How does the data flow happen

Subhash Karri
Jul 31, 2025
How does the data flow happen
LegalEducational

Overview of Reclaim Protocol

Reclaim Protocol enables users to securely create digital proofs of their personal data (such as bank balance or employment status) directly from websites they already have legitimate access to. Users fully control what information they share, and the entire cryptographic proof generation occurs privately on their devices.

Key things to note:

Data Access: Who sees what?

A core reason Reclaim’s solution is legally safe is that it clearly delineates who can access data – and it keeps almost everything in the hands of the user. Here’s a breakdown of data access and flow:

This clear allocation of data access – user sees all and decides, Reclaim sees effectively nothing sensitive, verifier sees only the attested snippet – means there is no hidden or inappropriate data flow. The user is effectively exercising their own right to access and share their personal data. From a legal perspective, this setup helps in several ways: it minimizes personal data handling by third parties, it ensures transparency (the user knows exactly what is shared), and it avoids creating new troves of personal data that could be regulated or breached.

Reclaim Protocol is purposefully aligned with global data protection and privacy standards.

Compliance with Website Terms of Service (ToS)

Reclaim Protocol aligns with common provisions found in most website ToS:

In situations where websites maintain stricter policies, users are advised to review those terms carefully and confirm compliance independently.

Reclaim Protocol vs. Web Scraping

Reclaim Protocol does not function as traditional web scraping:

Reclaim Protocol simply provides a secure, verifiable, and user-driven approach to data portability. Its like you copying a number from your screen and sending it to someone, but safer.

Data Roles: Controller vs. Processor

Addressing Liability Concerns

Reclaim Protocol is structured to clearly distinguish its role as a neutral technological enabler:

Class Action Litigation Considerations

Reclaim Protocol's design inherently reduces class-action risks:

Historical class action suits target large-scale misuse or mishandling of user data—risks which Reclaim Protocol explicitly mitigates.

Summary

Reclaim Protocol is a responsible, compliant, and secure solution that empowers users to exercise their data rights safely and transparently. Its privacy-focused, user-centric design aligns seamlessly with global data protection principles, positioning it as a trusted partner for enterprise clients seeking secure and compliant data verification solutions.


Appendix

How Reclaim Protocol Works

Reclaim Protocol allows a user to prove a fact about their data on a website without involving that website’s API or support.

Reclaim achieves this, by

At first glance, this might sound like some kind of automated web scraping, but it’s not– the user is directly involved and the process uses cryptography rather than unauthorized data harvesting.

How it works: Reclaim is essentially a lightweight browser environment (available via an SDK) that the user interacts with to log into the target website. When the user initiates a proof creation, they log in to the desired site through Reclaim’s embedded browser interface. The login request and response are routed through an attestor which monitors the encrypted traffic between the user’s browser and the website. The attestor does not and cannot decrypt this traffic on its own – the data is protected by normal TLS encryption – but the user selectively shares some keys or non-sensitive parts of the request with the attestor so it can verify the request details (for example, confirming the correct URL and query was requested). The attestor can thus see the structure of the request (minus private info like passwords) and can cryptographically sign off that the right request was made to the legitimate website.

The website’s response, still encrypted, is then passed into a zero-knowledge proof circuit on the user’s device, which uses the session’s decryption key (known only to the user) as a private input to extract just the specific piece of information needed – for example, a regex match of the account balance or a status on the page. The attestor also vouches that the encrypted response fed into the ZK-proof indeed came from the website (it saw the ciphertext in transit). In the end, the user obtains a signed proof/attestation containing only the selective data they chose to prove, along with cryptographic signatures from the attestor and the proof itself, which any third-party can verify as authentic (i.e. originating from that website). Crucially, the third-party never needs to contact the original website – they can check the proof offline using the signatures and public keys, which is why we say the proof is portable and verifiable by any relying party.

High-level architecture of Reclaim Protocol

image.png

In this simplified flow, the user logs into a website through a Reclaim attestor running locally on their device, which passes the encrypted HTTPS traffic to the site. The attestor, having partial insight into the request (but not the user’s credentials), signs a statement that the correct request was made. The encrypted response is fed into a zero-knowledge circuit that extracts the required data point (e.g. a confirmation of some account detail) without revealing other information. The attestor then attests that this data came from the genuine response. The final output is a cryptographically signed proof that the user’s claim (e.g. “I have an active payroll at Company X”) is true, backed by the website data. The user can now share this proof with a third-party, who verifies the attestation’s signatures to gain confidence in the claim without ever seeing the user’s login or unrelated data.

Additional Resources

Copyright © 2025 Reclaim Protocol. All rights reserved.