Privacy Policy
Last updated: February 23, 2026
1. Introduction
EguWallet ("we", "us", "our") is an EU Digital Identity Wallet application developed by IT Eguilde SRL, compliant with the European Digital Identity framework (eIDAS 2.0, Regulation (EU) 2024/1183). This Privacy Policy explains how we access, collect, use, share, and protect your personal data when you use the EguWallet mobile application ("the App") available on Google Play.
By installing and using the App, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
IT Eguilde SRL
B-dul Pache Protopopescu nr. 89, Sector 2, Bucharest, Romania
Privacy Contact: privacy@eguwallet.eu
If you have questions, concerns, or requests regarding your personal data, you may contact us at the email address above. We will respond within 30 days.
3. Data We Collect
3.1 Account Registration Data
- Phone number — for SMS verification during registration
- Email address — for email verification during registration
- First name, last name — for identity association with your wallet instance
- Selfie photo — for liveness verification and identity matching
3.2 Device Information
- Device identifier (Android ID) — pseudonymous identifier binding wallet to your device
- Device model and manufacturer — to assess hardware security capabilities
- Android OS version and security patch level — to verify eIDAS 2.0 security requirements
- Hardware security capabilities — TEE, StrongBox, biometric sensor availability
- Biometric enrollment status — whether biometric auth is configured (we never access biometric data itself)
3.3 Camera (android.permission.CAMERA)
- QR code scanning — to read credential offers and verification requests
- Identity document scanning — to capture your national ID card or passport for PID issuance
- Selfie and liveness verification — to confirm you are a real person
- MRZ reading — to extract data from your identity document using on-device text recognition
On-device processing: All camera images are processed locally using Google ML Kit. Raw images are not uploaded unless you explicitly initiate PID issuance.
3.4 Bluetooth (BLE) and NFC
Used for offline credential presentation per ISO 18013-5. Activated only when you explicitly choose proximity mode. No location data is derived.
3.5 Digital Credentials
Credentials are stored encrypted in the Android hardware-backed keystore (TEE/StrongBox). We do not have access to your credential contents. Only fields you explicitly approve are shared via selective disclosure.
3.6 Push Notifications
Firebase Cloud Messaging (FCM) tokens are stored to deliver wallet notifications. You can disable notifications in Android system settings at any time.
4. How We Use Your Data
- Registration: phone and email used solely for identity verification during wallet setup
- Wallet attestation: device information used to assess eIDAS 2.0 security requirements (LoA High)
- Credential issuance: identity data transmitted to PID Provider at your request
- Credential presentation: only approved fields shared (selective disclosure)
- Compliance: eIDAS 2.0 mandatory audit records maintained without personal data in logs
5. Third-Party Services
The App integrates: Google Play Integrity API (anonymous device check), Google ML Kit (on-device only), Firebase Cloud Messaging (notification delivery), and EU EUDI libraries (device-to-device, no external transmission). Each operates under its own privacy policy.
6. Data Storage and Security
- Cryptographic keys stored in Android hardware-backed keystore — never leave secure hardware
- Credentials encrypted at rest with hardware-backed keys
- Local app data encrypted with AES-256-GCM
- All network communication uses TLS 1.3
- Server-side data stored exclusively in the EU (Romania)
7. Data Sharing
We do not sell, rent, or trade your personal data. Data is shared only: with verifiers you approve (selective disclosure), with credential issuers at your request, with Google Play Integrity API (anonymous), with Firebase for push notifications, and as required by law. We do not share data with advertisers or data brokers.
8. Your Rights (GDPR)
Under GDPR (EU) 2016/679, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion ("right to be forgotten") — Art. 17
- Restriction — restrict processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — withdraw at any time without affecting prior processing
Contact privacy@eguwallet.eu for GDPR requests. We will respond within 30 days. You may also lodge a complaint with ANSPDCP (Romanian DPA) or your local data protection authority.
9. Account and Data Deletion
You can delete your wallet at any time: in-app (Settings → Delete Wallet) or by emailing privacy@eguwallet.eu. Personal data is removed from our servers within 30 days. eIDAS 2.0 audit records (no personal data) are retained for 7 years as required by regulation.
10. Data Retention
- Wallet attestations: 7 days (auto-renewed)
- Verification codes: 15 minutes
- DPoP nonces: 5 minutes
- eIDAS 2.0 audit logs: 7 years (regulatory, no personal data)
- Account data: until wallet deletion
11. Children's Privacy
EguWallet is not intended for use by children under 16. We do not knowingly collect personal data from children under 16. Contact privacy@eguwallet.eu if you believe a child has provided personal data.
12. International Data Transfers
Your personal data is processed and stored exclusively within the EU (Romania). We do not transfer personal data outside the EU/EEA.
13. Legal Basis for Processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)) — camera access, biometric authentication, push notifications
- Performance of a contract (Art. 6(1)(b)) — wallet registration, credential issuance and presentation
- Legal obligation (Art. 6(1)(c)) — eIDAS 2.0 mandatory audit records
- Legitimate interest (Art. 6(1)(f)) — device security assessment, fraud prevention
14. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted with an updated revision date. Material changes will be communicated through the App or by email.
15. Website eguwallet.eu — No Tracking
The eguwallet.eu website uses no cookies, no tracking scripts, and collects no personal data from visitors. There are no advertisements and no third-party marketing data sharing of any kind.
The web server automatically records standard access logs (IP address, page visited, date and time, browser type) solely for security and technical diagnostics. These logs are retained for a maximum of 30 days and are never used for user profiling.
EguWallet believes in privacy by design. Our product is a digital identity wallet — if we did not respect our own privacy principles, our offering would have no credibility.
16. Contact Us
IT Eguilde SRL
B-dul Pache Protopopescu nr. 89, Sector 2, Bucharest, Romania
Email: privacy@eguwallet.eu