DSA Art. 28 binding · UK OSA enforced · US state laws active

Age verification, three jurisdictions, zero IDs retained.

zkRune is the privacy-preserving age-assurance layer for platforms in scope of the EU Digital Services Act, the UK Online Safety Act, and the growing patchwork of US state age-gating laws. One ZK widget, three jurisdictions, no government-ID retention, no breach surface.

Outside age-gating scope? See the full regulations matrix (AI Act, MiCA, eIDAS 2.0, DORA, NIS2, GDPR).

The opportunity

Every regulator wants stronger age verification. Every privacy authority wants less personal data. Platforms are caught in between — and the default answer is a breach waiting to happen.

Most platforms address UK OSA and US state laws by collecting government-issued ID. That data immediately becomes a GDPR liability, a breach target, and an irreversible privacy cost on the user. zkRune lets you satisfy the same regulatory tests without ever receiving the underlying document.

What regulators want to see
  • Age verification before access to restricted content
  • Highly effective methods (not just self-declaration)
  • Audit trail that an inspector can re-verify
  • Per-jurisdiction minimum-age enforcement
  • Annual systemic-risk assessment for VLOPs

What zkRune delivers
  • Sub-second ZK proof of `age ≥ N` in the browser
  • No birthdate, no ID, no biometric on the server
  • Re-verifiable against on-chain anchored vKeys
  • Per-jurisdiction min-age via one config flag
  • MIT-licensed widget + SDK + hosted verifier

We do not collect government IDs. That is the point. The widget integrates with your existing identity stack (Onfido, Yoti, iProov, Veriff) as the privacy-preserving evidence path — replacing the raw-ID-retention default with a cryptographic proof that regulators can inspect.

Who we serve

Three platform categories with the sharpest regulatory pressure and the most acute privacy exposure.

Dating & social platforms

Bumble, Hinge, Grindr, Tinder, Match Group, Discord, Reddit, BeReal, TikTok regional ops

Drop-in widget verifies age before any DM, photo upload, or account upgrade. Your service receives the assertion ('age ≥ 18') and the cryptographic proof hash — never the birthdate. Ofcom's 'highly effective' age-assurance criteria and DSA Art. 28 risk assessments map directly to the widget's output.

Adult content & alcohol-vape e-commerce

Pornhub / Aylo, OnlyFans, Fanvue, BrewDog DTC, Pernod Ricard online, Juul / Vuse direct-to-consumer

The two highest-risk verticals under UK OSA and US state regimes (TX HB 1181, LA HB 142, UT, MS, VA + 7 more in pipeline). Same widget; per-jurisdiction minimum age via a single config flag. Proof hash gives you the audit log without the data-breach liability.

Gambling & regulated wagering

DraftKings, FanDuel, bet365, Entain, Flutter, Evolution Gaming partner platforms

A sophisticated AML / KYC stack is already in place; zkRune adds a privacy-preserving age and jurisdictional-eligibility layer that differentiates your registration UX without adding regulatory risk. It is composable with existing identity orchestrators (Onfido, Sumsub, Veriff): it slots underneath them, not in place of them.

Jurisdiction map

Four regulatory regimes, one circuit, one widget.

Mapping is informational; minimum-age thresholds and accepted assurance methods vary by jurisdiction. Consult your DPO and the relevant national authority before claiming certification.

Jurisdiction

EU — Digital Services Act Art. 28

Online platforms accessible to minors must implement appropriate measures to ensure a high level of privacy, safety, and security. VLOPs face additional risk-assessment obligations under Art. 34–35.

zkRune circuit

age-verification

Notes

The widget output binds an age assertion to a cryptographic proof. A DSA risk assessment can cite the proof hash as the integrity anchor. Because no raw birthdates are collected, the data-minimisation argument under GDPR Art. 5(1)(c) is automatic.

Jurisdiction

UK — Online Safety Act 2023, Part 5

Providers must use 'highly effective age assurance' to keep children from accessing pornographic content. Ofcom is enforcing actively and naming non-compliant platforms publicly.

zkRune circuit

age-verification

Notes

Maps to the range from Ofcom's Method 2 (facial age estimation) to Method 5 (digital identity wallets). Crucially, with zkRune the underlying signal stays on the user's device; the platform only sees the proof. This closes the GDPR exposure that government-ID collection creates.

Jurisdiction

US — Texas HB 1181 (and equivalents)

Commercial entities publishing material that is harmful to minors must verify users are at least 18 using a 'reasonable age verification method'.

zkRune circuit

age-verification · range-proof

Notes

TX, LA, MS, UT, VA, and 7+ others in the pipeline. Patchwork of state laws with conflicting evidentiary standards — zkRune's per-jurisdiction config lets you set minimum age and accepted assurance method without recoding the integration.

Jurisdiction

EU — DSA Art. 35 risk assessments

VLOPs and VLOSEs must annually assess systemic risks including age-inappropriate access, and document mitigations.

zkRune circuit

age-verification · anonymous-reputation

Notes

Anonymous-reputation circuit lets risk-assessment teams demonstrate moderation outcomes (e.g. 'X% of flagged accounts cleared age assurance') without retaining any user-level reputation history.

Readiness

Production today. The widget you can drop on a landing page tomorrow.

Audited circuits

14 production Groth16 circuits

Age-verification is the workhorse — used in production on the zkRune homepage demo. Same circuit underpins this entire compliance surface.

Proof generation

Sub-second in-browser

Critical for conversion: a UK OSA-style flow that takes more than 5 seconds bleeds funnel. Age-verification proof: ~200 ms median on mobile, ~80 ms on desktop.

Proof size

~200 bytes

Compact. Suitable for the multi-year retention requirements Ofcom and the EU Commission expect to inspect on demand.

Mainnet anchors

Solana · Base · Sui

Ofcom inspectors, EU national authorities, or US state attorneys-general can independently re-verify any proof against the on-chain key — no dependency on the platform or zkRune as a vendor.

Licence

MIT / Apache-2.0

Open source by default. The widget code is auditable by your security team and any regulator that asks. No vendor lock-in.

Audit

Q3–Q4 2026 (planned)

Third-party security audit scheduled. Honest disclosure of current posture at /trust — including what we have not yet proved.

What zkRune deliberately does not do

The list below is what existing T&S vendors and identity providers already handle. zkRune slots underneath as the privacy-preserving evidence path — not as a replacement for the orchestration you already trust.

  • × Government-ID collection or storage (the thing we let you avoid)
  • × Facial age estimation or biometric onboarding (Yoti, iProov, Veriff do that)
  • × Trust & Safety operations / content moderation pipelines
  • × Sanctions or PEP screening for age-related verifications
  • × Cross-platform child-safety reporting (NCMEC, IWF, INHOPE pipelines)

Mainnet anchors

Verification keys on three independent chains.

Ofcom inspectors, EU national authorities, US state attorneys-general, or your own internal audit can independently re-verify any proof against the on-chain key — no dependency on the platform or zkRune as a vendor.

Evaluating zkRune for an age-gating obligation?

We work directly with Trust & Safety leads, DPOs, and product engineers at platforms in scope of UK OSA, DSA Art. 28, and US state laws. The fastest path is a 30-minute technical session with the widget integration and trust documentation ready to forward to your security team.

zkruneprotocol@gmail.com · @rune_zk on X · github.com/louisstein94/zkrune