Privacy Policy

This Privacy Policy explains how AgeEvidence processes personal data in two contexts:

• Website & business communications (sales/support/contact)
• Verification Services (when an individual completes an age/identity verification flow)

This policy is designed to be compatible with GDPR/UK GDPR expectations and other applicable privacy laws where relevant. Specific rights and requirements vary by jurisdiction.

• Privacy contact: Contact form (select Privacy)
• DPO (if appointed): Contact form (select Privacy)

AgeEvidence may act as a processor (processing data on behalf of a business customer) or as a controller (determining purposes/means), depending on how the Services are deployed.

If you are verifying for access to a platform that directed you to AgeEvidence, that platform is typically the controller for the access decision and the broader user relationship. You should review that platform's privacy policy as well.

The exact data processed depends on the verification level (full_kyc, full_age, age_only) and configuration. We may process:

4.1 Identity document data (full_kyc / full_age)

• government-issued ID images (front/back where applicable)
• extracted fields/signals (e.g., name, date of birth, document number, expiry) where captured
• document quality/authenticity signals (tamper/spoof indicators)

4.2 Liveness media and face data (full_kyc / full_age / age_only)

• liveness capture media (e.g., selfie video used for challenges)
• face descriptors/embeddings derived from captures (used for matching and fraud prevention)
• anti-spoofing signals and challenge metadata
• for age_only: face age estimation outputs (approximate)

4.3 Technical/session data

• IP address, user agent/device/browser signals
• country-level geolocation signals
• timestamps, session identifiers, audit trail events
• security and access logs

Note on biometrics: face embeddings used for identity matching may be treated as biometric data under certain laws. We process such data only for verification, fraud prevention, and security purposes.

• contact details (name, email, company, role)
• messages sent via the contact form (including IP address and user agent for abuse prevention)
• security logs for website operation

• to perform age/identity verification and produce Verification Results
• to detect and prevent fraud, abuse, and account takeover
• to maintain security monitoring, auditability, and incident response
• to meet legal obligations and respond to lawful requests
• to operate our website and communicate with business customers

We do not sell verification data. We do not use verification data to market products to verification subjects.

Legal bases depend on role and context. Common bases include:

• Contract / steps prior to contract (providing verification requested by a customer/platform)
• Legitimate interests (fraud prevention, security, service integrity)
• Legal obligations (where record-keeping or lawful requests apply)
• Consent (where required, including explicit consent for biometric processing in certain jurisdictions)

Where we act as a processor, the customer/controller is responsible for selecting the lawful basis and providing required notices.

Certain verification flows generate face embeddings/descriptors to compare liveness capture against an ID photo (where applicable) and/or to detect spoofing. In some jurisdictions this may be regulated as biometric information.

• We use biometric-derived data only for verification, fraud prevention, and security.
• We do not sell, lease, or trade biometric data.
• We retain biometric-derived data only for the periods described in the Retention section (unless law requires longer).

AgeEvidence is designed to store and process verification data using infrastructure located in Germany and/or Switzerland.

If we change hosting regions or add subprocessors, we will provide notice to affected customers.

We share personal data only as necessary:

• With the business customer/platform: verification outcome/status and agreed fields needed for compliance workflows
• With subprocessors: hosting and infrastructure providers under contract
• With authorities: when required by valid legal process or where legally required

If personal data is accessed or transferred outside the European Economic Area and Switzerland, we implement appropriate safeguards where required (such as Standard Contractual Clauses) and apply supplementary security measures as appropriate.

Retention depends on configuration, contractual requirements, and legal obligations. Our default targets are:

• full_kyc (identity + record-keeping workflows): retained for 7 years from record creation or last update, and longer where required by law or ongoing legal needs.
• full_age / age_only: retained until the verification expires (per configuration), plus 1 year.
• access/security logs: up to 7 years where necessary for auditability, abuse prevention, and legal defense.

When retention periods expire, data is securely deleted or anonymized, unless we must retain it for legal obligations or disputes.

We implement technical and organizational measures designed to protect personal data, including access controls, least-privilege administration, encryption in transit, logging, and security monitoring. No system is perfectly secure.

Depending on where you live, you may have rights to access, correct, delete, or restrict processing of your personal data, and to object to certain processing. If you completed verification for a platform, you should generally contact that platform first (as it controls access decisions).

You can also reach us via our contact form (select Privacy).

AgeEvidence is not intended for children. If we have reason to believe verification data relates to a minor attempting to access adult-restricted services, we block the verification and take additional steps consistent with applicable law and safety obligations.

We may update this policy to reflect changes in practices, security, or legal requirements. The "Last updated" date indicates when it was revised.