Legal
insta ID is designed around the principle of data minimization. Personal data from the electronic ID card chip and the content of documents stay on your device. This policy explains exactly what we process, why, and which rights you have.
Last updated: 29 May 2026•Effective date: 29 May 2026
The data controller for personal data under the Law on Personal Data Protection of Montenegro and the General Data Protection Regulation (GDPR) is Bitsync d.o.o., Montenegro. For any privacy-related question, write to privacy@instaid.me.
Over NFC, insta ID reads data from the chip of your Montenegrin electronic ID card (eLK). The data read — name, surname, date of birth, national ID number, card data and cryptographic certificates — stays in device memory and is not sent to our servers. You choose when, and with whom, to share that data (for example by logging in to a portal of your choice or sharing a signed QR identity).
The private signing key never leaves the chip of the card. On the device, insta ID computes a cryptographic hash of the document, sends that hash to the chip, the chip signs it, and the signature is returned to the application. Neither we nor anyone else has access to your private key. The content of the document does not leave the device unless you send it to a recipient of your choosing.
When you use the application to log in to a government e-service portal, the TLS client certificate is presented to the portal you chose, and the chip signs the challenge issued by that portal. The session runs directly between your device (or paired browser) and the portal. Bitsync does not intermediate or retain the content of that session.
Scanned PDFs and photos are stored locally in the application's sandbox on the device. They are shared only on your initiative (for example by sharing to another application or sending by email). We do not have access to them.
PIN, PUK and CAN are entered only at the moment they are needed for an operation on the chip. They are not written to disk, not synced to any cloud, and are cleared from memory at the end of the session. They are never transmitted to our servers.
For pairing with a desktop browser (insta ID Bridge) and for access to portals that use OAuth/Keycloak, security tokens are kept exclusively on your device, in the system Keychain. They are not sent to our servers and not copied to any cloud.
To enable device pairing across different networks, we use a coordination relay that forwards end-to-end encrypted messages between your phone and your paired computer. The content of these messages is opaque to us — we see only the metadata strictly necessary for routing (pairing identifier, timestamps) and a short-lived buffer (up to 60 seconds) if the peer is briefly offline. After delivery or expiry, the payload is removed.
The application contains no third-party analytics library, no advertising SDKs, and does not use IDFA. We do not track your use of the application for marketing purposes. If we later enable crash diagnostics, we will do so only through the Apple MetricKit mechanism — anonymized diagnostic payloads sent to our self-hosted endpoint, without user identifiers, solely for debugging. This clause will be updated when (and if) that feature is enabled.
If you use the video identification feature with a bank officer, the audio and video stream runs directly between your device and the bank's system. Bitsync does not record, store or have access to the content of that call. The processing of that conversation is governed by the bank as an independent data controller.
The application is intended for adult cardholders. We do not address children and do not knowingly collect children's data. If you learn that a child has used the application, contact us so that the data can be deleted.
We process data based on your consent, performance of the contract for the use of the application, and our legitimate interest in operating the service securely (for example, protection of the relay against abuse). Where processing is necessary to meet a legal obligation, we rely on that basis.
We do not retain personal data from the chip or document content. Operational relay metadata is deleted on delivery or after the 60-second buffer expires. Contact messages sent through instaid.me are retained for as long as needed to respond, and no longer than 24 months.
Our infrastructure is hosted in Europe. We do not sell or share personal data with third parties for marketing purposes. Transfers to portals and banks that you choose run directly between your device and their system.
You have the right of access, rectification, erasure, restriction of processing, objection and portability. You can exercise these rights by writing to privacy@instaid.me. You also have the right to lodge a complaint with the Agency for Personal Data Protection and Free Access to Information of Montenegro.
We use industry-standard transport security (TLS), cryptographically attested device pairings and key isolation on the chip. A more detailed description of our principles is available on the "Security and privacy" page.
We may update this policy. We will announce material changes inside the application and on instaid.me. The "Last updated" date at the top of the page always corresponds to the current version.
Questions, access or deletion requests can be sent to privacy@instaid.me. Bitsync d.o.o., Montenegro.