Privacy Policy

Effective date: February 22, 2026 — Last updated: February 22, 2026

HumanCred ("we", "us", "our") is committed to being transparent about the data we handle. This policy explains what we collect, why, and how you can control it. We do not sell your data. We build tools to help real people prove they're real.

1. Who we are

HumanCred operates this website and service. We are based in the United States. For any privacy-related questions, email us at privacy@humancred.org.

2. Data we collect

Account information

When you create an account we collect:

  • Email address — used to log in, send credential expiry notices, and respond to support requests.
  • Display name / public ID — the username visible on your public profile and credential. You choose this.
  • Password — stored as a one-way hash (bcrypt). We never store or transmit your password in plain text.

Behavioral signals (verification only)

During the verification flow we collect signals about how you interact with the page: mouse movement patterns, typing cadence, and scroll behavior. These signals are used to compute a humanity score. They are not biometric data — they are statistical patterns used for scoring, not to identify you as an individual. Raw behavioral data is purged automatically on a regular cleanup schedule and is never shared.

Cognitive challenge responses

Your answers to the captcha-style cognitive challenges are recorded to compute your score. They are not used for any other purpose.

Vouch relationships

If you vouch for another user, or receive a vouch, a record of that relationship is stored (using your public ID, not your email). Vouch records contribute to your humanity score.

Credential / badge data

When a credential is issued it contains your public ID, humanity score at issuance, issue date, expiry date, and verification method. This data is intentionally public — that is the purpose of a credential. See Section 4.

Log and audit data

We keep an audit trail of significant account actions (e.g., credential issuance, vouch events, admin actions). These logs are used for abuse prevention and are not exposed publicly.

IP addresses

Your IP address is used for rate limiting (to prevent abuse) and is not persistently linked to your account record. It is not stored in any user-facing log.

3. How we use it

  • To operate your account and provide the service.
  • To compute and issue cryptographically signed humanity credentials.
  • To send transactional emails: credential expiry warnings, password reset links, and email verification.
  • To detect and prevent abuse, spam, and fraudulent verifications.
  • To improve the verification system.

We do not use your data for third-party profiling or any automated decision-making that produces legal effects.

4. What is public by design

HumanCred credentials are designed to be publicly verifiable — that is the point. The following information is publicly accessible to anyone who has your credential ID or visits your profile:

  • Your public ID (username)
  • Your humanity score (at issuance and live)
  • Credential issue date, expiry date, and verification method
  • Your algorithmically generated identicon (derived from your public ID; not biometric)

Your email address is never part of the public credential.

5. Third-party services

We use a small number of external services to operate HumanCred. We do not sell data to any of them, and each receives only what is needed for its function.

Resend (email delivery)

We use Resend to send transactional emails (credential expiry notices, password resets, email verification). Resend receives your email address and the content of the email. Resend Privacy Policy.

Google Fonts

We load fonts from fonts.googleapis.com and fonts.gstatic.com. When your browser fetches these fonts, your IP address is sent to Google. We use a performance-friendly load method (print media swap) that delays this request until after the page is interactive. Google Privacy Policy.

Cloudflare Turnstile

We use Cloudflare Turnstile on the login page as a bot-detection challenge. Turnstile may collect browser characteristics and your IP address. Cloudflare Privacy Policy.

Google reCAPTCHA

Some verification flows use Google reCAPTCHA for bot detection. reCAPTCHA collects browser and interaction data to assess whether you are human. Google Privacy Policy.

No advertising or data broker relationships

Never. We do not share your data with advertisers, data brokers, or marketing platforms.

6. Cookies and local storage

We use the following cookies:

  • session_token — HttpOnly, Secure. Keeps you logged in. Expires when you log out or after inactivity.
  • csrf_token — Readable by our JavaScript only. Used to prevent cross-site request forgery attacks. Not readable by third-party scripts.

We do not use advertising cookies, tracking pixels, or persistent cross-site identifiers. We do not use local storage for personally identifiable data.

7. Data retention

  • Account data — retained while your account is active. Deleted promptly upon a verified deletion request.
  • Behavioral signals — automatically purged on a regular schedule after verification is complete.
  • Session tokens — purged on logout and by an automated cleanup job.
  • Credentials — a credential is a signed artifact; once issued, revocation is recorded but the signed object may persist in external systems where it was shared. We cannot guarantee deletion of copies you have exported and shared.
  • Audit logs — retained for up to 12 months for abuse prevention.

8. Your rights

You may exercise the following rights at any time by emailing privacy@humancred.org:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — request that we delete your account and associated personal data. We will action this promptly. Note the credential caveat above.
  • Portability — you can download your credential at any time in Open Badge 3.0 / JSON-LD format from your dashboard. PNG and SVG exports carry your full signed credential as embedded metadata, making them self-contained and verifiable anywhere without needing a link back to HumanCred.

We aim to respond to all privacy requests within 30 days.

9. Children

HumanCred is intended for users 18 years of age and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact privacy@humancred.org and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. When we make material changes we will update the effective date at the top of this page. Continued use of HumanCred after a policy update constitutes acceptance of the revised terms.

11. Contact

For privacy questions, data requests, or concerns: