CCPA Compliance Statement

Maelstrom AI's compliance with California Consumer Privacy Act

Public

Executive Summary

The Provii zero knowledge age verification architecture is designed to provide simplified CCPA compliance compared to traditional age verification systems. Maelstrom AI-operated services are designed not to collect personal information as defined by CCPA, reducing most compliance obligations while providing strong privacy protections.

Key Compliance Position:

  • NO sale of personal information (not possible by design)
  • Minimal PI collection. Only IP addresses (hashed, 90-day retention; critical security event logs retained up to 365 days)
  • Zero knowledge architecture. During issuance, date of birth is transmitted once for cryptographic commitment computation, then immediately discarded; it is never stored or logged. During verification, no date of birth is transmitted.
  • Automatic deletion. All ephemeral data auto-expires
  • User control. Credentials stored in user’s wallet, not central database

Table of Contents

  1. Introduction
  2. CCPA Applicability
  3. Personal Information Collected
  4. CCPA Consumer Rights Compliance
  5. CCPA Privacy Policy Requirements
  6. Categories of Personal Information
  7. Business Purposes for Collection
  8. Third-Party Disclosures
  9. Data Subject Access Request Process
  10. CPRA Updates (2023)
  11. Compliance Summary
  12. Technical Privacy Design
  13. Recommendations
  14. Conclusion

Introduction

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023), establishes privacy rights for California residents. This document demonstrates Maelstrom AI’s compliance with CCPA/CPRA requirements.

Our Unique Position: Our zero knowledge architecture is designed so that we do not process personal information in the traditional sense. This document explains how our technical architecture is intended to provide strong privacy protection while reducing compliance obligations.

Legislative Background

  • CCPA. Enacted 2018, effective January 1, 2020
  • CPRA. Amended CCPA, effective January 1, 2023
  • Scope. Businesses operating in California with significant data processing
  • Enforcement. California Privacy Protection Agency (CPPA)

CCPA Applicability

CCPA Thresholds (Cal. Civ. Code § 1798.140)

CCPA applies to for-profit businesses that:

  1. Have annual gross revenues exceeding $25 million; OR
  2. Buy, sell, or share personal information of 100,000+ California residents/households annually; OR
  3. Derive 50%+ of annual revenues from selling or sharing California residents’ personal information

Maelstrom AI’s Status

Applicability Assessment: Maelstrom AI likely meets CCPA thresholds as a technology company operating in California and serving California-based verifiers and users.

Compliance Posture: Even if CCPA does not strictly apply, Maelstrom AI voluntarily complies with CCPA principles as part of our privacy-by-design philosophy and to enable customers to meet their compliance obligations.

Geographic Scope: While CCPA applies to California residents, Maelstrom AI implements privacy protections globally, exceeding CCPA requirements worldwide.


Personal Information Collected

What Maelstrom AI DOES Collect (Server-Side)

| Data Element | Purpose | Retention | CCPA Category |
|---|---|---|---|
| IP Addresses (hashed) | Anti-abuse, rate limiting | 90 days; critical security event logs up to 365 days | Internet/Network Activity |
| Challenge IDs | Verification session management | 5 minutes (auto-expire) | Not PI (random UUIDs) |
| Credential Nullifiers | Replay prevention | Checked against ban list | Not PI (one-way hash) |
| Timestamps | Operational logging | Tied to retention periods | Not PI (metadata) |

Reference: /trust/security/data-retention.mdx

What Maelstrom AI DOES NOT Collect (Zero knowledge Architecture)

Maelstrom AI-operated services are designed not to collect:

NOT COLLECTED (By Design):
❌ Names
❌ Email addresses
❌ Physical addresses
❌ Phone numbers
❌ Dates of birth (transmitted once during issuance for cryptographic commitment computation, then immediately discarded; never stored or logged)
❌ Social security numbers
❌ Driver's license numbers
❌ Passport numbers
❌ Identity document scans
❌ Biometric information
❌ Facial recognition data
❌ Government-issued ID numbers
❌ Financial information
❌ Geolocation data
❌ Browsing history
❌ Search queries
❌ Persistent user identifiers
❌ Cross-site tracking cookies

Evidence:

  • Information Security Policy (Lines 102-109): “Zero knowledge First” principle
  • Privacy Architecture Evidence: Complete data flow analysis
  • Data Retention Policy (Lines 49-64): “What We DON’T Collect”

Why This Matters: CCPA obligations are triggered by processing personal information. Where PI is not collected, most CCPA requirements do not apply.


CCPA Consumer Rights Compliance

Right to Know (CCPA § 1798.100, § 1798.110, § 1798.115)

Consumer Right: Know what personal information is collected, used, disclosed, or sold.

Maelstrom AI’s Compliance

What We Collect:

  • IP addresses (hashed with SHA-256, retained 90 days; critical security event logs up to 365 days)
  • Purpose: Anti-abuse, rate limiting, diagnostics
  • Source: Collected directly from consumer’s device
  • Categories of third parties: Infrastructure provider (Cloudflare)

How to Exercise:

  • Email: privacy@maelstrom.au
  • Response timeframe: 45 days (extendable to 90 days)
  • Verification: Email verification or challenge-response

Simplified Disclosure: Because Maelstrom AI collects almost no personal information, disclosure is straightforward:

“We collect only your IP address (in hashed form) for 90 days to prevent abuse. We do not collect your name, email, date of birth, or any identity documents. Your age verification is performed using zero knowledge proofs that reveal only whether you meet the age threshold.”

Evidence:

  • Privacy Architecture Evidence (UC-001): Data Minimization
  • Data Retention Policy: 90-day IP retention

Right to Delete (CCPA § 1798.105)

Consumer Right: Request deletion of personal information held by the business.

Maelstrom AI’s Compliance

Automatic Deletion:

  1. IP Addresses: Auto-deleted after 90 days via Grafana Cloud (Loki) tenant retention (Cloudflare Workers Logs sink); critical security event logs retained up to 365 days
  2. Challenge Records: Auto-deleted after 5 minutes via KV TTL
  3. Nonce Records: Auto-deleted after 5 minutes via KV TTL

Expedited Deletion:

  • Consumers can request immediate deletion before automatic expiration
  • Process: Email privacy@maelstrom.au with verification
  • Response time: 10 business days acknowledgment, deletion within 45 days

No Deletion Required:

  • Wallet-held credentials. Under user control (delete wallet app)
  • Zero knowledge proofs. Not personal information (cryptographic data)
  • Nullifiers. Not personal information (one-way hashes)

Exceptions to Deletion (CCPA § 1798.105(d)): Maelstrom AI may retain data to:

  1. Detect security incidents and protect against malicious/illegal activity (IP logs)
  2. Debug to identify and repair errors
  3. Comply with legal obligations

Evidence:

  • Data Lifecycle Evidence (UC-103): Automated deletion implementation
  • Data Retention Policy (Lines 109-131): Automated deletion mechanisms
  • Retention Policy Code: provii-verifier/src/storage/retention.rs

Right to Opt-Out of Sale (CCPA § 1798.120)

Consumer Right: Opt-out of sale of personal information.

Maelstrom AI’s Compliance

Status: NOT APPLICABLE - Maelstrom AI does NOT sell personal information.

Definition of “Sale” (CCPA § 1798.140(ad)):

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.

Maelstrom AI’s Position:

  • NO sale of personal information occurs
  • NO data sharing for monetary value
  • NO cross-context behavioural advertising
  • NO third-party data brokers

Data Shared with Service Providers:

  • Cloudflare (infrastructure): Processes IP addresses for service delivery under service provider agreement
  • Not a sale. Shared solely for business operations, not for Cloudflare’s independent use

Evidence:

  • Business model: Websites pay per verification, NOT for data access
  • Privacy Architecture Evidence (UC-016): “No PII shared (zero knowledge architecture)”
  • No third-party data monetization

“Do Not Sell My Personal Information” Link:

  • Not required (no sale occurs)
  • Optional. Can provide for transparency: “We do not sell personal information”

Right to Correct (CPRA § 1798.106)

Consumer Right: Request correction of inaccurate personal information.

Maelstrom AI’s Compliance

Status: NOT APPLICABLE - Maelstrom AI stores no correctable personal information.

Rationale:

  • IP addresses are automatically collected (no inaccuracy possible)
  • No names, addresses, dates of birth stored on servers
  • Wallet-held credentials updated by user (client-side)

If Applicable: Users can update date of birth in wallet, generating new credentials automatically.


Right to Limit Use of Sensitive Personal Information (CPRA § 1798.121)

Consumer Right: Limit use and disclosure of sensitive personal information.

Maelstrom AI’s Compliance

Status: NOT APPLICABLE - Maelstrom AI does NOT collect sensitive personal information.

CPRA Sensitive PI Categories (§ 1798.140(ae)):

  • Social security, driver’s license, passport numbers ❌ Not collected
  • Account credentials ❌ Not collected
  • Precise geolocation ❌ Not collected
  • Racial/ethnic origin, religious beliefs ❌ Not collected
  • Health data, sex life, sexual orientation ❌ Not collected
  • Biometric information ❌ Not collected

Evidence: “What We DON’T Collect” list in Personal Information Collected section.


Right to Non-Discrimination (CCPA § 1798.125)

Consumer Right: Not be discriminated against for exercising CCPA rights.

Maelstrom AI’s Compliance

Policy Statement: Maelstrom AI will NOT discriminate against consumers who exercise their CCPA rights by:

  • Denying goods or services
  • Charging different prices or rates
  • Providing different quality of services
  • Suggesting consumer will receive different prices or quality

Implementation:

  • Same age verification service for all users
  • No pricing tiers based on privacy choices
  • No service degradation for rights requests

Financial Incentive Programs: NONE - Maelstrom AI does not offer financial incentives for personal information.

Evidence: Information Security Policy principle of equal treatment.


CCPA Privacy Policy Requirements

Required Disclosures (CCPA § 1798.130(a)(5))

CCPA mandates privacy policies include:

✅ Categories of Personal Information Collected

Disclosure:

“We collect Internet/Network Activity Information (IP addresses, in hashed form) for the purposes of preventing abuse and maintaining service integrity. We do not collect names, contact information, identity documents, biometric data, or dates of birth on our servers.”

✅ Sources of Personal Information

Disclosure:

“IP addresses are collected directly from consumers when they interact with our age verification API.”

✅ Business or Commercial Purposes for Collection

Disclosure:

“We collect IP addresses for the following business purposes:

  1. Detecting security incidents and protecting against malicious activity
  2. Debugging to identify and repair errors
  3. Short-term, transient use (rate limiting)”

✅ Categories of Third Parties with Whom We Share PI

Disclosure:

“We share IP address data with our infrastructure provider, Cloudflare, solely for the purpose of service delivery. We do not sell, rent, or share personal information for marketing or advertising purposes.”

✅ Consumer Rights

Disclosure:

“California residents have the right to:

  • Know what personal information we collect and how we use it
  • Request deletion of personal information (subject to exceptions)
  • Opt-out of sale of personal information (N/A - we do not sell PI)
  • Non-discrimination for exercising these rights

To exercise these rights, contact privacy@maelstrom.au”

✅ How to Submit Verifiable Consumer Requests

Disclosure:

“Submit requests via email to privacy@maelstrom.au. We will verify your identity using email verification or challenge-response authentication before fulfilling requests.”

Privacy Policy Location

Current Status: Privacy information documented in:

  • /trust/security/information-security-policy.mdx
  • /trust/security/data-retention.mdx
  • Published at: https://maelstrom.au/trust

Recommendation: Create dedicated “Privacy Policy for California Residents” page consolidating CCPA-required disclosures.


Categories of Personal Information

CCPA PI Categories Analysis

CCPA/CPRA § 1798.140(o) defines 11 categories of personal information. Analysis of Maelstrom AI’s collection:

| CCPA Category | Examples | Collected by Maelstrom AI? | Retention | Purpose |
|---|---|---|---|---|
| A. Identifiers | Name, email, SSN, IP address, account name | Partial (IP only, hashed) | 90 days; critical security event logs up to 365 days | Abuse prevention |
| B. Personal Information (Cal. Civ. Code § 1798.80(e)) | Name, address, SSN, driver’s license | ❌ NO | N/A | N/A |
| C. Protected Classifications | Age, race, gender, religion, disability | ❌ NO | N/A | N/A |
| D. Commercial Information | Purchase history, payment info | ❌ NO | N/A | N/A |
| E. Biometric Information | Fingerprints, faceprints, voiceprints | ❌ NO | N/A | N/A |
| F. Internet/Network Activity | Browsing history, search history, interaction with websites | YES (IP only) | 90 days; critical security event logs up to 365 days | Abuse prevention |
| G. Geolocation Data | Physical location or movements | ❌ NO | N/A | N/A |
| H. Sensory Data | Audio, electronic, visual recordings | ❌ NO | N/A | N/A |
| I. Professional/Employment | Job history, performance evaluations | ❌ NO | N/A | N/A |
| J. Education Information | Grades, transcripts | ❌ NO | N/A | N/A |
| K. Inferences | Profiles reflecting preferences, behaviour | ❌ NO | N/A | N/A |

Summary: Maelstrom AI collects 1 out of 11 CCPA categories (Internet/Network Activity), and only partially (IP addresses, hashed, for 90 days; critical security event logs up to 365 days).

Evidence:

  • Privacy Architecture Evidence: “What’s NOT Collected (Critical Privacy Evidence)”
  • Data Retention Policy: Table of retention periods

Business Purposes for Collection

Permitted Business Purposes (CCPA § 1798.140(e))

CCPA allows collection for the following business purposes:

1. Detecting Security Incidents, Protecting Against Malicious Activity

Maelstrom AI’s Use: IP address logging for abuse detection, rate limiting, DDoS prevention

Justification: Essential for service security and fraud prevention

2. Debugging to Identify and Repair Errors

Maelstrom AI’s Use: IP logs aid in diagnosing service issues and operational problems

Justification: Necessary for maintaining service quality

3. Short-Term, Transient Use

Maelstrom AI’s Use: Challenge records (5-minute lifetime), nonce records (5-minute lifetime)

Justification: Ephemeral data for active verification sessions

What Maelstrom AI Does NOT Use PI For

NOT USED FOR:
❌ Advertising or marketing
❌ Profiling or behavioral analysis
❌ Selling to third parties
❌ Cross-context behavioral advertising
❌ Building user profiles
❌ Inferring characteristics or preferences
❌ Identity resolution across devices/sites
❌ Targeted advertising

Evidence:

  • Privacy Architecture Evidence (UC-002): Purpose Limitation
  • Information Security Policy: No PII collection principle

Third-Party Disclosures

Service Providers

Cloudflare (Infrastructure Provider)

Category: Cloud infrastructure and security provider

Data Shared:

  • IP addresses (processed for service delivery)
  • Zero knowledge proofs (not PI - cryptographic data)
  • Challenge records (random UUIDs)

Purpose:

  • Service hosting on Cloudflare Workers
  • DDoS protection
  • Content delivery network (CDN)
  • Edge computing infrastructure

Contractual Protections:

  • Service provider agreement
  • Cloudflare SOC 2 Type II certified (supplier-held, via Cloudflare)
  • Cloudflare ISO 27001 certified (supplier-held, via Cloudflare)
  • Standard Contractual Clauses for international transfers

Evidence:

  • Supplier Management Policy: /trust/security/supplier-management.md
  • Vendor Evidence: /trust/compliance/evidence/vendors/third-party-evidence.md

GitHub (Development & CI/CD)

Category: Source code hosting and CI/CD

Data Shared:

  • Source code (public - open source)
  • CI/CD logs (no PI)
  • Build artifacts

Purpose:

  • Code repository management
  • Automated testing and deployment
  • Issue tracking

No PI Shared: GitHub does not receive personal information from Maelstrom AI’s operations.

Sales of Personal Information

Status: Maelstrom AI DOES NOT SELL personal information.

Definition Verification:

  • No data sharing for monetary compensation
  • No data broker relationships
  • No advertising network partnerships
  • No cross-context behavioural advertising data sharing

CCPA “Sale” Exclusions: Even if data sharing occurred, the following would be excluded from “sale”:

  1. Sharing with service providers under written contract (Cloudflare qualifies)
  2. Disclosures required by law
  3. Consumer-directed disclosures

Evidence: Business model analysis - revenue from verification fees, NOT data monetization.


Data Subject Access Request Process

Verifiable Consumer Request (VCR) Procedures

1. Request Submission Methods

Email: privacy@maelstrom.au
Subject Line: “CCPA Consumer Request - [Right to Know/Delete/Correct]”

Required Information:

  • Full name
  • California residency confirmation
  • Email address or contact method
  • Description of request (know/delete/correct)
  • Specific data categories requested (if Right to Know)

Web Form: (Recommended) - Create dedicated form at provii.app/privacy-request

2. Identity Verification Process

Verification Standard: Match request to personal information already maintained (CCPA § 1798.140(y))

Maelstrom AI’s Challenge: We collect minimal PI, making traditional verification difficult.

Verification Methods:

Method 1: Email Verification

  • Send confirmation link to requester’s email
  • Confirm email ownership
  • Limitation: Only verifies email, not California residency

Method 2: Challenge-Response Authentication

  • If requester has used the Provii wallet, verify via wallet signature
  • Cryptographic proof of wallet ownership
  • No PII required

Method 3: Attestation (for minimal data requests)

  • Signed declaration of California residency
  • Penalty of perjury statement
  • Acceptable for low-risk requests (Right to Know)

Heightened Verification (for deletion requests):

  • Two-step verification
  • Additional documentation if data sensitivity warrants

Evidence: Planned in UC-005 (User Rights Facilitation)

3. Response Timeline

Acknowledgment: 10 business days from receipt
Response: 45 calendar days (extendable to 90 days with notice)

Response Content:

  • Categories of PI collected (IP addresses)
  • Specific pieces of PI (if Right to Know, minimal for Maelstrom AI)
  • Business purposes for collection
  • Categories of third parties shared with
  • Deletion confirmation (if Right to Delete)

Format: Portable format (JSON, CSV) if requested

4. Request Tracking and Records

Retention: Maintain records of consumer requests for 24 months

Logged Information:

  • Date/time of request
  • Type of request
  • Verification method used
  • Response provided
  • Completion date

Evidence: Planned enhancement to audit logging system.


CPRA Updates (2023)

California Privacy Rights Act Compliance

The CPRA (effective January 1, 2023) amended CCPA with new requirements:

New Rights

1. Right to Correction (§ 1798.106)

Maelstrom AI Status: ✅ Compliant (N/A - no correctable PI stored)

Rationale: Maelstrom AI stores no personal information requiring correction. IP addresses are automatically collected and cannot be “incorrect.”

2. Right to Limit Use of Sensitive Personal Information (§ 1798.121)

Maelstrom AI Status: ✅ Compliant (N/A - no sensitive PI collected)

Rationale: Maelstrom AI does not collect any CPRA-defined sensitive personal information:

  • No SSN, driver’s license, passport numbers
  • No precise geolocation
  • No racial/ethnic origin, religious beliefs
  • No health data, sex life, sexual orientation
  • No biometric information

Evidence: Categories of Personal Information table (zero sensitive PI)

3. Opt-Out of Automated Decision-Making (§ 1798.137)

Maelstrom AI Status: ✅ Compliant (N/A - no automated decision-making with legal/similar effects)

Analysis:

  • Age verification is not a “decision” with legal or similarly significant effects
  • No profiling or behavioural analysis
  • Cryptographic proof verification is deterministic, not decision-making

Evidence: Privacy Architecture Evidence (UC-011): “No Automated Decision-Making with Legal Effect”

New “Sharing” Obligations

CPRA Definition of “Sharing”: Disclosing PI to third party for cross-context behavioural advertising

Maelstrom AI Status: ✅ Compliant (N/A - no sharing occurs)

Evidence:

  • No advertising partnerships
  • No data broker relationships
  • Cloudflare sharing is for service delivery, not advertising

Look-Back Period Extended

CPRA Requirement: Right to Know extends to 12 months of data (previously unspecified)

Maelstrom AI Status: ✅ Compliant (data retention < 12 months)

Evidence:

  • IP addresses: 90 days retention
  • Challenge records: 5 minutes retention
  • All operational data < 30 days

Data Minimization Obligation

CPRA § 1798.100(c): Collect PI “reasonably necessary and proportionate” to purposes

Maelstrom AI Status: ✅ Compliant

Evidence:

  • UC-001 (Data Minimization): “Zero knowledge architecture collects NO PII on servers”
  • Architecture is designed to prevent over-collection

Compliance Summary

CCPA Requirements Checklist

| Requirement | Status | Evidence | Notes |
|---|---|---|---|
| Privacy Policy Published | ✅ Complete | maelstrom.au/trust | Needs CCPA-specific page |
| Categories of PI Disclosed | ✅ Complete | This document | 1 of 11 categories collected |
| Business Purposes Disclosed | ✅ Complete | This document | Abuse prevention only |
| Third Parties Disclosed | ✅ Complete | Supplier management policy | Cloudflare only |
| Right to Know Process | ✅ Complete | Email privacy@maelstrom.au | 45-day response commitment |
| Right to Delete Process | ✅ Complete | Automatic 90-day deletion | Can expedite on request |
| Right to Opt-Out Link | ✅ N/A | No sale occurs | Can add “We Don’t Sell” page |
| Non-Discrimination Policy | ✅ Complete | This document | Equal service for all |
| Authorised Agent Process | 📋 Planned | DSAR procedures | Document verification steps |
| CPRA Sensitive PI Limits | ✅ N/A | No sensitive PI collected | Not possible by design |
| CPRA Correction Right | ✅ N/A | No correctable data | IP auto-collected |
| CPRA Automated Decision | ✅ N/A | No consequential decisions | ZK proof verification only |
| 12-Month Look-Back | ✅ Complete | 90-day retention | Exceeds by being shorter |
| Data Minimization | ✅ Complete | Zero knowledge architecture | Core design principle |

Overall Status: STRONG COMPLIANCE

Gap Summary:

  1. Dedicated CCPA Privacy Policy Page - Recommended (consolidate CCPA disclosures)
  2. Authorised Agent Procedures - Document verification requirements

Technical Privacy Design

Traditional Age Verification vs. Provii

Traditional Age Verification Systems

Data Collection:

  • Full name, date of birth
  • Identity document scans (driver’s license, passport)
  • Selfie photos for facial recognition
  • Address, email, phone number
  • Biometric data

CCPA Compliance Burden:

  • Complex: Must manage all 11 categories of PI
  • High Risk: Data breaches expose sensitive PII
  • Resource Intensive: DSAR fulfillment requires database queries, redaction
  • Sale Concerns: Third-party identity verification vendors may constitute “sale”
  • Deletion Complexity: Must purge from multiple systems, backups
  • Ongoing Costs: Dedicated privacy personnel, legal review, compliance audits

User Trust Issues:

  • Users must trust company with sensitive documents
  • No assurance of data deletion
  • Privacy promises are policy-based, not technically enforced

Provii’s Zero knowledge Approach

Data Collection:

  • ✅ IP addresses only (hashed, 90 days)
  • ✅ No identity documents
  • ✅ No biometric data
  • ✅ No names, addresses, contact info
  • ✅ Date of birth transmitted once during issuance for cryptographic commitment computation, then immediately discarded; never stored, logged, or retained

CCPA Compliance Position:

  • Simple: Only 1 of 11 PI categories collected
  • Lower Risk: Breach reveals no sensitive PII (none collected)
  • Minimal Burden: DSAR response is “We have no PI about you”
  • No Sale: Not possible by design to sell PI
  • Auto-Deletion: Ephemeral data expires automatically
  • Low Cost: Compliance largely automated, minimal manual processes

Privacy Design Strengths:

  • Cryptographic Design: Privacy enforced by cryptography, not policy
  • No “Trust Us” Required: Open source verification
  • User Control: Credentials in wallet, not central database
  • Unlinkability: No cross-site tracking possible

Operational Benefits of Reduced PI Collection

Traditional System Risks:

  • CCPA penalties: $2,500 per unintentional violation, $7,500 per intentional
  • Class action lawsuits (CCPA § 1798.150) for data breaches
  • Attorney General enforcement actions

Maelstrom AI’s Risk Profile:

  • Minimal PI reduces CCPA exposure
  • No breach of PII possible (none collected)
  • Reduced compliance surface area

2. Lower Operational Costs

Traditional Costs:

  • Dedicated privacy team (DPO, privacy engineers, legal counsel)
  • DSAR fulfillment (database queries, manual review, redaction)
  • Privacy audits and assessments
  • Third-party privacy management tools

Maelstrom AI’s Position:

  • Compliance largely automated
  • Minimal DSAR workload
  • Architecture-based privacy reduces manual processes

3. Faster Time to Market

Traditional Delays:

  • Privacy impact assessments for each feature
  • Legal review of data flows
  • Consent management implementation

Maelstrom AI’s Position:

  • Privacy by design reduces review cycles
  • No PII simplifies feature launches
  • Architectural design enables predictable compliance

Recommendations

Immediate Actions (Deferred, Planned H1 2026)

1. Create Dedicated CCPA Privacy Policy Page

Priority: High
Effort: Low (2-4 hours)
Owner: Legal/Compliance

Content:

  • Consolidate all CCPA-required disclosures
  • Plain language for California consumers
  • “Notice at Collection” compliant
  • Link from all consumer-facing pages

Location: provii.app/privacy/california

Reference: CCPA § 1798.130(a)(5) disclosure requirements

2. Document Authorised Agent Procedures

Priority: Medium
Effort: Low (1-2 hours)
Owner: Legal

Content:

  • How authorised agents submit requests
  • Verification requirements (signed permission)
  • Response procedures
  • Records retention

Reference: CCPA § 1798.135(b) authorised agent requirements

Medium-Term Enhancements (Planned H2 2026)

4. Add “Do Not Sell My Personal Information” Page

Priority: Low (not required, but good practice)
Effort: Low (1 hour)
Owner: Legal/Privacy Officer

Content:

“Maelstrom AI does not sell personal information. Our zero knowledge architecture means there is no personal information to sell, because we do not collect it in the first place. Your age verification is performed using cryptographic proofs that reveal nothing about your identity or date of birth.”

Benefit: Proactive transparency

5. Annual CCPA Compliance Review

Priority: Medium
Effort: Low (2-4 hours annually)
Owner: Privacy Officer / Legal

Scope:

  • Review data collection practices (confirm no new PI)
  • Update privacy policy for regulatory changes
  • Audit DSAR response times
  • Verify deletion automation still functioning
  • Check for new CPRA amendments

Cadence: Annually (Q1) or when regulations change

6. Privacy Training

Priority: Medium
Effort: Low (1 hour training)
Owner: Privacy Officer

Topics:

  • What is CCPA and why it matters
  • Our minimal data collection position
  • How to respond to consumer requests
  • Escalation procedures
  • “Don’t collect PII” principle reinforcement

Audience: All personnel involved in engineering and support functions


Conclusion

Summary

The Provii zero knowledge age verification architecture is designed to provide strong CCPA compliance through technical design rather than policy promises. Maelstrom AI-operated services are designed to:

  1. Not collect traditional personal information (names, DOB, identity documents)
  2. Not sell personal information (not possible by design)
  3. Automatically delete ephemeral data (90-day maximum retention for IP addresses; critical security event logs up to 365 days)
  4. Provide user control through wallet-based credentials
  5. Implement CCPA principles through privacy-by-design

Key Compliance Achievements

| Aspect | Status | Notes |
|---|---|---|
| Data Minimization | ✅ Compliant | Collects 1 of 11 CCPA categories |
| No Sale of PI | ✅ By design | No PI collected to sell |
| Automatic Deletion | ✅ Complete | 90-day max retention (IP only) |
| User Rights | ✅ Simplified | Minimal PI reduces DSAR burden |
| Transparency | ✅ Implemented | Open source + published policies |
| CPRA Compliance | ✅ Addressed | No sensitive PI, no automated decisions |

Technical Differentiation

Provii’s Design Position:

“Traditional age verification requires collecting sensitive personal information. Provii is designed to avoid collecting such data through zero knowledge cryptography, which reduces compliance risk because the personal information that would create compliance obligations is not collected.”

Recommendations Summary

Critical:

  1. Create dedicated CCPA privacy policy page

Important:

  2. Document authorised agent procedures
  3. Annual CCPA compliance review

Beneficial:

  4. Add “We Don’t Sell Your Data” transparency page

Final Assessment

Overall CCPA Compliance: ✅ STRONG COMPLIANCE POSITION

Maelstrom AI’s approach to CCPA compliance is grounded in architectural privacy design. The zero knowledge approach is designed to reduce most CCPA obligations while providing strong privacy protection compared to policy-based systems.

Gaps: Minor documentation improvements (dedicated privacy policy page)

Strengths:

  • Architectural privacy design
  • No sale of PI (no PI collected to sell)
  • Automatic deletion
  • Minimal data collection
  • User control through wallet architecture

References

  1. California Civil Code §§ 1798.100-1798.199: CCPA/CPRA statutory text
  2. California Code of Regulations Title 11, §§ 7000-7102: CCPA regulations
  3. California Privacy Protection Agency: Official guidance and FAQs
  4. CCPA as amended by CPRA: Effective January 1, 2023

Maelstrom AI Documentation

  1. Information Security Policy: /trust/security/information-security-policy.mdx
  2. Data Retention Policy: /trust/security/data-retention.mdx
  3. Privacy Architecture Evidence: /trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md
  4. Data Lifecycle Evidence: /trust/compliance/evidence/privacy-controls/data-lifecycle-evidence.md
  5. Unified Control Matrix: /trust/compliance/requirements/unified-control-matrix.md
  6. Supplier Management: /trust/security/supplier-management.md

Technical Evidence

  1. Retention Policy Code: provii-verifier/src/storage/retention.rs
  2. Challenge TTL Implementation: provii-verifier/src/routes/challenge.rs
  3. Nonce TTL Implementation: provii-verifier/src/routes/verify.rs
  4. Log Sanitization: provii-verifier/src/security/log_sanitizer.rs

Document Information

| Field | Value |
|---|---|
| Version | 1.1 |
| Effective Date | 2026-02-13 |
| Last Updated | 2026-02-13 |
| Owner | Privacy Officer |
| Review Frequency | Annually |
| Next Review | Q2 2027 |
| Classification | Public |
| Approved By | ISMS Owner |

Revision History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-11-08 | Maelstrom AI | Initial creation - CCPA compliance statement |
| 1.1 | 2026-02-13 | Compliance & ISMS Specialist | Updated stale date references and action timelines |