Privacy Policy

Effective date: April 17, 2026

BKey Inc ("BKey," "we," "us," or "our") operates the BKey ID mobile application and related services. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and how we protect it.

1. Data We Collect

Account Information

When you create an account, a biometric face scan is required. You may optionally provide additional profile information, including:

  • Email address
  • Phone number
  • Full name (first, middle, last)
  • Date of birth
  • Country and state/province
  • Profile photo

All of the above fields are optional.

Biometric Data

BKey ID uses your device's front-facing camera for biometric verification and liveness detection. During this process:

  • A face scan is performed entirely on your device using the BKey SDK.
  • Raw face images are never stored or transmitted. They are processed in real time and discarded immediately after use.
  • An encrypted biometric template (a mathematical representation, not a photograph) is derived from the scan and stored to enable future authentication.
  • Liveness detection confirms you are a real person and prevents spoofing. This also happens on-device.

Device Information

We collect basic device information including device model, operating system, and app version to ensure compatibility and support troubleshooting.

Usage Analytics

We collect anonymized usage data (screens viewed, features used, errors encountered) to improve the app experience. This data is processed by PostHog, our analytics provider.

2. How We Use Your Data

  • Account creation and authentication — to create your decentralized identity (DID) and verify you each time you sign in.
  • Identity verification — to confirm your identity using biometric verification.
  • Secure vault operations — to encrypt and decrypt sensitive data stored in your personal vault using keys derived from your biometrics.
  • Push notifications — to send you alerts about account activity, access requests, and security events.
  • Product improvement — to understand how the app is used and fix issues.
  • Payment processing — to facilitate transactions through Stripe when applicable.

3. Decentralized Identity (DID)

BKey ID creates a Decentralized Identifier (DID) for each user. Your DID is a cryptographic identifier derived from your public key. It contains no personally identifiable information. Only your DID and associated public keys are stored in the DID registry. Your name, email, phone number, biometric data, and other personal information are never placed on any blockchain or public ledger.

4. Data Storage and Security

On Your Device

  • Authentication tokens and cryptographic keys are stored in your device's secure enclave (iOS Keychain / Android Keystore), protected by hardware-level encryption.
  • Vault data is encrypted with AES-256-GCM using keys derived from your biometric features. Only you can decrypt it.

On Our Servers

  • Account data (name, email, phone, date of birth, country) is stored in encrypted databases.
  • Encrypted biometric templates are stored server-side to enable re-enrollment and account recovery. These templates cannot be reversed into face images.
  • Profile photos are stored in encrypted cloud storage.
  • All data in transit is protected by TLS (HTTPS).

5. Third-Party Services

We use the following third-party services that may process your data:

ServicePurposeData Shared
OneSignalPush notificationsDevice token, user segment tags
PostHogProduct analyticsAnonymized usage events, device type
StripePayment processingTransaction data (when applicable)
MailgunTransactional emailEmail address
Cloudflare R2Photo storageProfile photo (encrypted)
Coinbase (x402 facilitator)Submitting signed payment authorizations to the Base blockchain when you use the self-custody USDC wallet featureSigned EIP-3009 payment authorizations, wallet addresses, payment amounts. Coinbase may screen recipients against sanctions lists and reject flagged payments.
AlchemyBlockchain RPC for reading wallet balances and transaction history (self-custody wallet feature only)Wallet addresses queried

We do not sell, rent, or trade your personal data to advertisers or data brokers.

6. Data Retention

  • Account data is retained for as long as your account is active.
  • If you request account deactivation, your account is marked inactive. We may retain certain data as required for legal compliance, fraud prevention, or dispute resolution.
  • Encrypted biometric templates are retained to support account recovery and re-enrollment.
  • Analytics data is retained according to our analytics provider's standard retention policies.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Request deactivation of your account through the app settings.
  • Withdraw consent for biometric processing by deactivating your account. Note that biometric verification is required for the core functionality of BKey ID.

To exercise these rights, contact us at privacy@bkey.id.

8. Children's Privacy

BKey ID is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Permissions

The app requests the following device permissions:

  • Camera — required for biometric face verification.
  • Face ID / Biometrics — used for secure device-level authentication.
  • Notifications — to receive alerts about account activity and access requests.
  • Photo Library — to upload documents or save images for account verification.

All permissions are requested at the time of use and can be revoked in your device settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or by email. The "Effective date" at the top of this page indicates when the policy was last revised.

11. Self-Custody Wallet and On-Chain Transactions

If you enable the self-custody USDC wallet feature, additional privacy considerations apply:

Cryptographic Keys

  • Your wallet's private key is derived on your device from your biometric enrollment. It is never stored, logged, or transmitted to BKey.
  • Because BKey does not hold your private key, we cannot recover your wallet or its USDC balance if you lose access to your device or re-enroll your biometric identity. Your wallet is your sole responsibility.
  • Your public wallet address is stored by BKey to display your balance, route payment authorizations, and match incoming notifications.

On-Chain Transaction Data

  • Payments you authorize are settled on the Base blockchain, a permissionless public ledger. Your wallet address, recipient addresses, and transaction amounts become part of Base's public record and can be viewed by anyone.
  • BKey has no ability to delete, redact, or anonymize on-chain data.
  • Before submitting a payment to the blockchain, BKey temporarily stores your signed payment authorization so the Coinbase x402 facilitator can submit it. Signed authorizations expire within minutes and are not kept after settlement.

Sanctions and Jurisdiction

BKey is a US company. The self-custody wallet is non-custodial under FinCEN 2019 guidance (we do not hold or move your funds), but we expect users to comply with applicable sanctions regimes including OFAC (Office of Foreign Assets Control). Coinbase's x402 facilitator performs its own sanctions screening, which may result in rejected payments. BKey reserves the right to suspend wallet features for users who appear on sanctions lists or who access BKey from embargoed jurisdictions.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

BKey Inc
Email: privacy@bkey.id
Web: https://bkey.id