This Privacy Policy describes how co-mission LLC ("shyware") processes personal data in connection with the shyware SDK, hosted services, and related infrastructure. shyware acts as a data processor for customer controllers deploying the SDK, and as a data controller only for limited operational data (support, billing, security logs).
The shyware protocol writes every submission as two permanently disjoint canonical records:
No join key between List 1 and List 2 is ever written to the canonical ledger. Anonymity is a structural property of the write path, not a policy applied on top of it. This is verified by 208 passing test assertions across 13 deployment embodiments.
| Category | What is held | Where |
|---|---|---|
| Direction-free submission IDs | List 1 canonical records — no identity, no direction | Canonical ledger (public) |
| Pseudonymous identity hashes | List 2 canonical records — no payload or direction | Canonical ledger (public) |
| Off-chain linkage data | Per-participant receipts under access control | Reconciling authority data store |
| Account credentials | Username, session token, account sub claim | Account authentication provider |
| Biometric attestation | Enrollment and attestation records (if IDV configured) | Identity verification provider |
| Operational logs | Access logs, security events, support interactions | Infrastructure providers |

shyware uses the following sub-processor categories. Named providers and DPA schedules are published at /legal/privacy/dpia/dpa/.

| Role | Schedule |
|---|---|
| Authentication Provider | /legal/privacy/dpia/dpa/schedule-auth |
| Identity Verification | /legal/privacy/dpia/dpa/schedule-verification |
| Compute and Signing | /legal/privacy/dpia/dpa/schedule-compute |
| Off-chain Linkage Database | /legal/privacy/dpia/dpa/schedule-database |
| Device Attestation | /legal/privacy/dpia/dpa/schedule-attestation |
| Token Issuer (shywire-v1 only) | /legal/privacy/dpia/dpa/schedule-token |
| EHR / FHIR Health Records | /legal/privacy/dpia/dpa/schedule-health |

Data subjects exercise rights (Art. 15–22 GDPR) by contacting the customer controller who deployed shyware. shyware assists controllers as described in the Data Processing Agreement. For shyware's own controller processing: privacy@shyware.fyi.
A full Data Protection Impact Assessment package, Stack 4 test evidence (213/213 assertions), and compliance documentation are at /legal/privacy/dpia/.
Material changes are published at least 30 days before taking effect. Controllers with an active DPA are notified directly.