Privacy Policy
The short version
FareWitness creates cryptographic seals on your photos, videos, and files so a recipient can independently verify they haven't been altered. The default mode is hash-only: we receive a fingerprint of your file, never the file itself. We collect the minimum data needed to issue and serve your seals — an email address for sign-in, the capture metadata you choose to include (time, GPS, sensor readings), and the seals themselves. We do not run advertising, do not sell or share user data, and do not use third-party analytics or tracking SDKs.
If you opt into Vault mode on a specific upload, we store the file bytes on our servers so a verifier can retrieve the original. Vault is per-upload, never automatic, and requires you to attest that you own the rights to the content and that it's lawful in your jurisdiction.
1. Who we are
"FareWitness" refers to the FareWitness service and the team operating it. We can be reached at support@farewitness.com. This policy covers the FareWitness Capture mobile applications (iOS and Android), the FareWitness dashboard at app.farewitness.com, the static verifier at dev.farewitness.com/v/ (and any successor verifier domain), and the FareWitness backend at dev.farewitness.com/api/.
2. What FareWitness Capture collects on your device
The Capture app uses your device's hardware to gather the information that goes into a seal. Each piece is collected only with your permission, and most are optional.
Required for the app to function
- Email address — used to sign you in via a one-time magic link and to email you the cryptographic certificate for each seal.
- File hash (SHA-256) — computed on your device from the photo, video, or file you choose to seal. Always sent to our servers as part of the seal request.
- Capture timestamp — recorded by your device's operating system at the moment of capture.
- NFC token signature — produced by tapping a paired hardware token (Android phone, iPhone, or TruthCoin NFC card) against the device. The token's private key never leaves the secure element on that token.
Optional, controlled by per-permission OS prompts
- Camera — only when you tap the shutter to take a new photo or video. The app does not access the camera in the background.
- Photo library / file picker — only when you choose to seal an existing file. We do not browse or index your library.
- Location (GPS) — only at the moment of capture, only if you grant the "While Using" permission. Embedded in the seal's manifest so a verifier can confirm the location.
- Sensors (compass, accelerometer) — sampled at the moment of capture only, for the same evidentiary purpose as location.
You can revoke any permission at any time in your device's settings. Revoking camera or photo library access disables capture; revoking location simply omits location from new seals.
3. What we store on our servers
The Capture app transmits different things to our servers depending on the storage mode you select for each upload.
Hash-only mode (default)
The app sends a SHA-256 fingerprint of your file plus the signed manifest (timestamp, GPS, sensors, signatures). The file bytes never leave your device. We cannot produce the original file from a hash, nor can anyone we share data with.
Vault mode (opt-in, per upload)
The app additionally uploads the file bytes to our encrypted storage. Vault requires a per-upload attestation that you own the content and that it's lawful. You can request deletion of any Vault file by emailing us.
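The following is an added illustration of the hash-only data flow described above; it is not FareWitness code, and the manifest field names, the canonical-JSON serialization and the sample file bytes are assumptions. It shows what a client would send (the fingerprint and opted-in metadata, never the file), a server endpoint that refuses file content at the boundary, and a verifier that recomputes the fingerprint from the recipient's own copy. Token signatures and the RFC 3161 timestamp request are left out.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a captured photo; not a real FareWitness file.
SAMPLE_FILE = b"\x89PNG\r\n\x1a\n" + b"constructed sample pixel data " * 8


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 fingerprint: the only representation of the file sent in hash-only mode."""
    return hashlib.sha256(data).hexdigest()


def build_hash_only_manifest(file_bytes: bytes, captured_at: str, gps=None, sensors=None) -> dict:
    """Client side: assemble the manifest that leaves the device in hash-only mode.

    Only the fingerprint and the capture metadata the user opted into are included;
    the file bytes are hashed and then dropped. Field names are hypothetical.
    """
    manifest = {
        "file_hash": sha256_hex(file_bytes),
        "hash_alg": "sha256",
        "captured_at": captured_at,
    }
    if gps is not None:
        manifest["gps"] = gps
    if sensors is not None:
        manifest["sensors"] = sensors
    return manifest


def canonical_json(obj: dict) -> bytes:
    """Deterministic serialization so client, server and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def manifest_digest(manifest: dict) -> str:
    """Hash of the manifest itself: the kind of value a timestamp authority would receive
    instead of any file content (the RFC 3161 request is not shown here)."""
    return sha256_hex(canonical_json(manifest))


def server_record(request_body: bytes) -> dict:
    """Server side: accept a hash-only seal request and keep only the manifest.

    Any request carrying file bytes is refused, so the minimisation claim is
    enforced at the API boundary rather than by convention.
    """
    req = json.loads(request_body)
    if "file_bytes" in req:
        raise ValueError("hash-only endpoint refuses file content")
    return {"manifest": req, "manifest_digest": manifest_digest(req)}


def verify_file_against_manifest(manifest: dict, candidate: bytes) -> bool:
    """Verifier side: recompute the fingerprint of the file the recipient holds and
    compare it in constant time against the sealed value."""
    return hmac.compare_digest(manifest["file_hash"], sha256_hex(candidate))


if __name__ == "__main__":
    m = build_hash_only_manifest(SAMPLE_FILE, "2024-01-01T12:00:00Z", gps={"lat": 0.0, "lon": 0.0})
    record = server_record(canonical_json(m))
    print("original verifies:", verify_file_against_manifest(record["manifest"], SAMPLE_FILE))
    print("altered verifies:", verify_file_against_manifest(record["manifest"], SAMPLE_FILE + b"\x00"))
```

The point to notice is that the stored record contains nothing from which the file could be reconstructed: a verifier can only confirm or deny a copy it already has, which is exactly why a hash-only seal cannot be turned into file contents later, whether by the operator or by legal compulsion.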
For every seal, regardless of mode, we store:
- The signed manifest JSON (which contains the file hash, timestamps, sensor data you opted to include, and the cryptographic signatures).
- A certificate ID linking the seal to your account.
- The RFC 3161 timestamp obtained from DigiCert as part of the seal pipeline.
- The Merkle batch position used to anchor the seal on the public Base blockchain.
For your account, we store:
- Your email address.
- Short-lived sign-in tokens (rotated continuously, expire after inactivity).
- The list of paired hardware tokens (their public keys and device identifiers — never private keys).
- API keys you generate from the dashboard, if any.
Operational data (kept briefly):
- Server access logs (IP address, request path, user agent, response status, response time) for security and debugging. Retained for ~30 days, then deleted.
- Application error logs — collected only when something fails; no user content is included.
4. What we do NOT collect
- No third-party analytics, tracking pixels, or advertising SDKs. No Google Analytics, no Facebook Pixel, no Mixpanel, no Crashlytics.
- No advertising identifiers (IDFA on iOS, AAID on Android). We do not request the iOS "Allow Tracking" permission because we don't track.
- No contact list, calendar, or browser history access.
- No microphone access for transcription or audio analysis. The microphone is requested only for capturing audio with video evidence.
- No background location. Location is only sampled while the app is in the foreground and you are actively capturing.
- No file bytes in hash-only mode. This is enforced by the code path — the app's persistMedia function is bypassed entirely for hash-only uploads.
5. How we use the data we collect
- To issue your seal. The manifest, signatures, and timestamp combine into a certificate you receive by email and can view on the dashboard.
- To enable verification. The static verifier checks signatures and on-chain anchors against the cert; this requires the cert to be retrievable by ID.
- To authenticate you. Your email receives sign-in magic links; tokens authorize your dashboard session.
- To send transactional email only — magic links and seal confirmations. We do not send marketing email through this system.
- To debug operational issues. Server logs help diagnose outages and security events.
We do not use your data to train AI models, to build profiles for advertising, or for any purpose unrelated to operating FareWitness.
6. Third parties we share data with
FareWitness is built on a small set of external services. Each receives the minimum data needed for its role:
- Brevo (transactional email provider) — receives your email address and the contents of the magic-link or seal confirmation email. Bound by Brevo's data processing terms. Does not receive any seal contents or file data.
- DigiCert (RFC 3161 Time Stamp Authority) — receives the SHA-256 hash of your seal's manifest in order to add a trusted timestamp. Receives no file contents, no user identifiers, no email addresses.
- Public Base blockchain RPC nodes (used by the verifier) — receive read-only queries containing the Merkle root of a daily seal batch. Receive no per-user data or file contents.
- Hetzner (our hosting provider, Germany) — hosts the FareWitness servers. Bound by Hetzner's standard hosting terms and GDPR.
We do not sell or rent user data, and we do not share user data with advertisers, data brokers, or any party not listed above. We may disclose data when required by law (see Section 10).
7. Cryptographic keys and where they live
- Your hardware token's private signing key stays inside the secure element on your token device — Android's StrongBox/TEE on phones, the JCOP secure element on TruthCoin NFC cards. It is generated on first pairing and never transmitted. FareWitness never sees it.
- The FareWitness server signing key is held by us in operational storage on our hosting infrastructure. We are working toward HSM-backed storage; that roadmap is documented publicly in our threat model.
- Your sign-in tokens are short-lived bearer credentials. Treat them like passwords.
8. Data retention
- Certificates — retained while your account exists. Certificates contain no user content in hash-only mode; in Vault mode they reference Vault content.
- Vault files — retained until you request deletion or close your account.
- Account data (email, paired tokens, API keys) — retained until you request account deletion.
- Server access logs — rolling 30 days, then deleted.
- Application error logs — rolling 30 days, then deleted.
You can request account deletion by emailing support@farewitness.com. Deletion is processed within 30 days. Note that any certificates you've shared with third parties are not retrievable by us — once a recipient has the cert, only they can decide whether to delete their copy.
9. Your rights
Depending on where you live, you may have legal rights to access, correct, delete, restrict processing of, or export your personal data. We honor these rights for all users regardless of jurisdiction, because they're the right defaults:
- Right to access — email us and we'll provide everything we have associated with your account.
- Right to delete — email us to request account or Vault deletion at any time.
- Right to correct — most data is auto-managed; email us if anything looks wrong.
- Right to portability — email us and we'll provide your certificates and account data in a portable format.
- Right to object — opt out of any non-essential processing (currently there is none — we only process for service operation).
To exercise any of these, email support@farewitness.com. We respond within 30 days. For EU residents, GDPR Article 77 entitles you to lodge a complaint with your local supervisory authority.
10. Legal disclosure
We do not voluntarily disclose user data to government or law enforcement. We comply with valid legal process under the laws of the jurisdictions we operate in. Where law permits, we will notify affected users before disclosure. We do not store data we do not need; in particular, hash-only mode means we cannot produce file contents in response to legal compulsion, because we never received them.
We will publish a transparency report after the first legal disclosure request, listing the number of requests, the categories of data requested, and our response.
11. International users (GDPR, CCPA, and others)
FareWitness is operated from outside the European Union, but our hosting is within the EU (Germany). EU residents are covered by GDPR. California residents are covered by CCPA / CPRA — under these laws we do not sell user data, do not share personal information for cross-context behavioral advertising, and do not engage in automated profiling.
If you are in a jurisdiction with specific privacy laws not yet enumerated above, we will work in good faith to honor analogous rights. Please email us with any specific request.
12. Children
FareWitness is not directed at children under 13 and we do not knowingly collect data from children under 13. If you believe a child has provided us data, please email support@farewitness.com and we will delete it.
13. Security
We use industry-standard cryptographic primitives — ECDSA P-256, SHA-256, TLS 1.3 — and avoid proprietary or homegrown cryptography. We document our security architecture publicly in our threat model and our concrete trust claims in our trust claims document. We commission third-party cryptographic and application security reviews ahead of production launch; the scope and findings will be published as they complete.
We can be contacted about security issues at support@farewitness.com. We acknowledge reports within 48 hours.
14. Changes to this policy
If we change this policy in a material way, we'll update the "Last updated" date at the top, and (for material changes that affect existing users' rights) email registered account holders. Minor wording or clarification changes will simply update the date.
The current version of this policy is always at https://farewitness.com/privacy.html. Earlier versions are available on request.
15. Contact
For privacy questions, data requests, security disclosures, or anything else covered by this policy, email support@farewitness.com. We acknowledge within 48 hours and respond substantively within 30 days.
For general inquiries about FareWitness, visit farewitness.com.