GDPR Compliance
Last updated: February 15, 2026
Xident B.V. is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements.
1. Our Role Under GDPR
Xident's role under data protection legislation depends on the specific processing activity:
- Data Controller: When End Users create a Xident ID, Xident independently determines the purposes and means of processing. Xident acts as data controller for Xident ID account data and cross-platform token verification.
- Data Processor: When providing verification services via API or SDK on behalf of our business Customers, Xident acts as a data processor under the Customer's documented instructions. Processing is governed by our Data Processing Agreement.
Face embeddings stored for Customer-specific features (face 2FA, blacklist checks) are strictly isolated per Customer (tenant) at the database level. Embeddings are never shared or reused across Customers.
2. Legal Bases for Processing
We process personal data based on the following legal bases under Article 6 of GDPR:
- Consent (Article 6(1)(a) and Article 9(2)(a)): For biometric data processing, we obtain explicit, informed, and freely given consent before processing facial images or creating face embeddings. Consent for biometric processing is collected separately from service terms acceptance and may be withdrawn at any time.
- Contract (Article 6(1)(b)): Processing necessary to provide our verification services as agreed in our Terms of Service.
- Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable data protection, consumer protection, and age verification laws.
- Legitimate Interests (Article 6(1)(f)): Processing for fraud prevention, security monitoring, and service improvement, except where those interests are overridden by your interests or fundamental rights and freedoms.
Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests are not overridden by your fundamental rights and freedoms. Details of these assessments are available upon request.
3. Special Category Data
Biometric data used to uniquely identify individuals is considered "special category" data under GDPR Article 9. We process this data only with your explicit consent (Article 9(2)(a)) for the specific purpose of age verification and identity confirmation.
Consent for biometric processing is collected separately from general service terms acceptance and may be withdrawn at any time without affecting the lawfulness of processing before withdrawal.
4. Your Rights Under GDPR
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
Right to Access (Article 15)
You can request a copy of the personal data we hold about you, including information about how we process it and who we share it with.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or you withdraw consent.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while we verify its accuracy or consider your objection.
Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
Rights Related to Automated Decision-Making (Article 22)
Age verification involves automated processing of facial features or document data to determine whether you meet an age threshold. Where the outcome produces legal effects or similarly significantly affects you, this constitutes automated decision-making within the meaning of Article 22.
If you believe a verification outcome is incorrect, you may request human review by contacting privacy@xident.io. We will review your case and respond within 30 days.
When the automated system produces an uncertain result, document verification (Path B) is automatically offered as an alternative method, providing an additional safeguard.
Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
5. Exercising Your Rights
To exercise any of these rights, you can:
- Email us at privacy@xident.io
- Use the data management features in your Xident ID account settings
- Contact our Data Protection Officer at dpo@xident.io
We will respond to your request within 30 days of receiving it. In complex cases, or where we receive a large number of requests, we may extend this by up to a further 60 days, but we will inform you of any extension and the reasons for it within the initial 30 days.
6. Data Transfers
When we transfer personal data outside the EEA, we use appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms that bind the recipient to GDPR-level protections for the transferred data.
- UK International Data Transfer Addendum (IDTA): For transfers subject to UK GDPR, the UK IDTA applies in addition to or in place of SCCs.
- Adequacy Decisions: Transfers to countries the EU has determined provide adequate protection.
- Supplementary Measures: Additional technical and organizational measures where required.
We conduct transfer impact assessments where required to ensure the legal framework of the destination country provides adequate protection for personal data.
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, including our biometric verification services. These assessments evaluate risks and identify measures to mitigate them.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if there is high risk
- Document the breach and our response
9. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. For specific retention periods, please see our Privacy Policy.
10. Sub-processors
When acting as a data processor, we may use sub-processors to help deliver our services. Our customers can view and approve our list of sub-processors through our Data Processing Agreement.
11. Data Processing Agreement
Business customers who need a formal Data Processing Agreement (DPA) compliant with Article 28 of GDPR can access our standard DPA on our DPA page or request a custom agreement by contacting us.
12. Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at:
Data Protection Officer
Xident B.V.
Email: dpo@xident.io
13. Supervisory Authority
If you are not satisfied with how we handle your request or believe we are processing your data unlawfully, you have the right to lodge a complaint with the supervisory authority in your Member State of habitual residence, place of work, or the place of the alleged infringement.
You can find your local authority at edpb.europa.eu.
14. EU Representative
As required by Article 27 of GDPR, we are formalizing the designation of our EU representative entity. In the interim, EU-related inquiries can be directed to:
Email: eu-representative@xident.io
15. Contact Us
For any questions about our GDPR compliance or data protection practices, please contact us at:
Xident B.V.
Email: privacy@xident.io