Privacy Notice

Version 4.7


Table of Contents

Tools for Humanity Privacy Notice
Thank you for choosing to be part of the Worldcoin Community! Worldcoin is an open-source protocol, supported by a global community of developers, individuals, and other contributors.
This Privacy Notice covers the data you provide to us through your use of our websites, applications (“App”), and other services linked to this Privacy Notice (collectively, the “Services”). This Privacy Notice is incorporated into and governed by the User Terms and Conditions (“User Terms”). Tools for Humanity Corporation (“TFH US”), along with its German subsidiary Tools for Humanity GmbH (“TFH Germany”; together, “TFH” or “we,” “us”), is contributing to the initial development and growth of the Worldcoin protocol (“Worldcoin”).
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, does not presently apply to us.
  1. Controllers
We are the data controller of all “App Data”: Tools for Humanity Corporation, 548 Market Street, PMB 49951, San Francisco, CA 94104 USA.
“App Data” means all personal data collected and processed through your use of the World App, as defined further in Section 5 below, except any personal data related to your use of the Worldcoin protocol or the Worldcoin tokens (such as your wallet address and the transactional data, which we do not collect).
  1. Updates to this Privacy Notice
We update this Privacy Notice sometimes. If we make major changes, such as how we use your personal information, then we'll let you know via an email or a message in your App.
  1. What is in this Privacy Notice?
  • Our commitment to protecting your privacy and data
  • Information we collect and why
  • How we use the data we collect
  • Where we process your data
  • When we share your data
  • How your data is recorded on public blockchain
  • How we use cookies
  • How long we keep your data
  • How this Privacy Notice differs for children and teens
  • The statutory rights you have under GDPR
  • How to contact us about this Privacy Notice
  1. Our Commitment to Protecting your Privacy and Data
We are deeply committed to protecting your privacy and securing your data. We recognize that we can only fulfill our mission of distributing our digital tokens fairly to as many people as possible if people trust us, and privacy and data security are central to earning your trust.
We have designed our products and services with your privacy in mind. We collect data to improve our product and services. We will always tell you, here in this Privacy Notice or in data consent forms for specific products or services, what data we are collecting, why we are collecting that data, and what we do with it.
Data Security
We have a dedicated team to look after your data and have implemented physical and electronic safeguards that protect your data both in transit and at rest. At the same time, no service can be completely secure. If you have any concerns about your account or your data, please contact us through our Request Portal or write to us at Tools For Humanity Corporation, 548 Market Street, PMB 49951, San Francisco, CA 94104 USA.
  1. Information We Collect and Why
5.1 Data You Provide To Us
As a user, you are not required to provide any data to access the App. However, you may need to provide us with certain data in order to use a feature within the Services. The legal grounds for processing in the cases below are the user’s consent and the performance of a contract (our commitment to provide the Services). Below is a list of data that you may provide and what we may use the data for:
  • First and last name. You may choose to enter your name to associate it with your account. We and other users may see your name when they choose to interact with your account. We may require your name when you submit a data subject request. The legal basis for processing this data is performance of the Service under the User Terms.
  • Email address. You may choose to enter your email to associate it with your account. You may also provide your email to subscribe to our mailing list to stay up-to-date with the Worldcoin project. We may require your email when you submit a data subject request. The legal basis for processing this data is performance of the Service under the User Terms.
  • Phone number. You may choose to enter your phone number to associate it with your account. With your permission, other users may be able to find your account through your phone number. We may require a phone number when you submit a data subject request.The legal basis for processing this data is performance of the Service under the User Terms.
  • Feedback and correspondence from you. These include any emails, chat messages, or other communications that you send us via email or third-party social media websites. We may use a third-party service provider to facilitate surveys about your use of our Services. The legal basis for processing this data is performance of the Service under the User Terms.
  • Address book contacts. You may provide the App with access to your address book to enable the feature that makes it easy for you to find and interact with other users who may be in your address book. The address book information remains on your device. The legal basis for processing this data is the legitimate interest of the subject to be found within the App and the interest of the sharing user to find her contacts in the App.
Please note: You are responsible for ensuring that sharing your contacts’ information complies
with applicable laws. This may require that you obtain your contacts’ permission. You can change
your mind and turn off our access to your contacts at any time in your device settings. If you elect to import your device’s address book contacts to the App to find out which of your contacts uses our Services or invite them to join you in using our Services, we will periodically sync your contacts’ phone numbers to those numbers and corresponding wallet addresses provided by other users on our servers.
  • Location information. You may decide to enable a location-based service (such as a feature allowing you to find an Orb Operator near you). We may collect information about your location through GPS, IP address, cell tower information, or Wi-Fi access point information. The type of location data collected depends on the service you are using, the device you're using (for example, Apple or Android), and your device's settings (whether permissions are enabled or disabled). You can change your permissions any time in your device's settings. The legal basis for processing this data is compliance with legal obligations.
  • Enterprise Data. If you have a business relationship with us (such as if you are an Orb Operator or a supplier), then we may require information such as names, mailing address, email, phone number, wallet address, and other documentation (such as your government ID) as part of furthering that business relationship and to satisfy our know-your-customers obligations. We may use third-party services, such as Onfido, to help us collect and review the information and documentation above to satisfy the know-your-customers obligations. The legal basis for processing this data are compliance with legal obligations, namely, know-your customer (KYC) and know-your business (KYB) obligations as required by law.
  • P2P Marketplace. If you use the P2P Marketplace Services (where available) that allow you to purchase digital tokens from other users, then we may collect additional information such as your wallet address, your contact information (i.e. your phone number), and your account number associated with the transaction (such as your M-PESA number). We log the transaction data as part of providing the P2P Marketplace Services. We may also collect additional information to comply with applicable KYC requirements. The legal basis for processing this data is performance of the Services under the User Terms and compliance with legal obligations.
  • Application data. If you want to work for us you have to send us your application that includes your cover letter and CV as well as the personal information you wish to disclose. The legal basis of processing are steps at the request of the data subjects prior to entering into a contract.
5.2 Data We Collect From Third-Party Sources
From time to time, we may obtain information about you from the following third-party sources:
  • Blockchain Data. We may analyze public blockchain data to ensure parties utilizing our Services are not engaged in illegal or prohibited activity under the User Terms, and to analyze transaction trends for research and development purposes. The legal basis for processing this data is compliance with legal obligations.
  • Identity Verification Services. We may obtain information from third-party services using your data to verify your identity if required by law (such as applicable know-your-customer requirements). To clarify, we do not use your biometric data when we verify your identity as required by law. The legal basis for processing this data is compliance with legal obligations.
  • Talent data bases. We may collect data from various sources to make job offers to talented individuals. The legal basis of processing those are legitimate interests. The legitimate interests pursued are our interest to recruit individuals and the individual’s interest to receive job offers that entail an exciting mission and a high compensation.
5.3 Data We Collect Automatically
If permitted under applicable law, we may collect certain types of data automatically when you interact with our Services. This information helps us address customer support issues, improve the performance of the Services, provide you with a streamlined and personalized experience, and secure your Account credentials. Information collected automatically includes:
  • Online Identifiers: Geo-location and tracking details (see above), computer or mobile phone operating system, web browser name and version, and IP addresses. The legal basis for processing this data are compliance with legal obligations (in very limited cases as these data are also fed into our fraud and illicit financial flow detection detection) and performance of contract as we wish to provide a stable and fraud-free experience of our software.
  • Usage Data: Authentication data, security questions, and other data collected via cookies and similar technologies. The legal basis for processing this data is performance of our service under the User Terms.
  • Cookies: small data files stored on your hard drive or in-device memory that help us improve our Services and your experience, see which areas and features of our Services are popular, and count visits. For the legal basis processing those data please refer to our Cookie Policy where we explain the different kinds of cookies we are using.
Similarly, the App gathers information for troubleshooting and improvement. We use third-party services, such as or PostHog, to view aggregated information about end user usage and interactions. Where possible, we take steps to minimize or mask the information sent to third parties (such as encoding the data). The legal basis for processing the above mentioned data is the legitimate interest of operating the App and the website.
5.4 Anonymized and Aggregated Data
Anonymization is a data processing technique that modifies personal data so that it cannot be associated with a specific individual. Examples of anonymized data include:
  • Transaction data
  • Click-stream data
  • Performance metrics
  • Fraud indicators
We also aggregate data, combining large amounts of information together so that it no longer identifies or references an individual.We use anonymized or aggregate data for our business purposes, such as understanding user needs and behaviors, improving our Services, conducting business intelligence and marketing, detecting security threats, and training our algorithms.

The legal basis for processing the above mentioned data is the legitimate interest of a functioning app or website, business insights and fraud prevention.
  1. How We Use the Data We Collect
We must have a valid reason (or “lawful basis for processing”) to use your personal information. In instances when you'd reasonably expect us to use your personal information and our use of that information complies with applicable laws, we don't ask for your express permission.We use your data for the following purposes:
  • To provide and maintain our products and services under the User Terms. These services include:

    • The App where users can manage their World ID and digital tokens as well as learn about cryptocurrency in general and the Worldcoin project in specific;
    • The Operator App where Orb Operators can manage and oversee their Orbs under management and their statistics;
    • The P2P Marketplace where we connect users with agents;
    • The legal basis for all these cases is performance of a contract, namely, the User Terms.
  • To improve and develop our products and services, including to debug and repair errors in our Services. The legal basis of this processing are legitimate interests. The interests pursued are providing a stable and safe experience of our software and hardware.
  • To conduct data science research. The legal basis of this processing are legitimate interests of providing a better user experience, greater support, and more useful features in the Services.
  • To analyze your use of our Services to provide better support. The legal basis of this processing are legitimate interests. The interests pursued are providing better experience of our soft- and hardware;
  • To enable you to publish information on a blockchain to prove your uniqueness. The legal basis of this processing is your explicit consent;
  • To use your wallet address to send you digital tokens we support. The legal basis of this processing is performance of a contract, namely, the User Terms.;
  • To comply with applicable law such as anti-money-laundering law and sanctions. This entails:

    • Using your IP address to block individuals whose country does not allow them to access the Services;
    • To answer data subject requests under the applicable data protection laws like requests for access or deletion;
    • Monitor potentially illicit financial flows e.g. from blacklisted wallets; and
    • The legal basis for this processing data is compliance with legal obligations.
  • To handle your customer service requests, complaints and inquiries. The legal basis for this processing is performance of a contract, namely, the User Terms.
  • To resolve disputes, troubleshooting issues, and enforcing our agreements with you, including this Privacy Notice and the User Terms. The legal basis of this processing is performance of a contract, namely, the User Terms and legitimate interests where the interests pursued are the defense of legal claims; and
  • To contact you regarding updates to the Services.The legal basis of this processing is performance of a contract, namely, the User Terms.
  1. Where We Process Your Data
7.1 Data Transfer.
When you provide us with your data, it may be transferred, stored, or processed in a location outside of where your data was originally collected. The country in which your data is transferred, stored, or processed may not have the same data protection laws as the country in which you initially provided the data.
We adhere to the principles stated in the European Union’s General Data Protection Regulation (GDPR), even when not required. For example, when we work with data processors that operate outside the European Economic Area (EEA), we ensure that they are in compliance with GDPR. We only share data with data processors outside of the EEA if such a transfer is lawful and if we are confident that the data processor will protect your data as required under applicable laws and, further, in accordance with our standards. When transferring data to a country that does not have an adequacy decision, we utilize the EU Standard Contractual Clauses.
7.2 Risks of Transfer
Below is a list of possible risks that may arise if we transfer your data to the United States, the European Union, or another country. Below we also summarize how we mitigate the respective risks.
  • While we do what we can to ensure that our subcontractors are contractually obligated to adequately protect your data, these subcontractors may not be subject to the data privacy law of your country. If the subcontractors were to illegally process your data without authorization, then it may be difficult to assert your privacy rights against that subcontractor. We mitigate this risk as we close strict data processing agreements with our subcontractors that oblige them to protect the data at a GDPR level and fulfill subjects’ requests.
  • It’s possible that the data privacy law in your country is inconsistent with the data privacy laws in the U.S. or in the E.U. We always try to adhere to the highest standard of data protection we are subject to. So far, we found this to be GDPR and are treating all data as if it were governed by GDPR.
  • It may be possible that your data will be subject to governmental access of officials and authorities. In those cases we have committed ourselves to challenge any invalid, overbroad, or unlawful governmental request to access in court. We further use advanced encryption to hinder unauthorized access.
Please note that this list contains examples, but may not include all possible risks to you.
The European Union Commission responsible for making determinations of the adequacy of the Privacy Laws of other jurisdictions in comparison to the GDPR has not yet positively established that the country-specific level of personal data protection in the United States, where part of your data is processed, provides the same level of protection as the Privacy Laws in the European Union.
  1. When We Share Your Data
We will never sell your data.
When we share your data outside of of our organization, we will always:
  • Share it in a reasonably secure way;
  • Take steps to ensure that it is handled in a manner that is consistent with our commitment to your privacy ; and
  • Prohibit other companies from using it for their own purposes.
We do share your data in these limited ways:
  • With Worldcoin Foundation: Data, including your personal information, may be shared with Worldcoin Foundation or a subsequent organization responsible for promoting and furthering the mission of the Worldcoin project.
  • Within our organization: We only disclose data to our team members who require access in order to perform their tasks and duties. We only disclose as much data as is needed to perform specific tasks and duties and have a system of strict access control.
  • With vendors and service providers outside of our organization: We only disclose data to service providers whose services we rely on in order to process the data and provide our Services to you. We only disclose data with identity verification vendors if required by Law (i.e., know-your-customer requirements).
  • The categories of such service providers are:
  • Cloud service providers (all data types)
  • SaaS providers; we use SaaS products in the following categories:

    • Database and infrastructure management
    • Data security
    • Recruiting
    • Communication
    • Surveys
    • KYC/KYB i.e. checking official documents
    • Data subject request management
    • Technical support
    • User support
  • External experts

    • Specialist software developers
    • Legal specialists
    • Tax advisors
  • Banks
  • Labeling service providers (only under special safeguards)
  • Background check services for applicants and Orb Operators
  • With law enforcement, officials, or other third parties: We may disclose your data in order to comply with applicable laws and respond to mandatory legal demands. We will carefully consider each request to determine whether the request complies with the law and, where appropriate, we may challenge invalid, overbroad, or unlawful requests. We may share personal data with police and other government authorities where we reasonably believe it to be necessary to comply with law, regulation or other legal process or obligation.
  • We may share your personal information if we believe that your actions are inconsistent with our User Terms, if we believe that you have violated the law, or if we believe it is necessary to protect our rights, property, and safety, our users, the public, or others.
  • We may share your personal information with our lawyers and other professional advisors where necessary to obtain advice or otherwise protect and manage our business interests.
  • We may share your personal information in connection with, or during negotiations concerning, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
  • Data, including your personal information, may be shared between and among our current and future parents, affiliates, and subsidiaries and other companies under common control and ownership.
  • We may share your personal information with your consent or at your direction.

  1. How Your Data is Recorded on Public Blockchain
Transaction information related to your use of our Services may be recorded on a public blockchain.
Please note: Blockchains are public ledgers of transactions that are maintained on decentralized networks operated by third parties that are not controlled or operated by Worldcoin. Due to the public and immutable nature of blockchain ledgers, we cannot guarantee the ability to amend, erase, or control the disclosure of data that is uploaded and stored on a blockchain
  1. How We Use Cookies
We use cookies to help our Services work better. In addition to cookies, we may use other similar technologies, like web beacons, to track users of our Services. Web beacons (also known as "clear gifs") are tiny graphics with a unique identifier, similar in function to cookies. Our Cookie Policy, incorporated herein by reference.
We also use Google Analytics. More information on how Google uses your data when you use its partners’ websites and applications: By using the Services, you consent to us storing and accessing cookies and other data on your computer or mobile device and the use of Google Analytics in connection with such activities. Please read the information at the link provided so you understand what you are consenting to.
  1. How Long Do We Keep Your Data?
We retain your data for as long as is reasonably necessary to provide our Services to you, serve our legitimate business purposes, and comply with our legal and regulatory obligations. If you close your account with us, we will delete your account data within one month; otherwise we will delete your account data after 2 years of inactivity. If required by law, we will continue to retain your personal data as necessary to comply with our legal and regulatory obligations, including fraud monitoring, detection, and prevention, as well as tax, accounting, and financial reporting obligations.
Please note: Blockchains are decentralized third-party networks that we do not control or operate. Due to the public and immutable nature of blockchain technology, we cannot amend, erase, or control the disclosure of data that is stored on blockchains.
  1. How this Privacy Notice Differs for Children and Teens
Individuals under the age of 18 are not allowed to use the Services, and we do not knowingly collect data from individuals under the age of 18. If you believe that your child under the age of 18 has gained access to the Services without your permission, please request the deletion of their data by contacting us through our Request Portal.
If we learn that we have collected data about a child under age 18, we will delete such data as quickly as possible. We have taken steps like implementing an automated age detection AI-model, instructions to operators and self-confirmations to restrict use of the Services to those who are at least 18 years old. We do not market products or services to children.
  1. The statutory rights under GDPR
This section applies if the processing of your data falls under the GDPR’s scope of application (e.g., if you are a resident of the European Economic Area). You may have additional rights under GDPR as listed below. To exercise your rights available under GDPR, please contact us at our Request Portal.
  • You have the right to obtain from us at any time upon request information about the personal data we process concerning you within the scope of Art. 15 GDPR.
  • You have the right to demand that we immediately correct the personal data concerning you if it is incorrect.
  • You have the right, under the conditions described in Art. 17 GDPR, to demand that we delete the personal data concerning you. These prerequisites provide in particular for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject.
  • You have the right to demand that we restrict processing in accordance with Art. 18 GDPR.
  • You have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 GDPR.
  • You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Article 6 (1) sentence 1 lit. f GDPR, in accordance with Article 21 GDPR.
  • You have the right to contact the competent supervisory authority in the event of complaints about the data processing carried out by the controller. The responsible supervisory authority is: the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutz).
  • If the processing of personal data is based on your consent, you are entitled under Art. 7 GDPR to revoke your consent to the use of your personal data at any time with effect for the future, whereby the revocation is just as easy to declare as the consent itself. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.
  1. How to Contact us About this Privacy Notice
You may choose to delete your data from within the App under the Settings menu. If you have questions or concerns regarding this Privacy Notice, wish to exercise your rights, or to contact our Data Protection Officer (DPO), please submit your request through our Request Portal or write to us at Tools For Humanity Corporation, 548 Market Street, PMB 49951, San Francisco, CA 94104 USA. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can also delete your data from within the App.
If you have an unresolved privacy or data use concern that we have not satisfactorily addressed, please contact the data protection regulator in your jurisdiction. If you reside in the EU, then you can find your data protection regulator here.