Privacy Statement
This Privacy Statement explains what information we collect when you
visit the licensefoundry.com website (the "Site"), how
we use it, and your rights. The Site is operated by
READ BV, a company registered in The Netherlands (KVK 73642673)
("we", "us", or "licensefoundry").
This Statement covers the marketing Site and the public
verification endpoints exposed by the licensefoundry service
(the /.well-known/* and /v1/status-lists/*
URLs at sandbox.licensefoundry.com and, in production,
api.licensefoundry.com). Privacy practices for
authenticated use of the service itself (accessed via
app.licensefoundry.com) are governed by the online
service terms for self-serve accounts — free compliance scoring, the
sandbox, pay-as-you-go, and standard plans — and by a separate Data
Processing Addendum ("DPA") for Enterprise and other customers under a
signed Master Services Agreement.
1. What we collect
The Site is intentionally minimal in data collection. We collect:
- Server access logs. IP address, browser user agent, timestamp, and URLs requested. Collected automatically when you visit any page. Used to detect abuse, diagnose technical issues, and produce aggregate traffic statistics. Retained for 30 days, then deleted.
-
Email content if you contact us. If you send a
message to any address at
licensefoundry.com, we receive your email address and the contents of your message. Used to respond to your inquiry and to maintain our commercial conversations with you. Retained for as long as we maintain active discussions, or 36 months from last contact, whichever is shorter.
We do not collect any other personal data on the marketing Site.
2. What we don't collect
To be specific about what we are not doing:
- No analytics tracking. No Google Analytics, Mixpanel, Amplitude, Segment, Plausible, or equivalent. The Site loads no tracking pixels.
- No advertising tags. No Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking, or equivalent.
- No persistent fingerprinting. No device-fingerprint collection beyond standard server logs.
- No third-party cookies. See "Cookies" below.
- No session recording. No Hotjar, FullStory, LogRocket, or equivalent.
3. Cookies
The Site does not use cookies for tracking, advertising, or analytics purposes. Cookies that may be set by the underlying content delivery network (Cloudflare) for security, abuse prevention, and basic site operation are described in Cloudflare's privacy documentation: cloudflare.com/privacypolicy.
4. Service providers
We use the following third-party services to operate the Site:
- Cloudflare — DNS, content delivery, TLS, and basic security. Cloudflare may process IP addresses and request metadata for security purposes.
- GitHub — source code hosting (does not handle visitor data directly).
-
Email provider — when you email us, your message
is delivered through the email provider associated with the
licensefoundry.comdomain [provider name, e.g. "Cloudflare Email Routing forwarding to Google Workspace"].
Each of these providers operates under its own privacy policy.
5. Public verification endpoints
The licensefoundry service exposes a small set of public endpoints
at sandbox.licensefoundry.com (and, in production,
api.licensefoundry.com) that are part of the W3C
Verifiable Credentials offline-verification protocol. Specifically:
/.well-known/jwks.json— the public JSON Web Key Set used to verify credentials we issued/.well-known/did.json— the DID document describing our issuer identity/v1/status-lists/<period>/<environment>— Bitstring Status List v1.0 credentials that record which of our credentials have been revoked
Any software that verifies a credential we issued necessarily fetches one or more of these URLs — this is how the cryptographic verification works in offline mode. We do not require, or accept, an API key on these endpoints.
When a request reaches one of these endpoints, we log:
- The IP address the request came from
- The
User-Agentheader — your software's self-identification string - The
If-None-Matchheader — your cache state for the resource - The request URL — which of the above endpoints you fetched, and for status lists, which period and environment
We do not log request body content (these are GET requests with empty bodies). We use this data to:
- Operate the service — rate limiting, abuse detection, capacity planning
- Understand aggregate usage patterns — how the verifier surface is used over time, peak times, geographic distribution at the network-operator level
- Identify which organisations are verifying credentials issued under our DID — so we can reach out to those organisations about commercial relationships. Verification activity on our infrastructure is the primary way we discover who consumes the credentials we serve, and this is an explicit purpose of the logging
Raw IP addresses captured by these logs are retained for 60 days. Beyond that we keep only organisation-level aggregates (e.g. autonomous-system identifiers like "AS49678" rather than the underlying IPs).
6. Your rights
Depending on where you are located, applicable data protection law (including the EU General Data Protection Regulation ["GDPR"], the UK Data Protection Act 2018, and the California Consumer Privacy Act ["CCPA"] as amended) gives you rights regarding personal data we hold about you, including:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data
- Objection — object to certain processing
- Portability — receive your data in a structured, machine-readable format
- Complaint — lodge a complaint with a supervisory authority
To exercise any of these rights, contact info@licensefoundry.com. We will respond within the timeframe required by applicable law (typically 30 days under GDPR).
7. International data transfers
We are based in The Netherlands. If you contact us from outside that jurisdiction, your message will be transferred to and processed in The Netherlands. Where applicable, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses, or the UK International Data Transfer Addendum) for such transfers.
8. Data retention
- Server access logs (marketing Site): 30 days
- Verification-endpoint logs (API): raw IP addresses 60 days; organisation-level aggregates thereafter
- Email correspondence: up to 36 months from last contact, or as required by applicable law
- We do not maintain marketing databases of Site visitors who have not contacted us
9. Children
The Site is intended for business audiences. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently received such data, please contact us and we will delete it.
10. Changes to this Statement
We may update this Privacy Statement from time to time. Material changes will be reflected in the "Last updated" date at the top of this page. Continued use of the Site after changes constitutes acceptance of the updated Statement.
11. Contact
Privacy questions can be sent to info@licensefoundry.com.
Self-serve accounts — the sandbox, pay-as-you-go, and standard plans — operate under the online service terms and need no separate agreement. For Enterprise and other commercial customers under a signed Master Services Agreement, the Data Processing Addendum forms part of that agreement. Contact your account manager (or info@licensefoundry.com) for the current DPA.