Menu

Menu

Menu

Privacy Policy for Hopae Auth

Last updated

Feb 14, 2026

1. Introduction 

At Hopae Inc. (hereinafter referred to as “we,” “us,” or “our”), we are committed to respecting and safeguarding your personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and any related data protection laws.

This Privacy Policy explains how we collect, use, disclose, and otherwise process personal data in connection with Hopae Auth (our “services”), and details your rights and our obligations.

Hopae Auth is an integration that allows applications to support EUDI Wallet–based login by connecting to identity and access management (“IAM”) platforms and services and the relevant EUDI Wallet infrastructure, including authorized intermediaries.

2. Scope 

This Privacy Policy applies to the processing of personal data by us in the context of Hopae Auth when:

2.1 Service Providers (our customers) use Hopae Auth to enable EUDI Wallet–based login and authenticate user credentials in their applications.

2.2 We interact with external authorities or infrastructure (e.g., government eID systems, certificate authorities, EUDI Wallet intermediaries) to confirm the validity of credentials and wallet-based assertions.

2.3 We communicate with Service Providers and, where applicable, end users in the course of delivering our services (for example, to support an authentication or verification flow, provide support, or ensure secure interactions).

This Policy does not replace or limit any privacy notices that our customers (Service Providers) must provide to their own end users.

3. Definitions 

GDPR”: The General Data Protection Regulation, which governs the protection of personal data within the EU.

Personal Data”: Any information related to an identified or identifiable natural person.

Processing”: Any operation performed on personal data, such as collection, storage, use, disclosure, or destruction, whether automated or manual.

Data Subject”: Any individual whose personal data is processed by Hopae Auth.

Data Controller”: The entity that determines the purposes and means of processing personal data.

Data Processor”: The entity that processes personal data on behalf of a controller.

Service Provider”: The entity (for example, an online service, application operator, or organization) that uses Hopae Auth to enable EUDI Wallet–based login or to verify user identities and credentials. As the Data Controller, the Service Provider determines the purpose and means of processing personal data, while we act as a Data Processor for those activities. The Service Provider is responsible for obtaining any necessary user consent and ensuring compliance with data protection laws.

4. Roles and Responsibilities 

We may act in different capacities depending on the context:

  • As a Data Processor, when we process personal data strictly on behalf of Service Providers who use Hopae Auth in their applications. In such cases, the Service Provider acts as the primary Data Controller, and we process personal data under their documented instructions.

  • As a Data Controller, for certain limited data sets, such as our own customer account data, billing information, and service usage data necessary to operate and improve Hopae Auth.

When acting as a Processor, we will enter into a Data Processing Agreement (DPA) with the controller to ensure GDPR compliance, including confidentiality obligations, sub‑processor management, and appropriate data protection measures.

4.1 Data Processor 

When acting as a Data Processor, we process personal data—such as identity attributes, authentication assertions, or cryptographic proofs—solely on behalf of Service Providers, who act as the Data Controllers. This data is processed only for the duration of the authentication or verification session and is securely erased or anonymized once it is no longer needed for that purpose, subject to any limited retention of logs as described in Section 7.

We enter into DPAs with each Service Provider to ensure GDPR compliance. These agreements cover confidentiality, oversight of sub‑processors, and robust safeguards to protect personal data throughout the Hopae Auth login and verification flows.

5. What Personal Data We Process 

The personal data processed by Hopae Auth depends on how each Service Provider configures their integration and which EUDI credentials are involved. We strive to minimize personal data processing and to rely on pseudonymous identifiers wherever possible.

5.1 Identity Data 

Personal data submitted via EUDI Wallet flows may include the following identity attributes, depending on the requirements of the Service Provider and the type of credential:

  • Full name (e.g., given name and family name)

  • Date of birth

  • Place of birth

  • Gender (where provided)

  • Nationality or citizenship

  • Government‑issued identifier (e.g., national ID number, passport number), where explicitly requested

  • Issuing authority (e.g., the government agency or issuer of the credential)

  • Credential or document expiration date (where applicable)

  • Document type (e.g., eID card, passport, driving license)

  • Photograph or digital portrait (for visual identification, if required by the Service Provider)

  • EUDI Wallet identifiers and cryptographic proofs, such as digital signatures or zero‑knowledge proofs used to confirm authenticity and integrity of assertions.

The exact attributes processed will depend on the credential type and the configuration chosen by the Service Provider.

5.2 Technical and Log Data 

To operate and secure Hopae Auth, we may process:

  • System and application logs: IP addresses, HTTP headers, timestamps, session identifiers, and error logs.

  • Authentication and verification audit trails: records linking specific login or verification events, including success/failure outcomes, protocol messages, and relevant identifiers.

5.3 Operational Metadata 

We may process operational metadata such as:

  • Transaction/session metadata: time of the login or credential check, credential or assertion type, IAM platform or service involved, EUDI Wallet usage, and internal validation status within Hopae Auth.

  • Configuration data: information about how a Service Provider has configured their Hopae Auth integration (for example, what attributes they request, which IAM tenant or environment they use).

We limit processing to data that is necessary to perform EUDI Wallet login and related verification services.

6. Purposes and Legal Bases for Processing 

We may process personal data for the following purposes:

6.1 Identity Verification and Authentication 

Purpose:
To validate user credentials, confirm their authenticity, and enable EUDI Wallet–based login to Service Provider applications via IAM platforms and services.

Legal Basis:

  • GDPR Article 6(1)(b) – performance of a contract or pre‑contractual measures, where processing is necessary for the provision of services requested by the data subject (for example, access to an online service that requires EUDI Wallet login); and/or

  • GDPR Article 6(1)(f) – legitimate interests, such as ensuring secure and reliable authentication, preventing fraud, and protecting the integrity of Service Provider systems.

In this context, we typically act as a Data Processor on behalf of the Service Provider.

6.2 Compliance with Legal Obligations 

Purpose:
To comply with obligations under EU or Member State laws, regulatory requirements, or court orders (for example, retention required by law, cooperation with supervisory authorities).

Legal Basis:

  • GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation.

6.3 Service Operation, Security, and Improvement 

Purpose:
To operate, maintain, and improve Hopae Auth, including monitoring performance, debugging issues, enhancing security, and developing new features.

Legal Basis:

  • GDPR Article 6(1)(f) – our legitimate interests in operating a secure, reliable, and improved service for our customers.

Where possible, we use aggregated or anonymized data for analytics and improvement.

6.4 Customer Relationship Management 

Purpose:
To manage relationships with Service Providers, including billing, customer support, service communications, and contract administration.

Legal Basis:

  • GDPR Article 6(1)(b) – performance of a contract with the Service Provider; and

  • GDPR Article 6(1)(f) – legitimate interests in maintaining and growing our business relationships.

7. Retention Periods 

We keep personal data only as long as necessary to fulfill the purposes described above or comply with legal obligations.

  • Verification and authentication data: Processed during the active session and retained only for as long as required to complete the authentication/verification and, where applicable, to support short‑term troubleshooting or audit requirements, unless further retention is mandated by law, contract, or security needs.

  • Log data: Maintained for a reasonable duration (e.g., up to 90 days) for error diagnosis, security monitoring, and audit controls, subject to longer retention where legally required or justified by legitimate security needs.

  • Customer account and contract data: Retained for the duration of the customer relationship and for a subsequent period as necessary to comply with legal obligations (for example, tax and accounting rules) and to manage potential disputes.

Once data is no longer required, we securely delete or anonymize it.

8. Sharing of Personal Data 

We may share personal data with the following categories of recipients, where necessary and subject to appropriate safeguards:

  • External verification entities and EUDI infrastructure: Government eID systems, certification authorities, EUDI Wallet intermediaries, or other trusted parties solely to confirm credential authenticity and perform EUDI Wallet login.

  • IAM platforms, services, and Service Provider applications: IAM services and the Service Provider’s own systems, to deliver identity attributes and assertions required for login and authorization.

  • Sub‑processors: Cloud hosting, infrastructure, logging/monitoring, and other specialized partners bound by strict data protection agreements ensuring GDPR compliance. We use Amazon Web Services (AWS) as a cloud infrastructure provider, which may act as a sub‑processor; we ensure AWS has robust data protection measures in place and that any sub‑processing relationship complies with the GDPR.

  • Corporate affiliates: Entities under Hopae’s control, subject to internal data handling rules offering equivalent protection.

  • Regulatory or law enforcement authorities: Where required by law, legal processes, or to defend our legal rights.

Our sub‑processors are subject to Data Processing Agreements and are only permitted to process personal data as necessary to provide services to us.

We will never sell or rent personal data to third parties.

9. International Data Transfers 

We have implemented measures to ensure that personal data collected within the European Economic Area (EEA) is stored and processed in compliance with EU data protection requirements. Where personal data is transferred outside the EEA, such transfers occur only where necessary (for example, to fulfill contractual obligations or comply with legal requirements) and are governed by appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): Transfers are subject to the European Commission’s SCCs, ensuring enforceable data‑protection obligations on recipients;

  • Supplementary technical and organizational measures: End‑to‑end encryption where appropriate, pseudonymization, strict access controls, and data minimization;

  • Recipient due diligence: Prior to any transfer, we verify that the recipient maintains data‑protection standards at least equivalent to those required under EU law.

10. Data Subject Rights 

Under the GDPR, individuals have the following rights regarding their personal data:

  • Right of access (Article 15): Request information on whether and how we process your personal data, and obtain a copy.

  • Right to rectification (Article 16): Correct inaccuracies or incomplete data.

  • Right to erasure (Article 17): Request deletion of your data, subject to legal or contractual limitations.

  • Right to restrict processing (Article 18): Ask us to limit certain processing under specific circumstances.

  • Right to data portability (Article 20): Obtain your personal data in a structured, commonly used format and transfer it to a third party, where technically feasible.

  • Right to object (Article 21): Object to processing based on legitimate interests.

  • Right not to be subject to automated decision‑making (Article 22): Where applicable, request human review of automated decisions that significantly affect you.

How to Exercise Your Rights 

If you are an end user of a Service Provider that uses Hopae Auth, you should first contact that Service Provider directly, as they are typically the Data Controller. We will cooperate with our customers to respond to data subject requests in accordance with applicable law and contractual obligations.

If you contact us directly, we may need to refer you to the relevant Service Provider or work with them to resolve your request.

We aim to respond to requests within one month, in line with GDPR requirements.

11. Security Measures 

We employ robust security controls to protect personal data, including:

  • Encryption of data in transit (TLS/SSL) and, where appropriate, at rest;

  • Role‑based access controls to ensure only authorized personnel have access to personal data;

  • Network security measures, including firewalls and regular vulnerability assessments;

  • Security policies, procedures, and training for staff to handle personal data responsibly;

  • An incident response plan to detect, investigate, and address data breaches promptly.

Despite our best efforts, no security measure is entirely infallible. We regularly review and update our protections to minimize risks and to align with industry best practices.

12. Automated Decision‑Making 

Hopae Auth may rely on automated checks (for example, cryptographic validation and protocol‑level verification) to evaluate credential integrity and authentication events. However, significant decisions that materially impact individuals (such as granting or denying access to a specific service) are typically made by the Service Provider’s systems and policies.

If you believe you have been subject to an unfair automated decision, you may request human intervention under GDPR Article 22, primarily via the relevant Service Provider.

13. Contact Information 

For inquiries, questions, or requests concerning this Privacy Policy or Hopae Auth, you may reach us at:

Hopae Inc.
Address: 166 Geary St. 15th Floor, San Francisco, CA 94108, United States
Email: dpo@hopae.com
Phone: +82‑70‑8098‑4532
Data Protection Officer (DPO): Eric Kim

You also have the right to lodge a complaint with your local supervisory authority if you believe we have not addressed your data protection concerns appropriately.

14. Changes to This Privacy Policy 

We may update this Policy to reflect changes in our business, services, or legal obligations. Any significant modifications will be posted with a revised “Last Updated” date. We encourage you to review this Policy periodically to remain informed about our data practices.

By using our services, you acknowledge that you have read and understood this Privacy Policy, including how we process and protect your personal data, and that we are committed to upholding the GDPR principles of transparency, fairness, and lawfulness.