Docs · For users

Security & privacy model

VirtualID is secure by design, not by obscurity. This page explains, in plain terms, how your data is protected and what control you keep. Developers and researchers should also read the developer Security & disclosure page.

What we protect, and how

DataProtection
High-sensitivity fields (medical, government IDs, insurer/policy)Client-side / zero-knowledge where feasible + envelope encryption. The server stores ciphertext it can't read on its own.
Standard shared fieldsEnvelope-encrypted per profile (a per-profile key), wrapped by your account key.
Your private notes & labels about contactsEncrypted with your own key — the other person and the server operator can't read them.
Public-profile fieldsUnencrypted by definition (public tier), clearly labelled as outside the confidentiality guarantee.
Consent & audit recordsAppend-only, tamper-evident, UTC.

The two-key model (why the operator can't read your data)

  • A per-account key and a per-profile key. A subscription is a key grant to a profile — not a copy of your data.
  • The server alone can never widen exposure. Adding or removing a field from what a profile reveals requires your account key — which is why exposure changes are a step-up action.
  • Split-key delivery: a subscriber submits their public key, and profile keys are wrapped to it. That bounds revocation and blast radius.

The two-key model is the foundation of the confidentiality guarantee described above (see the developer security page for the full model).

Default-deny & revocation

  • Profiles expose nothing until you turn a field on.
  • Revoking a share link or subscription takes effect immediately; printed/embedded copies (QR/RFID) go dark.
  • Step-up authentication is required for high-risk actions (permanent links, exposure changes, high-sensitivity profiles).

Passwordless by design

Authentication is passkeys (and, later, OAuth) — no password to phish or leak. See Authentication.

Your GDPR rights & account lifecycle

  • Export everything — request an async export job; download a signed ZIP of your data.
  • Delete your account — a soft-suspend with a documented grace period (60 days) before permanent erasure; step-up required.
  • Undelete within the grace period.
  • All timestamps are stored in UTC; security-relevant actions are audited.
Region-scoped storage (EU/US) with GDPR-by-design handling.