This Privacy Policy describes how co-mission LLC ("shyware") processes personal data in connection with the shyware SDK, hosted services, and related infrastructure. shyware acts as a data processor for customer controllers deploying the SDK, and as a data controller only for limited operational data (support, billing, security logs).
The Structural Anonymity Guarantee
The shyware protocol writes every submission as two permanently disjoint canonical records:
- List 1 — a direction-free submission identifier. No participant identity.
- List 2 — a pseudonymous participant identity hash. No submission payload or direction.
No join key between List 1 and List 2 is ever written to the canonical ledger. Anonymity is a structural property of the write path, not a policy applied on top of it. This is verified by 208 passing test assertions across 13 deployment embodiments.
What Data shyware Processes
| Category | What is held | Where |
|---|---|---|
| Direction-free submission IDs | List 1 canonical records — no identity, no direction | Canonical ledger (public) |
| Pseudonymous identity hashes | List 2 canonical records — no payload or direction | Canonical ledger (public) |
| Off-chain linkage data | Per-participant receipts under access control | Reconciling authority data store |
| Account credentials | Username, session token, account sub claim | Account authentication provider |
| Biometric attestation | Enrollment and attestation records (if IDV configured) | Identity verification provider |
| Operational logs | Access logs, security events, support interactions | Infrastructure providers |
Sub-processors
shyware uses the following sub-processor categories. Named providers and DPA schedules are published at /legal/privacy/dpia/dpa/.
| Role | Schedule |
|---|---|
| Identity Verification | /legal/privacy/dpia/dpa/schedule-verification |
| Compute and Signing | /legal/privacy/dpia/dpa/schedule-compute |
| Off-chain Linkage Database | /legal/privacy/dpia/dpa/schedule-database |
| Token Issuer (shywire-v1 only) | /legal/privacy/dpia/dpa/schedule-token |
Data Subject Rights
Data subjects exercise rights (Art. 15–22 GDPR) by contacting the customer controller who deployed shyware. shyware assists controllers as described in the Data Processing Agreement. For shyware's own controller processing, contact privacy@shyware.fyi.
DPIA and Compliance
A full Data Protection Impact Assessment package, Stack 4 test evidence (208/208 assertions), and compliance documentation are at /legal/privacy/dpia/.
Changes
Material changes are published at least 30 days before taking effect. Controllers with an active DPA are notified directly.