Privacy Policy

Last updated: February 15, 2026

IDChecker AI LLC ("IDChecker AI," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our identity verification platform and related services (the "Services").

IDChecker AI LLC
6688 Nolensville Rd, Ste 108-315
Brentwood, TN 37027
United States

1. Information We Collect

We collect the following categories of information:

1.1 Account Information. When you create an account or are invited to an organization, we collect your name, email address, organization name, and role.

1.2 Verification Session Data. When a verification session is initiated, we collect:

  • Government-issued identity documents — passport, driver's license, national ID images, and data extracted therefrom (name, date of birth, document number, expiration date, photo).
  • Biometric data — facial geometry data extracted from live video sessions and identity document photos for face-matching purposes. This constitutes biometric identifiers under applicable laws including the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier (CUBI) Act, and Washington State Biometric Identifiers law (H.B. 1493).
  • Liveness detection data — video frames and challenge-response metrics used to verify the subject is a live person and not a deepfake, photo replay, or pre-recorded video.
  • Network metadata — IP address, geolocation (country/region level), VPN/proxy detection signals, browser fingerprint, and device information.

1.3 Usage Data. We automatically collect information about how you interact with the Services, including pages visited, features used, actions taken, and timestamps.

1.4 Payment Information. Payment processing is handled by Stripe, Inc. We do not store credit card numbers. We receive and store transaction records, billing addresses, and subscription status from Stripe.

2. How We Use Your Information

We use your information for the following purposes:

  • Identity verification — To perform document verification, liveness detection, face matching, and network forensics as requested by your organization.
  • Service delivery — To operate, maintain, and improve the Services.
  • Compliance and audit — To maintain SOX-compliant immutable audit trails and support your organization's regulatory obligations.
  • Security — To detect and prevent fraud, unauthorized access, and platform abuse, consistent with NIST 800-53 controls (SI-4, AU-6).
  • Communication — To send transactional emails, security alerts, and service updates. We do not send marketing emails without your consent.
  • Legal obligations — To comply with applicable laws, regulations, and legal processes.

3. Biometric Data

3.1 Purpose. We collect and process biometric data solely for the purpose of identity verification — specifically, to perform 1:1 facial matching between a live video session and an identity document photo.

3.2 Consent. Biometric data is collected only with the informed, written consent of the verification subject. Consent is obtained prior to each verification session through an on-screen disclosure and affirmative action (clicking "I Consent").

3.3 Retention and Deletion. Facial biometric data is automatically purged within 24 hours of verification completion. Verification result metadata (pass/fail, confidence scores) is retained per your organization's configured retention policy but does not contain raw biometric data.

3.4 Protection. Biometric data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Access is restricted to automated processing systems only — no human reviews biometric data unless explicitly authorized by the verification subject for dispute resolution.

3.5 No Sale or Disclosure. We do not sell, lease, trade, or otherwise profit from biometric data. Biometric data is never shared with third parties except as required by law.

4. Data Sharing and Disclosure

We share your information only in the following circumstances:

  • With your organization — Verification results and audit records are shared with the organization that initiated the verification session.
  • Service providers — We use third-party service providers including Google Cloud Platform (infrastructure, AI/ML), Stripe (payments), and Firebase (authentication). Each provider is bound by contractual obligations to protect your data. A list of sub-processors is available upon request.
  • Legal requirements — We may disclose information when required by law, regulation, subpoena, court order, or government request.
  • Business transfers — In the event of a merger, acquisition, or sale of assets, your information may be transferred subject to the same privacy protections described in this policy.

5. Data Security

We implement technical and organizational security measures aligned with NIST 800-53 control families to protect your information:

  • Access Control (AC-2, AC-3, AC-6) — Role-based access control, least-privilege principles, and multi-factor authentication for all administrative access.
  • Audit and Accountability (AU-2, AU-3, AU-6) — Immutable, tamper-evident audit logs for all verification sessions and administrative actions.
  • Identification and Authentication (IA-2, IA-5) — Strong authentication mechanisms for all users, including support for SSO/SAML on Enterprise plans.
  • System and Communications Protection (SC-8, SC-13, SC-28) — TLS 1.3 for data in transit, AES-256 for data at rest, and validated cryptographic modules.
  • Incident Response (IR-4, IR-6) — Documented incident response plan with notification procedures in compliance with applicable breach notification laws.

SOC 2 Type II certification is on our roadmap. We are actively working toward achieving this certification and design all controls to meet SOC 2 Trust Services Criteria.

6. Data Retention

We retain your information for the following periods:

  • Biometric data — Automatically purged within 24 hours of verification completion.
  • Verification session metadata — Retained according to your organization's configured retention policy (default: 90 days for Pay As You Go, 1 year for Growth, unlimited for Enterprise).
  • Account information — Retained for the duration of your account plus 30 days after account deletion.
  • Audit logs — Retained per your plan's audit retention period to support compliance requirements.
  • Payment records — Retained as required by applicable tax and financial regulations (typically 7 years).

7. International Data Transfers

Your information is processed and stored in the United States using Google Cloud Platform infrastructure. If you are located outside the United States, your information will be transferred to and processed in the United States.

7.1 EU/EEA/UK Transfers. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision 2021/914), including the supplementary measures recommended by the EDPB.
  • The UK International Data Transfer Addendum to the EU SCCs.

Copies of the executed SCCs are available upon request by contacting privacy@idchecker.ai.

8. Data Processing Agreement (DPA)

For Enterprise customers, we provide a Data Processing Agreement that includes:

  • Processor obligations under GDPR Article 28, including purpose limitation, data minimization, and security requirements.
  • Sub-processor management with prior notification of changes.
  • Data subject access request (DSAR) assistance procedures.
  • Data return and deletion obligations upon contract termination.
  • Audit rights for the data controller.

Healthcare organizations may request a HIPAA Business Associate Agreement (BAA) for verification workflows involving Protected Health Information (PHI).

To request a DPA or BAA, contact legal@idchecker.ai.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

9.1 GDPR Rights (EU/EEA/UK). Right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing, and the right not to be subject to automated decision-making.

9.2 CCPA/CPRA Rights (California). Right to know, right to delete, right to opt-out of sale (we do not sell personal information), right to non-discrimination, and right to correct inaccurate personal information.

9.3 Biometric Privacy Rights. Under BIPA (Illinois), CUBI (Texas), and similar state laws, you have the right to informed consent before biometric data collection, the right to know retention and destruction schedules, and the right to have biometric data destroyed in accordance with published schedules.

To exercise any of these rights, contact privacy@idchecker.ai. We will respond within 30 days (or sooner as required by applicable law).

10. Cookies and Tracking

We use essential cookies required for the Services to function (authentication, session management). We do not use advertising or tracking cookies. We do not participate in cross-site tracking or sell personal information to advertisers.

11. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact privacy@idchecker.ai immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to account administrators and posted on this page with an updated "Last updated" date. Your continued use of the Services after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

IDChecker AI LLC
Attn: Privacy Officer
6688 Nolensville Rd, Ste 108-315
Brentwood, TN 37027
United States
Email: privacy@idchecker.ai

EU Representative. If you are located in the EU/EEA and have concerns about our data processing, you may also contact your local data protection authority.