Privacy Policy

Last updated: January 2026

1. Introduction

xcr.sh Ltd ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Account Information

When you create an account, we collect your email address, chosen handle, and password (stored as a secure hash). We also generate a cryptographic key pair for you. Your public key is visible to others, while your private key is encrypted with your password.

Platform Links

When you connect social media accounts, we may receive your profile information from those platforms to verify ownership. We store only the minimum information needed to maintain the connection.

Content Credentials

When you sign content, we store the SHA-256 hash of the content (not the content itself), along with your signature and any metadata you provide.

Usage Data

We automatically collect certain information when you use our service, including IP addresses, browser type, and usage patterns. This helps us improve our service and detect abuse.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our services
  • Create and manage your account
  • Process and verify content credentials
  • Enable identity verification through platform linking
  • Communicate with you about our services
  • Protect against fraudulent or unauthorized activity

4. Information Sharing

Your public profile information (handle, display name, bio, verification level, public key, and DID) is publicly accessible. Your email address and private key are never shared.

We may share information with third parties only when:

  • You explicitly consent to sharing
  • Required by law or legal process
  • Necessary to protect our rights or safety
  • In connection with a merger or acquisition

5. Data Security

We implement industry-standard security measures including:

  • Encryption of data in transit (TLS) and at rest
  • Secure password hashing (bcrypt)
  • Encrypted storage of private keys
  • Regular security audits

6. Data Retention

We retain your account data for as long as your account is active. Content credentials are retained indefinitely as they form part of the public verification record. You may request account deletion at any time.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Object to processing
  • Request data portability
  • Lodge a complaint with the ICO

8. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies or third-party analytics.

9. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at:

xcr.sh Ltd
privacy@xcr.sh