Privacy Policy

Effective Date: May 10, 2026  |  Last Updated: May 18, 2026

Vector Normal, Ltd. (“Vector Normal,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit be-authentic.me, create a BE Authentic™ account, register or interact with an object that has been authenticated using the BE Authentic verification platform, use any BE Authentic platform-level service we operate (including the Studio practice tools, the Archive viewer, and recording playback), or otherwise interact with us (collectively, the “Services”).

BE Authentic was designed around a simple principle: an object should carry its own story without becoming a tracking device for the person who owns it. We have designed our verification technology to prove what you choose to record — and nothing more. This Policy reflects that commitment.

By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Who We Are and How to Reach Us

Vector Normal, Ltd. is a Colorado limited liability company that designs, builds, and operates the BE Authentic verification platform. BE Authentic is a horizontal trust and verification layer that enables physical objects to carry cryptographically signed records of their interactions and provenance. Vector Normal owns the patents, protocols, software, and infrastructure that constitute BE Authentic, and licenses portions of that technology to third-party verticals (each a “Licensee”) that build vertical-specific products and services on top of the platform — for example, Arcform Musical Instruments, LLP, the first BE Authentic vertical, builds and authenticates musical instruments using the platform.

For privacy questions, requests, or complaints, contact us at:

• Email: privacy@be-authentic.me
• Mail: Vector Normal, Ltd. — Attn: Privacy, 1521 Blake St STE 38939, Denver, CO 80202

2. Scope of This Policy

This Policy applies to personal information processed by Vector Normal in connection with the Services. It covers data collected through:

• The be-authentic.me website and any subdomains we operate;
• BE Authentic platform-level applications, including web and mobile applications operated by Vector Normal under the BE Authentic brand, as well as Licensee-published mobile applications that connect to and exchange platform-level data with the BE Authentic verification platform — including, without limitation, the Arcform Authentic mobile application published by Arcform Musical Instruments, LLP for iOS and Android;
• NFC verification taps performed on objects that carry a BE Authentic authentication module;
• Account registration, identity verification, object claiming, ownership transfer, lending, practice tracking, recording capture and playback, group sessions, household features, skill credentials, and customer support delivered through BE Authentic platform services;
• Email, push notifications, and other communications you receive from us; and
• Events, demonstrations, and other in-person interactions where you provide information to us.

Licensee-operated services. Many of the consumer-facing applications you use to interact with BE Authentic are operated by Licensees rather than by Vector Normal directly. For example, when you purchase an instrument through arcformguitars.com, browse the Arcform Archive, or list an instrument in The BE Hive marketplace, those activities are operated by Arcform Musical Instruments, LLP under its own privacy policy and terms of service. Vector Normal acts as a service provider and trust-layer operator with respect to that data. The relationship between BE Authentic platform-level data and Licensee-operated data is described in Section 5.4 (The Licensee Model) and Section 16 (The Licensee Model in Detail).

3. Information We Collect

We collect three categories of information: information you provide, information generated through your use of the Services, and information we receive from third parties (including Licensees).

3.1 Information You Provide

• Account information. Email address, password (stored as a salted hash), display name, and any optional profile details you choose to add (avatar, biography, city, state, country, phone number).
• Identity verification information. Where you choose a higher identity-verification level (for example, to elevate the trust signal on your provenance entries or to facilitate transactions through a Licensee marketplace), we may collect government-issued identifiers, address verification information, or similar data through vetted identity-verification providers.
• Object information. Names, photos, written stories or notes, condition descriptions, maintenance records, and any other content you choose to associate with an authenticated object. The specific object types and data fields available depend on the Licensee that authenticated the object.
• Household, group, and lending information. If you create or join a household, ensemble, or lending arrangement on a BE Authentic platform service, we collect membership details, role assignments, and shared-object designations you choose.
• Communications. Information you submit through contact forms, support tickets, surveys, event sign-ups, or correspondence with us.
• User-attested metadata. Notes, descriptions, location names, occasion descriptions, or other context you choose to associate with verified interaction events. These are recorded as user-provided information and are not independently verified by us.

3.2 Information Generated by Your Use of the Services (BE Authentic Verification Data)

When you tap your phone or another NFC-enabled device against an object that carries a BE Authentic authentication module, the cryptographic module embedded in the object generates a small data packet that includes:

• A unique identifier (UID) for that specific authentication module;
• A monotonically increasing counter value; and
• A cryptographic signature (CMAC) computed over the UID and counter.

When this packet reaches our verification server (in combination with your authenticated session), we record a verified interaction event consisting of: the object’s UID, the counter value, the timestamp the event was received, your authenticated user identifier, your verification level at the time of the event, the event type, and any user-attested metadata you choose to add. We then sign the resulting record with a Vector Normal-controlled signing key, producing a server signature that any third party can verify against our published public key without our cooperation.

Across many interactions, these events accumulate into a Provenance Record for the object and a personal interaction history for you.

In addition, our systems may automatically collect:

• Practice and session data. Session start and end times, duration, exercises completed, streak counts, points and badges earned, and (if you opt in to recording) audio you choose to capture during a session.
• Group session data. Check-in records, ensemble participation, and credentials earned through group activities.
• AI engine attribution data. Identifiers, version numbers, and signatures of any AI engines whose output is bound to your verified interactions (see Section 14).
• Device and technical information. Device type, operating system and version, browser type, IP address (used for fraud prevention, regional language and content selection, and security; not used to map your physical movements), approximate region derived from IP, app version, crash logs, and diagnostic information. In our mobile applications, crash and performance diagnostics are collected via Sentry (stack traces, device model, and operating system version only). This diagnostic data is used solely to identify and fix bugs and is not linked to your account; it is associated with an opaque per-install identifier that we cannot tie back to your identity.
• Usage data. Pages viewed, features used, links clicked, search queries within the Services, referral source, and timestamps of activity. Aggregate usage statistics (without personal identifiers) inform our site analytics.
• Cookies and similar technologies. See Section 11 (Cookies and Tracking Technologies).

What BE Authentic does not collect: BE Authentic does not use GPS, does not perform passive or ambient scanning, and does not include any battery or always-on radio. The cryptographic module is dormant until you intentionally tap it, in the same way an EMV credit card chip is dormant until presented to a reader. We do not collect continuous location, do not log your physical movements between taps, and do not infer patterns of life from interaction events.

What BE Authentic Is	What BE Authentic Is Not
A certificate of authenticity inside the object	A tracking device
Activated only when you tap	Always-on monitoring
Proof of what is yours and what you have done	Surveillance of where you have been
Your story, recorded under your control	Data collection without your consent

3.3 Information We Receive from Third Parties

• Licensees. When a Licensee (such as Arcform Musical Instruments, LLP) authenticates an object, registers a tag in the BE Authentic system, processes a transaction involving an authenticated object, or otherwise interacts with the platform on your behalf, we receive limited data necessary to operate the platform — including the object’s identifying metadata, your account identifier (if you are an existing BE Authentic user), and any cross-platform claim or transfer signals required to keep your provenance record consistent.
• Identity verification providers. Pass/fail or scored results, and limited verified attributes (for example, name match, age over 18, jurisdiction).
• Authentication providers. If you sign in using a third-party identity provider, we receive the identifiers and basic profile information that provider sends, subject to your settings with that provider.
• Service providers and analytics. Our hosting, analytics, customer support, email-delivery, and push-notification providers share aggregated and event-level data necessary to operate the Services.

Vector Normal does not directly process payments through the BE Authentic platform-level Services. Where you complete a transaction (for example, purchasing an instrument or completing a marketplace sale), payment is processed by the Licensee operating that transaction, under that Licensee’s privacy policy. We may receive a non-payment confirmation event (for example, “transfer completed”) from the Licensee in order to update the relevant Provenance Record.

4. How We Use Your Information

We use personal information to:

• Provide, maintain, and improve the Services, including processing object registration, ownership transfers, lending, practice tracking, group sessions, recording capture and playback, accolade management, household features, and customer support;
• Operate the BE Authentic verification system, including validating cryptographic signatures, validating counter sequences, recording verified interaction events, signing those events with our server key, and maintaining Provenance Records;
• Operate the AI engine registry, dual-sign AI-generated outputs that are bound to verified interactions, and maintain the public engine attestation system described in Section 14;
• Authenticate you, secure your account, and detect, prevent, and respond to fraud, abuse, theft, and other prohibited activity;
• Calculate provenance scores, points, levels, badges, streaks, and other recognition features;
• Communicate with you about your account, your authenticated objects, security, product updates, and (with your consent where required) information about new BE Authentic features or new Licensees;
• Personalize the Services, including content recommendations that are not based on sensitive personal information;
• Operate Licensee transparency commitments, including the publicly accessible Licensee registry described in Section 16;
• Conduct research, perform analytics on aggregated and de-identified data, and develop new features and platform-level capabilities;
• Comply with legal obligations, enforce our Terms of Service, and protect our rights, your rights, and the rights of others; and
• With your express, per-request consent, share or generate verified credentials about your physical experience with objects to third parties such as employers, educators, or insurers (see Section 5.3).

5. How We Share Information

We share personal information only as described below.

5.1 With Other Users

Certain features are inherently social and require sharing of information with other users:

• Public profile information you choose to make visible (display name, avatar, member since, level, badges);
• Provenance entries on objects you have owned or interacted with, which become part of that object’s history and remain visible to subsequent owners (you control whether your real name or only your display name appears, in accordance with your settings);
• Group session participation, ensemble credentials, and (where applicable) leaderboard entries;
• Recordings and accolades you choose to publish to the public Recording playback page.

You can adjust visibility for many of these elements in your account settings. Most user-generated activity defaults to private; making something public is an opt-in action.

5.2 With Service Providers

We share personal information with vendors that perform services on our behalf, including hosting, infrastructure, identity verification, customer support, email delivery, push-notification delivery, analytics, security and fraud prevention, and data backup. These vendors are bound by contractual obligations to use personal information only as necessary to provide their services to us.

5.3 With Your Consent (Verified Credentials and Third-Party Verification)

BE Authentic supports user-authorized verification of your physical experience with objects to third parties such as employers, educators, and insurers. We will not release credential data to a third party without your affirmative, per-request consent. We log all third-party verification requests in an audit trail accessible to you, and you can revoke third-party access to credential data at any time.

5.4 With Licensees

BE Authentic is designed to be used by multiple Licensees, each operating its own vertical platform on top of the BE Authentic trust layer. We share personal information with Licensees only as necessary to:

• Operate the verification, claim, transfer, and provenance flows for objects authenticated by that Licensee;
• Maintain consistent ownership records across the Licensee’s platform and BE Authentic;
• Allow Licensees to identify their own users for the purpose of operating their vertical-specific products and services;
• Comply with applicable law and contractual obligations that flow to Licensees.

Each Licensee is contractually required to honor BE Authentic’s privacy-by-design principles described in this Policy, to maintain its own privacy policy that meets or exceeds applicable law, and to use personal information only as necessary for its stated purposes. The current list of active Licensees is published at be-authentic.me/wp-json/arcform/v1/licensees. The list will grow as additional Licensees come online; we will not silently add new Licensees that change the categories of personal information shared. Material changes to the data-sharing relationship with Licensees will be reflected in updates to this Policy.

5.5 With Affiliates

We may share information with affiliated entities under common control with Vector Normal for IP, security, and infrastructure purposes, subject to the same protections described in this Policy.

5.6 In Business Transactions

If Vector Normal is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of all or part of our assets, or similar transaction, personal information may be transferred as part of that transaction, subject to commercially reasonable efforts to ensure the recipient honors this Policy or provides equivalent protections.

5.7 For Legal and Safety Reasons

We may disclose personal information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Vector Normal, our users, our Licensees, or the public.

5.8 What We Do Not Do

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act, the California Privacy Rights Act, or analogous state privacy laws. We do not use BE Authentic data to enable any party (including ourselves, Licensees, advertisers, defense or law-enforcement entities, or any commercial partner) to perform retroactive surveillance — that is, we do not provide a mechanism to answer the question “show me everywhere a person has been.” Our system is designed to support forward verification only: “was this person here, for this specific interaction.”

We do not engage in cross-context behavioral advertising and we do not share your personal information with third parties for their own independent advertising or profiling purposes.

6. Your Privacy Rights and Choices

6.1 Account Controls

You can review, update, or delete much of your information directly through your account settings, including profile fields, notification preferences, and per-record visibility settings (private, public, locked) on your verified interaction events, practice sessions, recordings, group session memberships, and uploaded media.

Deleting your account. To permanently delete your BE Authentic account, use the in-app Delete Account flow available in our mobile applications at Profile → Delete Account, or write to privacy@be-authentic.me from your account email. Account deletion removes your personal account information (display name, email, profile data, password hash) from our active systems within a commercially reasonable period. Your verified interaction events may remain associated with the objects you owned or interacted with as part of those objects’ Provenance Records (for example, as “Previous Owner” rather than your name), as described in Section 6.4 below. Deletion is permanent and cannot be reversed.

6.2 Statutory Rights (Subject to Applicable Law)

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

• Right to know / access. Request confirmation of whether we process your personal information and a copy of that information.
• Right to correct. Request correction of inaccurate personal information.
• Right to delete. Request deletion of personal information, subject to legal exceptions (for example, completed transactions, anti-fraud requirements, and the integrity of provenance records associated with objects you no longer own).
• Right to portability. Request a copy of personal information you provided to us in a structured, commonly used, machine-readable format.
• Right to opt out. Opt out of “sale” or “sharing” of personal information, targeted advertising, and certain profiling, where applicable. As described in Section 5.8, we do not sell or share personal information or engage in cross-context behavioral advertising.
• Right to restrict or object to processing. Request restriction of, or object to, certain processing under the EU/UK GDPR or similar laws.
• Right to withdraw consent. Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to non-discrimination. Receive equal service and pricing even if you exercise your privacy rights.
• Right to lodge a complaint. Residents of the EU/UK and certain other jurisdictions may lodge a complaint with their supervisory authority. Colorado residents may contact the Colorado Attorney General. California residents may contact the California Privacy Protection Agency.

6.3 How to Exercise Your Rights

Submit requests to privacy@be-authentic.me from the email address associated with your account, or through the in-app privacy controls. We will verify your identity using account-based authentication, and where necessary, additional verification proportionate to the sensitivity of the request. You may use an authorized agent where permitted by law; we will require written proof of authorization.

We will respond within the time period required by applicable law (typically 45 days under U.S. state laws, with one extension where reasonably necessary; one month under the GDPR, with extensions where permitted).

If your request relates to data held by a Licensee on its own platform (for example, payment information held by Arcform’s payment processor), we will route your request to the appropriate Licensee or direct you to the Licensee’s privacy contact.

6.4 Limits Specific to Provenance

Provenance Records are designed to be cumulative and durable so that future owners can rely on them. If you delete your BE Authentic account, we will remove or de-identify your personal account information; however, the verified interaction events you contributed during your ownership of an object may remain associated with that object as part of its Provenance Record (for example, as “Previous Owner” rather than your name) where retention is required by law or by the legitimate interests of subsequent owners in the durability and verifiability of the record. When you make a deletion request that touches a Provenance Record, we will explain to you in our response what was retained, why, and what balancing test we applied, so that the decision is auditable.

6.5 Right to Independently Verify

BE Authentic is designed so that the cryptographic integrity of your verified interaction events does not depend on Vector Normal’s continued cooperation. Every signed event we produce can be independently verified against our public signing key, which is published at be-authentic.me/wp-json/arcform/v1/provenance/public-key. You may export your signed event records and verify them yourself, or share them with a third party for verification, without notifying us. This right is platform-level; it does not require our cooperation, and we do not log it.

7. Data Retention

We retain personal information for as long as needed to provide the Services and for the additional periods required by our legal, accounting, dispute-resolution, fraud-prevention, and provenance-integrity needs. Where retention extends for the life of an authenticated object, that retention is based on the legitimate interests of the object’s current and future owners in the durability and verifiability of the Provenance Record. We have documented this balancing test internally and will summarize it on request.

Category	Retention Period
NFC verification events	At least two years in primary storage; archived for the life of the authenticated object as part of its Provenance Record (legitimate-interest basis)
Practice sessions and recordings	Session metadata retained as part of skill credential history; practice audio retained for one year by default and may be archived or deleted thereafter, subject to your deletion requests
Ownership transfer snapshots	Life of the authenticated object, to maintain Provenance Record integrity for subsequent owners
Group session and credential records	Retained as part of participating users’ skill credential history
AI engine attestation records	Life of the bound output, so that any third party can independently verify the chain of custody
Account information	As long as your account is active; deleted or de-identified within a commercially reasonable period after deletion, subject to legal-hold and provenance-record requirements
Backup copies	A limited period beyond active deletion to maintain disaster-recovery integrity

8. Children’s Privacy

The Services are not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children under that age.

BE Authentic household features are not available to children under the age of 13. For household members aged 13 to 17, the household’s primary account holder must affirm at the time of adding the household member that they are the parent or legal guardian of the minor and that they consent on the minor’s behalf to our collection and use of the minor’s personal information for the household’s purposes. Reduced-data settings are enabled by default for any household member designated as a minor and cannot be silently overridden.

If you believe a child has provided personal information to us without proper consent, please contact privacy@be-authentic.me and we will take appropriate steps to delete it.

9. International Users and Data Transfers

Vector Normal is based in the United States and processes personal information primarily in the United States. If you access the Services from outside the United States, your personal information may be transferred to and processed in the United States and other countries with data-protection laws different from those of your country.

Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards permitted by applicable law (for example, the European Commission’s Standard Contractual Clauses and the UK Addendum). You may request a copy of the safeguards by writing to privacy@be-authentic.me.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption in transit (TLS 1.2 or higher) for communication between your device, BE Authentic mobile and web applications, and our servers;
• Encryption at rest for sensitive data, including BE Authentic SDM keys (AES-256-CBC under a dedicated wp-config-stored encryption key);
• Salted password hashing using industry-standard algorithms;
• Cryptographic verification (CMAC) of every NFC interaction event, with monotonic counter checks to prevent replay or fabrication;
• Ed25519 signing of every recorded provenance event by a Vector Normal-controlled key, with the corresponding public key published openly so any third party can independently verify event integrity;
• Hardware-backed key storage on supported mobile devices (Apple Secure Enclave, Android Keystore) for credentials such as refresh tokens;
• On-device biometric authentication (for example, Face ID, Touch ID, fingerprint) used only locally to unlock cached credentials — your biometric data never leaves your device and is not stored or transmitted to Vector Normal;
• Role-based access controls, least-privilege practices, and audit logging on production systems;
• Strict separation between Vector Normal-operated platform infrastructure and Licensee-operated payment-processing infrastructure, so that we do not store full payment card numbers or analogous high-sensitivity payment data.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities as required by law.

11. Cookies and Tracking Technologies

We use cookies, web storage, software development kits in our mobile apps, and similar technologies to operate the Services and remember your preferences. We use:

• Strictly necessary cookies for authentication, session management, security, fraud prevention, and load balancing. These cannot be disabled through our cookie controls.
• Functional cookies to remember settings such as language, theme, and notification preferences.
• Analytics cookies to understand how the Services are used in aggregate. We configure our first-party site analytics to use IP-address hashing (SHA-256 with a per-site salt; raw IPs are never persisted) and to apply per-IP-per-day deduplication so that individual visitors are not profiled.

For users in the European Economic Area, the United Kingdom, and other jurisdictions that require prior consent for non-essential cookies, we present a consent interface on first visit and only set non-essential cookies after you affirmatively opt in. You can change your cookie preferences at any time through the cookie preference center linked in the site footer.

We do not use cookies for cross-context behavioral advertising or for selling personal information. You can control cookies through your browser settings and through any cookie preference center we offer in the Services. Browser “Do Not Track” signals and Global Privacy Control (GPC) signals are honored to the extent required by applicable law; we treat a GPC signal as an opt-out of “sale” and “sharing” of personal information for users in jurisdictions where that signal carries that legal effect.

12. Notices for Specific Jurisdictions

12.1 California Residents (CCPA/CPRA)

Categories of personal information we collect, the sources, business purposes, and categories of recipients are described in Sections 3 through 5. We do not knowingly sell or share personal information of consumers under the age of 16. California residents have the rights described in Section 6 and may designate an authorized agent. To exercise rights, contact privacy@be-authentic.me or use the in-app privacy controls. We will not discriminate against you for exercising your rights.

12.2 Colorado Residents (CPA)

Colorado residents have the rights to access, correct, delete, port, and opt out of targeted advertising, sale, and certain profiling, as described in Section 6. You may appeal a refusal of a privacy request by replying to our response or writing to privacy@be-authentic.me. If you remain dissatisfied, you may contact the Colorado Attorney General.

12.3 Other U.S. State Residents

Residents of Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those described above, subject to each state’s requirements and exceptions.

12.4 EEA, UK, and Switzerland Residents (GDPR)

Where the GDPR applies, Vector Normal acts as the controller of your personal information unless otherwise specified. Our legal bases for processing are: (a) performance of a contract with you; (b) compliance with legal obligations; (c) our legitimate interests in operating, securing, improving, and marketing the Services in a manner consistent with your reasonable expectations; and (d) your consent, where required (for example, for certain marketing communications and for any release of credential data to third parties). You may object to processing based on legitimate interests, withdraw consent at any time, and lodge a complaint with your supervisory authority.

13. Third-Party Links and Services

The Services may contain links to third-party websites and services, and may incorporate features provided by third parties (such as identity verification and authentication providers, and Licensee-operated platforms). This Policy does not govern those third parties. We encourage you to review their privacy policies before providing them with personal information.

14. AI Features and the Engine Registry

BE Authentic supports AI-assisted features, such as AI-generated practice curricula, that produce outputs bound to verified human interactions. We treat AI accountability as a platform-level commitment, not a private implementation detail.

14.1 Engine Registration and Attestation

Every AI engine whose output is recorded against a BE Authentic account is registered in our public AI engine registry, available at be-authentic.me/wp-json/arcform/v1/ai-engines. The registry records, for each engine, its identifier, version, type (cloud, embodied, or hybrid), and (where applicable) its public signing key. AI outputs are dual-signed: by the engine’s own key (where the engine has one) and by the Vector Normal verification server.

14.2 What This Means For You

For any AI output associated with your account, you may always determine:

• Which AI engine produced the output;
• The verified human interaction (NFC tap) that authorized the AI to act on your behalf;
• Whether the engine ran in the cloud or on a physical/embodied device;
• The exact input that was sent to the engine.

The chain of custody for AI-generated content is recorded with the same cryptographic rigor as for human-generated content, and is independently verifiable against the public signing keys.

14.3 Human Review

Where AI is used to assess your skill level for credentialing purposes, the resulting assessment is treated as user-attested or AI-assessed metadata (clearly distinguished from cryptographically verified metrics in your User Skill Credential). You may request human review of any AI-generated assessment that produces a legal or similarly significant effect.

14.4 On-Device AI

Some AI features may run on your device. Where these features run on-device, your inputs and intermediate results are not transmitted to our servers; only the outputs you choose to save are recorded against your account.

15. BE Authentic Architectural Commitments

Several privacy commitments are designed into the BE Authentic protocol itself, not just into our policies. These include:

• User-initiated only. Verification requires a deliberate physical tap. The cryptographic module is dormant and cannot be passively scanned.
• Data sovereignty. You can view, export, and delete your interaction history through standard account controls.
• No retroactive surveillance. Our database structure is designed to answer “was this user present at this interaction?” and is not designed to answer “where has this user been?”
• Minimization by design. We capture the minimum data necessary to prove an interaction. We do not perform metadata harvesting, behavioral analytics for surveillance purposes, or pattern-of-life inference.
• Independent verifiability. Every signed event can be verified against our published public key without our cooperation. The privacy you have today does not depend on us continuing to behave well; it is enforced by cryptography.
• Auditable implementation. As we publish portions of the BE Authentic protocol specification, the privacy architecture becomes externally inspectable.

16. The Licensee Model in Detail

BE Authentic is a horizontal trust layer used by multiple verticals. Vector Normal operates the platform; Licensees operate vertical-specific products and services on top of it.

16.1 Roles

• Vector Normal is the controller of your BE Authentic account, your verification events, your provenance records, and the platform-level Services described in Section 2.
• Licensees are independent entities that build vertical-specific products on top of BE Authentic. Each Licensee is a separate controller for the personal information processed within its own platform (for example, payment data, marketplace listings, vertical-specific account fields). Licensees are responsible for their own privacy policies, terms of service, and regulatory compliance.

16.2 What Data Crosses Between

The data that necessarily crosses the boundary between BE Authentic and a Licensee includes: object identifiers, your account identifier, claim and transfer events, and the cryptographic verification data needed to authenticate physical interactions. The list of categories shared per Licensee is documented in our public Licensee registry. Categories beyond this require either your explicit consent or a written contractual addition that is reflected in this Policy.

16.3 Public Licensee Registry

The current list of active Licensees, including the categories of data shared with each, is published at be-authentic.me/wp-json/arcform/v1/licensees. Each registered Licensee carries a cryptographic attestation linking its registration to a verified provenance event.

16.4 If a Licensee Is Removed

If a Licensee’s relationship with BE Authentic ends, we will: (a) update the Licensee registry to mark the Licensee inactive; (b) cease sharing new personal information with that Licensee; and (c) instruct the Licensee to delete or return personal information held about you, in accordance with the Licensee’s contractual obligations to Vector Normal. Verified interaction events that occurred during the active relationship will remain in the relevant Provenance Records, since their cryptographic validity does not depend on the Licensee’s ongoing status.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Last Updated” date at the top reflects the most recent revision. If we make material changes, we will notify you by email, in-app notice, or other reasonable means before the change takes effect. Material changes that increase your obligations or reduce your rights will not apply retroactively to existing transactions or to disputes that arose before the change. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated Policy.

18. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

Vector Normal, Ltd.
Attn: Privacy
Email: privacy@be-authentic.me
Mailing address: 1521 Blake St STE 38939, Denver, CO 80202