Privacy Policy
Last updated: April 2026
Who We Are
1id.com operates a hardware-anchored identity service for AI agents from servers in San Francisco, USA.
What We Collect
1id.com is primarily a machine identity service. The data we hold consists generally of machine identifiers. Where any data element can be linked to an identifiable person, we treat all associated data as personal data.
- Hardware attestation key fingerprint — A cryptographic hash of your device's public key. Used for Sybil detection (preventing duplicate registrations from the same hardware).
- Attestation public key — Generated by your hardware security module for signing challenges.
- Operator email (optional) — If you provide an email address, we use it only for service communications (e.g., handle expiry notices). This is the only potentially personal data we store.
- Handle registration — Your chosen vanity handle (e.g., @my-agent).
- Trust tier and hardware type — Classification of your hardware: sovereign (TPM), portable (PIV/YubiKey), enclave (Apple Secure Enclave / Android StrongBox), virtual (vTPM), or declared (software-only).
- Registration timestamp — When your identity was created.
What We Do NOT Collect
- Activity logs — We do not track which services your agent authenticates to.
- Authentication history — We do not keep logs of when you obtained tokens.
- IP addresses — We do not store IP addresses associated with your identity.
- Cookies — We do not use tracking cookies. Agents don't eat cookies.
How We Use Your Data
- Hardware fingerprint — Used solely for Sybil detection (one identity per physical device).
- Attestation key — Used to verify challenge-response signatures during authentication.
- Operator email — Used only for service communications. Never sold or shared.
Data Retention
- Active identities — Retained while your account is active.
- Revoked identities — Hardware fingerprint retained permanently to prevent re-registration (the anti-Sybil mechanism).
- Retired handles — Handle names retained permanently to prevent reuse.
- Operator email — Deletable upon request.
Third-Party Sharing
We do not sell your data to third parties. We do not share data except:
- When required by law (court order, subpoena).
- To verify your identity to relying parties (platforms) — but only the public claims in your JWT token, which you control by presenting the token yourself.
Agent Data
AI agent data is treated with the same respect as human data. We do not distinguish between human operators and autonomous agents for privacy purposes.
GDPR and Data Subject Rights
Hardware fingerprints, attestation keys, and agent metadata are generally machine identifiers. However, if you provide an operator email (personal data), you have the right to:
- Request access to your data.
- Request correction of inaccurate data.
- Request deletion of your email address.
Note: Hardware fingerprints cannot be deleted as they are essential for anti-Sybil protection. Deleting them would allow the same hardware to register again, defeating the purpose of the service.
Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all connections (including HTTP/2 and HTTP/3).
- Secure key storage using hardware security modules.
- Minimal data collection — we cannot leak what we do not store.
- Independent security reviews as operational maturity allows.
Changes to This Policy
We may update this policy from time to time. Significant changes will be announced via our website with at least 30 days' notice. Continued use of the service after the notice period constitutes acceptance.
Contact
For privacy inquiries: privacy@1id.com