A better way is possible: Dataless KYC and Open Sourcing Fractal ID

In July 2024, we committed to something radical: deleting all user data from our systems.

As we shared in our original Becoming Dataless post, central storage of personal data is a structural liability. It’s a risk we’re no longer willing to impose on users. The only way forward is to remove that risk entirely.

As of now, almost 900k user records—representing close to 77.5% of the Fractal ID user base—have been permanently removed from our systems. This includes the personal information that users provided during onboarding and verification, such as full names, dates of birth, nationality, images of identification documents, physical addresses, phone numbers, and wallet addresses (if provided for verification).

The remaining records are planned to be deleted in the coming months as we continue this effort in collaboration with our clients.

Why We Had to Store User Data—and Why Some of It Remains (For Now)

Like any KYC provider, Fractal ID acted either as a data processor on behalf of its clients or as a data controller. In certain cases, AML regulations and contractual obligations required us to retain user data for compliance purposes.

While we’ve made significant progress in removing the majority of records, we’re still working closely with a few remaining clients to implement solutions that meet both regulatory and technical requirements. This process is ongoing—and we’re fully committed to completing it in the coming months.

What’s Changing

We can’t undo the past, but we can radically change how we operate. We started our journey to become a decentralized identity verification provider in 2017, but the July 2024 data breach made clear that we had to accelerate our efforts: we must stop storing personal data centrally. The trust users place in us demands not just better protection—but a fundamentally better model.

We’re not just deleting user data. We have overhauled the whole system to become an identity verification provider that does not store personal user data centrally indefinitely, allowing users to store their own sensitive data in a secure, decentralized storage network where user data is encrypted with their own private key.

The End of Centralized Storage

Centralized storage of user identity data cannot be trusted. Going forward, personally identifiable information (PII) will only be accessible in Fractal ID for a 14-day period. This is needed so that we can assist users and our clients during data provision and verification. After 14 days, the data will be automatically deleted from the system in accordance with our data retention policy. This also extends to our partners that conduct parts of the identity verification, who are instructed not to store the data past the 14-day period, in accordance with GDPR. After the 14-day period, Fractal ID will only keep anonymized system IDs and some metadata. These include event logs related to API token handling, API data access, session vars, and system calls. These logs will contain contextual data (timestamp, event type) and details about the event itself (internal anonymized user ID, client ID, ingestion ID).

Instead, verified user data will be issued as Verified Credentials, and stored and managed by users themselves via idOS—a decentralized data storage and access management network enabling self-sovereign data ownership. Fractal ID’s clients will be able to access user data from idOS as long as they have an Access Grant shared by the users (that users may revoke). Fractal ID may also ask users for an Access Grant to update a user’s credential. You can learn more about data storage and access management in idOS here.
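An added example, not Fractal ID's code: a purge-time check for the 14-day retention rule described above, confirming that the logs kept afterwards hold only the listed metadata and no copy of the PII being deleted. The key names, record layout and sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=14)  # window stated in the post
# Log fields the post says are kept; these key names are assumed.
LOG_FIELDS = {"timestamp", "event_type", "user_id", "client_id", "ingestion_id"}

def expired(records, now):
    """PII records whose 14-day window has elapsed."""
    return [r for r in records if now - r["ingested_at"] >= RETENTION]

def pii_strings(doomed):
    """Lower-cased PII values that are about to be deleted."""
    return {str(v).lower() for r in doomed for v in r["pii"].values()}

def audit_logs(logs, doomed):
    """Rows that would keep PII past the purge: stray key or embedded PII value."""
    needles, findings = pii_strings(doomed), []
    for i, row in enumerate(logs):
        extra = sorted(set(row) - LOG_FIELDS)
        hits = sorted(n for n in needles
                      if any(n in str(v).lower() for v in row.values()))
        if extra or hits:
            findings.append((i, extra, hits))
    return findings

def purge(records, logs, now):
    """Drop expired PII; keep allow-listed log keys and redact embedded PII."""
    doomed = expired(records, now)
    needles = pii_strings(doomed)
    clean = [{k: "[redacted]" if any(n in str(v).lower() for n in needles) else v
              for k, v in row.items() if k in LOG_FIELDS} for row in logs]
    return [r for r in records if r not in doomed], clean

# Constructed sample data (not real users or real Fractal ID log lines).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
RECORDS = [
    {"user_id": "u-1a", "ingested_at": NOW - timedelta(days=20),
     "pii": {"full_name": "Alex Example", "phone": "+10000000000"}},
    {"user_id": "u-2b", "ingested_at": NOW - timedelta(days=3),
     "pii": {"full_name": "Sam Sample", "phone": "+10000000001"}},
]
BASE = {"user_id": "u-1a", "client_id": "c-9", "ingestion_id": "i-77"}
LOGS = [
    {**BASE, "timestamp": "2024-12-26T10:00:00Z", "event_type": "api_data_access"},
    {**BASE, "timestamp": "2024-12-26T10:00:05Z", "event_type": "session name=Alex Example"},
    {**BASE, "timestamp": "2024-12-26T10:01:00Z", "event_type": "system_call",
     "phone": "+10000000000"},
]
```

Running `audit_logs` before `purge` shows which log rows needed cleaning; running it again on the cleaned logs should return an empty list.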

Don’t Trust. Verify.

We know that trust must be earned—and verified. That’s why we will be working closely with Resonance Security on a full audit of our new dataless infrastructure. We plan to open-source the entire system in the near future, enabling anyone to inspect, verify, and even run their own instance of Fractal ID for their own user verifications.

Transparency is not optional. It’s the foundation of how we move forward.

We Can’t Do This Alone

We are not trying to find excuses, but the truth is that centralized data storage was not just a Fractal ID issue. This is an industry-wide issue. If users want a web that respects privacy and decentralization, we all need to act. That means asking the projects and platforms you use to stop hoarding your data and start giving it back to you. Initiatives like idOS, Privado ID, Civic and Cheqd are at the forefront of this transition, and it is everyone’s responsibility to support the change in the industry.

The future of identity on the internet is user-owned. It’s decentralized. And it starts with holding your data in your control—not storing multiple copies in someone else’s centralized server.


Fractal ID was founded on the belief that identity in web3 and the wider internet could be different. That belief hasn’t changed. But how we deliver on it has. And that starts with letting go of what was never ours to keep—your data.

Let us know what you think @Fractal_ID.
