Privacy Policy
Last updated: February 15, 2026
At Xident B.V. ("Xident," "we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our age verification services, website, and related products.
1. Definitions
In this Privacy Policy, the following terms have these meanings:
- "Xident ID" — A verified identity profile created by an End User that enables age verification across multiple Partner Sites.
- "Partner Sites" — Websites and applications that integrate Xident's verification services to confirm End User ages.
- "Customer" — A business or individual that integrates Xident into their platform via our API or SDK.
- "End User" — An individual who undergoes age verification through Xident, either directly or via a Partner Site.
- "Verification Data" — Information collected during the age verification process, including facial images, document images, and derived results.
- "Face Embedding" — A mathematical representation (numerical vector) of facial features extracted from an image. Face embeddings are not photographs and cannot be used to reconstruct a facial image.
2. Information We Collect
Information You Provide
We collect information you provide directly to us, including:
- Account Information: Name, email address, and password when you create an account or Xident ID.
- Payment Information: Billing address and payment details (processed by our payment provider, Stripe — we do not store card numbers).
- Communications: Information you provide when contacting our support team.
Information We Collect Automatically
When you use our services, we automatically collect:
- Device Information: Browser type, operating system, device identifiers.
- Usage Information: Pages visited, features used, timestamps.
- Log Data: IP address, access times, referring URLs.
Website Analytics: Our marketing website (xident.io) uses Umami, a privacy-focused, self-hosted analytics tool. Umami does not use cookies, does not collect personal data, and does not track visitors across websites. It collects only aggregate page view statistics (page URL, referrer, browser type, country derived from IP). IP addresses are never stored. All analytics data is hosted on our own infrastructure.
Biometric Information (Special Category Data)
For age verification, we process biometric data that constitutes "special category" data under GDPR Article 9. The specific data collected depends on the verification path:
- Path A — Client-Side Age Estimation: Facial analysis runs entirely in your browser using on-device machine learning. No facial images or biometric data are transmitted to our servers. The analysis determines whether you meet an age threshold and the result (pass/fail) is sent to our server — never the image itself.
- Path B — Document Verification: If client-side estimation is inconclusive, you may be asked to upload an identity document. Document images are processed server-side for age extraction and are deleted within 24 hours after processing completes. Face embeddings (mathematical vectors, not photographs) may be created for face-matching purposes.
- Face Embeddings: Where face embeddings are created (Path B, face 2FA, or blacklist checks), they are stored as 512-dimensional numerical vectors, encrypted at rest using AES-256-GCM, and isolated per Customer (tenant). Embeddings cannot be used to reconstruct facial images.
We process biometric data only with your explicit consent under GDPR Article 9(2)(a). This consent is collected separately from acceptance of these terms.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our age verification services
- Process and complete transactions
- Verify your age and identity
- Detect and prevent fraud and abuse
- Respond to your requests and support inquiries
- Send technical notices and security alerts
- Comply with legal obligations
4. Our Role Under Data Protection Law
Xident's role under data protection legislation varies depending on the context:
- Controller: When End Users create a Xident ID, Xident independently determines the purposes and means of processing. Xident acts as the data controller for Xident ID account data and cross-platform token verification (Path D).
- Processor: When providing verification services via API or SDK on behalf of Customers (Partner Sites), Xident acts as a data processor under the Customer's instructions. Processing is governed by our Data Processing Agreement.
Face embeddings stored for Customer-specific features (face 2FA, blacklist) are strictly isolated per Customer and are never shared or reused across Customers.
5. Legal Bases for Processing (EEA/UK/Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide our verification services as agreed in our Terms of Service, including account management and service delivery.
- Explicit Consent (Article 9(2)(a)): For biometric data processing (face embeddings, facial analysis), we obtain explicit, informed, and freely given consent. This consent is collected separately from general terms acceptance and may be withdrawn at any time.
- Legitimate Interests (Article 6(1)(f)): For fraud prevention, security monitoring, and service improvement, where our interests do not override your fundamental rights. We have conducted balancing assessments to ensure our interests are proportionate.
- Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable data protection, consumer protection, and age verification laws.
6. How We Share Your Information
We may share your information in the following circumstances:
- With Partner Sites: We share verification results (age confirmed/not confirmed) with sites where you choose to verify. We never share facial images, embeddings, or document data with Partner Sites.
- Service Providers (Sub-processors): Third parties who perform services on our behalf, such as cloud hosting, database services, and payment processing. Our current sub-processors are listed in Annex II of our DPA.
- Legal Requirements: When required by law, court order, or to protect rights and safety.
- Business Transfers: In connection with a merger, acquisition, or sale of assets. Any successor entity will be bound by this Privacy Policy for previously collected data.
We do not sell your personal information or biometric data to third parties.
7. Data Retention
We retain your information as follows:
- Account data: Until you delete your account or after 24 months of inactivity, whichever comes first. We will notify you before deleting an inactive account.
- Face embeddings: Until you delete your Xident ID, withdraw biometric consent, or after 24 months of account inactivity.
- Document images: Deleted within 24 hours after processing completes. Document images are not retained beyond what is necessary for OCR extraction.
- Verification sessions: Session metadata (session status, age bracket result, liveness pass/fail, IP address, and timestamps) is retained for 90 days for debugging, fraud prevention, and dispute resolution.
- Aggregated analytics: Website analytics collected via Umami are aggregate statistics only (no personal data, no IP addresses stored). Retained indefinitely in anonymized form with no individual identification possible.
8. Your Rights and Choices
Depending on your location, you may have the right to:
- Access: Request a copy of your personal data.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your data (GDPR Article 17).
- Portability: Receive your data in a structured, commonly used, machine-readable format.
- Restriction: Request restriction of processing while we verify accuracy or consider your objection.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent for biometric processing at any time, without affecting the lawfulness of processing before withdrawal.
- Supervisory Authority: Lodge a complaint with your local data protection authority. You can find your authority at edpb.europa.eu.
To exercise these rights, contact our Data Protection Officer at dpo@xident.io or email privacy@xident.io. We will respond within 30 days. In complex cases, we may extend this by up to 60 additional days, but we will inform you of any extension and the reasons for it.
9. Security
We implement industry-standard technical and organizational measures appropriate to the risk of our processing activities. These include encryption at rest and in transit, access controls, regular security reviews, and incident response procedures. See our Security page for more details.
10. International Transfers
Your information may be transferred to and processed in countries other than your own. We use appropriate safeguards for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The UK International Data Transfer Addendum (IDTA) for transfers subject to UK GDPR.
- Supplementary technical and organizational measures where required.
We conduct transfer impact assessments where required to ensure adequate protection of your data. Details of our sub-processor locations are available in Annex II of our DPA.
11. Children and Minors
Because our service verifies age eligibility, we may temporarily process data relating to minors for the sole purpose of age determination:
- Path A (Client-Side): Facial analysis runs entirely in the browser — no biometric data is transmitted to any server. Only the pass/fail result is communicated.
- Path B (Document Verification): Documents are processed server-side and deleted within 24 hours after processing.
We do not create accounts for, market to, or knowingly retain data of minors beyond what is strictly necessary for age determination. If a parent or guardian believes we hold data about their child beyond what is described above, they may contact us at privacy@xident.io to request deletion.
12. Automated Decision-Making
Our age verification service uses automated processing to determine whether an End User meets an age threshold. This may constitute automated decision-making with significant effects under GDPR Article 22.
- How it works: Machine learning models analyze facial features to estimate whether a person meets a specific age threshold (e.g., 18+). The model outputs a pass/fail determination — it does not estimate exact age.
- Safeguards: When the automated system produces an uncertain result, document verification (Path B) is offered as an alternative method.
- Your rights: You may contest any automated verification outcome by contacting privacy@xident.io. We will review your case and respond within 30 days.
13. California Privacy Rights
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect and how it is used, the right to delete, and the right to opt out of sales or sharing of personal information.
We do not sell or "share" (as defined under CPRA) personal information for cross-context behavioral advertising purposes. To exercise your California privacy rights, contact us at privacy@xident.io.
14. Data Protection Officer
We have appointed a Data Protection Officer who can be contacted for any data protection inquiries at:
Data Protection Officer
Xident B.V.
Email: dpo@xident.io
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For material changes that affect how we process your data, we will provide notice at least 30 days before the changes take effect. Your continued use of our services after changes constitutes acceptance.
16. Contact Us
If you have questions about this Privacy Policy or our practices, contact us at:
Xident B.V.
Email: privacy@xident.io
For data protection inquiries in the EU, you may also contact our EU representative. The designation of our EU representative entity is being formalized. In the interim, please contact: eu-representative@xident.io.
17. Supervisory Authority
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the supervisory authority in your Member State of habitual residence, place of work, or the place of the alleged infringement. You can find your local data protection authority at edpb.europa.eu.