Privacy Policy

Our privacy policy is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR).

General information

  • The whole process of generating the pass file happens locally in your browser. For the signing step, only a hashed representation of your data is sent to the server.
  • Your data is not stored beyond the active browser session and the site does not use cookies.
  • No data is sent to third parties.
  • We transmit your data securely over https.
  • Our server is hosted in Nuremberg, Germany.
  • The source code of this site is available on GitHub.
  • By default, Apple Wallet passes are accessible from the lock screen. This can be changed in the settings.
  • The server provider processes data to provide this site. In order to better understand what measures they take to protect your data, please also read their privacy policy and the data privacy FAQ.


Donatus Wolf and Philipp Trenz
Kiepenheuerallee 5
14469 Potsdam

Simplified explanation of the process

This process is only started after accepting this policy and clicking on the Add to Wallet button.
First, the following steps happen locally in your browser:

  • Scanning and extracting the QR code data from your selected certificate via the camera of your device
  • Decoding your personal and health-related data from the QR code payload
  • Assembling an incomplete pass file out of your data
  • Generating a hashes of the data stored in the pass file
  • Sending only the hashes to our server

Second, the following steps happen on our server:

  • Receiving and checking the hashes which were generated locally
  • Signing the file containing the hashes
  • Sending the signature back

Finally, the following steps happen locally in your browser:

  • Assembling the signed pass file out of the incomplete file generated locally and the signature
  • Saving the file on your device

Locally processed data

The following data is processed on in your browser to generate the pass file.
Processed personal data contained in the QR code:

  • Your first and last name
  • Your date of birth

For each vaccination certificate contained in the QR code, the following data is processed:

  • Targeted disease
  • Vaccine medical product
  • Manufacturer/Marketing Authorization Holder
  • Dose number
  • Total series of doses
  • Date of vaccination
  • Country of vaccination
  • Certificate issuer
  • Unique certificate identifier (UVCI)

For each test certificate contained in the QR code, the following data is processed:

  • Targeted disease
  • Test type
  • NAA Test name
  • RAT Test name and manufacturer
  • Date/Time of Sample Collection
  • Test Result
  • Testing Centre
  • Country of test
  • Certificate Issuer
  • Unique Certificate Identifier (UVCI)

For each recovery certificate contained in the QR code, the following data is processed:

  • Targeted disease
  • Date of first positive NAA test result
  • Country of test
  • Certificate Issuer
  • Certificate valid from
  • Certificate valid until
  • Unique Certificate Identifier (UVCI)

The Digital Covid Certificate Schema contains a detailed specification of which data can be contained in the QR code.

Server provider

Our server provider is Hetzner Online GmbH. The following data may be collected and stored in the server log files:

  • The browser types and versions used
  • The operating system used by the accessing system
  • The website from which an accessing system reaches our website (so-called referrers)
  • The date and time of access
  • The pseudonymised IP addresses

We evaluate these server log files for error analysis and to improve the user experience.

Your rights

In accordance with the GDPR you have the following rights:

  • Right of access to your data: You have the right to know what data has been collected about you and how it was processed.
  • Right to be forgotten: Erasure of your personal data.
  • Right of rectification: You have the right to correct inaccurate data.
  • Right of data portability: You have the right to transfer your data from one processing system into another.

Third parties linked


Privacy policy authoritatively prepared by Marvin Sextro (see here)
With excerpts from:
Translated with (free version)