Privacy Policy
Shark WebAuthn Demo Portal | Effective Date: April 11, 2026
This Privacy Policy explains what information is collected when you use the Shark WebAuthn demonstration portal ("Portal"), how it is used, and your rights regarding that information. This Portal is operated as a non-commercial demonstration of the Shark WebAuthn library for .NET and is not intended for production use or the storage of real personal data.
1. Scope and Applicability
This Policy applies to all visitors of the Portal at https://shark-fido2.com/ and its sub-pages, including the Documentation, Discoverable Credentials, and Conditional Mediation pages. It is intended to comply with applicable privacy laws in the United States (including the California Consumer Privacy Act, CCPA) and the European Union (General Data Protection Regulation, GDPR).
2. Data Controller
The operator of this Portal acts as the data controller for purposes of GDPR. Contact information for privacy-related inquiries is available via email at admin@shark-fido2.com.
3. Information We Collect
3.1 Passkey Demonstration Data
When you use the passkey creation and authentication features of the Portal, the following technical data is temporarily collected and stored in a server-side memory cache:
- Credential identifier (a cryptographic handle, e.g. a Base64-encoded value)
- User handle (a Base64-encoded opaque identifier)
- Username – any string you choose to enter; it does not need to be a real name
- Display name – any string you choose to enter; it does not need to be a real name
- Signature counter (sign count)
- Public-key algorithm identifier (e.g. RS256 – RSASSA-PKCS1-v1_5 using SHA-256)
- Transport mechanisms (e.g. "internal")
- Timestamps of credential creation, last update, and last use (UTC)
All passkey data is stored exclusively in volatile server memory and is automatically erased within 24 hours. No passkey data is written to any persistent database, disk, or backup.
3.2 Analytics Data (Google Analytics)
The Portal uses Google Analytics to collect basic, aggregated usage statistics. Google Analytics may collect:
- Approximate geographic location (country/region level)
- Browser type and version
- Device type and operating system
- Pages visited and time spent on each page
- Referral source
This data is processed by Google LLC under their own privacy policy. No advertising or remarketing features of Google Analytics are enabled. You may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on (available at https://tools.google.com/dlpage/gaoptout) or by configuring your browser to block analytics scripts.
3.3 Data We Do Not Collect
The Portal does not collect, process, or store any of the following:
- Passwords, authentication tokens, or credentials for any external service
- Payment information
- Real names, email addresses, phone numbers, or any verified personal identifiers
- Cookies (no cookies are set by the Portal itself)
- Data from social login providers such as Google or Facebook
- Advertising identifiers or behavioural profiles
4. Purpose and Legal Basis for Processing
Passkey demonstration data is processed solely for the purpose of illustrating the operation of the WebAuthn/FIDO2 authentication standard. The legal basis under GDPR Article 6 is legitimate interest (Art. 6(1)(f)): enabling users to test passkey functionality in a controlled, clearly labelled demonstration environment.
Analytics data is processed on the basis of our legitimate interest in understanding aggregate Portal usage to improve documentation and demonstration quality (GDPR Art. 6(1)(f)).
5. Data Retention
Passkey demonstration data is stored in volatile memory only and is permanently deleted, at the latest, 24 hours after creation. In practice, data is deleted whenever the server process is restarted.
Analytics data is retained by Google LLC according to their standard retention settings (typically 14 or 26 months, configurable per Google's policies).
6. Data Sharing and Transfers
Passkey demonstration data is never shared with third parties. Analytics data is shared with Google LLC, which may store and process it in the United States or other countries. Google LLC participates in the EU-U.S. Data Privacy Framework, providing appropriate safeguards for cross-border transfers from the EU to the US.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Right of access – to know what personal data is held about you
- Right to erasure – to request deletion of your data
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with your local supervisory authority (EU users)
- Right to opt out of the sale of personal information (California residents)
Because passkey data is automatically erased within 24 hours and no real personal identifiers are required or stored, these rights can typically be exercised by simply not using the Portal, or by starting a new session after 24 hours. For any formal request, contact us at admin@shark-fido2.com.
8. Security
Passkey data exists only in volatile server memory and is never persisted. The Portal is served over HTTPS. No special security measures are claimed beyond these inherent characteristics of the demonstration architecture.
9. Children
The Portal is not directed at children under the age of 16. We do not knowingly collect any information from children. If you believe a child has submitted data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Policy from time to time. The effective date at the top of this document will reflect the most recent revision. Continued use of the Portal after any update constitutes acceptance of the revised Policy.
11. Contact
For privacy-related questions or to exercise your rights, please contact us at admin@shark-fido2.com.