Stellar ZK Login

Privacy Policy

Last updated: March 3, 2026

Stellar ZK Login is an open-source educational demo of zero-knowledge social authentication on the Stellar blockchain. This policy explains how data is handled when you use the demo at stellar-zklogin-demo.pages.dev.

What We Collect

Google Sign-In

When you sign in with Google, the demo receives your email address, user ID (sub), and email verification status from Google’s OAuth service. These values are used only to compute a one-way identity hash:

identityHash = SHA-256("gmail:{email}:{sub}:verified:{emailVerified}")

The identity hash is a cryptographic digest. Your email address and user ID cannot be recovered from the hash. The raw email and user ID are processed in memory during the request and are never stored on any server or database.

Passkey Authentication

If you use passkey authentication, a WebAuthn credential is created in your browser. The credential ID is hashed to produce an identity anchor. No personal information is collected or transmitted.

ZK Proofs

Groth16 proofs are generated entirely in your browser. Private witness data (identity hash, blinding factor, nullifier secret) never leaves your device. Only the proof and public signals (commitment, nullifier hash) are submitted for verification.

Wallet

Stellar keypairs are generated and stored in your browser’s localStorage. Secret keys are never transmitted to any server. The demo operates on Stellar Testnet only — no real assets are involved.

What We Do NOT Collect

  • No cookies (no session cookies, no tracking cookies)
  • No analytics or tracking scripts
  • No advertising identifiers
  • No IP address logging
  • No persistent storage of personal data

Data Processing

All server-side processing runs on Cloudflare Workers — a stateless, edge-compute platform. Requests are processed in memory and discarded. There is no database, no log retention, and no data replication.

Third-Party Services

  • Google Identity Services — OAuth token issuance. See Google’s Privacy Policy.
  • Cloudflare Pages — Hosting and edge compute. See Cloudflare’s Privacy Policy.
  • Stellar Testnet — Blockchain transactions (testnet only, no real value).

Open Source

This entire application is open source under the Apache 2.0 license. You can inspect exactly how data is processed: github.com/nobak-net/stellar-zklogin.

Children’s Privacy

This demo is an educational developer tool. It is not directed at children under 13 and does not knowingly collect data from children.

Changes

This policy may be updated as the demo evolves. Changes will be reflected on this page with an updated date.

Contact

Questions or concerns? Open an issue on GitHub.

Source · Circuit: identity_attestation (2,295 constraints) · Curve: BN254 · Protocol: Groth16 · Network: Soroban Testnet
