Privacy Policy
Last updated: November 11, 2025 | Effective: Beta
Summary
PYLON is a developer-first API for European Digital Identity verification. We collect minimal data, store it only in the EU, never sell it, and delete operational logs after 30 days (audit trails are retained for compliance; see Section 3). You own your customer data.
1. What We Collect
When you use PYLON, we collect:
- Verification requests: Age/credential type, timestamp, result (verified/not verified)
- Webhook delivery: API key (hashed), delivery status, timestamp, signature
- API usage: Endpoint called, request ID, response time, HTTP status
- Errors: Error type, stack trace (no credential data logged)
We explicitly do NOT collect: Credential content, wallet identity, user PII, biometric data, or any data beyond verification metadata.
2. Legal Basis
We process your data under contractual necessity (GDPR Art. 6(1)(b): to verify credentials and deliver webhook results) and legitimate interest (GDPR Art. 6(1)(f): to debug errors and improve reliability).
You are the data controller for end-user credentials. PYLON is your data processor.
3. Data Retention
30-day automatic deletion: Verification logs, webhooks, errors, and API usage are deleted after 30 days. Audit trails are retained for compliance purposes; an automated retention policy for them is planned for Q1 2026, and until it is in place audit trail entries are not deleted automatically.
4. Data Location & Security
- EU data residency: All data stored in Germany (Vlotho)
- No US sub-processors: Zero data transfer to US companies
- Encryption in transit: TLS 1.3, HTTPS only
- Encryption at rest: AES-256-GCM for sensitive fields
- No logging of credentials: Cryptographic proofs validated server-side; raw proofs never logged
5. Your Rights (GDPR Articles 15–22)
You have the right to:
- Access (Art. 15): Request all data we hold about your account
- Correction (Art. 16): Fix inaccurate data
- Deletion (Art. 17): Delete your data (processed immediately in live systems; copies in backups expire with the 30-day backup retention described in Section 7)
- Portability (Art. 20): Export data in machine-readable format (JSON)
- Object (Art. 21): Opt out of analytics/debugging
How to exercise rights: Email privacy@pylonid.eu with your request. We respond within 30 days.
6. Third Parties
We share your data only with:
- EUDI issuers: To validate credential authenticity (your API request initiates this)
- Your webhooks: We POST verified results to your endpoint (you control this)
- EU authorities: If legally required (we notify you unless prohibited by law)
We never sell data. We never share data with marketing companies, brokers, or US entities.
7. Infrastructure
PYLON is self-hosted on dedicated EU infrastructure that we control directly; there are currently no external sub-processors.
- Servers: Germany-based (on-premises)
- Database: On-premises (encrypted at rest)
- Backups: Automated daily backups with 30-day retention
8. Compliance
- GDPR: Articles 5, 6, 15–22, 32–33 compliant
- eIDAS 2.0: Security requirements met (cryptographic validation, audit logging)
- EU Data Act (Sept 2025): Data portability (export to JSON), switching rights (no lock-in)
9. Cookies & Analytics
Our website uses no tracking cookies. We do not use analytics during beta.
10. Data Breach Notification
If a breach affects your data, we notify you without undue delay and in any case within 72 hours of becoming aware of it. As your data processor, our obligation to notify you is GDPR Art. 33(2); the 72-hour window lets you meet your own deadline as controller for notifying the supervisory authority under Art. 33(1) and, where required, affected individuals under Art. 34. Contact: security@pylonid.eu
11. Contact & Data Protection
- Privacy questions: privacy@pylonid.eu
- Legal compliance: legal@pylonid.eu
- Complaints: File with your national data protection authority
Note: All email addresses are operated by the sole developer during beta.
12. Changes to This Policy
We update this policy as needed. Material changes are notified via email 30 days in advance.