Privacy Policy

Last updated: 19 February 2026

1. Who We Are

FaceVault (“we”, “us”, “our”) provides AI-powered identity verification services via the FaceVault API and verification links. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website (facevault.id), API, developer dashboard, and related services, including our Tor hidden service.

2. What We Collect

Developer account data

When you create a FaceVault developer account, we collect:

  • Email address
  • Hashed password (bcrypt — we never store plaintext passwords)
  • API key prefix (first 8 characters, for identification; the full key is SHA-256 hashed)
  • Subscription tier and billing data (managed by Stripe — we do not store credit card numbers)

End-user verification data

When an end user completes identity verification through a developer’s integration, we process:

  • ID document photo (passport, driving licence, national ID)
  • Selfie photo
  • Confirmed identity data (full name, date of birth, nationality) if provided by the integrating application
  • Extracted document data: MRZ (machine readable zone) fields and OCR text from the ID document
  • Face match score (numerical distance between face embeddings)
  • Face embedding (512-dimensional ArcFace vector) — stored for repeat-verification fingerprinting if enabled by the developer
  • Anti-spoofing analysis results (liveness score and signal details)
  • Document fraud detection results (image forensics scores)
  • rPPG video frames (short video segments used for remote photoplethysmography liveness detection, if provided)
  • Session metadata (timestamps, verification status, developer-provided external user ID)

3. Biometric Data

Key point: We process biometric data (facial geometry) for the purpose of identity verification and, when enabled, for repeat-verification fingerprinting. We do not use biometric data for surveillance, advertising, or any purpose beyond what the integrating developer has configured.

During verification, we extract facial embeddings (512-dimensional numerical vectors) from both the ID photo and selfie using the ArcFace neural network. These embeddings are compared to produce a face match score.

Embedding storage: The selfie face embedding may be stored alongside the verification session record to enable the developer to search for returning individuals across sessions (fingerprint search). Stored embeddings are scoped to the developer’s own sessions and are purged automatically when the session expires (see Data Retention).

Client-side liveness detection (head turn sequence) runs entirely in the end user’s browser. No liveness video is transmitted to our servers. rPPG frames, if submitted, are processed server-side and deleted with the session.

4. How We Use Your Data

Identity verification

Processing photos and identity data to verify that the person in the selfie matches the person on the ID document, including face matching, anti-spoofing analysis, document fraud detection, and MRZ/OCR extraction.

Repeat-verification fingerprinting

Storing face embeddings so developers can identify returning individuals across verification sessions. This feature is scoped per-developer — one developer’s embeddings are never accessible to another.

Service delivery

Maintaining your developer account, authenticating API requests, tracking usage for billing, and delivering webhook callbacks with HMAC-signed payloads.

Communication

Sending transactional emails (account verification, password reset, data retention warnings) and critical service announcements. We do not send marketing emails unless you opt in.

5. Data Sharing

We do not sell, rent, or trade personal data. We share data only in the following circumstances:

  • With the integrating developer — verification results (pass/fail, match score, confirmed identity data, document cross-check, anti-spoofing summary) are delivered to the developer who initiated the session via API response and optional HMAC-signed webhook
  • Fingerprint search results — developers can query their own sessions to find matching face embeddings. Results are strictly scoped to the querying developer’s data
  • Service providers — infrastructure providers (hosting, DNS, email delivery) who process data on our behalf under data processing agreements
  • Payment processor — Stripe processes subscription and billing data; we do not store payment card details
  • Legal obligations — when required by law, court order, or regulatory authority

6. Data Retention

Verification data retention depends on the developer’s subscription tier. Photos, identity data, and face embeddings are automatically purged when the retention period expires.

| Data type | Retention period |
| --- | --- |
| Uploaded photos (ID + selfie) & rPPG frames | Free: 7 days · Starter/Pro: 30 days · Enterprise: 90 days (extendable via add-ons) |
| Face embeddings | Same as photos — purged (set to NULL) when session retention expires |
| MRZ data, confirmed identity data, document fraud data | Same as photos — purged (set to NULL) when session retention expires |
| Anti-spoofing signal details | Same as photos — purged (set to NULL) when session retention expires |
| Session metadata (status, timestamps, match score) | Retained indefinitely for billing and audit (PII fields are NULLed at purge time) |
| Developer account data | Duration of account, plus 30 days after deletion request |

Developers may purchase retention extension add-ons (+30 days, +90 days, or +1 year) for individual sessions.

7. Data Purge & GDPR Erasure

When a session’s retention period expires, we perform a comprehensive purge:

  • All uploaded photos and rPPG frames are permanently deleted from disk
  • Face embeddings are set to NULL
  • MRZ data, confirmed identity data, document fraud data, and anti-spoofing details are set to NULL
  • The external user ID is replaced with “purged”
  • The session status is set to “purged”

This process is automated and irreversible. After purge, the session record retains only non-PII metadata (timestamps, pass/fail status, match score) for billing and audit purposes.

8. Security

We implement appropriate technical and organisational measures to protect personal data:

  • All data in transit is encrypted via TLS 1.3
  • API keys are SHA-256 hashed before storage
  • Passwords are hashed with bcrypt (cost factor 12)
  • Webhook payloads are signed with HMAC-SHA256 so receivers can verify authenticity
  • Rate limiting on all public endpoints to prevent abuse
  • HTTPS enforced for all webhook callback URLs (no PII sent over unencrypted connections)
  • All ML inference runs on our own infrastructure — no photos or biometric data are sent to third-party AI services
  • Access to production systems is restricted and audited
  • The service is also available via Tor hidden service for users requiring network-level privacy

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access

Request a copy of the personal data we hold about you.

Rectification

Request correction of inaccurate personal data.

Erasure

Request deletion of your personal data, subject to legal retention requirements. For verification sessions, this triggers the same comprehensive purge described in section 7.

Portability

Request your data in a structured, machine-readable format.

To exercise any of these rights, email privacy@facevault.id. We will respond within 30 days.

10. Cookies

The FaceVault marketing site (facevault.id) does not use tracking cookies or third-party analytics. The developer dashboard uses a session cookie strictly for authentication. No advertising or tracking cookies are used anywhere.

11. Children

FaceVault services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered developers. The “Last updated” date at the top of this page indicates the most recent revision.

Contact

For privacy-related enquiries, contact us at privacy@facevault.id

For general support: support@facevault.id