Privacy Policy

• Identity management: Associate your DID and public key with your email and display name so others can verify content you have signed.
• Signature verification: Store content hashes and signatures so that anyone with a verification link can confirm the signer's identity and the integrity of the content.
• Reputation system: Calculate and display your reputation score based on signing activity, referral contributions, and community trust signals.
• Referral program: Track referral codes and attribute reputation boosts when new users join through your referral link.
• Notifications: Send push notifications about sync status, reputation changes, and referral activity.
• Service improvement: Analyze aggregate, anonymized usage patterns to improve reliability and user experience.
• Security: Detect and prevent fraud, abuse, and unauthorized access.

The Cygn mobile app requests the following device permissions, each for a specific purpose:

You can revoke any permission at any time through your device settings. Denying a permission only disables the associated feature; the rest of the app continues to function.

We do not sell, trade, or rent your personal information to third parties. We do not share your data with advertising networks.

We may share limited information in the following cases:

• Public verification: When someone scans a verification QR code or visits a cygn.me verification link, they can see the signer's display name, DID, tier, provenance grade, and timestamp. This is the core purpose of the Service - proving content authenticity.
• Service providers: We use Vercel (hosting), Upstash (database), Cloudflare (CDN/security), Sentry (error monitoring), Resend (transactional email), Stripe and Razorpay (payment processing). These providers process data only as necessary to provide their services and are bound by their own privacy policies.
• Legal obligations: We may disclose information if required by law, subpoena, court order, or governmental request, or if necessary to protect our rights, safety, or property.
• With your consent: We may share information with third parties when you explicitly authorize it (e.g., sharing your signed content via the native Share Sheet).

• Access: You can view all data associated with your identity in the app's Identity and Settings screens.
• Correction: You can update your first name, last name, display name, and profile photo at any time in Settings.
• Deletion: You can permanently delete your account and all associated data at any time from Settings > Delete Account (on the web at cygn.me/app/settings or in the mobile app). This removes your account data, signing records, linked devices, and reputation from our servers, and erases your private key from the device. Account deletion is immediate and irreversible. You may also contact privacy@cygn.me to request deletion.
• Portability: You can export your private key (with biometric authentication) for backup or migration to another device.
• Revoke permissions: You can revoke camera, microphone, photo library, or notification permissions at any time in your device settings.
• Opt out of notifications: Disable push notifications in your device settings or within the app.
• Opt out of error reporting: Error reporting is disabled in development builds and can be controlled through app settings.

If you are a resident of the European Economic Area (EEA), United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively, including the right to lodge a complaint with a supervisory authority. Contact us to exercise these rights.

The Cygn mobile app includes an audio watermark detection feature for verifying caller identity. When you activate this feature:

• Audio is captured from your device's microphone in short 2-second segments.
• Audio is processed entirely on-device for watermark detection. When the native Rust DSP core is available, processing happens in real-time on your device. In development mode, a mock detection algorithm is used.
• Audio segments are immediately discarded after processing. We do not store, transmit, or retain any audio recordings.
• No audio data is ever sent to our servers or any third party.

When you sign an image using Cygn:

• The image is processed entirely on your device. A SHA-256 hash is computed locally.
• The hash is signed with your Ed25519 private key (requiring biometric authentication).
• A verification badge with QR code is composited onto the image on-device using local rendering.
• Only the hash, signature, and metadata (title, provenance grade, badge position, timestamp, device name) are sent to our server for registration. The original image is never uploaded.
• Signed images are saved to a dedicated "Cygn" album on your device.
• Two provenance grades are supported: "Captured" (taken with the device camera at signing time) and "Cygned" (selected from your photo library).

Cygn integrates with the Coalition for Content Provenance and Authenticity (C2PA) standard for media provenance. When C2PA signing is used, provenance metadata is embedded directly into the media file according to the C2PA specification. This metadata is public by design and viewable by anyone inspecting the file's Content Credentials.

On the cygn.me website:

• We use essential cookies for authentication session management (HTTP-only, secure, same-site).
• Cryptographic keys for the PWA (Progressive Web App) are stored in IndexedDB, which is local to your browser and not transmitted to our servers.
• We use Vercel Analytics, which does not use cookies and does not track users across websites.
• We do not use tracking cookies, advertising cookies, or third-party analytics that track individual behavior.

Cygn is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@cygn.me and we will promptly delete it.

Our servers are located in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

Cygn acts as a Data Controller for account data (your email, profile, and payment information) and as a Data Processor for enterprise API data (media files and content processed through our APIs, as defined in our Data Processing Agreement).

For transfers from the European Economic Area (EEA) or United Kingdom to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), adopted pursuant to Commission Implementing Decision (EU) 2021/914, and other lawful transfer mechanisms where required by applicable law.

Our sub-processors and their locations are listed in our Data Processing Agreement. For enterprise customers, the DPA governs all data processing activities performed on your behalf.

Cygn is built on the Vouch Protocol, an open-source standard for cryptographic identity and provenance. The protocol specifications are being donated to the W3C. The core cryptographic operations (key generation, signing, verification) are implemented using the open-source protocol and can be independently audited. This Privacy Policy applies to the Cygn commercial service; the Vouch Protocol itself is governed by its own Privacy Policy.

We use the following third-party services:

Each service has its own privacy policy governing how it handles data. We encourage you to review their policies.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you via email or in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy, your data, or your rights, contact us at:

For GDPR-related inquiries, data subject access requests (DSARs), or to exercise your rights under applicable data protection law, contact our Data Protection team:

Email: privacy@cygn.me

For enterprise data processing matters, please refer to our Data Processing Agreement.

We aim to respond to all data protection requests within 30 days.

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access (Article 15): Request a copy of your personal data.
• Right to rectification (Article 16): Request correction of inaccurate data.
• Right to erasure (Article 17): Request deletion of your personal data. You can delete your account from Settings or via the API.
• Right to restrict processing (Article 18): Request restriction of processing in certain circumstances.
• Right to data portability (Article 20): Export your data in a machine-readable format from Settings → Export My Data, or via GET /api/v1/account/export.
• Right to object (Article 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent. This does not affect the lawfulness of prior processing.
• Right to lodge a complaint: You may lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@cygn.me or use the self-service tools in your account Settings at cygn.me/app/settings.