This policy is short because we keep almost nothing. PoR is built on a simple idea: the data we never hold can't be leaked, sold, or subpoenaed. Here is exactly what we receive, what we never see, and what lives on a public blockchain.
PoR ("Proof of Real") is made by UIG Studios LLC. Contact: tjagodka@gmail.com. We answer privacy mail fast.
When you mint a credential with a passkey (Touch ID, Face ID, or PIN):
If you use "Sign in with Google" to get a Sui address: your Google sign-in token is processed transiently to derive your address (via a salted hash of token identifiers). Your email is displayed back to you in your own browser and is not stored or logged on our servers.
Almost nothing. Our verification server keeps a short-lived challenge in memory only while you complete a passkey ceremony — it disappears within minutes and is never written to disk. We operate no database of users or verifications.
Our hosting provider (Render) keeps standard, short-lived infrastructure logs (such as request IPs) as virtually all web hosts do; we don't mine or export them.
Your credential is a soulbound object on the Sui blockchain. It contains: an assurance level (L0–L3), issue and expiry timestamps, the hashed device commitment, and the attestor's address. It contains no name, no email, no biometric — it is pseudonymous: it proves "a verified human holds this address," not who that human is.
Blockchain data is permanent and public. Credentials expire (currently 90 days) and can be revoked; expiry and revocation make a credential invalid, though the historical object remains visible on-chain, as with all blockchains.
If our actual data handling changes, this page changes first, with a new date at the top. We won't quietly broaden what we collect — narrow is the product.