Privacy Policy
Last updated: March 2026
Humark is built on the principle that your identity belongs to you. This policy explains exactly what data we collect, what we never touch, and how your biometric information stays on your device.
Data Controller
The Humark platform is owned and operated by AU-SVRN, which acts as the data controller (or, where applicable, the business under CCPA/CPRA) for personal data collected through humark.id and the Humark mobile application. References to "Humark," "we," "us," and "our" throughout this policy refer to AU-SVRN acting through the Humark brand.
For data protection inquiries, including access, deletion, rectification, or objection requests, contact privacy@humark.id. This inbox is monitored on AU-SVRN’s behalf and is the appropriate point of contact for all privacy matters under GDPR, CCPA, BIPA, and other applicable privacy frameworks.
Information about AU-SVRN is available at https://ausvrn.com.
What We Collect
Humark collects the minimum data necessary to provide verifiable provenance for your creative work. This includes:
- Asset hashes (SHA-256 cryptographic hashes and perceptual fingerprints of your hardened assets)
- Public keys (the public portion of your device-generated signing keypair)
- C2PA metadata (Content Credentials manifests that record provenance information)
- Display name (the creator name you choose to associate with your signed work)
- Email address (used for account authentication via one-time passcodes and waitlist registration)
- Apple Sign In identity (if you choose "Sign in with Apple", we receive your name and email address from Apple. If you select "Hide My Email", only Apple's private relay email address is stored. We never receive your Apple ID password.)
- Crash diagnostics (the app uses Sentry for crash reporting. This includes crash logs, device model, and OS version. Crash data is not linked to your user identity or account. See Sentry's privacy policy at https://sentry.io/privacy/.)
- Image thumbnails (compressed, low-resolution previews of your artwork, uploaded for display in your web gallery)
Photo and Media Access
The Humark app requests access to your device photo library so you can select artwork for registration. Here is exactly what happens with your images:
- Your selected image is read on-device to compute a SHA-256 cryptographic hash (a unique fingerprint of the file)
- The hash is sent to the Humark registry as proof of your work. The full-resolution image never leaves your device.
- A compressed thumbnail (400px wide, JPEG at 70% quality) is generated on-device and uploaded for display in your web gallery
- For audio files, only the SHA-256 hash is registered. No audio data is uploaded.
- You can revoke photo library access at any time in your device Settings. This will prevent new artwork registration but will not affect previously registered works.
What We Don’t Collect
We want to be unambiguous about this: Humark never collects, stores, transmits, or has access to your biometric data. This includes but is not limited to:
- Face geometry or facial recognition data
- Fingerprint data or fingerprint templates
- Iris scans or retinal data
- Voiceprints or behavioral biometrics
- Raw images or video of your face or body
Your biometric information is used exclusively on your device, within the hardware-secured environment (Secure Enclave on iOS, Keystore on Android), to authorize the creation of a cryptographic signing key. The biometric data never leaves the secure hardware. We only receive the public key — a mathematical value that cannot be reverse-engineered to reconstruct any biometric information.
Biometric Data Architecture
Humark does not collect, transmit, store, or process raw biometric data. This includes face images, facial geometry, fingerprint templates, iris scans, or any other biometric identifier as defined under BIPA (740 ILCS 14), CCPA/CPRA (Cal. Civ. Code § 1798.140), GDPR (Regulation 2016/679), and applicable state biometric privacy laws.
All biometric operations, including identity verification and cryptographic signing, occur exclusively on the user’s device using the device’s hardware-level Secure Enclave (Apple iOS) or StrongBox / Trusted Execution Environment (Android). The private cryptographic key generated from the biometric process is non-exportable and hardware-bound. It never leaves the device in any form.
Humark’s servers receive only: (a) the user’s public key, (b) cryptographic signatures of asset hashes (not the biometric itself), (c) C2PA manifest metadata, and (d) perceptual and cryptographic hashes of registered assets. None of these data elements can be reverse-engineered to reconstruct biometric data.
Your Rights
We respect and uphold your data protection rights under all applicable privacy legislation.
Under GDPR (European Economic Area)
- Right to access all personal data we hold about you
- Right to rectification of inaccurate data
- Right to erasure (“right to be forgotten”) of your account data
- Right to restrict or object to processing
- Right to data portability
- Right to lodge a complaint with your local supervisory authority
Under CCPA (California)
- Right to know what personal information is collected, used, and shared
- Right to delete personal information held by us
- Right to opt out of the sale of personal information (note: Humark does not sell personal information)
- Right to non-discrimination for exercising your privacy rights
Under BIPA (Illinois)
- Humark does not collect biometric identifiers or biometric information as defined under BIPA
- All biometric processing occurs exclusively on your device within hardware-secured environments
- No biometric data is transmitted to, received by, or stored on Humark servers
- We provide this disclosure proactively as part of our commitment to transparency
Biometric Information Privacy Act (Illinois)
If you are a resident of Illinois, the following applies to you under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14.
Humark does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information as those terms are defined under BIPA. Biometric processing occurs exclusively on your device and no biometric data is transmitted to or stored by Humark.
The cryptographic keys generated through the biometric process do not constitute biometric identifiers or biometric information under BIPA because they cannot be used to identify an individual or reconstruct the underlying biometric.
Humark maintains this written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data, which, in Humark’s case, means the device-side key is destroyed upon device wipe, biometry change, or account deletion as documented herein.
Data Retention
Provenance records (asset hashes, public keys, C2PA manifests, and zero-knowledge proofs) are stored indefinitely in the Humark public registry. This is by design: the value of provenance depends on its permanence. These records form an immutable, tamper-evident ledger that allows anyone to verify the authenticity and origin of creative work at any point in the future.
Account-level data (display name, email address, account preferences) can be deleted upon request. When you request account deletion, we will remove all personally identifiable account data within 30 days. Provenance records will remain in the registry but will be disassociated from any personally identifiable information.
Waitlist email addresses are retained only until the product launches and are deleted within 90 days of your first app login, unless you opt in to continued communications.
Fraudulent Registration Data Handling
In the event of a substantiated Provenance Challenge or determination of fraudulent registration, Humark may retain and preserve registration records, including associated metadata and challenge documentation, for as long as necessary to support legal proceedings, regulatory compliance, or law enforcement requests.
This retention supersedes any account deletion request for records subject to active legal proceedings or law enforcement holds. Users acknowledge this exception to standard data deletion rights as a condition of using the registration service.
Law Enforcement Access
Humark may disclose registration records, including cryptographic signatures, asset hashes, device identifiers, and associated metadata, to law enforcement agencies in response to lawful subpoenas, court orders, or legal process.
In cases of suspected fraud, intellectual property theft, or misuse of the Humark platform in furtherance of criminal activity, Humark may proactively refer documented evidence to appropriate authorities. Users acknowledge that the provenance trail created by Humark registration is designed to be accessible to legal process.
Contact
If you have questions about this privacy policy, wish to exercise any of your data rights, or need to report a concern, contact us at:
We aim to respond to all privacy-related inquiries within 5 business days.
This privacy policy is effective as of March 2026 and applies to all users of the Humark application and website. We will notify users of any material changes to this policy via email or in-app notification.