Privacy Policy

How Provii Wallet collects, uses, and protects your personal information


Last updated: 14 April 2026

Looking for an easier read? A plain English summary of this policy is available at Privacy Policy (plain English summary). The legal text below is the binding version.

Provii Wallet is operated by Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (ABN 61 633 823 792), PO Box 169, St Arnaud VIC 3478, Australia (“we”, “us”, “our”).

We provide privacy-preserving age verification using zero knowledge proofs. We are committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy covers the Provii Wallet website (provii.app), the Provii Wallet mobile application, and our age verification infrastructure (collectively, the “Services”).

In this policy, “personal information” has the meaning given in the Privacy Act 1988. Where we refer to the EU General Data Protection Regulation (GDPR), the equivalent term is “personal data.”

1. Overview of Our Privacy Architecture

Provii Wallet is designed so that your personal information stays on your device. Our age verification system uses zero knowledge proofs, which means businesses can confirm you meet an age requirement without ever learning your date of birth, your exact age, or your identity.

We do not maintain user accounts. We do not require your name, email address, phone number, or any other identifying information to use Provii Wallet.

Our Services implement data protection by design and by default. Data minimisation, pseudonymisation, and purpose limitation are embedded into our technical architecture rather than added as afterthoughts.

2. Information We Collect

We collect personal information only where it is reasonably necessary for the provision of our age verification services (APP 3). The sections below summarise what we collect, whether we retain it, and the purpose.

2.1 Website

Our website is a static informational site. It collects minimal data:

  • Theme preference: Your light or dark mode preference is stored locally in your browser (localStorage). This never leaves your device and is not personal information.
  • No application cookies: Our website code does not set any cookies. Cloudflare’s CDN infrastructure may set strictly necessary cookies for security purposes (such as bot protection). See our Cookie Policy for full details.
  • No forms or accounts: We do not collect email addresses, names, or any personal information through the website.
  • No tracking: We do not use Google Analytics, advertising pixels, or any third-party tracking scripts.

2.2 Provii Wallet Mobile Application

The Provii Wallet app stores your age credential securely on your device. Here is exactly what happens with your data:

Stored on your device only (never sent to our servers)

  1. Your date of birth (stored securely in your device’s keychain, protected by biometric authentication)
  2. Your cryptographic credential (the signed attestation proving your age)
  3. A random value that ensures your credential cannot be linked across uses (technically called a “blinding factor”)

Transmitted during credential issuance (one-time setup)

When you first set up your Provii Wallet, a trusted issuer (such as your bank or a government-authorised identity provider) verifies your age and creates a signed attestation. During this process:

  1. Your date of birth and a random blinding factor are sent to our issuance server to compute a cryptographic commitment (a sealed mathematical value that locks in your age without revealing it). This prevents anyone from creating a credential with a false age.
  2. This data is used only in the moment: it is not stored, logged, or retained by our servers.
  3. A one-time-use random number (called a nonce) prevents this process from being replayed.

Although we do not retain your date of birth, we acknowledge that receiving it during issuance constitutes “collection” under the Privacy Act. This collection is reasonably necessary for the purpose of issuing an accurate age credential.
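The issuance step described above, as an added illustration (not Provii's code and not the protocol published in the project's repository): the device sends a date of birth, a fresh random blinding factor and a one-time nonce; the server computes a commitment, attests to it, rejects any replay of the nonce, and keeps nothing else. The commitment construction (SHA-256 over the blinding factor and the ISO date) and the HMAC standing in for the issuer's signature are assumptions made for the example; all inputs are constructed.

```python
"""Added example (not Provii's code) of the issuance step in Section 2.2:
a commitment over the date of birth and a blinding factor, a nonce
registry that rejects replays, and an issuer attestation over the
commitment only. Assumptions for the illustration: the commitment is
SHA-256(blinding || ISO date) and an HMAC stands in for the issuer's
signature; the real scheme is whatever the open-source protocol defines."""
import hashlib
import hmac
import os
import secrets
from datetime import date, timedelta
from typing import Optional

ISSUER_KEY = os.urandom(32)  # constructed stand-in for the issuer's signing key


def commit(dob: date, blinding: bytes) -> bytes:
    """Commitment that is binding (fixes the date) and hiding (the 32-byte
    random blinding factor makes the date infeasible to enumerate)."""
    if len(blinding) < 32:
        raise ValueError("blinding factor must be at least 32 random bytes")
    return hashlib.sha256(blinding + dob.isoformat().encode()).digest()


class IssuanceServer:
    """Handles a request entirely in memory; the only state kept between
    requests is the set of spent nonces used to detect replays."""

    def __init__(self) -> None:
        self._spent_nonces: set = set()

    def issue(self, dob: date, blinding: bytes, nonce: bytes) -> Optional[bytes]:
        if nonce in self._spent_nonces:
            return None  # replayed request: refuse to issue again
        self._spent_nonces.add(nonce)
        commitment = commit(dob, blinding)
        tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
        # dob and blinding go out of scope here; nothing about them is logged
        return commitment + tag


def verify_attestation(record: bytes) -> bool:
    """Verifier-side check that the commitment carries a valid issuer tag."""
    commitment, tag = record[:32], record[32:]
    expected = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def recover_unblinded_date(target: bytes, start: date = date(1900, 1, 1),
                           end: date = date(2026, 12, 31)) -> Optional[date]:
    """Why the blinding factor exists: a bare SHA-256 of a date of birth
    spans only about 46,000 candidates and is recovered by enumeration."""
    d = start
    while d <= end:
        if hashlib.sha256(d.isoformat().encode()).digest() == target:
            return d
        d += timedelta(days=1)
    return None


def run_issuance_demo() -> dict:
    """Constructed walk-through; returns facts a test can assert on."""
    server = IssuanceServer()
    dob = date(2000, 1, 1)
    blinding, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    record = server.issue(dob, blinding, nonce)
    replay = server.issue(dob, blinding, nonce)
    other = commit(dob, secrets.token_bytes(32))  # same dob, new blinding
    tampered = bytes([record[0] ^ 1]) + record[1:]
    return {
        "issued": record is not None and verify_attestation(record),
        "replay_rejected": replay is None,
        "tampered_rejected": not verify_attestation(tampered),
        "unlinkable": other != record[:32],
        "bare_hash_recovered":
            recover_unblinded_date(hashlib.sha256(b"2000-01-01").digest()) == dob,
    }
```

The last entry of the demo makes the design point explicit: the same date hashed without a blinding factor is recovered in milliseconds, which is why the random value is part of the commitment rather than an optional extra.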

Transmitted during age verification (each time you prove your age)

When you verify your age with a business, the following occurs:

  1. Your device generates a zero knowledge proof locally. This proof mathematically demonstrates that your age meets the required threshold without revealing your date of birth.
  2. The proof is sent to the verification server. The server learns only whether you meet the age requirement (for example, “over 18”), nothing more.
  3. Your date of birth, exact age, and identity are never transmitted during verification.

2.3 Server-Side Logging

Our verification servers maintain security audit logs that contain:

  1. Hashed IP addresses: We apply one-way hashing (SHA-256) to IP addresses before logging, meaning the original IP address cannot be recovered from the hash. This allows us to detect abuse patterns without storing your actual IP address.
  2. Verification event metadata: Timestamps, event types, and the origin domain of verification requests. Challenge identifiers are redacted in logs.

Audit logs are automatically deleted after 90 days; critical security event logs are retained for up to 365 days.
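An added illustration of the logging described in this section (not Provii's code): the client address is pseudonymised before anything is written, only event metadata is kept, and a retention sweep drops ordinary entries at 90 days and critical ones at 365. The page states plain SHA-256; this example instead uses HMAC-SHA256 under a secret pepper, an assumption added because an IPv4 address has only 2^32 possible values and an unkeyed hash of one can be matched by enumerating the space. The addresses, pepper and log lines are constructed.

```python
"""Added example (not Provii's code) of the audit-log handling in
Section 2.3: pseudonymising the client IP before it is written, keeping
only event metadata, and expiring entries at 90 days (365 for critical
security events). Uses HMAC-SHA256 with a secret pepper rather than the
plain SHA-256 the page describes (an assumption added for hardening)."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

AUDIT_RETENTION = timedelta(days=90)
CRITICAL_RETENTION = timedelta(days=365)


def hash_ip(ip: str, pepper: bytes) -> str:
    """Keyed one-way pseudonym; the pepper never enters the log store."""
    addr = ipaddress.ip_address(ip)  # validates and canonicalises v4/v6
    return hmac.new(pepper, addr.packed, hashlib.sha256).hexdigest()


def log_event(ip: str, event: str, origin: str, at: datetime, pepper: bytes,
              critical: bool = False) -> Dict:
    """Only the hash, timestamp, event type and origin domain are kept;
    challenge identifiers are deliberately not part of the record."""
    return {"ip_hash": hash_ip(ip, pepper), "event": event, "origin": origin,
            "ts": at.isoformat(), "critical": critical}


def purge_expired(entries: List[Dict], now: datetime) -> List[Dict]:
    """Retention sweep: 90 days for ordinary audit events, 365 for critical."""
    kept = []
    for e in entries:
        limit = CRITICAL_RETENTION if e["critical"] else AUDIT_RETENTION
        if now - datetime.fromisoformat(e["ts"]) < limit:
            kept.append(e)
    return kept


def repeated_failures(entries: List[Dict], window: timedelta,
                      now: datetime, threshold: int) -> List[str]:
    """Abuse pattern detected on pseudonyms alone: hashes with at least
    `threshold` failed verifications inside the window."""
    counts: Dict[str, int] = {}
    for e in entries:
        age = now - datetime.fromisoformat(e["ts"])
        if e["event"] == "verify_failed" and age <= window:
            counts[e["ip_hash"]] = counts.get(e["ip_hash"], 0) + 1
    return [h for h, n in counts.items() if n >= threshold]


def run_logging_demo() -> Dict:
    """Constructed sample: documentation-range addresses and made-up events."""
    pepper = b"constructed-pepper-rotate-me"
    now = datetime(2026, 4, 14, 12, 0, 0)
    entries = [
        log_event("203.0.113.7", "verify_failed", "shop.example", now - timedelta(minutes=5), pepper),
        log_event("203.0.113.7", "verify_failed", "shop.example", now - timedelta(minutes=3), pepper),
        log_event("203.0.113.7", "verify_failed", "shop.example", now - timedelta(minutes=1), pepper),
        log_event("198.51.100.9", "verify_ok", "shop.example", now - timedelta(days=91), pepper),
        log_event("2001:db8::1", "rate_limit_tripped", "shop.example",
                  now - timedelta(days=200), pepper, critical=True),
    ]
    kept = purge_expired(entries, now)
    return {
        "stable": hash_ip("203.0.113.7", pepper) == entries[0]["ip_hash"],
        "pepper_bound": hash_ip("203.0.113.7", b"other") != entries[0]["ip_hash"],
        "no_raw_ip": all("203.0.113.7" not in str(e) for e in entries),
        "kept_after_purge": len(kept),  # 91-day-old ordinary entry is gone
        "flagged": repeated_failures(kept, timedelta(minutes=10), now, 3),
    }
```

Because the pseudonym is stable under one pepper, repeated failures from a single source still cluster and can be rate limited; rotating the pepper on a schedule bounds how long any pseudonym remains correlatable.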

2.4 Unsolicited Personal Information

If we receive personal information that we did not request and that is not reasonably necessary for our services, we will destroy or de-identify it as soon as practicable in accordance with APP 4.

2.5 Developer Documentation Sandbox

The developer documentation at docs.provii.app exposes an interactive sandbox so software developers evaluating Provii can issue test credentials, call the API explorer, and preview verifier styling before integrating. This sandbox is distinct from the production wallet and verifier infrastructure.

Who

Software developers, architects, and integration engineers evaluating Provii for their own services. The sandbox is a pre-contractual onboarding surface. It is not intended for, and is not offered to, end-user consumers.

What we process

  1. A pseudonymous session_id in the __Host-docs_session cookie. This is an opaque random identifier derived server-side; it is not linked to any account, email address, or device fingerprint, and it is never correlated with production verification data.
  2. Request metadata routed through Cloudflare (hashed source IP, user-agent, Cloudflare Bot Management signals) used strictly for abuse prevention and session continuity.
  3. Fixture-only credential inputs. The sandbox accepts pre-defined synthetic fixture IDs; it rejects any raw date of birth at the schema boundary and never processes real personal data from developers or from third parties.

No name, email address, phone number, payment detail, or other directly identifying information is collected through the sandbox. Developers who wish to progress to a commercial relationship contact us separately through channels disclosed in Section 14.

Why (lawful basis)

  • Pre-contractual integration support under Article 6(1)(b) of the GDPR, where the developer has taken steps to evaluate Provii at their own request. The sandbox exists so that a prospective controller or processor can satisfy itself of Provii’s capabilities before entering into a contract.
  • Legitimate interest under Article 6(1)(f) of the GDPR for bot protection, rate limiting, and abuse prevention on a public developer-facing surface. This interest is balanced in our Legitimate Interest Assessment.

We do not rely on consent for this processing. The sandbox does not set advertising or analytics cookies.

Retention

  1. __Host-docs_session cookie: 15-minute sliding TTL with a 4-hour hard cap from first issuance, after which the session identifier is rotated.
  2. Short-lived sandbox credentials stamped with environment: sandbox and synthetic: true are allowlisted for up to 7 days so an evaluating developer can resume an in-progress integration without re-issuing fixtures. After 7 days the credential is no longer accepted by the sandbox verifier and is discarded.
  3. Request telemetry follows the retention rules in Section 2.3 (hashed IP addresses auto-expire within 90 days).

Fixture-input data is not retained. The sandbox generates attestations from fixture IDs in memory and does not persist the inputs.

Cross-border processing

Sandbox traffic is served through Cloudflare’s global network (the same substrate described in Section 6). Requests are handled at the data centre closest to the developer. Cloudflare processes this data as our data processor under a Data Processing Agreement that incorporates the European Commission’s Standard Contractual Clauses (Decision 2021/914, Module 2: controller to processor). Supplementary technical measures listed in Section 6 apply unchanged to the sandbox surface.

Isolation from production

The sandbox shares no data, trust root, or credential surface with the production wallet or verifier services. The sandbox issuer identity is rejected by the production verifier API, and every sandbox attestation is stamped environment: sandbox and synthetic: true so it cannot be replayed against production relying parties.
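The session lifetime from the Retention paragraphs and the acceptance rules from this paragraph, as an added illustration (not Provii's code): a sliding 15-minute window with a 4-hour hard cap that rotates the opaque identifier, a Set-Cookie line that satisfies the browser requirements for the __Host- prefix, a sandbox verifier that accepts only sandbox-stamped synthetic credentials younger than 7 days, and a production verifier that recognises issuers by allowlist so the sandbox issuer is never trusted. The timings and stamp names come from the policy; the function names, issuer labels and trust-root layout are assumptions.

```python
"""Added example (not Provii's code): docs-sandbox session lifetime and the
sandbox/production verifier acceptance rules from Section 2.5. Timings
(15-minute sliding TTL, 4-hour hard cap, 7-day allowlist) and the
environment/synthetic stamps are from the policy; everything else is an
assumption made for this illustration."""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict

SLIDING_TTL = timedelta(minutes=15)
HARD_CAP = timedelta(hours=4)
CREDENTIAL_ALLOWLIST = timedelta(days=7)
COOKIE_NAME = "__Host-docs_session"
PRODUCTION_TRUST_ROOTS = {"production-issuer"}  # constructed label


class SandboxSession:
    """Opaque identifier generated server-side; linked to no account or device."""

    def __init__(self, now: datetime) -> None:
        self.session_id = secrets.token_urlsafe(32)
        self.issued_at = now
        self.last_seen = now

    def touch(self, now: datetime) -> "SandboxSession":
        """Extend the sliding window, or rotate when either limit is exceeded."""
        if now - self.last_seen > SLIDING_TTL or now - self.issued_at > HARD_CAP:
            return SandboxSession(now)  # fresh id; the old one is discarded
        self.last_seen = now
        return self


def session_cookie(session: SandboxSession) -> str:
    """Set-Cookie value. Browsers honour the __Host- prefix only when the
    cookie is Secure, has Path=/ and carries no Domain attribute."""
    return (f"{COOKIE_NAME}={session.session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={int(SLIDING_TTL.total_seconds())}")


def host_prefix_ok(set_cookie: str) -> bool:
    """Check the three prefix requirements before emitting the header."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = [a.lower() for a in parts[1:]]
    keys = {a.split("=", 1)[0] for a in attrs}
    return (name.startswith("__Host-") and "secure" in keys
            and "path=/" in attrs and "domain" not in keys)


def sandbox_verifier_accepts(att: Dict, now: datetime) -> bool:
    """Only sandbox-stamped synthetic attestations issued within 7 days."""
    if att.get("environment") != "sandbox" or att.get("synthetic") is not True:
        return False
    return now - datetime.fromisoformat(att["issued_at"]) <= CREDENTIAL_ALLOWLIST


def production_verifier_accepts(att: Dict) -> bool:
    """Production trusts issuers by allowlist and refuses any sandbox stamp."""
    if att.get("environment") == "sandbox" or att.get("synthetic") is True:
        return False
    return att.get("issuer") in PRODUCTION_TRUST_ROOTS


def run_sandbox_demo() -> Dict:
    """Constructed timeline exercising the idle timeout and the hard cap."""
    t0 = datetime(2026, 4, 14, 9, 0, tzinfo=timezone.utc)
    s = SandboxSession(t0)
    first_id = s.session_id
    s = s.touch(t0 + timedelta(minutes=10))  # inside the sliding window
    kept = s.session_id == first_id
    s = s.touch(t0 + timedelta(minutes=30))  # 20 minutes idle: rotated
    rotated_idle = s.session_id != first_id
    # touch every 10 minutes for 5 hours: the hard cap forces one rotation
    t, rotations = s.issued_at, 0
    for _ in range(30):
        t += timedelta(minutes=10)
        nxt = s.touch(t)
        rotations += nxt is not s
        s = nxt
    fresh = {"environment": "sandbox", "synthetic": True, "issuer": "sandbox-issuer",
             "issued_at": (t0 - timedelta(days=6)).isoformat()}
    stale = dict(fresh, issued_at=(t0 - timedelta(days=8)).isoformat())
    return {
        "kept": kept,
        "rotated_idle": rotated_idle,
        "cap_rotations": rotations,
        "cookie_prefix_ok": host_prefix_ok(session_cookie(s)),
        "sandbox_accepts_fresh": sandbox_verifier_accepts(fresh, t0),
        "sandbox_accepts_stale": sandbox_verifier_accepts(stale, t0),
        "production_accepts_sandbox": production_verifier_accepts(fresh),
    }
```

Keeping the production trust roots as an explicit allowlist, rather than a denylist of sandbox issuers, is what makes the isolation hold even if a new sandbox identity is introduced later.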

Further detail for developers

Software developers using the docs sandbox should also read the Developer Privacy Notice, which sets out the full schema for what we process about you, how long we keep it, and the rights you can exercise as a developer data subject under the UK GDPR, EU GDPR, and Australian Privacy Act.

3. How We Use Your Information

The limited information we process is used solely to:

  1. Issue age credentials during initial setup
  2. Verify zero knowledge proofs during age checks
  3. Maintain security and prevent abuse of our infrastructure

We do not use your information for advertising, profiling, direct marketing, or any purpose beyond operating the age verification service. APP 7 (direct marketing) is not engaged.

4. How We Protect Your Information

We implement security measures at every level:

  • On-device security: Credentials are stored in your device’s hardware-backed keychain, protected by biometric authentication (Face ID or Touch ID). Data is marked as non-extractable and accessible only when the device is unlocked.
  • Transport security: All communications use TLS encryption. Our servers enforce HSTS with preloading.
  • Server security: Our infrastructure runs on Cloudflare Workers with rate limiting, content security policies, and strict access controls. We apply data minimisation principles: we do not store what we do not need.
  • Cryptographic design: The zero knowledge proof system is designed so that even if our servers were compromised, an attacker would not be expected to learn users’ dates of birth from verification data.

5. Sharing and Disclosure

We do not sell, trade, or rent your personal information.

When you verify your age with a business, that business receives only a yes or no result; they do not receive your date of birth, your identity, or any other personal information through our system.

Categories of recipients who may receive personal information:

  • Cloudflare, Inc. (infrastructure provider and data processor): processes requests on our behalf under a Data Processing Agreement
  • Requesting businesses: receive only a pass or fail verification result, which does not constitute personal information
  • Authentication providers, which process administrator and officer identity data, sign-in events, and multi-factor authentication factors to authenticate Maelstrom AI staff and verifier organisation administrators. Wallet users never interact with authentication providers, and no age verification data is ever disclosed to them.
  • Email delivery providers, which process administrator and verifier onboarding email addresses and message content to deliver transactional messages such as account invitations and operational notifications. Email delivery providers do not receive wallet data, age verification data, or children’s personal data.
  • Law enforcement or regulatory authorities: only when required by Australian law, a court order, or a lawful government request. We will notify you of such requests where legally permitted.

The concrete sub-processors engaged under each of the recipient categories above, including the “authentication providers” and “email delivery providers” categories newly named in v2.1, are listed with full data-category tables, DPA references, and transfer mechanisms on our Sub-Processors page (v1.1, 14 April 2026).

6. Cross-Border Data Processing

Our infrastructure is hosted on Cloudflare’s global network, which operates data centres in over 300 locations worldwide. Requests are processed at the data centre closest to the user, which means the specific country of processing depends on the user’s location. We cannot reasonably specify all countries in advance, but processing is likely to occur in Australia, the United States, European Union member states, the United Kingdom, Singapore, Japan, and other countries where Cloudflare maintains data centres.

Cloudflare processes personal information on our behalf as a data processor, under a Data Processing Agreement that complies with Article 28 of the GDPR and includes the European Commission’s Standard Contractual Clauses (adopted under Decision 2021/914). We take reasonable steps, as required by APP 8, to ensure that overseas processing of personal information meets protections comparable to the Australian Privacy Principles.

We implement supplementary technical measures including one-way hashing of IP addresses before logging, ephemeral processing of personal information during credential issuance (no data at rest), and a zero knowledge proof architecture that is designed to minimise personal data in the verification flow.

7. Your Rights

Under Australian Privacy Law

You have the right to:

  1. Request access to any personal information we hold about you (APP 12)
  2. Request correction of any inaccurate personal information (APP 13)
  3. Make a complaint about how we handle your personal information

In practice, because we do not maintain user accounts or store personal information beyond hashed IP addresses in temporary audit logs, there is generally no personal information for us to provide access to or correct.

Under the EU General Data Protection Regulation (GDPR)

Provii Wallet’s verification services may be used by businesses established in the European Economic Area. Where our Services are used to verify the age of individuals in the EEA, we act as an independent data controller subject to the GDPR under Article 3(2)(a). Businesses that integrate our verification API are separate controllers responsible for their own GDPR obligations.

We do not process any special categories of personal data as defined in Article 9 of the GDPR. Our zero knowledge proof architecture is designed so that raw biometric data and identity documents do not reach our servers.

We do not rely on consent as a legal basis. Our processing is based on:

  1. Credential issuance (ephemeral processing of date of birth and blinding factor): Contractual necessity (Article 6(1)(b)) because you request the creation of an age credential, and processing your date of birth is necessary to fulfil that request.
  2. Age verification (processing zero knowledge proofs): Legitimate interests (Article 6(1)(f)); our interest is providing a functioning age verification service. This does not override your rights given that the proof reveals only a yes or no result and no personal data is retained.
  3. Security logging (hashed IP addresses, 90-day retention): Legitimate interests (Article 6(1)(f)); our interest is protecting the security and integrity of our infrastructure. This does not override your rights given that IP addresses are hashed before storage and logs are automatically deleted after 90 days.

Data provision

Providing your date of birth during credential issuance is necessary to create your age credential. If you choose not to provide this information, we cannot issue a credential. There is no statutory obligation to provide your data to us.

Automated decision-making

Our verification system produces an automated pass or fail result based on the zero knowledge proof you submit. We do not engage in profiling. The automated verification result does not itself produce legal effects concerning you; any decision to grant or deny access is made by the requesting business under its own policies and legal obligations.

Your GDPR rights

  • Right to access: You may request a copy of any personal data we hold about you (Article 15).
  • Right to rectification: You may request correction of inaccurate personal data (Article 16).
  • Right to erasure: You may request deletion of your personal data (Article 17). Audit logs (including hashed IP addresses) are automatically deleted after 90 days.
  • Right to restriction: You may request that we restrict processing of your personal data (Article 18).
  • Right to portability: You may request your personal data in a structured, machine-readable format (Article 20).
  • Right to object: You may object to processing based on legitimate interests (Article 21).
  • Right to complain: You have the right to lodge a complaint with the data protection supervisory authority in your Member State of habitual residence, place of work, or place of the alleged infringement.

International transfers

Australia does not have an EU adequacy decision. Transfers of personal data outside the EEA are protected by Standard Contractual Clauses (European Commission Decision 2021/914, Module 2: controller to processor) as incorporated in Cloudflare’s Data Processing Agreement. Supplementary technical measures are described in Section 6 above.

Data Protection Officer and EU representative

We have not appointed a Data Protection Officer as our processing activities do not meet the thresholds requiring one under Article 37 of the GDPR. For data protection enquiries from EEA residents, please contact privacy@maelstrom.au.

We have not yet appointed an EU representative under Article 27 of the GDPR. We will designate a representative before actively offering our Services to EU businesses. This section will be updated with representative contact details at that time.

8. Children’s Privacy

Provii Wallet is an age verification service. The wallet application is designed to be used by individuals of all ages who have been issued a credential by a trusted issuer.

We do not knowingly collect personal information from children beyond what is described in this policy. The same privacy protections (on-device storage, zero knowledge proofs, and data minimisation) apply equally to all users regardless of age.

We do not rely on consent as a legal basis for processing, and therefore Article 8 of the GDPR (conditions for a child’s consent in relation to information society services) does not directly apply. We apply enhanced privacy protections to all users regardless of age.

Parents or guardians who have concerns about their child’s use of Provii Wallet may contact us at the address below.

9. Data Retention

  • On-device data: Stored until you delete the app or remove the credential. We have no access to data stored on your device.
  • Issuance data: Not retained. Processed in memory only during credential creation.
  • Audit logs: Retained for 90 days, then automatically deleted.
  • Website data: No personal data is collected or retained by the website.
  • Docs sandbox session cookie: 15-minute sliding TTL, 4-hour hard cap from first issuance.
  • Docs sandbox synthetic credential allowlist: Up to 7 days for evaluating developers to resume integration work, after which the credential is discarded and rejected.

10. Data Breach Notification

If we become aware of grounds to suspect a data breach has occurred, we will conduct an assessment within 30 days to determine whether it is an eligible data breach.

If a breach under Part IIIC of the Privacy Act 1988 is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. Notification will include a description of the breach, the kinds of information involved, and recommended steps you should take.

Where a personal data breach affects individuals in the EEA and is likely to result in a risk to their rights and freedoms, we will notify the relevant supervisory authority within 72 hours in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay in accordance with Article 34.

Our privacy-preserving architecture significantly reduces breach risk. Because we do not store dates of birth, identity documents, or raw IP addresses, the practical impact of a server-side breach is limited.

11. Australian Regulatory Framework

Provii Wallet’s zero knowledge proof architecture aligns with the privacy principles established by the Australian eSafety Commissioner for age verification technologies. Specifically, our approach satisfies:

  1. Data minimisation: Only age attributes are shared between our technology and content hosts, as required by the eSafety Commissioner’s age verification roadmap.
  2. Privacy protection: Privacy is a core design component, not an afterthought, with privacy-protective settings as the default.
  3. Accuracy and reliability: Cryptographic proofs provide mathematically verifiable age confirmation.
  4. Transparency: Our verification code and ISMS documentation are publicly auditable.

We will comply with any applicable industry codes or standards registered under Part 9 of the Online Safety Act 2021, including the age-restricted material codes that commenced in December 2025. We monitor the eSafety Commissioner’s regulatory guidance and will update our practices as requirements evolve.

12. Open Source

Our cryptographic protocols and client applications are open source. You can inspect exactly how your data is handled at github.com/MaelstromAI.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised “Last updated” date. For material changes, we will provide notice on our website.

13.1 Version history

Version | Date | Summary
2.0 | 13 April 2026 | Consolidated docs-sandbox disclosures, APP mapping, and cross-border processing section.
2.1 | 14 April 2026 | Named two additional recipient categories in Section 5: “authentication providers” and “email delivery providers”. Added a cross-link to the Sub-Processors page (v1.1) as the canonical list of the concrete processors engaged under each recipient category. This is a forward disclosure under Article 13(1)(e) of the GDPR and APP 5 for Australian data subjects.

14. Contact Us and Complaints

If you have questions about this Privacy Policy, wish to exercise your rights, or want to make a complaint about how we handle your personal information, please contact us:

Complaint handling

If you make a privacy complaint, we will acknowledge receipt within 5 business days and investigate the matter. We aim to respond with an outcome within 30 days. If we need more time, we will let you know and explain why.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner. If you are in the EEA, you may lodge a complaint with the data protection supervisory authority in your Member State.