Privacy Policy
Sigil is built around a simple promise: your passport data never leaves your phone. This page explains what that means in practice — what we collect (nothing), what stays on your device, what goes on a public blockchain, and which third-party services your phone talks to while using the app.
1. What Sigil collects from you
Nothing. Sigil has no user accounts, no login, no analytics, no telemetry, no crash-reporting services, and no advertising SDKs. We don't operate any servers that receive data from the app. We don't know you've installed it, opened it, scanned your passport, or sigilized an address.
2. What's processed on your device only
The app reads and processes the following entirely on-device:
- Passport chip data read over NFC: specifically the DG1 data group (your machine-readable zone — name, date of birth, nationality, passport number, expiry) and the SOD (the cryptographic signature of the passport contents). These are used to generate a zero-knowledge proof.
- The MRZ printed on your passport, read via your phone's camera using on-device OCR. The image is processed by Apple's Vision framework (via Google ML Kit's bundled local model on iOS) and discarded; nothing is uploaded.
- QR codes scanned with the camera during wallet connection (the WalletConnect handshake URI).
- Wallet addresses the user authorizes via their connected wallet (MetaMask, Rainbow, Coinbase Wallet, etc.).
- Zero-knowledge proof generation: a Noir circuit compiled to native Rust (via Mopro) runs on a background thread on the device and produces the proof.
None of the above is transmitted to Sigil or to any third party. The passport chip bytes, MRZ values, camera frames, and proof inputs all stay in device memory and are released when the screen is dismissed.
3. What goes on the blockchain
When you sigilize an address, the app submits a single transaction to the Sigil registry smart contract on Base (or Base Sepolia for testing). That transaction contains:
- An opaque nullifier — a one-way hash derived from your passport's cryptographic signature. It cannot be reversed to recover any passport contents.
- An epoch nullifier — a daily one-way hash used to rate-limit new registrations to 10 per passport per day. Also cannot be reversed.
- Your wallet address (the from-field of the transaction).
- The zero-knowledge proof bytes.
- Your passport's expiry date, rounded up to the next 90-day boundary. This rounding collapses the ~365 distinct expiry dates per year into 4 quarterly buckets to reduce identifying information on-chain.
Your name, date of birth, nationality, sex, passport number, MRZ contents, raw chip bytes, and any biometric data are never submitted on-chain or transmitted anywhere.
Multiple addresses sigilized with the same passport share the same opaque nullifier on-chain, meaning they are publicly linkable to one another as belonging to the same person. This is the explicit design — protocols use it for sybil resistance. Addresses you choose not to sigilize remain anonymous.
4. Third-party services the app communicates with
The app makes network requests to the services below for the limited purposes listed. None of them receive passport data.
- WalletConnect relay (operated by Reown): when you connect a wallet, the app uses the WalletConnect v2 protocol. Reown's relay servers route end-to-end encrypted messages between Sigil and your wallet app. Reown's privacy practices: reown.com/privacy-policy.
- Ethereum RPC providers: to read on-chain state and submit transactions, the app sends queries to Base or Base Sepolia RPC endpoints (defaults mainnet.base.org and sepolia.base.org). For ENS name resolution, the app queries an Ethereum mainnet endpoint (default ethereum.publicnode.com). These providers see your IP address and the content of the RPC queries (which addresses you're checking status for) but do not receive passport data.
5. Permissions the app requests
- NFC ("NFC Tag Reading"): required, used to read the passport chip following the ICAO 9303 international standard for electronic Machine Readable Travel Documents. This is the same protocol used by airport e-gates worldwide.
- Camera: used to scan the MRZ printed on your passport (so you don't have to type it manually) and to scan WalletConnect QR codes when connecting a wallet from another device. Camera frames are processed on-device and never uploaded.
6. Data you can delete
- Local app data (tracked addresses, education-modal dismissal flags, WalletConnect session): uninstall the app to clear it entirely. The app stores nothing outside its own sandbox.
- On-chain registrations: open the app, expand the address in your accounts list, and tap "Unregister". This calls the registry contract's unregister function and removes the active registration entry. Note that Ethereum transactions are immutable, so the historical fact that the address was once registered remains visible in chain history.
7. Children
Sigil is intended for adults. The minimum age to use the app is determined by your local jurisdiction's rules for obtaining a passport (typically this requires either parental consent for minors or the age of majority).
8. Changes to this policy
Material changes will be announced on the Sigil GitHub repository (github.com/zksigil/sigil-monorepo) and the "Last updated" date above will be revised.
9. Contact
Sigil is an open-source project. For privacy questions, file an issue at github.com/zksigil/sigil-monorepo/issues.