Privacy Policy

Effective Date: March 18, 2026 · Last Updated: March 18, 2026

Rifftlo Inc. ("Company," "we," "us," or "our") is committed to protecting the privacy of individuals who use the PCRCI Identity application ("App"), website (rifftlo.com), and related services ("Services"). This Privacy Policy describes what data we collect, how we use it, and your rights regarding your information.

This policy is designed to comply with the requirements of the Apple App Store, Google Play Store, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable data protection laws in our countries of operation.

1. Data Controller

Rifftlo Inc.
Incorporated in Delaware, United States
Email: support@rifftlo.com
Website: rifftlo.com

2. Data We Collect

2.1 Subject Enrollment Data

Data Type	Required	Purpose	How Stored
Full name	Yes	Identity record	Encrypted in Firestore
Estimated birth year / birthday	Yes	Identity record	Encrypted in Firestore
Tribe / clan name	Optional	Cultural identity context	Encrypted in Firestore
Preferred language	Yes	Communication accessibility	Encrypted in Firestore
GPS coordinates	Optional	Enrollment location, fraud detection	Encrypted in Firestore
Facial geometry hash	Optional	Biometric deduplication & re-authentication	SHA-256 hash only; raw image immediately discarded
Gender	Optional	Identity record	Encrypted in Firestore

2.2 Agent Data

Data Type	Purpose	How Stored
Government ID photo hash	Agent verification	SHA-256 hash only
Registered GPS location	Fraud geo-fencing	Encrypted in Firestore
NFC badge DID	Agent authentication	Encrypted in Firestore
Promo code	Authorization verification	Hashed after validation

2.3 Attestor Data

Data Type	Purpose	How Stored
Government ID type & hash	Attestor verification	SHA-256 hash only; raw ID never stored
Attestor type	Attestation weighting	Encrypted in Firestore
Attestation count & history	Fraud detection velocity limits	Encrypted in Firestore

2.4 Automatically Collected Data

Activity logs: Every action (login, enrollment, attestation, NFC operation, fraud flag) is recorded in an append-only, hash-chained activity log for audit and compliance purposes.
Device connectivity status: Used to manage offline-to-online sync queuing.
Session data: Session identifiers and timestamps for security.

2.5 Website Data

When you use rifftlo.com, we collect:

Email and password (if you create an account) — stored in Firebase Auth.
Firebase Analytics data (if enabled) — anonymous usage statistics.

3. Biometric Data Handling

This is a critical privacy safeguard. PCRCI never stores, transmits, or retains raw biometric data. Our process:

A photograph is captured via the device camera during enrollment or verification.
Google ML Kit (running entirely on-device) extracts facial geometry landmarks (eye, nose, mouth positions).
Landmarks are rounded to a 10-pixel grid for tolerance and concatenated.
The concatenated landmarks are hashed using SHA-256.
The original photograph is immediately and permanently discarded. It is never saved to device storage, uploaded to any server, or transmitted over any network.

Only the irreversible SHA-256 hash is stored. It is mathematically impossible to reconstruct a face from this hash. The hash is used solely for deduplication (detecting if two enrollments are the same person) and re-authentication at government kiosks.

4. How We Use Your Data

Identity registration and verification — creating and maintaining identity records.
Confidence scoring — calculating attestation-based trust scores.
Fraud detection and prevention — enforcing velocity limits, geographic boundaries, and biometric deduplication.
Audit compliance — maintaining tamper-evident activity logs for regulatory compliance.
Service delivery — enabling institutions to verify identity for banking, healthcare, land registration, and government services.
System improvement — aggregated, anonymized statistics to improve service quality.

5. Data Sharing

We share data only in the following circumstances:

Authorized institutions — via the Government API, which provides only confidence scores, threshold status, and aggregated data. No personal identifiable information (PII) is exposed through the API.
Infrastructure providers — Google Firebase and Google Cloud process data as described in Section 8. They act as data processors under our instructions.
Legal requirements — when required by law, court order, or government request.
Safety — to prevent fraud, abuse, or threats to safety.

We do not sell, rent, or trade personal data to third parties for marketing or advertising purposes.

6. Data Storage and Security

6.1 Storage Architecture

Local device: SQLite database for offline-first operation. Data is encrypted at the device level.
Cloud: Google Cloud Firestore (asia-southeast1 region) with default Google Cloud encryption at rest.
Multi-tenant isolation: Data is namespaced by country code (e.g., /ph/, /pg/, /tl/) ensuring complete data isolation between jurisdictions.

6.2 Security Measures

All data in transit is encrypted via TLS 1.2+.
All data at rest is encrypted via Google Cloud default encryption (AES-256).
Append-only, hash-chained activity log — no log entries can be modified or deleted (enforced by Firestore security rules).
Role-based access control (RBAC) with seven distinct roles and granular permissions.
Webhook signatures using HMAC-SHA256 for all outgoing notifications.
Rate limiting on all API endpoints (60 requests/minute per key).
API key and OIDC OAuth 2.0 authentication for institutional access.

7. Data Retention

Identity records: Retained as long as the identity record is active or until deletion is requested.
Activity logs: Retained indefinitely as part of the immutable audit trail for regulatory compliance. Logs contain event types, timestamps, and actor identifiers — not personal data.
Biometric hashes: Retained as long as the associated identity record is active.
Website accounts: Retained until you request deletion or deactivation.

8. Third-Party Data Processors

Service	Provider	Data Processed	Processing Location
Firebase Auth	Google LLC	Email, password, auth tokens	Global
Cloud Firestore	Google LLC	Identity records, attestations, activity logs	asia-southeast1
Cloud Run	Google LLC	API requests, verification queries	asia-southeast1
Cloud Storage	Google LLC	Document uploads (if applicable)	asia-southeast1
Google ML Kit	Google LLC	Facial geometry extraction	On-device only — no cloud processing

All third-party processors are bound by their respective data processing agreements. See: Firebase Privacy Information, Google Cloud Privacy.

9. Device Permissions

Permission	Purpose	Data Handling
Camera	Face capture for biometric hash	Image processed on-device, hashed (SHA-256), then immediately discarded
Biometric (Fingerprint / Face ID)	Agent authentication	Processed by device OS; never accessed or stored by the App
Location (Fine & Coarse)	Fraud geo-fencing (agent within 500m of registered area)	Coordinates logged for fraud detection; not shared externally
NFC	Read/write DID to NTAG215/216 cards	Only DID string written to card — no personal data on card
Microphone	Speech-to-text for name entry	Processed on-device by Android SpeechRecognizer; audio never recorded or stored
Internet	Sync local data to Firestore	Only hashes, scores, and metadata transmitted over TLS

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

Right to access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate data.
Right to deletion: Request deletion of your identity record. Contact support@rifftlo.com or a local government officer. We will process deletion requests within 30 days.
Right to restrict processing: Request that we limit how we use your data.
Right to data portability: Request your data in a structured, machine-readable format.
Right to object: Object to processing of your data for specific purposes.
Right to withdraw consent: Withdraw your enrollment consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email support@rifftlo.com. We will respond within 30 days.

11. Children's Privacy

The PCRCI application is intended for users aged 18 and older. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at support@rifftlo.com.

12. International Data Transfers

PCRCI operates in the Philippines, Papua New Guinea, Timor-Leste, Solomon Islands, Vanuatu, Fiji, and Indonesia. Data is stored in Google Cloud's asia-southeast1 region (Singapore). Data may be processed in the United States by Rifftlo Inc. for administration and support purposes.

For users in the European Economic Area (EEA), transfers to the United States are conducted under appropriate safeguards including Standard Contractual Clauses as adopted by the European Commission.

13. Cookies and Tracking

The rifftlo.com website does not use cookies for advertising or tracking. We use:

Firebase Auth session persistence — to maintain your login state (functional, not tracking).
sessionStorage — temporary session data cleared when the browser tab is closed.

The mobile App does not use cookies or third-party tracking SDKs.

14. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify affected individuals within 72 hours of becoming aware of the breach.
Notify relevant supervisory authorities as required by applicable law.
Take immediate steps to contain and remediate the breach.
Provide details on the nature of the breach, the data affected, and recommended actions.

15. Regulatory Compliance

PCRCI is designed to align with:

GDPR (EU General Data Protection Regulation) — data minimization, purpose limitation, consent, and data subject rights.
CCPA (California Consumer Privacy Act) — right to know, right to delete, right to opt-out.
FATF Guidance on Digital Identity — tiered KYC based on risk assessment.
World Bank ID4D Principles — inclusion, privacy, governance, proportionality.
eIDAS (EU Electronic Identification) — compatible identity assurance levels.
ISO/IEC 29115 — entity authentication assurance framework.
ISO 27001 — information security management (audit logging).
Apple App Store Guidelines — Section 5.1 (Privacy), transparency, consent, data minimization.
Google Play Developer Policy — Data Safety section, permission justifications, privacy policy requirements.

16. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through the App or via email. The "Last Updated" date at the top of this page reflects the most recent revision. Your continued use of the Services after changes are posted constitutes acceptance of the revised policy.

17. Contact Us

For privacy-related inquiries, data requests, or complaints:

Rifftlo Inc.
Email: support@rifftlo.com
Website: rifftlo.com

If you are in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.