Privacy Policy

Last updated: March 3, 2026

Our core principle: Your identity is yours. We designed Tacit Protocol so that private keys never leave your device, agents exchange trust tokens instead of raw data, and every interaction requires your explicit consent.

1. What We Collect

Information You Provide

Account information: Email address, display name, bio, and profile details you choose to share
Connected accounts: OAuth tokens from Google, GitHub, or LinkedIn when you verify your identity (we store the connection, not your password)
Contact form submissions: Name, email, organization, and message when you reach out to us

Information Generated by the Protocol

Decentralized Identifier (DID): A cryptographic identifier generated on your device using Ed25519 key pairs
Trust score: An algorithmically derived score based on account tenure, credential consistency, and network attestations
Engagement data: Introduction requests, match status, and messaging metadata

Information We Do NOT Collect

Private keys: Generated and stored locally on your device (IndexedDB). We never have access to them.
Passwords from connected accounts: OAuth grants access without sharing credentials
Browsing data: We do not use tracking pixels, third-party analytics, or advertising cookies

2. How We Use Your Data

Identity verification: To compute trust scores and generate Verifiable Credentials
Matchmaking: To connect users with compatible intents (seeking/offering alignment)
Messaging: To facilitate direct communication between matched users
Service improvement: Aggregate, anonymized usage data to improve the protocol
Communication: To respond to inquiries and send service-related notifications

3. Cryptographic Privacy

Tacit Protocol is designed with privacy as architecture, not policy:

Key pairs: Ed25519 keys are generated client-side and stored in your browser's IndexedDB. The server never sees your private key.
Trust tokens: When agents exchange identity verification, they share cryptographic proofs — not raw personal data.
Double opt-in: Every introduction, match, and data sharing request requires explicit consent from both parties.
Progressive reveal: You control what information is shared at each stage of an interaction.

4. Data Storage and Security

Database: Profile data and messages are stored in Supabase (PostgreSQL) with Row Level Security (RLS) policies ensuring users can only access their own data
Encryption in transit: All communications use TLS/HTTPS
File storage: Avatars are stored in Supabase Storage with per-user access controls
Local storage: Private keys and sensitive data are stored in your browser's IndexedDB, not on our servers

5. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in these circumstances:

With your consent: When you explicitly choose to share information with another user through the match/introduction system
Legal obligations: When required by law, subpoena, or legal process
Safety: To prevent fraud, abuse, or threats to safety

6. Your Rights

You have the right to:

Access: View all data we hold about you through your Profile and Settings pages
Correction: Update your profile information at any time
Deletion: Delete your account and all associated data through Settings. This removes your profile, messages, credentials, and engagement history from our systems
Portability: Your DID and cryptographic keys are already under your control and can be used independently of our Services
Objection: Contact us to object to specific data processing activities

7. GDPR Compliance

For users in the European Economic Area (EEA), we process data under these legal bases:

Consent: For account creation and identity verification
Legitimate interest: For service improvement and security
Contract: For providing the Services you requested

You may exercise your GDPR rights by contacting tacitprotocol@proton.me.

8. Cookies

We use only essential cookies required for authentication and session management. We do not use:

Advertising or tracking cookies
Third-party analytics cookies
Social media tracking pixels

9. Data Retention

Active accounts: Data is retained as long as your account is active
Deleted accounts: All data is deleted within 30 days of account deletion
Contact form submissions: Retained for up to 2 years for business purposes
Cryptographic attestations: Trust attestations signed by your DID may persist on the network as verifiable records, as they are cryptographically independent of our systems

10. Children's Privacy

The Services are not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes through the Services or by email. The "Last updated" date at the top indicates when the policy was last revised.

12. Contact

For privacy-related questions or to exercise your rights:

Email: tacitprotocol@proton.me
GitHub: Open an issue

← Back to Tacit Protocol · Terms of Service