Privacy Policy — idroot.org

Legal

Last updated: May 3, 2026 · GDPR compliant · Governing law: Federal Republic of Germany · The German version of this Privacy Policy is authoritative. In case of discrepancy between language versions, the German version shall prevail.

Plain-language summary: We collect the minimum data necessary to run this service. We do not sell your data. We do not run advertising. Your identity documents are processed by Didit and never stored by us — we only store whether your verification passed. You can request deletion of your data at any time.

1. Controller

Sebastian Fleckenstein
Erthalstr. 6.
97816 Lohr am Main, Germany
Email: contact@idroot.org

This service is operated by a private individual. No Data Protection Officer (DPO) is required or appointed. For all data protection enquiries, please use the contact above.

2. Applicable law

Processing is governed by Regulation (EU) 2016/679 (GDPR), the Bundesdatenschutzgesetz (BDSG), and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG).

3. Data we collect and why

3.1 Handle registration

Data	Purpose	Legal basis (GDPR)	Retention
AT Protocol DID	Link handle to your identity; provision DNS TXT record	Art. 6(1)(b) — contract	Duration of handle + 30 days
Chosen username	Reserve and provision your handle	Art. 6(1)(b) — contract	Duration of handle + 30 days
Didit verification status & timestamp	Confirm a real, unique person owns the handle; prevent duplicates	Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest	Duration of handle + 30 days
Email address (optional)	Service notifications	Art. 6(1)(a) — consent	Until consent is withdrawn

We do not store identity documents, facial scan data, or any other biometric data. This is processed exclusively by Didit.

3.2 Server logs

Our backend server (hosted in Germany) automatically records IP address, timestamp, HTTP method, URL, response code, and user agent for each request. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in system security and legal compliance (§ 100 TKG). Retained for 7 days, then automatically deleted.

3.3 Web analytics

We use Cloudflare Web Analytics — cookieless, no personal identifiers, no cross-site tracking. Only anonymised aggregate data (page views, country-level, referrers). Legal basis: Art. 6(1)(f) GDPR — legitimate interest. No consent banner required.

4. What we do not collect

We do not collect or store identity documents or biometric data; track users across websites; use advertising cookies or third-party marketing trackers; sell, rent, or share personal data commercially; or profile users or make automated decisions with legal effects.

5. Cookies

idroot.org does not set tracking or analytics cookies. Cloudflare may set strictly necessary technical cookies as part of its CDN/security infrastructure; these do not require consent under applicable law.

6. Data processors and third parties

6.1 Didit (identity verification)

Didit (didit.me) acts as a data processor under a Data Processing Agreement. When you verify, your ID document and facial scan are processed by Didit. We receive only a pass/fail outcome and timestamp. See didit.me/privacy.

6.2 Cloudflare

Cloudflare, Inc. provides DNS, CDN, DDoS protection, and web analytics. All web traffic passes through Cloudflare. Cloudflare is certified under the EU-US Data Privacy Framework. SCCs apply per Art. 46(2)(c) GDPR. See cloudflare.com/privacypolicy.

6.3 Backend hosting

The idroot.org backend is hosted on servers located in Germany. No personal data from the backend is transferred outside the EEA except as described above.

6.4 AT Protocol network

When you activate your handle, a public DNS TXT record is created associating your username with your DID. This is public by design — it is how AT Protocol handle resolution works and is not a disclosure of personal data by idroot.org.

7. International data transfers

Where data is transferred outside the EEA (Cloudflare infrastructure in the US), transfers are made under the EU-US Data Privacy Framework and Standard Contractual Clauses per Art. 46(2)(c) GDPR.

8. Your GDPR rights

Contact contact@idroot.org to exercise any of the following rights. We respond within one month (Art. 12(3) GDPR).

Access (Art. 15): Request confirmation of processing and a copy of your data.
Rectification (Art. 16): Request correction of inaccurate data.
Erasure (Art. 17): Request deletion of your data. This will also delete your handle and DNS record.
Restriction (Art. 18): Request restricted processing in certain circumstances.
Portability (Art. 20): Request your data in a structured, machine-readable format where processing is based on consent or contract.
Object (Art. 21): Object to processing based on legitimate interest.
Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
Lodge a complaint (Art. 77): You may complain to the BfDI (German Federal Commissioner for Data Protection) or the supervisory authority in your EU member state.

9. Data security

We implement TLS encryption in transit, access controls, server-side encryption at rest, and automated log deletion. In the event of a breach likely to risk your rights, we will notify the competent supervisory authority within 72 hours and affected individuals where required (Art. 33–34 GDPR).

10. Children

Identity verification requires a government-issued ID and users must meet the applicable minimum age. We do not knowingly collect data from children below this threshold and will delete such data if discovered.

11. Changes to this Privacy Policy

We may update this Privacy Policy at any time. Changes will be posted here with an updated date. Where changes are material, we will make reasonable efforts to notify users who have provided an email address.

12. Contact

Sebastian Fleckenstein
Erthalstr. 6.
97816 Lohr am Main, Germany
Email: contact@idroot.org