humanpass is operated by Jordi, an individual based in the EU. For any questions about this policy or your data, contact info@human-pass.org.
What humanpass does
humanpass lets you prove you're a real person using your device's biometrics (Face ID, fingerprint). You get a short-lived verification link that anyone can check. We also offer a Chrome browser extension that provides the same functionality.
Legal basis for processing (GDPR Art. 6)
We process your data based on legitimate interest: providing the verification service you chose to use. We only process the minimum data necessary for the service to function.
What we store
A random user ID (not linked to your real identity)
Your passkey's public key, credential ID, and authenticator metadata (generated by your device)
Your verification link short codes and creation timestamps
A session cookie to keep you logged in
We do not collect your name, email, phone number, or any other directly identifying information.
What we do NOT store or access
Your biometrics — Face ID, fingerprints, etc. never leave your device. We only receive a cryptographic signature that proves the check passed.
Tracking data — No analytics, no third-party scripts, no advertising.
Temporary data
During the verification flow, we temporarily store:
Session tokens — expire after 60 seconds.
QR sync tokens — used to connect your phone to your desktop; expire after 5 minutes.
Referrer origins — the origin of the site where a verification link is clicked, stored temporarily to detect fraud; expire after 5 minutes.
Data retention
Verification links — expire after 60 seconds.
Sessions — expire after 60 seconds.
User accounts and passkey credentials — stored until you request deletion.
Temporary data (challenges, sync tokens, referrer checks) — automatically deleted within 5 minutes.
Cookies
We use a single session cookie (session) to authenticate you. It is strictly functional — no tracking, no analytics. It expires when your session ends (60 seconds).
Chrome extension
The humanpass Chrome extension communicates only with human-pass.org to poll for QR sync status and display your verification link. It does not access your browsing data, read page content, or communicate with any other server.
Where your data lives
Data is stored on Cloudflare's infrastructure (D1 database and Workers KV). Cloudflare acts as our data processor under their Data Processing Addendum.
Third parties
We do not sell, share, or transfer your data to any third party. The only sub-processor is Cloudflare, which hosts the infrastructure.
Your rights (GDPR)
You have the right to:
Access — request a copy of the data we hold about you.
Deletion — request that we delete your account and all associated data.
Rectification — request correction of inaccurate data.
Portability — request your data in a machine-readable format.
Object — object to our processing of your data.
Complaint — lodge a complaint with your local data protection authority.