Career Passport Privacy Policy

Effective date: June 11, 2026

Welcome to Career Passport. Career Passport is designed to help California residents receive, store, manage, and share digital credentials related to education, skills, training, licenses, employment, and other career-related records.

Career Passport is built around user control. Your credentials are held in your wallet. You decide whether to accept a credential, keep it, delete it, or share it. Spruce does not sell your personal information, does not use your credential information for advertising, does not build behavioral profiles from your credentials, does not maintain a centralized repository of your credentials, and does not store your private cryptographic keys.

When you share a credential with an employer, school, licensing body, public agency, or other verifier, the App is designed to show you what information is being requested before you decide whether to share it. Spruce does not share your credentials with verifiers unless you approve the sharing flow or otherwise direct the App to do so.

This Privacy Policy explains the limited information we process to operate the App, support credential issuance and sharing, keep the App secure, troubleshoot issues, and comply with applicable law.

For the purposes of this Privacy Policy, we refer to the Career Passport mobile application and related wallet services as the “App.” The App is provided by Spruce Systems, Inc. dba SpruceID (“SpruceID,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the App.

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy.

Information We Collect

We may collect the following types of information.

Account Information

If the App requires you to create an account or authenticate to use certain features, we may collect information such as your name, email address, phone number, authentication method, or other information you provide during account creation, sign-in, support, or communications with us.

Credential Content

For the purposes of this Privacy Policy, “Credential Content” means the information contained in digital credentials you receive, store, display, or share through the App. Credential Content may include information such as your name, school, program, degree, certificate, skills, competencies, achievements, training completion, license status, employment-related records, credential issuer, issue date, expiration date, or other information included by the credential issuer.

Credential Content may include Personal Information. In some cases, it may also include education, employment, licensing, or workforce-related information.

The App is designed so that Credential Content is controlled by you. SpruceID does not maintain a centralized repository of your credentials, and SpruceID does not store your private cryptographic keys. Credential Content is generally stored in your wallet and used locally on your device, except where limited processing is necessary to receive, display, back up, recover, transmit, or share credentials at your direction, or as otherwise described in this Privacy Policy.

Issuance Information

When you receive a credential from a participating issuer, such as an educational institution, public agency, workforce organization, licensing body, training provider, or other credential provider, the App may process information needed to complete the issuance flow. This may include issuer metadata, credential offer information, authentication status, credential status information, and technical data needed to receive and store the credential.

The issuer is responsible for determining what information it includes in a credential and for its own privacy practices. You should review the privacy policy or notices of any issuer that provides you with a credential.

Presentation and Sharing Information

When you choose to share a credential, the App may process the information necessary to complete that sharing interaction. This may include the credential or selected fields from the credential, the verifier’s request, the verifier’s identity or metadata when available, the date and time of the request, and technical information needed to complete the presentation.

Where supported by the credential format and verifier request, the App may support selective disclosure, which allows you to share only certain information from a credential rather than the entire credential. Before you share, the App is designed to show you what information is being requested so you can approve or decline the request.

Some credential types, issuer configurations, or verifier requests may not support selective disclosure. In those cases, sharing may require disclosure of the full credential or a larger set of information. The App will aim to make this clear before you proceed.

Local Activity History

The App may maintain a local activity history on your device so you can see credentials you have received, shared, or used. This history may include information such as what credential was shared, with whom, and when. Unless otherwise disclosed to you, this local activity history is not transmitted to SpruceID by default. You may be able to view or delete local activity records in the App.

Device, Usage, and Technical Data

We collect limited technical information needed to operate, secure, troubleshoot, and improve the App. This may include device type, operating system, app version, crash logs, diagnostic data, performance data, and limited usage events.

Technical and usage data is not intended to include the contents of your credentials. We do not use technical or usage data to sell advertising, build advertising profiles, or profile your education, skills, employment history, or career pathway.

Camera and QR Code Data

The App may ask for access to your device camera so you can scan QR codes to receive or share credentials. Camera access is used for the functionality you request. The App does not use your camera for unrelated purposes.

Communications and Support

If you contact us for support, feedback, or other communications, we may collect your name, contact information, message content, and any information you choose to provide.

Cookies and Similar Technologies

If the App includes web-based features or links to web pages, we or our service providers may use cookies, web beacons, local storage, or similar technologies to support authentication, security, preferences, analytics, and app functionality.

How We Use Your Information

We may use the information we collect to:

Provide, operate, maintain, and improve the App;
Enable you to receive, store, manage, display, and share credentials;
Authenticate users and protect account access;
Facilitate credential issuance and presentation flows;
Show you what information is being requested before you share a credential;
Support selective disclosure where supported by the credential format and verifier request;
Monitor, troubleshoot, and improve App performance, reliability, and security;
Provide customer support and respond to inquiries;
Detect, prevent, and respond to fraud, misuse, security incidents, or technical issues;
Comply with legal, contractual, and regulatory obligations; and
Generate aggregated or de-identified insights about App performance and usage.

How Credential Sharing Works

The App is designed to give you control over when and how you share your credentials. A verifier may be an employer, school, licensing body, public agency, workforce organization, service provider, or another third party that asks you to present a credential.

When you choose to share information with a verifier, that verifier will receive the information you approve for sharing. SpruceID does not control how the verifier uses information after you share it. You should only share credentials with verifiers you trust and should review any privacy notices provided by the verifier.

Where possible, the App uses privacy-preserving credential presentation methods that allow verifiers to confirm credential validity without requiring the issuer or SpruceID to be contacted each time you present a credential. This helps reduce unnecessary tracking and metadata leakage. However, the exact privacy properties of a credential presentation may depend on the credential format, issuer configuration, verifier request, and technical standards used.

How We Share Information

We do not sell or rent your personal information. We may share information in the following situations.

At Your Direction

We share information when you choose to disclose it through the App. For example, if you approve a request to share a credential with an employer, school, licensing body, verifier, or other third party, the App will transmit the approved information to that third party.

With Issuers

When you request, receive, refresh, or recover a credential, we may process or transmit information needed to complete that interaction with the credential issuer. The issuer may receive information necessary to authenticate you, issue the credential, reissue the credential, or manage credential status.

With Verifiers

When you approve a credential presentation, the verifier receives the information you approve for sharing. This may include a full credential or selected claims from a credential, depending on the credential type and presentation flow.

With Service Providers

We may use third-party service providers to help us provide, secure, monitor, analyze, and support the App. These providers may assist with hosting, infrastructure, authentication, analytics, crash reporting, customer support, communications, security, and other operational services. To the extent these providers have access to information, they are permitted to use it only to perform services for us and are not permitted to use it for their own unrelated purposes.

With Program Partners

The Career Passport program may involve public agencies, educational institutions, workforce organizations, credential issuers, and other authorized program partners. We do not share your Credential Content with program partners for their independent use unless you direct us to do so, such as by accepting a credential from an issuer, requesting credential recovery or reissuance, or approving a credential presentation to a verifier.

We may provide program partners with aggregated, de-identified, or operational information needed to administer, secure, evaluate, or improve the Career Passport program. For example, this may include information about app performance, credential issuance volumes, successful or failed technical flows, or support needs. We do not use these reports to disclose the contents of your credentials or to create advertising profiles.

For Legal Compliance and Protection

We may disclose information if required to do so by law, subpoena, court order, legal process, or governmental request. We may also disclose information when we believe it is necessary to protect the rights, safety, security, or integrity of SpruceID, users, the App, program partners, or others.

Business Transfers

We may transfer information to a successor entity in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction involving SpruceID. If your information becomes subject to a different privacy policy as a result of such a transaction, we will provide notice where required by law.

Your Credentials and Private Keys

The App is designed to avoid custodial control of your credentials and cryptographic keys.

By default, credentials and associated private keys are stored under your control through the App and your device. Private keys are not transmitted to or stored by SpruceID systems in a way that allows SpruceID to independently present credentials on your behalf.

SpruceID does not maintain a centralized credential repository that allows us to view, index, or profile all of your Credential Content or presentation activity. Some technical services may temporarily process limited information to facilitate issuance, presentation, backup, recovery, support, security, or troubleshooting, but we aim to minimize that processing.

If backup or recovery features are made available, those features may involve encrypted backup, user-managed recovery materials, or reissuance from participating issuers. We will provide additional information in the App about how those features work.

Data Retention

We retain information only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Credential Content stored locally in your wallet remains under your control. You can delete credentials from the App, subject to the functionality available in the App. Deleting a credential from your App does not necessarily delete the underlying record maintained by the issuer or any copy you previously shared with a verifier.

Technical logs, support records, analytics, and security records may be retained for a reasonable period to operate, secure, troubleshoot, and improve the App.

Security

We use commercially reasonable administrative, technical, and organizational safeguards designed to protect information processed through the App. These safeguards may include encryption, access controls, secure development practices, monitoring, and data minimization.

However, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security. You are responsible for maintaining control of your device, account credentials, passcodes, biometric access, and any recovery materials associated with the App.

Your Choices and Rights

Depending on your location and applicable law, you may have rights to access, correct, delete, or receive a copy of certain personal information, or to object to or restrict certain processing.

You can also make choices directly in the App, such as choosing whether to accept a credential, whether to share a credential, whether to approve a verifier request, whether to allow camera access, and whether to delete locally stored credentials or activity history.

To exercise privacy rights or ask questions about your information, contact us at [insert privacy contact email].

California Privacy Rights

This App is intended for California residents participating in the Career Passport program. California residents may have rights under California privacy law, including the right to know what personal information is collected, used, disclosed, or shared; the right to request access to personal information; the right to request deletion or correction of certain personal information; the right to limit certain uses of sensitive personal information where applicable; and the right not to be discriminated against for exercising privacy rights.

We do not sell personal information. We also do not use Credential Content to build advertising profiles.

We do not knowingly sell or share the personal information of users under 16. If we ever engage in activity that California law treats as a “sale” or “sharing” of personal information involving users under 16, we will obtain the required affirmative authorization before doing so.

To submit a California privacy request, contact us at [insert privacy contact email].

Children’s and Minors’ Privacy

The App is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 without appropriate consent.

Career Passport may be used by students, learners, job seekers, or other California residents, including users who are under 18, when made available through a participating school, educational institution, public agency, workforce organization, credential issuer, or other authorized program partner. If the App is made available to minors through such a partner, that partner is responsible for providing any required notices and obtaining any required consents under applicable law, including laws that may apply to student records, education records, or minors’ data.

We do not sell personal information, including personal information of users under 16. We also do not use Credential Content to build advertising profiles.

If we learn that we have collected personal information from a child under 13 without appropriate consent, we will take reasonable steps to delete that information or obtain appropriate consent. If you believe a child under 13 has provided personal information to us without appropriate consent, please contact us at [insert privacy contact email].

Third-Party Links and Services

The App may link to or interoperate with third-party websites, issuers, verifiers, identity providers, app stores, or other services. We are not responsible for the privacy practices of third parties. Their use of your information is governed by their own privacy policies and notices.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make changes, we will update the effective date above and post the revised Privacy Policy. Where required by law, we will provide additional notice or request consent.

You should review this Privacy Policy periodically for updates.