Privacy and Security
Localcredit is built with privacy as a core, non-negotiable foundation. We believe your financial reputation should benefit you without exposing you to surveillance, data breaches, or monetization by third parties. The app is also designed with robust security measures to protect your access and interactions, ensuring a safe experience from onboarding to daily use.
We Follow Strict Data Minimization
Localcredit never collects, stores, or processes unnecessary personal information.
No personal data storage: We do not maintain centralized databases of names, addresses, emails, phone numbers, ID documents, or full credit reports.
Ephemeral processing only: Any sensitive data (e.g., ID uploads during optional KYC, OAuth tokens for X or traditional credit) is processed temporarily in memory, used solely to generate a cryptographic proof, and then permanently discarded.
No raw transaction history stored: On-chain activity is read directly from public blockchains or trusted oracles when needed for scoring without copying or archiving your full wallet history.
All verifications and signals are converted into zero-knowledge proofs (ZKPs) using industry-standard circuits (Groth16).
You prove attributes without revealing underlying details. Examples:
"My phone number is verified" (without showing the number)
"My FICO score is ≥ 700" (without sharing the exact score or report)
"I own this X account and it is older than 2 years" (without exposing the handle publicly)
"I passed full KYC/AML checks" (without sharing documents or results)
These proofs are small cryptographic commitments stored on-chain and linked to your abstract identity.
No one, not Localcredit, lenders, or observers, can reverse-engineer the original data from the proof.
We store only the minimum required for the protocol to function:
Hashes and ZK proof commitments on-chain (publicly verifiable but meaningless without the private inputs)
Anonymous scoring metadata (e.g., normalized signal values used in the formula)
Your opt-in preferences (e.g., which offers to show)
No personally identifiable information (PII) is ever persisted.
Third-Party Integrations Are Privacy-First
We partner only with providers that support limited, read-only scopes and data minimization.
Traditional credit connections use official OAuth flows with restricted summary access.
KYC/AML providers process documents ephemerally and return only boolean ZK attestations.
X/Twitter verification uses OAuth and optional limited post sampling for VADER sentiment (anonymized, never stored).
You always control what is shared and can revoke any connection instantly from your Profile settings.
App Security Measures
The Localcredit Mini App prioritizes security to prevent unauthorized access, phishing, or other issues. All interactions are secured end-to-end.
Wallet-Based Authentication: Primary login is via your TON wallet signature (no passwords stored). This eliminates traditional account hacks.
Two-Factor Authentication (2FA): For sensitive actions like adding/removing verifications, staking $CREDIT, or revoking proofs, 2FA is required. It uses wallet-based challenges combined with optional time-based one-time passwords (TOTP) from authenticator apps (e.g., Google Authenticator) or hardware keys.
Encrypted Sessions: All app communications use HTTPS/TLS encryption. Data in transit is protected against interception.
Rate Limiting & Anti-Bot Measures: Limits on API calls and actions per session prevent brute-force attacks or automated abuse.
Session Management: Automatic logout after inactivity; secure token refresh for long sessions without re-authentication.
Phishing Protection: Deep links and redirects are validated; warnings appear for suspicious external links.
Audits & Bug Bounty: All smart contracts and app code undergo independent security audits. An ongoing bug bounty program rewards ethical hackers for reporting vulnerabilities.
Compliance Without Compromise
The architecture is designed to be compatible with major data protection regulations (GDPR, CCPA, etc.) by default:
Because no personal data is processed on an ongoing basis, the compliance burden is minimal
Users retain full control and can request proof deletion at any time
Localcredit proves that strong privacy and powerful credit scoring can coexist. You build reputation on your terms without surrendering your personal information.
If you have questions about a specific verification flow or want to review the open-source ZK circuits, everything is publicly available in our repositories.