Privacy and erasure
Agreely is built so that proving consent does not require holding the data, and so that erasing consent destroys the readable claim rather than promising to. This page covers two distinct rights that are easy to conflate, and the crypto-shred that backs the erasure of Agreely's own copy.
Withdrawal is not erasure
Two different rights sit behind "stop using my data," and Agreely keeps them apart on purpose.
- Withdrawal (section 8) ends a live consent. It flips the enforcement
record to
revoked, and the very next check denies. Withdrawal deliberately keeps a record: theconsentRef, the receipt, and the anchored commitment all survive, because being able to prove that a consent existed and was then withdrawn is itself the accountability Law 25 asks for. - Erasure (article 23) is a request to destroy. It is not a status flip; it crypto-shreds Agreely's own readable copy of the cell and produces a request the company must honor in its own systems. Agreely cannot reach into your database, so erasure is Agreely's part plus your obligation, not a single switch.
Erasure is Agreely's copy plus your obligation
Erasing a cell destroys the readable claim Agreely held for it. It does not, and cannot, reach into the company's own systems. The company remains the responsable de la protection des renseignements personnels for the data it holds and must honor the erasure in its own stores. See honest boundaries.
Crypto-shred erasure
Agreely implements erasure of its own copy per-cell as a crypto-shred. Each consent cell is bound by a commitment:
commitment = keccak256( JCS(claim) || salt32 )
The 32-byte salt is the cell's only secret and the only thing that makes the
commitment reversible to the claim. Erasing a cell destroys that salt (and the
readable claim rows around it), while keeping the commitment so the surviving
cells of the same consent still verify against the Merkle root. The synchronous
check default-denies the instant
the erase transaction commits.
The honest boundary
It is tempting to claim erasure is instantaneous and total everywhere. It is not, and Agreely states the boundary plainly rather than overclaiming.
The exact claim Agreely makes
Live database anonymized immediately (no readable category/purpose claim survives); full physical destruction within the documented retention window.
Concretely, the moment the erase transaction commits:
- the salt is gone from the live row, so the retained
commitmentis a one-way hash that is not reversible to the claim; - the readable claim row (the plaintext category/purpose) is deleted;
- the synchronous check default-denies and the dashboard no longer lists the cell.
What still exists, until the retention window passes, is an unreadable
residual that carries no category or purpose claim: the on-chain commitment is an
orphan with its salt destroyed, and the remaining linkage ties a DID to an opaque
random consent_ref that reveals nothing. Full physical destruction completes
within the documented retention window.
What Agreely does NOT claim
Agreely does not claim "irreversibly destroyed everywhere at all times," and it does not tell a person "Agreely can't read your data." The citizen-facing wording is deliberately narrower: "Agreely destroys its record of this consent; what remains on-chain is an unreadable orphan." The exact wording, which distinguishes de-identification (section 12), a reversible interim state, from anonymization or destruction (section 23 para. 2 to 3), is reviewed by privacy counsel before launch.
Why the residual carries no identity
Erasure can keep a consent_ref-to-DID linkage as a Merkle sibling without that
residual carrying any readable identity, because the consent_ref is a fresh,
opaque random value that reveals nothing about who the person is. That property
is unlinkability, and it is what lets Agreely
retain the cryptographic proof of a consent while destroying its readable form.
The full account, including the precise boundary of what unlinkability does and
does not hide, lives on its own page.
Independent verifiability
None of this requires trusting Agreely. The artifacts a person or auditor holds, the receipt, the DID documents, and the on-chain anchor, are enough to verify a grant end to end. See the verify recipe.
Next
- Unlinkability: the full company/citizen non-correlation model.
- Honest boundaries: why "destroyed everywhere at all times" is a claim Agreely refuses to make.