1. Overview and Scope
This Privacy Policy describes how The AI Lab Intelligence Unobscured, Inc. ("Company," "we," "us," or "our") collects, processes, stores, and discloses personal data in connection with TIP Protocol, AI Trust ID, AI Trust Registry, and all related services (collectively, the "Services").
This Policy applies to natural persons who register a TIP-ID or use the Services; visitors to theailab.org; developers and commercial licensees operating under the TIP Community License v1.0 (TIPCL-1.0); accredited Verification Providers and their end-users; and any person whose personal data is processed in connection with the TIP DAG.
Privacy as protocol constraint
TIP Protocol is designed from its architectural foundations to collect the minimum personal data necessary, store it in the most privacy-preserving form technically achievable, and give individuals full control over what others see. Privacy is not a feature added to TIP. It is a structural constraint encoded in the genesis block.
This Policy does not apply to third-party websites or applications that integrate TIP Protocol independently under TIPCL-1.0. Each TIPCL-1.0 licensee and Verification Provider is an independent data controller responsible for their own privacy practices, bounded by the use-scope restrictions in TIPCL-1.0 and described in Section 6 of this Policy.
2. Data Controller and Contact Information
The AI Lab Intelligence Unobscured, Inc.
131 Continental Dr, Suite 305, Newark, DE 19713, United States
General: tip@theailab.org
Privacy / DPO: dpo@theailab.org
Licensing: licensing@theailab.org
Security: security@theailab.org
Our Data Protection Officer may be contacted at dpo@theailab.org for all GDPR rights requests, erasure applications, and data protection enquiries. For TIPCL-1.0 licensing compliance questions, contact licensing@theailab.org.
3. Personal Data We Collect
3.1 Data Collected During TIP-ID Registration
- Government-issued identity document: authenticated via OCR and NFC chip validation, used only to confirm identity and age eligibility, and discarded immediately after the verification session. The document number is never stored.
- Three-dimensional facial geometry: depth-mapped facial scan generates a 512-dimensional facial embedding, converted to a SHAKE-256 cryptographic hash within your device's hardware security enclave. The raw embedding is immediately discarded. Only the hash is temporarily held by the VP for deduplication, for a maximum of 72 hours.
- Device public key: generated within your device's hardware security enclave and registered with the TIP DAG. Your private key is generated inside the enclave and never exported.
- Email address: collected for service communications, authentication, and legal notices. Never published to the DAG.
- Region code: a two-letter ISO 3166-1 alpha-2 country code incorporated into your TIP-ID URI. The only geographic information in your TIP-ID.
3.2 What We Explicitly Never Collect
The following items are outside the TIP Protocol data model by architectural design. No TIP node, no VP, and no TIPCL-1.0 licensee may collect or store them:
- Government ID number: Verified for authenticity and immediately discarded after the session.
- Date of birth: Used only to confirm age of majority, then discarded.
- Raw biometric data: Processed to a hash on-device and discarded. Never transmitted in raw form.
- Geographic location: No geolocation data is collected at any point.
- Browsing history: The extension reads TIP headers only, not page content or browsing history.
- Draft content: We never see content before you choose to publish and register it.
- Private signing key: Generated in and held exclusively within your device hardware enclave.
- Voucher identities: That vouching occurred is public. The identity of your vouchers is private.
3.3 Attribution Data Collected From TIPCL-1.0 Implementations NEW v1.1
TIPCL-1.0 Section 4 requires every implementation to display attribution in one of four forms: full text attribution ("Built on TIP Protocol by The AI Lab Intelligence Unobscured, Inc."); a short-form "Powered by TIP Protocol - theailab.org" notice; the TIP Powered Mark badge; or the X-Powered-By: TIP-Protocol/theailab.org HTTP response header in API calls.
Through these mandatory attribution mechanisms, the Company may receive: (a) the domain name or IP address of TIPCL-1.0 implementations making API requests; (b) the approximate volume of API requests from each implementation; and (c) standard HTTP header metadata. This data is used exclusively for license compliance verification and protocol health monitoring. It is not used for advertising, end-user profiling, or commercial purposes, and is subject to the same 90-day server log retention policy described in Section 7.
Note for end users
If you are an end user of a third-party platform that has integrated TIP Protocol, the X-Powered-By header is transmitted by that platform's server, not by your browser. We receive the platform's server information, not your personal information, through this mechanism.
3.4 Data Collected Through Content Registration
When you register content, the DAG records your CTID (a SHAKE-256 hash of the content - not the content itself), your declared Origin Code, your TIP-ID, a timestamp, and a content status. The actual content is never stored on the DAG or by the Company.
3.5 Data Collected Through Service Use
Standard server logs including IP address, browser type, and access timestamps are collected for security monitoring and abuse prevention. IP addresses are anonymized within 30 days. We use a single session authentication cookie expiring at session end or after 24 hours of inactivity. We do not use advertising cookies, cross-site tracking, or browser fingerprinting.
4. How We Use Your Personal Data
4.1 Legal Bases Under GDPR
- Contract performance (Art. 6(1)(b)): issuing and maintaining your TIP-ID, recording content registrations, computing Trust Score, processing adjudication transactions.
- Legitimate interests (Art. 6(1)(f)): DAG network integrity, fraud and sybil attack prevention, TIPCL-1.0 attribution compliance monitoring, security monitoring, and Terms of Service enforcement.
- Legal obligation (Art. 6(1)(c)): responding to valid legal process and maintaining legally required records.
- Explicit consent (Art. 6(1)(a)): displaying your numeric Trust Score to third parties via FULL_PUBLIC mode only. Withdrawable at any time.
- Vital interests (Art. 6(1)(d)): processing REVOKE_DECEASED transactions where death has been independently verified.
4.2 Specific Processing Purposes
- TIP-ID issuance: biometric verification, generating your TIP-ID, and recording it on the DAG.
- Deduplication: verifying uniqueness using the peppered zero-knowledge proof system (Section 5.1).
- Trust Score computation: calculating your deterministic score from your complete DAG history.
- Content provenance: recording CTID transactions binding declared content origins to your identity.
- Adjudication pipeline: processing Stage 1 automated classification, Stage 2 jury coordination, and Stage 3 expert review.
- TIPCL-1.0 license compliance: verifying that implementations display required attribution and operate within their licensed scope.
- Service communications: transactional emails regarding your TIP-ID, adjudication proceedings, and Trust Score changes.
- Security and integrity: monitoring for unauthorized access, fraudulent registration, and network abuse.
5. Privacy-by-Design Architecture
5.1 Peppered Zero-Knowledge Deduplication (FIX-02)
A 256-bit cryptographically random pepper is generated in your device's hardware security enclave and never transmitted. The deduplication hash is: SHAKE-256(government_id || date_of_birth || country || face_hash || pepper). Because the pepper never leaves your device, this hash is not recomputable by any external party. The ZK proof (zkp:[64-char SHAKE-256 hex]) is published to the DAG instead of the hash. A separate isolated deduplication registry stores ZK proofs only. The Merkle root is published every 6 hours as a MERKLE_ROOT_PUBLISHED transaction. This design is GDPR Article 25 compliant.
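An added illustration of the construction in Section 5.1 (not the Company's or TIP Protocol's code): it computes the deduplication hash with and without the pepper and checks whether a party holding the other four fields can link a hash back to a record. The length-prefixed field encoding, the 32-byte output length, the function names and the sample records are assumptions made for the example; the Policy specifies only the field order.

```python
import hashlib
import hmac
import secrets

DIGEST_BYTES = 32  # assumption: 32-byte SHAKE-256 output (64 hex characters)


def _encode(fields):
    """Length-prefix each field so ("AB", "C") and ("A", "BC") hash differently.

    Assumption: the Policy writes plain "||"; an unambiguous encoding is used here.
    """
    out = bytearray()
    for field in fields:
        out += len(field).to_bytes(4, "big") + field
    return bytes(out)


def dedup_hash(government_id, date_of_birth, country, face_hash, pepper=b""):
    """SHAKE-256(government_id || date_of_birth || country || face_hash || pepper)."""
    material = _encode([
        government_id.encode(),
        date_of_birth.encode(),
        country.encode(),
        face_hash,
        pepper,
    ])
    return hashlib.shake_256(material).hexdigest(DIGEST_BYTES)


def linkable(published_hex, candidate_records):
    """Linkability check: index of the record that reproduces published_hex
    when no pepper is known, or None if no record matches."""
    for index, record in enumerate(candidate_records):
        if hmac.compare_digest(dedup_hash(**record), published_hex):
            return index
    return None


def _face(label):
    # Constructed stand-in for a facial hash; not real biometric data.
    return hashlib.shake_256(label).digest(32)


# Constructed sample records: the worst case in which another party already
# holds every field except the pepper.
RECORDS = [
    {"government_id": "X0000001", "date_of_birth": "1980-01-01",
     "country": "US", "face_hash": _face(b"constructed-face-1")},
    {"government_id": "X0000002", "date_of_birth": "1991-06-15",
     "country": "DE", "face_hash": _face(b"constructed-face-2")},
    {"government_id": "X0000003", "date_of_birth": "1975-11-30",
     "country": "FR", "face_hash": _face(b"constructed-face-3")},
]


def demo():
    subject = RECORDS[1]
    pepper = secrets.token_bytes(32)  # 256-bit; stands in for the enclave-held pepper
    unpeppered = dedup_hash(**subject)
    peppered = dedup_hash(**subject, pepper=pepper)
    return {
        # Without a pepper, the record holder recomputes the hash and finds the subject.
        "unpeppered_linked_to": linkable(unpeppered, RECORDS),
        # With the pepper, the same records reproduce nothing.
        "peppered_linked_to": linkable(peppered, RECORDS),
        # Only the pepper holder can recompute the value.
        "holder_can_recompute": dedup_hash(**subject, pepper=pepper) == peppered,
        "hex_length": len(peppered),
    }


if __name__ == "__main__":
    print(demo())
```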
5.2 Biometric Hash Protection
Your raw biometric data is processed exclusively within your device and the VP's secure processing environment. The 512-dimensional facial embedding is converted to a SHAKE-256 hash by the VP; the embedding is discarded immediately. This hash is used only for deduplication and is deleted by the VP within 72 hours of successful verification. The biometric hash is not published to the public DAG.
5.3 Trust Score Display Modes
Your Trust Score (0-1000) is not automatically visible to third parties. The default at registration is TIER_ONLY, pursuant to GDPR Article 25 data minimization:
- Tier Label Only (GDPR Art. 25 - Data minimization): Only your tier (TRUSTED, HIGHLY_TRUSTED, etc.) is visible. Numeric score is private. Selected automatically at registration.
- Full Numeric Score (GDPR Art. 6(1)(a) - Explicit consent): Your numeric score, tier, and history are visible to all third parties. Requires your explicit opt-in. Withdrawable at any time.
- Verified / Unverified (GDPR Art. 25 - Minimum data): Only a binary verified/unverified indicator is shared. No score information whatsoever is disclosed to any third party.
All display mode changes are recorded as signed UPDATE_DISPLAY_MODE transactions on the DAG, creating an immutable auditable consent record. Zero-knowledge score threshold proofs are available for relying parties requiring minimum-score verification without disclosure of the numeric value.
5.4 What Is and Is Not on the Public DAG
VISIBLE ON THE PUBLIC DAG
- TIP-ID URI: tip://id/US-a3f8... - pseudonymous, contains no name or biometric data
- Content CTIDs: Cryptographic hashes of registered content, with Origin Codes
- Trust Score tier: Tier label, or numeric score only if FULL_PUBLIC is elected
- Adjudication outcomes: CONFIRMED_MISMATCH or CLEARED results
- ZK dedup proofs: Proof of uniqueness only - underlying hash never published
- MERKLE_ROOT: 6-hour hash of dedup registry - no personal data
NOT ON THE PUBLIC DAG
- Your legal name, date of birth, or address
- Your government identity document number
- Your biometric hash or raw biometric data
- Your private signing key
- Your email address
- Your numeric score in TIER_ONLY or VERIFIED_ONLY mode
- The specific identities of your social graph vouchers
- The text, audio, video, or content of registered content
6. TIPCL-1.0 Licensees, Patent Licenses, and Licensee Data Practices NEW IN v1.1
This section was not present in v1.0 and addresses data-related consequences of the TIPCL-1.0 licensing framework that are material to data subjects.
6.1 Licensee Categories and Data Processing Scope Restrictions
TIPCL-1.0 grants software use rights to implementations in specific categories. Each category carries use-scope restrictions that directly limit what data those implementations may process. Understanding your licensee category protects your data rights:
| Licensee Category | Revenue Limit | Data Processing Scope | License Type |
|---|---|---|---|
| Individual person | Under $100,000 | Personal or professional use. No restriction on data volume. | Free |
| Small business | Under $100,000 | Commercial use permitted within revenue limit. | Free |
| Nonprofit / NGO | Any size | Mission-related use only. | Free |
| Educational institution | Any size | Teaching, research, and institutional identity use. | Free |
| Government entity | Any size | Official governmental functions only. Subject to public records law. | Free |
| Journalism organization | Any size | EDITORIAL USE ONLY. Limited to editorial identity verification and content provenance. May not be used for subscriber management, advertising targeting, or non-editorial commercial purposes. | Free (editorial scope) |
| R&D / Testing | Any size (500 users max, 12 months max) | INTERNAL TESTING ONLY. Must not process real biometric data from real persons. Use synthetic or anonymized test data only. | Free (internal only) |
| Commercial licensee (Micro through Global) | $100,000 or more | Tiered commercial use. Includes essential patent license. Subject to TIPCL-1.0 Section 3 commercial terms. Tier schedule at theailab.org/tip-license. | Paid |
R&D Warning
The R&D/testing free-use category is strictly limited to internal deployments with a maximum of 500 external users and a 12-month term. R&D implementations must not process real biometric data from real persons. This limitation exists because BLOCKING-B2 (ZK proof stub) has not yet been replaced with production-grade snarkjs/Groth16 and real biometric data must not be submitted to a stub proof system.
Journalism use scope
Free use for journalism organizations is limited to editorial identity verification and content provenance purposes only. A journalism platform may not use TIP Protocol for subscriber management, advertising targeting, paywall authentication, or any non-editorial commercial purpose. If you believe a journalism platform is using TIP outside its editorial scope, report it to licensing@theailab.org.
6.2 Sub-licensing Prohibition and Data Chain Limitation
TIPCL-1.0 Section 6 prohibits licensees from sub-licensing commercial rights to third parties. This has a direct data protection consequence: a commercial licensee cannot grant another entity the right to use TIP Protocol in a way that exposes additional user data to that sub-entity. If you use TIP Protocol through a third-party platform, that platform cannot extend its license to sub-processors that collect or use your TIP data beyond what TIPCL-1.0 permits. Report suspected sub-licensing violations to licensing@theailab.org.
6.3 How to Verify an Official TIPCL-1.0 Implementation
TIPCL-1.0 Section 6 prohibits any party from operating a private fork of TIP Protocol while claiming to be the official TIP network. Official implementations must: (a) display the required attribution text ("Built on TIP Protocol by The AI Lab Intelligence Unobscured, Inc.") in a footer, About page, or Help page; (b) include the X-Powered-By: TIP-Protocol/theailab.org header in API responses; and (c) display a valid TIP Powered Mark badge with a link to theailab.org/tip. Platforms lacking these indicators may not be officially licensed. Report suspect implementations to security@theailab.org.
6.4 Copyleft and Modification Transparency (Pre-2031)
Until January 1, 2031, TIPCL-1.0 imposes copyleft on modifications to the protocol core. Any licensee who modifies the protocol core must contribute those modifications back under TIPCL-1.0. This has a data protection benefit: it prevents licensees from making proprietary modifications that weaken the privacy-by-design architecture (ZK proofs, biometric hash protection, data minimization) without those changes being disclosed to the Company and the community.
6.5 Patent Licenses
Free use of TIPCL-1.0 includes a royalty-free patent license covering The AI Lab's essential patent claims for TIP Protocol (pending, claim groups A through J). Commercial licensees receive a broader patent license under TIPCL-1.0 Section 3. If a TIPCL-1.0 licensee initiates patent infringement litigation against The AI Lab, that licensee's patent license terminates immediately. Termination of a licensee's patent license does not directly affect your data rights as an end user, but may affect the service continuity of that licensee's TIP integration. If a licensee's patent license is terminated, their continued operation of TIP Protocol may no longer be authorized and their data handling may no longer be bound by TIPCL-1.0 requirements.
6.6 Licensing Conversion to Apache 2.0 (January 1, 2031)
On January 1, 2031, TIPCL-1.0 converts to Apache License 2.0 for the software license. This affects licensing terms but does not affect your data subject rights under this Privacy Policy. The following TIPCL-1.0 terms that protect data subjects survive permanently: NOTICE file preservation (ensuring attribution remains traceable); all trademark restrictions (preventing impersonation of official implementations); and the AI Trust ID Seal registry-issued-only rule (preventing unauthorized badge issuance). This Privacy Policy remains in effect beyond 2031 regardless of the licensing conversion.
7. Data Retention
Different data types have different retention periods based on technical necessity, legal requirements, and your rights:
| Data Type | Where Stored | Retention Period | User-Deletable? |
|---|---|---|---|
| TIP-ID (public key + URI) | Federated DAG (public) | Permanent - required for content provenance | No |
| Biometric hash (facial) | VP only, isolated registry | Deleted within 72 hours of verification | N/A |
| Device public key | TIP registry + DAG | Permanent - required for signature verification | No |
| Trust Score event history | TIP registry (off-chain) | Until GDPR Art. 17 erasure request | Yes |
| Content CTIDs | Federated DAG (public) | Permanent - required for content verification | No |
| Government ID document | Never stored - discarded on-device | 0 seconds after verification session | N/A |
| Email address | TIP registry (off-chain) | Active TIP-ID + 5 years post-revocation | Yes |
| Session data | TIP registry (off-chain) | 90 days after last active session | Yes |
| Server logs (incl. IP) | Secure log store | 90 days; IP anonymized in 30 days | No |
| Attribution compliance logs | Secure log store | 90 days; licensee domain/IP only, not end users | No |
| ZK dedup proofs | Isolated dedup registry | Permanent - required for uniqueness enforcement | No |
Erasure scope
Trust Score event history is the primary record subject to GDPR Art. 17 erasure. Your TIP-ID, CTIDs, and adjudication outcomes remain on the immutable DAG but are anonymized and no longer associated with your personal identity in API responses following a valid erasure request. Content CTIDs are exempt from erasure under Art. 17(3)(b) as necessary for the public interest in verifiable content authenticity.
8. Sharing and Disclosure of Personal Data
8.1 Public DAG
The TIP DAG is a federated public ledger. Transactions written to it are visible to all network participants worldwide. Section 5.4 enumerates precisely what is and is not on the public DAG.
8.2 Verification Providers
Your personal data is shared with the accredited VP you select to complete biometric verification. VPs are independent data controllers contractually bound by the TIP-VP Code of Conduct to: process data solely for TIP-ID issuance; not retain government documents beyond the verification session; not share biometric data with any third party; publish a quarterly warrant canary; and comply with all applicable data protection laws. Voluntary data sharing by any VP is grounds for immediate revocation of accreditation.
8.3 TIPCL-1.0 Commercial Licensees NEW v1.1
When you access Services through a TIPCL-1.0 licensed platform, that platform is an independent data controller for data it collects through its own interface. The Company does not share your personal data with TIPCL-1.0 licensees beyond what is accessible through the public TIP API (governed by your display mode). TIPCL-1.0 Section 6 prohibits sub-licensing of commercial rights, meaning no licensee can grant another party access to your TIP data beyond the scope of the original license. Review the privacy policy of any TIPCL-1.0 licensed platform through which you access TIP Services.
8.4 Relying Parties
Third parties may query the TIP registry to retrieve your Trust Score tier or numeric score (FULL_PUBLIC mode only), TIP-ID status, and content provenance records. Data accessible to relying parties is governed entirely by your elected display mode.
8.5 Legal Disclosure
We may disclose personal data when required by valid legal process. We maintain a warrant canary at theailab.org/canary. If we receive a compelled request we are prohibited from disclosing, we will update our warrant canary consistent with applicable law.
8.6 What We Will Never Do
- Sell your personal data to any third party for any purpose
- Share your biometric data for any purpose other than TIP-ID issuance
- Provide your personal data to advertisers or data brokers
- Share your data with governments without valid legal process
- Allow a TIPCL-1.0 licensee to sub-license access to your TIP data
- Use attribution compliance data (Section 3.3) to profile end users
9. International Data Transfers
The Company is headquartered in the United States. The TIP DAG is a global federated network. Your personal data may be processed in the United States and other countries. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission. TIPCL-1.0 licensees and VPs in third countries must maintain adequate transfer mechanisms and disclose their data processing jurisdictions in their quarterly Transparency Register publications.
10. Your Data Rights
10.1 GDPR Rights
- Request all personal data we hold about you, processing purposes, and third-party sharing details. Contact: dpo@theailab.org
- Request correction of inaccurate personal data. Applies to off-chain records - DAG transactions are immutable. Contact: dpo@theailab.org
- Request deletion. Off-chain records are deleted; DAG transactions are anonymized. Content CTIDs exempt under Art. 17(3)(b). Contact: dpo@theailab.org
- Request processing limitation while other requests are pending, such as a rectification dispute. Contact: dpo@theailab.org
- Receive personal data in a structured, machine-readable format for transfer to another controller. Contact: dpo@theailab.org
- Object to processing based on legitimate interests. We will cease unless compelling grounds override your rights. Contact: dpo@theailab.org
- Withdraw FULL_PUBLIC score display consent at any time without affecting prior processing. Change in account settings. Contact: Account settings
- Trust Score is deterministic. You have the right to human review through Stage 2 jury and Stage 3 expert appeal. Contact: tip@theailab.org
10.2 Scope and Limitations of the Erasure Right
- What erasure does: removes personal data from API responses; writes a HISTORY_ERASED transaction to the DAG (no personal data); deletes email, session data, and Trust Score event history from off-chain storage within 30 days; resets displayed score to TIER_ONLY.
- What erasure cannot do: delete your TIP-ID transaction, CTIDs, or adjudication outcomes from the DAG ledger. Content provenance records are exempt under Art. 17(3)(b) as necessary for the public interest in content authenticity.
10.3 CCPA Rights (California Residents)
California residents may exercise the following rights under CCPA and CPRA: right to know; right to delete (subject to DAG limitations); right to correct; right to opt-out of sale or sharing (we do not sell or share personal data); and right to non-discrimination. Submit CCPA requests to tip@theailab.org with subject line "CCPA Request."
10.4 Biometric Privacy Rights (Illinois, Texas, and Other States)
Illinois residents: BIPA applies. Texas residents: CUBI applies. We collect biometric data with your express informed consent during registration. We do not sell biometric data. Biometric hash data is deleted by the VP within 72 hours. Contact dpo@theailab.org for biometric privacy requests.
11. Security Measures
- Post-Quantum Crypto: ML-DSA-65 (FIPS 204), SLH-DSA-128s (FIPS 205), ML-KEM-768 (FIPS 203), SHAKE-256 (FIPS 202)
- Hardware Security Enclaves: Private keys in Apple Secure Enclave, Android StrongBox, or Windows TPM 2.0 - never exported
- Zero-Knowledge Dedup: Peppered ZK proofs prevent re-identification even by a nation-state adversary with government ID databases
- AES-256 at Rest: All off-chain personal data encrypted at rest. All data in transit uses TLS 1.3 or higher
- Access Controls: Least-privilege access with comprehensive audit logging. Personal data accessible only to authorized personnel
- Breach Response: Supervisory authority and user notification within 72 hours of a high-risk breach per GDPR Art. 33 and 34
In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you and the applicable supervisory authority within 72 hours, as required by GDPR Articles 33 and 34.
12. Children's Privacy
The Services are not directed to persons under 18. We do not knowingly collect personal data from minors. If we become aware that a TIP-ID has been registered by a person under 18, we will immediately suspend that TIP-ID and delete all associated personal data. Contact dpo@theailab.org if you believe a minor has provided personal data to us.
13. Cookies and Tracking Technologies
We use a single session authentication cookie: secure, HttpOnly, SameSite=Strict, expiring at session end or after 24 hours of inactivity. Contains only an opaque session identifier.
What we do not use
We do not use advertising cookies, cross-site tracking cookies, individual-identifying analytics cookies, third-party tracking pixels, browser fingerprinting, or any persistent tracking technology beyond the single session cookie above. The TIP browser extension reads only TIP protocol HTTP headers embedded by websites. It does not record or transmit browsing history or page content.
14. Third-Party Links and TIPCL-1.0 Integrations
This Policy does not apply to third-party websites. TIPCL-1.0 licensees integrating TIP Protocol are independent data controllers responsible for their own privacy practices and for complying with TIPCL-1.0 use-scope restrictions (Section 6.1). The Company is not responsible for the privacy practices of third-party implementations.
To verify that a TIP Protocol integration is an official TIPCL-1.0 licensed implementation, check for: (a) the required attribution text in the footer, About, or Help page; (b) the X-Powered-By: TIP-Protocol/theailab.org header in API responses; and (c) a valid TIP Powered Mark badge linking to theailab.org/tip. Implementations lacking these indicators may not be officially licensed. Report suspect implementations to licensing@theailab.org or security@theailab.org.
15. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email to your registered address and by prominent notice on theailab.org at least 30 days before the effective date. Prior versions are archived at theailab.org/privacy/archive. Continued use after the effective date constitutes acknowledgment of the updated Policy.
16. Right to Lodge a Complaint
If you are in the European Economic Area, you have the right to complain to the supervisory authority in your EU member state (list at edpb.europa.eu). If you are in the United Kingdom, contact the Information Commissioner's Office (ico.org.uk). We encourage you to contact dpo@theailab.org first so we can address your concerns directly.
17. Governing Law and Arbitration UPDATED v1.1
This Privacy Policy is governed by the laws of the State of Delaware, United States of America, except where mandatory provisions of applicable data protection law in your jurisdiction provide greater protections.
For any dispute under this Policy that cannot be resolved by contacting dpo@theailab.org, the parties agree to binding arbitration administered by JAMS in Wilmington, Delaware, consistent with TIPCL-1.0 governing terms. This arbitration provision does not limit your right to make a complaint to a supervisory authority under GDPR, which is a separate and independent right.
Correction from v1.0
Version 1.0 of this Policy incorrectly referenced the American Arbitration Association (AAA). The correct arbitration forum, as specified in TIPCL-1.0, is JAMS (Judicial Arbitration and Mediation Services), Wilmington, Delaware. This correction aligns the Privacy Policy with the Terms of Service and TIPCL-1.0.