VUVU Credentials
Sign InGet Started

Privacy Policy

Last updated: March 2026

1. Introduction

VU Credentials Ltd ("VU Credentials", "we", "us", or "our") is a company registered in Cyprus (EU). We operate a cloud-based Credential-as-a-Service platform that enables organizations to issue W3C Verifiable Credentials via the OIDC4VCI protocol (the "Service").

This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform, visit our website, or interact with us. We are committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Cyprus data protection legislation.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller for the purposes of the GDPR is:

VU Credentials Ltd
Registered in Cyprus (EU)
Email: legal@vucredentials.com

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account and Organization Data

  • Email address and password (authenticated via Firebase Auth)
  • Organization name and tenant identifier
  • Team member email addresses and assigned roles
  • API key metadata (key names, creation dates, last-used timestamps)

3.2 Credential Claims Data

  • Data submitted by tenants for inclusion in Verifiable Credentials, which may include personal names, dates of birth, KYC verification results, age verification outcomes, phone numbers, email addresses, and other claims defined by the tenant
  • Credential type definitions and schema configurations
  • Issuance records, including credential identifiers and timestamps

3.3 Payment and Billing Data

  • Blockchain wallet addresses used for USDC/USDT payments on the Polygon network
  • Transaction hashes and payment confirmation records
  • Bundle purchase history and remaining balance information

3.4 Usage and Technical Data

  • API request logs (endpoint, timestamp, response status, IP address)
  • Audit log entries (actions performed within the dashboard)
  • Webhook delivery logs (URL, status, timestamps)
  • Browser type, operating system, and device information
  • IP addresses and approximate geolocation

4. How We Use Your Data

We process personal data for the following purposes and legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): To provide the Service, including account management, credential issuance, billing, team management, and technical support.
  • Legitimate interests (Art. 6(1)(f) GDPR): To maintain platform security, prevent abuse, generate aggregated usage analytics, improve Service performance, and enforce our Terms of Service.
  • Legal obligations (Art. 6(1)(c) GDPR): To comply with applicable laws, including financial record-keeping, tax obligations, and responses to lawful requests from authorities.
  • Consent (Art. 6(1)(a) GDPR): Where we send optional marketing communications or use non-essential cookies, we rely on your explicit consent, which you may withdraw at any time.

5. Data Processors and Third Parties

We engage the following third-party processors to operate the Service. All processors are bound by data processing agreements compliant with Article 28 of the GDPR.

  • Google Cloud Platform (Google LLC): Infrastructure hosting via Cloud Run, data storage via Cloud SQL (PostgreSQL), and key management via Cloud KMS. Google is certified under the EU-U.S. Data Privacy Framework.
  • Firebase Authentication (Google LLC): User authentication services for email/password sign-in.
  • Polygon Network: Public blockchain used for USDC/USDT payment processing. Note that blockchain transactions are inherently public and immutable.

We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes.

6. Credential Claims Data — Processor Role

When tenants submit personal data for inclusion in Verifiable Credentials (such as holder names, KYC results, or contact information), VU Credentials acts as a data processor on behalf of the tenant, who remains the data controller for that data. Tenants are responsible for ensuring they have an appropriate legal basis to process the personal data of their credential holders.

We process credential claims data solely for the purpose of generating and delivering Verifiable Credentials as instructed by the tenant. We do not access, analyse, or use credential claims data for any other purpose.

7. Data Retention

  • Account data: Retained for the duration of the account plus 30 days following account deletion, to allow for recovery.
  • Credential claims data: Retained for the duration of the tenant account. Tenants may request deletion of specific issuance records at any time.
  • Billing and payment records: Retained for a minimum of 7 years to comply with Cyprus tax and financial regulations.
  • API and audit logs: Retained for 12 months, then automatically purged.
  • Blockchain transaction data: Transaction hashes and wallet addresses recorded on the Polygon blockchain are permanent and cannot be deleted due to the immutable nature of blockchain technology.

8. International Data Transfers

Our infrastructure is hosted on Google Cloud Platform within the European Union. Where data is transferred outside the EEA (for example, to Google LLC in the United States for certain Firebase services), we rely on:

  • The EU-U.S. Data Privacy Framework, under which Google LLC is certified
  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Supplementary technical and organizational measures, including encryption in transit and at rest

9. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): Request that we limit the processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at legal@vucredentials.com. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or your local supervisory authority.

10. Cookies and Tracking

We use the following types of cookies:

  • Strictly necessary cookies: Required for authentication and session management (e.g., Firebase Auth session tokens). These cookies cannot be disabled as they are essential for the Service to function.
  • Analytics cookies: Used to understand how visitors interact with our website. These are only set with your explicit consent.

We do not use third-party advertising cookies. We do not engage in cross-site tracking or behavioural profiling.

11. Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Cryptographic key management via Google Cloud KMS with hardware security modules
  • API key hashing and secure storage
  • Role-based access control for tenant team members
  • Audit logging of all administrative actions
  • Tenant data isolation at the database level (row-level security via tenant identifiers)

12. Children

The Service is intended for use by organizations and their authorized representatives. We do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided us with personal data, please contact us at legal@vucredentials.com and we will promptly delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes via email or a notice in the dashboard. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: