Privacy Policy

Last updated: 6 June 2026

1. About This Policy

This Privacy Policy describes how Ditto.ID Ltd ("Ditto", "we", "us", "our") collects, uses, and protects personal data when you use the Ditto Authenticate mobile application ("App") available on the Google Play Store and Apple App Store.

Ditto Authenticate is a multi-factor authentication (MFA) application that enables you to verify your identity securely using your mobile device. It may be deployed by your employer, a service provider, or used independently depending on your configuration.

We process your personal data in accordance with the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation 2016/679), the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws worldwide.

This policy covers the Ditto Authenticate mobile app only. For our website privacy practices, see the Ditto Privacy Policy.

2. Data We Collect

2.1 Data You Provide

| Data | Why | Stored Where |
|---|---|---|
| Email address | To identify your account and retrieve the server connection required to start an authentication session | Ditto authentication server |
| Activation code (OTP) | One-time code for first-time device enrolment. Passed to server for verification and immediately discarded — not stored | Not retained |
| Password (optional) | If your configuration enables password authentication. Processed by Ditto ID and transmitted securely — never stored in plain text by the app | Ditto authentication server |

2.2 Data Collected Automatically

| Data | Why | Stored Where |
|---|---|---|
| Device identifier (UUID) | To bind your enrolled device to your account | Ditto authentication server |
| Authentication event data (login timestamps, session activity, device enrolment records) | Security auditing and fraud detection | Ditto authentication server — 90 days |
| Device security posture (system, application, and network threat check results) | To assess whether your device meets security requirements | Per-session only — not retained |
| Connection profile (server hostname, port, relay ID) | To re-establish your session on subsequent launches | On-device only, encrypted |

2.3 Data Accessed by the Ditto ID SDK

The Ditto ID authentication SDK declares and may access the following as part of its security and identity verification processes. This is confirmed by the app's merged Android manifest:

| Data | Purpose | Retained? |
|---|---|---|
| Precise and approximate location (ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION) | Network and device threat detection during session initialisation | No — transient, not stored |
| Phone number and phone state (READ_PHONE_STATE, READ_PHONE_NUMBERS) | SIM-based identity verification and device binding | Only where SIM binding is active in your configuration |
| Network and WiFi state (ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE) | Network threat assessment | No — transient, not stored |
| Bluetooth state (BLUETOOTH) | Device environment threat assessment | No — transient, not stored |

| Data | Status | Detail |
|---|---|---|
| Device contacts | Not collected | The Ditto ID SDK contains code paths that reference the contacts API, however the app does not declare READ_CONTACTS permission. The Android OS enforces this boundary — no contacts data is accessed, read, or transmitted. |
| Text messages (SMS) | Not collected | The Ditto ID SDK contains code paths that reference SMS APIs, however the app does not declare READ_SMS or RECEIVE_SMS permission. The Android OS enforces this boundary — no SMS content is accessed, read, or transmitted. |

2.4 Biometric Data

The App offers biometric authentication (fingerprint, face recognition, or device passcode) via Local Device Authentication. Biometric data is processed entirely by your device's operating system and is never transmitted to or accessed by Ditto.

2.5 What We Do Not Collect

We do not use third-party analytics SDKs, advertising identifiers, or crash reporting services. We do not collect browsing history, files, calendar data, or microphone input.

3. Why We Collect It

| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Authenticate the user and manage sessions | Email, device UUID, authentication events | Performance of contract (Art. 6(1)(b)) |
| First-time device enrolment | Activation code, phone number (if SIM binding enabled) | Performance of contract (Art. 6(1)(b)) |
| Password-based authentication | Password | Performance of contract (Art. 6(1)(b)) |
| Device security posture and threat detection | Threat check results, precise/approximate location, network state, WiFi state, Bluetooth state | Legitimate interests — security (Art. 6(1)(f)) |
| Fraud prevention and audit logging | Authentication event data | Legitimate interests (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c)) |
| Session re-establishment on relaunch | Connection profile (on-device) | Performance of contract (Art. 6(1)(b)) |

4. App Permissions

| Permission | Purpose | Mandatory? |
|---|---|---|
| Network access | Communicate with Ditto authentication servers over HTTPS | Yes |
| Precise location (ACCESS_FINE_LOCATION) | Network and device threat detection during session initialisation | No — app works without it |
| Approximate location (ACCESS_COARSE_LOCATION) | Network and device threat detection during session initialisation | No — app works without it |
| Phone state and phone number (READ_PHONE_STATE, READ_PHONE_NUMBERS) | SIM-based identity verification and device binding | No — depends on configuration |
| Network state and WiFi state | Threat assessment of network environment | No — transient read only |
| Bluetooth | Device environment threat assessment | No — transient read only |
| Biometric / device credentials | Device-level biometric prompt for Local Device Authentication | No — password fallback available |

You can revoke any permission at any time via your device's privacy or app settings. Revoking a permission may limit certain authentication flows.

5. Third Party Sharing

We do not sell, rent, or trade your personal data.

5.1 Group Companies

We may share data with our parent company and other group companies for internal business administration and consistent service delivery.

5.2 Enterprise Customers

If you use Ditto Authenticate as part of an employer or enterprise deployment, your authentication event data (login timestamps, device enrolment status, session activity) may be accessible to your enterprise administrator for access management and audit purposes. In this case, the enterprise acts as an independent data controller.

5.3 Service Providers

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Ditto ID (authentication SDK) | Core SDK powering authentication, device binding, and threat detection | All authentication flow data | United States |
| Cloud infrastructure provider | Hosting of authentication backend services | Email, device identifiers, session event data | UK / EU / US |

All service providers are bound by data processing agreements and may only process data on our instructions.

5.4 Legal Requirements

We may disclose personal data where required by law, court order, or regulatory authority.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you in advance.

6. Data Retention

| Data | Retention Period | Reason |
|---|---|---|
| Email address | Duration of enrolment + 30 days after de-enrolment | Service delivery; post-removal recovery window |
| Device UUID and binding data | Duration of device enrolment | Authentication credential binding |
| Activation code (OTP) | Not retained — discarded after verification | Single-use |
| Password | Until changed or account deleted | Authentication credential |
| Authentication / session event logs | 90 days (or as required by enterprise policy) | Security audit, fraud detection |
| Device threat check results | Per-session only — not retained | Security posture assessment |
| Location, phone state, network/WiFi/Bluetooth state (SDK access) | Not retained — transient use only | Threat detection and device verification |
| Connection profile (on-device) | Until device de-enrolled or app uninstalled | Session re-establishment |

7. International Transfers

Ditto.ID Ltd is based in the United Kingdom. Some service providers are located in the United States. Where we transfer personal data outside the UK or EEA, we rely on:

You may request details of these safeguards by contacting us at privacy@ditto.id.

8. Your Rights

Regardless of your location, you have the following rights in relation to your personal data:

8.1 Right to Access

You may request a copy of the personal data we hold about you, the categories of data, its sources, and how it is used.

8.2 Right to Delete

You may request deletion of your personal data. Some exceptions apply (e.g. where retention is required by law or for fraud prevention). To remove your enrolled device, go to Device List → select device → Delete within the app, or contact us directly.

8.3 Right to Correct

You may request correction of inaccurate or incomplete personal data we hold about you.

8.4 Right to Data Portability

Where processing is based on your consent or a contract and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.

8.5 Right to Object

You may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

8.6 Right to Restrict Processing

You may request that we restrict processing of your data while a dispute is being resolved.

8.7 We Do Not Sell Your Data

We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioural advertising. You therefore have no need to opt out of data sales — but you have the right to know this, and we confirm it here explicitly.

8.8 Right to Know Whether Data Is Shared

We share data only as described in Section 5. You have the right to know the categories of third parties with whom we share data and for what purpose. You may contact us at any time to request this information.

8.9 How to Exercise Your Rights

Email privacy@ditto.id. We will respond within one calendar month. We may ask you to verify your identity before processing your request.

8.10 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes applicable law. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. EEA residents may contact their local supervisory authority.

9. GDPR — EU & UK Users

If you are located in the European Union or United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) applies to our processing of your personal data. Our lawful bases for processing are set out in Section 3. You have the rights described in Section 8, including the right to access, rectify, erase, restrict, port, and object to processing, and the right to lodge a complaint with your local supervisory authority.

For GDPR-related enquiries, contact us at privacy@ditto.id.

10. CCPA — California Users

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you additional rights:

To exercise these rights, contact us at privacy@ditto.id. You may designate an authorised agent to make requests on your behalf.

11. VCDPA — Virginia Users

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) gives you the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of the sale of personal data or its use for targeted advertising. We do not sell personal data or use it for targeted advertising. To exercise your rights, contact privacy@ditto.id. If we decline your request, you may appeal by contacting us and we will respond within the timeframe required by applicable law.

12. LGPD — Brazil Users

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018) applies. You have the right to confirm whether we process your data, access it, correct it, anonymise or delete it, request portability, and be informed about third parties with whom we share data. Our legal bases for processing are described in Section 3. To exercise your rights, contact privacy@ditto.id.

13. Children's Privacy

Ditto Authenticate is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us immediately at privacy@ditto.id and we will delete it promptly.

14. Security

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users directly.

15. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you via an in-app notice prior to the change taking effect and update the "Last Updated" date above. Continued use of the App after changes take effect constitutes acknowledgement of the updated policy.

16. Contact Us

| Role | Details |
|---|---|
| Data Controller | Ditto.ID Ltd, Company No. 16781449; 186 Shoreditch High Street, London, E1 6HU, United Kingdom; privacy@ditto.id |