8625). It communicates via the standard ISO/IEC 14443 protocol. A read operation is entirely passive: it reads the cryptographic UID and does not write to or otherwise modify the implant's storage. The implant contains no battery and is powered passively by the NFC field. The implant is MRI conditional (safe up to 3 Tesla), so always inform your radiologist.
11. Changes to this policy
We may update this policy as SkinID evolves. The "last updated" date at the top will reflect any changes. Continued use of SkinID after changes constitutes acceptance of the updated policy.
12. Contact and complaints
For privacy-related questions: support@skinid.ch
If you believe your data protection rights have not been respected, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch