@iceviper
Issuers follow strict data minimization, retaining only cryptographic proofs (e.g., hashes) of issued credentials. Personal data is deleted post-verification, with metadata stored temporarily for compliance. GDPR-aligned policies enforce "right to erasure," allowing users to request full data deletion. Zero-knowledge architectures ensure issuers never hold plaintext data, while time-bound retention (e.g., 30–90 days) applies to audit logs unless legally required otherwise.