Privacy Policy (plain English summary)

A short, plain English summary of what we collect, why, and what rights you have.

Public

Privacy Policy in plain English

Last updated: 13 April 2026

This page is a short summary. It is written in plain words so anyone can follow it. It does not replace the formal Privacy Policy, which is the binding legal text.

Who we are

We are Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, the Australian company behind Provii Wallet. Our job is to help you prove your age online without handing over your date of birth.

What information we collect

Most of the time, almost nothing. Our system is built so that your age stays on your device, not on our servers.

Here is what we do see, by area:

On our website

Nothing from you. No accounts. No sign-in forms, no email fields, no newsletter pop-ups, no contact forms. Your dark or light mode choice is saved in your own browser and never leaves it.

On our developer docs sandbox

Our docs site has a sandbox area for software developers who are testing Provii. If you use it, we see:

  • A random session ID in a cookie, so your test requests stick together.
  • Basic request data, like a hashed IP address, used to block abuse.
  • Rough browser info, like “this is a Chrome browser on a laptop”, to spot bots.
  • Fake sample data you choose from a list. The sandbox refuses real personal data.

We do not see your name, your email, your phone number, or your address. The sandbox is meant for software developers who are evaluating Provii before they plug it in. It is not a consumer product.

In the wallet app on your phone

Your date of birth and your credential live on your phone. They sit inside the same secure area of the phone that stores your payment cards or your face ID template. We are not designed to read them, and the architecture is designed to make that impractical. Under normal operation, nobody except you should be able to read them.

When you first set up the wallet, your date of birth is sent once to the issuer. An issuer is a trusted party, for example your bank. The issuer uses the date to sign your credential, then throws it away. It is not stored on our side.

On our verification servers

When you verify your age, your device does the maths locally. A proof is sent to our server. The proof shows only “yes, this person meets the age rule” or “no, they do not”. Your date of birth is not sent. Your identity is not sent either.

We also keep short security logs. These hold hashed IP addresses, which are not stored in a form designed to be reversed to the original IP. Most logs are kept for up to 90 days and then deleted. Logs relating to critical security events may be retained for up to 365 days.

Why we collect it

Four plain reasons:

  1. To set up your credential the first time.
  2. To check that proofs sent by the wallet are valid.
  3. To stop bots and abuse.
  4. To help developers test the system safely in the sandbox.

We do not sell data. We do not run ads, profile you, or build up a record of your behaviour over time.

How we use it

Only for the four reasons above. Nothing else. We do not send marketing emails. The wallet and the sandbox are kept apart. We do not combine what we see across sites, across visits, across devices, or across anything else.

Who we share it with

One company, for one job:

  • Cloudflare, which runs our servers and keeps the site safe from attacks. They act on our instructions under a data processing contract.

Businesses that use Provii to check your age receive a simple yes or no answer. They do not get your date of birth or your identity from us.

We will share data with law enforcement or a regulator only if we are legally required to do so. We will tell you when we are allowed to.

How long we keep it

  • Data on your device: until you delete the app or the credential. We are not designed to access it.
  • Issuance data (your date of birth at setup): not kept. Used once, then gone.
  • Security logs with hashed IP addresses: up to 90 days, then deleted. Critical security event logs: up to 365 days.
  • Sandbox session cookie: up to 4 hours, then rotated.
  • Sandbox sample credentials for developers: up to 7 days, then rejected.

No children targeted

The wallet is not aimed at children. It is aimed at anyone who needs to prove an age, of any kind. The developer sandbox is for software engineers, not consumers. We treat data from everyone with the same care, whatever their age.

If you are a parent with a question, you can write to us at the address below.

Your rights

You have rights over your personal information. The main ones are:

  • Ask what we hold about you.
  • Ask us to correct something that is wrong.
  • Ask us to delete something.
  • Complain to a regulator if you are not happy with how we handle it.

In most cases we hold almost nothing about you, so there is nothing to send or delete. That is by design.

If you are in Australia, you can complain to the Office of the Australian Information Commissioner. If you are in the EU or UK, you can complain to your local data protection authority.

How to contact us

Email: privacy@maelstrom.au

Post: PO Box 169, St Arnaud VIC 3478, Australia

We reply to privacy emails within 5 business days. A full answer usually follows within 30 days.

Read the full legal text

The binding version, with all defined terms and legal bases, is at Privacy Policy. If this summary seems to clash with the formal policy, the formal policy wins.