Privacy Policy
Last updated: 6 June 2026
1. About This Policy
This Privacy Policy describes how Ditto.ID Ltd ("Ditto", "we", "us", "our") collects, uses, and protects personal data when you use the Ditto Authenticate mobile application ("App") available on the Google Play Store and Apple App Store.
Ditto Authenticate is a multi-factor authentication (MFA) application that enables you to verify your identity securely using your mobile device. It may be deployed by your employer, a service provider, or used independently depending on your configuration.
We process your personal data in accordance with the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation 2016/679), the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws worldwide.
2. Data We Collect
2.1 Data You Provide
| Data | Why | Stored Where |
|---|---|---|
| Email address | To identify your account and retrieve the server connection required to start an authentication session | Ditto authentication server |
| Activation code (OTP) | One-time code for first-time device enrolment. Passed to server for verification and immediately discarded — not stored | Not retained |
| Password (optional) | If your configuration enables password authentication. Processed by Ditto ID and transmitted securely — never stored in plain text by the app | Ditto authentication server |
2.2 Data Collected Automatically
| Data | Why | Stored Where |
|---|---|---|
| Device identifier (UUID) | To bind your enrolled device to your account | Ditto authentication server |
| Authentication event data (login timestamps, session activity, device enrolment records) | Security auditing and fraud detection | Ditto authentication server — 90 days |
| Device security posture (system, application, and network threat check results) | To assess whether your device meets security requirements | Per-session only — not retained |
| Connection profile (server hostname, port, relay ID) | To re-establish your session on subsequent launches | On-device only, encrypted |
2.3 Data Accessed by the Ditto ID SDK
The Ditto ID authentication SDK declares and may access the following as part of its security and identity verification processes. This is confirmed by the app's merged Android manifest:
| Data | Purpose | Retained? |
|---|---|---|
| Precise and approximate location (ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION) | Network and device threat detection during session initialisation | No — transient, not stored |
| Phone number and phone state (READ_PHONE_STATE, READ_PHONE_NUMBERS) | SIM-based identity verification and device binding | Only where SIM binding is active in your configuration |
| Network and WiFi state (ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE) | Network threat assessment | No — transient, not stored |
| Bluetooth state (BLUETOOTH) | Device environment threat assessment | No — transient, not stored |

| Data | Status | Detail |
|---|---|---|
| Device contacts | Not collected | The Ditto ID SDK contains code paths that reference the contacts API; however, the app does not declare the READ_CONTACTS permission. The Android OS enforces this boundary — no contacts data is accessed, read, or transmitted. |
| Text messages (SMS) | Not collected | The Ditto ID SDK contains code paths that reference SMS APIs; however, the app does not declare the READ_SMS or RECEIVE_SMS permission. The Android OS enforces this boundary — no SMS content is accessed, read, or transmitted. |
2.4 Biometric Data
The App offers biometric authentication (fingerprint, face recognition, or device passcode) via Local Device Authentication. Biometric data is processed entirely by your device's operating system and is never transmitted to or accessed by Ditto.
2.5 What We Do Not Collect
We do not use third-party analytics SDKs, advertising identifiers, or crash reporting services. We do not collect browsing history, files, calendar data, or microphone input.
3. Why We Collect It
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Authenticate the user and manage sessions | Email, device UUID, authentication events | Performance of contract (Art. 6(1)(b)) |
| First-time device enrolment | Activation code, phone number (if SIM binding enabled) | Performance of contract (Art. 6(1)(b)) |
| Password-based authentication | Password | Performance of contract (Art. 6(1)(b)) |
| Device security posture and threat detection | Threat check results, precise/approximate location, network state, WiFi state, Bluetooth state | Legitimate interests — security (Art. 6(1)(f)) |
| Fraud prevention and audit logging | Authentication event data | Legitimate interests (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c)) |
| Session re-establishment on relaunch | Connection profile (on-device) | Performance of contract (Art. 6(1)(b)) |
4. App Permissions
| Permission | Purpose | Mandatory? |
|---|---|---|
| Network access | Communicate with Ditto authentication servers over HTTPS | Yes |
| Precise location (ACCESS_FINE_LOCATION) | Network and device threat detection during session initialisation | No — app works without it |
| Approximate location (ACCESS_COARSE_LOCATION) | Network and device threat detection during session initialisation | No — app works without it |
| Phone state and phone number (READ_PHONE_STATE, READ_PHONE_NUMBERS) | SIM-based identity verification and device binding | No — depends on configuration |
| Network state and WiFi state | Threat assessment of network environment | No — transient read only |
| Bluetooth | Device environment threat assessment | No — transient read only |
| Biometric / device credentials | Device-level biometric prompt for Local Device Authentication | No — password fallback available |
You can revoke any permission at any time via your device's privacy or app settings. Revoking a permission may limit certain authentication flows.
5. Third Party Sharing
We do not sell, rent, or trade your personal data.
5.1 Group Companies
We may share data with our parent company and other group companies for internal business administration and consistent service delivery.
5.2 Enterprise Customers
If you use Ditto Authenticate as part of an employer or enterprise deployment, your authentication event data (login timestamps, device enrolment status, session activity) may be accessible to your enterprise administrator for access management and audit purposes. In this case, the enterprise acts as an independent data controller.
5.3 Service Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Ditto ID (authentication SDK) | Core SDK powering authentication, device binding, and threat detection | All authentication flow data | United States |
| Cloud infrastructure provider | Hosting of authentication backend services | Email, device identifiers, session event data | UK / EU / US |
All service providers are bound by data processing agreements and may only process data on our instructions.
5.4 Legal Requirements
We may disclose personal data where required by law, court order, or regulatory authority.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you in advance.
6. Data Retention
| Data | Retention Period | Reason |
|---|---|---|
| Email address | Duration of enrolment + 30 days after de-enrolment | Service delivery; post-removal recovery window |
| Device UUID and binding data | Duration of device enrolment | Authentication credential binding |
| Activation code (OTP) | Not retained — discarded after verification | Single-use |
| Password | Until changed or account deleted | Authentication credential |
| Authentication / session event logs | 90 days (or as required by enterprise policy) | Security audit, fraud detection |
| Device threat check results | Per-session only — not retained | Security posture assessment |
| Location, phone state, network/WiFi/Bluetooth state (SDK access) | Not retained — transient use only | Threat detection and device verification |
| Connection profile (on-device) | Until device de-enrolled or app uninstalled | Session re-establishment |
7. International Transfers
Ditto.ID Ltd is based in the United Kingdom. Some service providers are located in the United States. Where we transfer personal data outside the UK or EEA, we rely on:
- UK transfers: International Data Transfer Agreements (IDTAs) issued by the ICO, or EU SCCs supplemented by the UK Addendum.
- EEA transfers: Standard Contractual Clauses adopted by the European Commission (Decision 2021/914).
You may request details of these safeguards by contacting us at privacy@ditto.id.
8. Your Rights
Regardless of your location, you have the following rights in relation to your personal data:
8.1 Right to Access
You may request a copy of the personal data we hold about you, the categories of data, its sources, and how it is used.
8.2 Right to Delete
You may request deletion of your personal data. Some exceptions apply (e.g. where retention is required by law or for fraud prevention). To remove your enrolled device, go to Device List → select device → Delete within the app, or contact us directly.
8.3 Right to Correct
You may request correction of inaccurate or incomplete personal data we hold about you.
8.4 Right to Data Portability
Where processing is based on your consent or a contract and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
8.5 Right to Object
You may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
8.6 Right to Restrict Processing
You may request that we restrict processing of your data while a dispute is being resolved.
8.7 We Do Not Sell Your Data
We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioural advertising. You therefore have no need to opt out of data sales — but you have the right to know this, and we confirm it here explicitly.
8.8 Right to Know Whether Data Is Shared
We share data only as described in Section 5. You have the right to know the categories of third parties with whom we share data and for what purpose. You may contact us at any time to request this information.
8.9 How to Exercise Your Rights
Email privacy@ditto.id. We will respond within one calendar month. We may ask you to verify your identity before processing your request.
8.10 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes applicable law. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. EEA residents may contact their local supervisory authority.
9. GDPR — EU & UK Users
If you are located in the European Union or United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) applies to our processing of your personal data. Our lawful bases for processing are set out in Section 3. You have the rights described in Section 8, including the right to access, rectify, erase, restrict, port, and object to processing, and the right to lodge a complaint with your local supervisory authority.
For GDPR-related enquiries, contact us at privacy@ditto.id.
10. CCPA — California Users
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you additional rights:
- Right to know what categories of personal information we collect, the sources, the business purpose, and the categories of third parties we share it with.
- Right to delete your personal information, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioural advertising.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@ditto.id. You may designate an authorised agent to make requests on your behalf.
11. VCDPA — Virginia Users
If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) gives you the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of the sale of personal data or its use for targeted advertising. We do not sell personal data or use it for targeted advertising. To exercise your rights, contact privacy@ditto.id. If we decline your request, you may appeal by contacting us and we will respond within the timeframe required by applicable law.
12. LGPD — Brazil Users
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018) applies. You have the right to confirm whether we process your data, access it, correct it, anonymise or delete it, request portability, and be informed about third parties with whom we share data. Our legal bases for processing are described in Section 3. To exercise your rights, contact privacy@ditto.id.
13. Children's Privacy
Ditto Authenticate is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us immediately at privacy@ditto.id and we will delete it promptly.
14. Security
- All data in transit is encrypted using TLS (HTTPS only; cleartext traffic is disabled in production).
- Device credentials are cryptographically bound through hardware-backed key binding where supported.
- Sensitive data stored on-device uses the operating system's encrypted storage.
- App data backup is disabled to prevent data being copied to cloud backup services.
- We conduct regular security assessments and penetration testing of the app and backend services.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users directly.
15. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you via an in-app notice prior to the change taking effect and update the "Last Updated" date above. Continued use of the App after changes take effect constitutes acknowledgement of the updated policy.
16. Contact Us
| Role | Details |
|---|---|
| Data Controller | Ditto.ID Ltd, Company No. 16781449; 186 Shoreditch High Street, London, E1 6HU, United Kingdom; privacy@ditto.id |