Privacy Policy
Last updated: April 27, 2026
Issued by IT Brains SASU (a company registered in France), operating under the brand ProofAge — privacy@proofage.xyz
1. About This Policy and Our Role
This Privacy Policy describes how IT Brains SASU (a company registered in France, operating under the brand "ProofAge", "we", "us") processes personal data in connection with our age verification and identity verification (KYC) services.
ProofAge provides its services to businesses ("Service Providers") who integrate our API into their own platforms. When end users complete a verification, they interact with ProofAge's technology on behalf of that Service Provider.
Our Role Under GDPR
Data Controller
The Service Provider — the company whose platform directs you to a ProofAge verification. They decide why your data is processed and are responsible for their own privacy practices.
Data Processor
ProofAge (IT Brains SASU) — we process personal data exclusively on documented instructions from the Service Provider and for no other purpose, except as required by applicable law.
This policy covers two groups of people whose data ProofAge processes:
- Business customers who integrate the ProofAge API
- End users who complete a verification through a Service Provider's platform
This policy is governed by Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 modifiée, "Loi Informatique et Libertés").
2. Business Customers (Data Controllers)
When you register for and use the ProofAge API as a business, we process the following data, for which ProofAge acts as a Data Controller in its own right:
Data collected
- Company name, registered address, and business contact details
- Account credentials (email, hashed password)
- API keys and workspace configuration
- Billing and payment information (processed by our payment processor)
- API usage data and request logs
- Support communications
Legal basis and purpose
- Contract performance (GDPR Art. 6(1)(b)) — to provide the ProofAge service, manage your account, and process billing
- Legal obligation (GDPR Art. 6(1)(c)) — to comply with tax, financial, and regulatory obligations
- Legitimate interest (GDPR Art. 6(1)(f)) — to maintain API security, prevent abuse, and improve our service
Retention
Account data is retained while your account is active and for up to 5 years after closure to satisfy legal and contractual obligations. API logs are retained for 12 months.
3. End Users — Age Verification
When you complete a face-based age verification through a Service Provider's platform, ProofAge acts as a Data Processor on behalf of that Service Provider.
Data collected
- A live facial photograph captured via your device camera
- A face embedding — a mathematical vector representing your facial geometry (see Section 5)
- Age verification result: whether the 18+ threshold is met
- IP address and approximate geolocation (country / city)
- User-Agent string (browser and device information)
- Device fingerprint hash (a pseudonymous identifier for fraud prevention)
- Timestamps of session events
- Consent record: version accepted, date, and time
Purpose and legal basis
| Purpose | Legal basis |
|---|---|
| Estimating whether you are 18 or older | GDPR Art. 9(2)(a) — Explicit consent |
| Deriving and retaining a face embedding for fraud prevention | GDPR Art. 9(2)(a) — Explicit consent |
| IP geolocation for fraud prevention | GDPR Art. 9(2)(a) — Explicit consent |
| Device fingerprinting for fraud prevention | GDPR Art. 9(2)(a) — Explicit consent |
Retention
| Data | Retention | Reason |
|---|---|---|
| Facial photograph | 30 days | Dispute resolution, technical audit |
| Face embedding (geometry vector) | 12 months | Fraud prevention |
| Verification result | 30 days | Dispute resolution |
| IP address + geolocation | 30 days | Fraud prevention, dispute resolution |
| Device fingerprint hash | 12 months | Fraud prevention |
| Consent record | Duration of legal obligation | Compliance audit |
After each retention period, data is permanently and irreversibly deleted. The Service Provider's own retention practices are governed by their privacy policy.
4. End Users — Identity Verification (KYC)
KYC verification is either initiated directly by the Service Provider or triggered as an escalation from face-based age verification when confidence is insufficient. It requires a separate explicit consent, additional to any age verification consent.
Data collected
Images:
- Live selfie photograph
- Identity document — front image (all document types)
- Identity document — back image (ID cards and driver's licences)
Biometric data (special category, GDPR Art. 9):
- Face embedding from selfie (see Section 5)
- Face embedding from document photo
- Face matching result: similarity score, threshold, decision (matched / not matched)
Identity document data extracted automatically:
- Full legal name, date of birth, nationality, gender
- Document type, number, issuing country, issue and expiry dates
- Machine Readable Zone (MRZ) data
Document validation and technical data:
- MRZ checksum, field format and consistency validation, expiry status
- IP address, geolocation, User-Agent, device fingerprint hash, timestamps
- Consent record: version, date, time
Retention
| Data | Retention | Reason |
|---|---|---|
| Selfie photograph | 30 days | Dispute resolution, technical audit |
| Document images (front + back) | 30 days | Dispute resolution, document authenticity audit |
| Face embedding — selfie | 12 months | Fraud prevention |
| Face embedding — document photo | 12 months | Fraud prevention |
| Extracted document fields (name, DOB, etc.) | 30 days | Dispute resolution |
| Face matching result | 30 days | Technical audit |
| IP address + geolocation | 30 days | Fraud prevention, dispute resolution |
| Device fingerprint hash | 12 months | Fraud prevention |
| Consent record | Duration of legal obligation | Compliance audit |
5. Fraud Prevention and Face Embeddings
A face embedding is a mathematical vector derived from a facial image. It represents the relative distances between facial landmarks as a series of numbers. A face embedding cannot be used to reconstruct or display a photograph.
ProofAge retains face embeddings for 12 months after each verification session for the following fraud prevention purposes:
- Comparing a new verification attempt against a list of previously blocked profiles
- Detecting repeated attempts by the same person under different identities
- Protecting Service Providers and their users from identity fraud
Face embeddings are stored in encrypted form within the EEA. They are not shared with Service Providers or any third party. After 12 months they are permanently and irreversibly deleted.
The retention of face embeddings is covered by the explicit consent you provide before each verification. If you withdraw consent, your face embedding will be deleted within 30 days of your request.
6. International Data Transfers
All verification data — photographs, face embeddings, identity document data, and session metadata — is stored and processed exclusively within the European Economic Area (EEA), on Google Cloud Platform infrastructure in EU regions.
Exception — IP Geolocation
To determine the approximate geographic location associated with a user's IP address (for fraud prevention), the IP address is transmitted to third-party geolocation service providers that may be located outside the EEA, including the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914). Only the IP address is transmitted — no photographs, embeddings, or document data are shared with these providers.
7. Data Security
ProofAge implements appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, accidental loss, destruction, or alteration. Measures include, but are not limited to:
- Encryption in transit (TLS) and at rest
- Role-based access controls and authentication
- Regular security assessments
- Data minimisation — only data necessary for each purpose is collected
- Sub-processors operating under binding data processing agreements
ProofAge does not sell, rent, or otherwise commercially exploit biometric data or identity document information. Data is disclosed only to:
- The Service Provider (Data Controller) — verification result only (approved / declined)
- Cloud infrastructure sub-processors — operating within the EEA under data processing agreements
- Competent authorities or courts — when required by applicable law
8. Your Rights Under GDPR
If you have undergone a verification through a Service Provider's platform, you have the following rights with respect to data processed by ProofAge:
Right of Access (Art. 15)
Obtain a copy of your personal data held by ProofAge.
Right to Rectification (Art. 16)
Request correction of inaccurate data.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restriction (Art. 18)
Request that we limit how we use your data.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Withdraw Consent (Art. 7(3))
Withdraw your consent at any time without affecting prior processing.
Right Regarding Automated Decisions (Art. 22)
Request human review of an automated verification decision through the Service Provider.
How to exercise your rights
Email privacy@proofage.xyz and include your verification session URL or token. This allows us to locate your data without requiring you to provide additional identity documents.
If you no longer have your session token, provide the approximate date and time of your verification and the name of the Service Provider. ProofAge will respond within 30 days.
For data held by the Service Provider, contact them directly using the details in their own privacy policy.
9. Automated Decision-Making
ProofAge verification processes involve fully automated decision-making as defined by GDPR Article 22. No human routinely reviews your photograph, face embedding, or identity document.
The automated system produces a binary outcome (approved / declined) which is communicated to the Service Provider. The Service Provider then determines whether to grant you access to their service.
In accordance with Art. 22 GDPR, you have the right to:
- Request human review of the decision by contacting the Service Provider
- Express your point of view
- Contest the decision
You also have the right to contact ProofAge at privacy@proofage.xyz if you believe the automated result was technically incorrect.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will update the "Last updated" date at the top of this page.
Material changes that affect end users will be reflected in an updated consent version presented at the next verification. Business customers will be notified by email.
11. Contact and Supervisory Authority
Data Protection Contact
IT Brains SASU
operating under the brand ProofAge
Email: privacy@proofage.xyz
We respond to all data subject requests within 30 days.
Supervisory Authority
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, 75007 Paris, France
Website: www.cnil.fr
Tel: +33 (0)1 53 73 22 22
You have the right to lodge a complaint with the CNIL if you believe your personal data has been processed in violation of the GDPR.