Privacy Policy — idroot.org

Legal

Last updated: June 02, 2026 · GDPR compliant · Governing law: Federal Republic of Germany · The German version of this Privacy Policy is authoritative. In case of discrepancy between language versions, the German version shall prevail.

        Plain-language summary: We collect the data necessary
        to run this service and ensure its security. We do not sell your data.
        We do not run advertising. While identity verification is processed by
        Didit, we store certain identification details in our secure server logs
        for security reasons. You can also opt-in to store your verified details
        for public profile use. You can request deletion of your data at any
        time.
      

1. Controller

Sebastian Fleckenstein
Erthalstr. 6.
97816 Lohr am Main, Germany
Email: contact@idroot.org

This service is operated by a private individual. No Data Protection Officer (DPO) is required or appointed. For all data protection enquiries, please use the contact above.

2. Applicable law

Processing is governed by Regulation (EU) 2016/679 (GDPR), the Bundesdatenschutzgesetz (BDSG), and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG).

3. Data we collect and why

3.1 Handle registration and account creation

When you register a handle, a user account is created on the idroot.org platform. The following data is collected and stored:

Data	Purpose	Legal basis (GDPR)	Retention
AT Protocol DID	Link handle to your verified identity; provision DNS TXT record	Art. 6(1)(b) — contract	Duration of account + 30 days
Chosen username / handle	Reserve and provision your handle	Art. 6(1)(b) — contract	Duration of account + 30 days
Didit verification status & timestamp	Confirm a real, unique person owns the handle; prevent duplicate registrations	Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest	Duration of account + 30 days
Date and record of acceptance of Terms of Service	Legal compliance; documentation of contractual consent	Art. 6(1)(c) — legal obligation; Art. 6(1)(b) — contract	Duration of account + 30 days
Email address	Notifications about changes to Terms of Service and Privacy Policy; monthly newsletter (only with explicit consent)	Art. 6(1)(b) — contract (account notifications); Art. 6(1)(a) — consent (newsletter)	Duration of account + 30 days
Verified Real Name & Address (Opt-in)	Display on public profile; allow other providers to verify your identity without re-verification	Art. 6(1)(a) — consent	Until consent is withdrawn

3.1.1 AT Protocol authentication and session

To link your AT Protocol account with idroot.org, an authenticated session with your AT Protocol PDS (Personal Data Server) is established. This can be done via one of the following methods:

Password / App Password: Used exclusively to create the AT Protocol session and not stored afterwards.
OAuth: Access is via the `atproto` scope whenever possible, which is limited to authentication and reading basic profile data. If this function is not implemented by your provider, we request full access.

The following data is processed as part of the authentication:

Data	Purpose	Legal basis (GDPR)	Retention
Password / App Password	Creation of the AT Protocol session	Art. 6(1)(b) — contract	Not stored after session creation
Access Token / Refresh Token	Maintaining the authenticated session	Art. 6(1)(b) — contract	Duration of the active session
Email address (via AT Protocol `getSession`)	Transmitted by the AT Protocol PDS during the authentication process and stored for account notifications (see 3.1)	Art. 6(1)(b) — contract	Duration of account + 30 days

We only request the data necessary for authentication and account creation. We do not perform any actions (e.g. posts, follows) on your behalf without you explicitly triggering them in the application.

User account data is stored on the idroot.org backend, hosted on IONOS SE infrastructure in Germany (see § 6.3). Account management is available at dashboard.idroot.org.

We do not store identity document images, facial scan data, or any other biometric data. This is processed exclusively by Didit.

3.2 Server logs

Server logs are generated on infrastructure hosted by IONOS SE (see § 6.3). This server automatically records IP address, timestamp, HTTP method, URL, response code, and user agent for each request.

In addition, for security reasons, we record identification details provided during the verification process, including Full Name, Address, and ID Document Number.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in system security and legal compliance (§ 100 TKG). Retained for 90 days, then automatically deleted.

3.3 Web analytics

We use Cloudflare Web Analytics — cookieless, no personal identifiers, no cross-site tracking. Only anonymised aggregate data (page views, country-level, referrers). Legal basis: Art. 6(1)(f) GDPR — legitimate interest. No consent banner required.

4. What we do not collect

We do not collect or store images of identity documents or biometric data; track users across websites; use advertising cookies or third-party marketing trackers; sell, rent, or share personal data commercially; or profile users or make automated decisions with legal effects.

5. Cookies

idroot.org does not set tracking or analytics cookies. Cloudflare may set strictly necessary technical cookies as part of its CDN/security infrastructure; these do not require consent under applicable law.

6. Data Processors and Third Parties

6.1 Didit (identity verification)

Didit
C/ Nàpols 227, Barcelona, Spain
Contact: hello@didit.me
Privacy policy: didit.me/en/terms/privacy-policy/

Didit acts as a data processor under a Data Processing Agreement (Art. 28 GDPR). When you verify your identity, your ID document and biometric (facial scan) data are processed by Didit. We receive only a pass/fail outcome and a timestamp. Didit stores verification data by default in the EU (AWS infrastructure). Didit is ISO 27001 certified and GDPR-compliant.

Data processed by Didit may be transferred outside the EEA. Such transfers are governed by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or applicable adequacy decisions.

6.2 Cloudflare (DNS, CDN, security, analytics)

Cloudflare, Inc.
101 Townsend St, San Francisco, CA 94107, USA

EU representative and German contact point:
Cloudflare Germany GmbH
Rosental 7, c/o Mindspace, 80331 München, Germany
Privacy policy: cloudflare.com/privacypolicy/

All web traffic passes through Cloudflare's network. Cloudflare provides DNS, CDN, DDoS protection, and cookieless web analytics. Cloudflare is certified under the EU-US Data Privacy Framework (DPF) and processes personal data (including IP addresses and technical access data) as a data processor under a Data Processing Addendum (DPA). Transfers to the US are made under the EU-US DPF and Standard Contractual Clauses per Art. 46(2)(c) GDPR.

We use Cloudflare Web Analytics, which is cookieless and collects only anonymised aggregate data (page views, country-level, referrers). No personal identifiers are collected via analytics. No consent banner is required for this use. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure and performant website operation.

Cloudflare may set strictly necessary technical cookies as part of its CDN and security infrastructure. These do not require consent under applicable law (§ 25(2) TDDDG).

6.3 Backend hosting (IONOS SE)

IONOS SE
Elgendorfer Straße 57, 56410 Montabaur, Germany
HRB 24498, Amtsgericht Montabaur
Data Protection Officer: datenschutz@ionos.de

The idroot.org backend — including all user account data (DID, handle, verification status, terms acceptance record, optional email) — is hosted on servers operated by IONOS SE in Germany. IONOS SE acts as a data processor under an order processing agreement (Art. 28 GDPR). No personal data from the backend is transferred outside the EEA in the course of hosting.

Legal basis: Art. 6(1)(b) GDPR — processing necessary for the performance of the contract (handle provisioning and account management); Art. 6(1)(f) GDPR — legitimate interest in secure and reliable infrastructure operation.

6.4 AT Protocol network

When you activate your handle, a public DNS TXT record is created associating your username with your DID. This is public by design — it is how AT Protocol handle resolution works and is not a disclosure of personal data by idroot.org beyond what is inherent to the protocol.

7. International data transfers

Where data is transferred outside the EEA (Cloudflare infrastructure in the US), transfers are made under the EU-US Data Privacy Framework and Standard Contractual Clauses per Art. 46(2)(c) GDPR.

8. Your GDPR rights

Contact contact@idroot.org to exercise any of the following rights. We respond within one month (Art. 12(3) GDPR).

Access (Art. 15): Request confirmation of processing and a copy of your data.
Rectification (Art. 16): Request correction of inaccurate data.
Erasure (Art. 17): Request deletion of your data. This will also delete your handle and DNS record.
Restriction (Art. 18): Request restricted processing in certain circumstances.
Portability (Art. 20): Request your data in a structured, machine-readable format where processing is based on
Object (Art. 21): Object to processing based on legitimate interest.
Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
Lodge a complaint (Art. 77): You may complain to the BfDI (German Federal Commissioner for Data Protection) or the supervisory authority in your EU member state.

9. Data security

We implement TLS encryption in transit, access controls, server-side encryption at rest, and automated log deletion. In the event of a breach likely to risk your rights, we will notify the competent supervisory authority within 72 hours and affected individuals where required (Art. 33–34 GDPR).

10. Children

Identity verification requires a government-issued ID and users must meet the applicable minimum age. We do not knowingly collect data from children below this threshold and will delete such data if discovered.

11. Changes to this Privacy Policy

We may update this Privacy Policy at any time. Changes will be posted here with an updated date. Where changes are material, we will make reasonable efforts to notify users who have provided an email address.

12. Contact

Sebastian Fleckenstein
Erthalstr. 6.
97816 Lohr am Main, Germany
Email: contact@idroot.org