Biometric Data Policy

Last updated 6 June 2026 · Version 1.1

This policy explains how Verisoar (a trading name of Viral Reach Ltd, registered in England & Wales, No. 16348545) collects, uses, stores, retains and permanently destroys biometric data when an individual completes an age or identity check. It is published as our public written policy on biometric data and supplements our Privacy Notice.

What we mean by biometric data

“Biometric data” (also “biometric identifiers” or “biometric information”) means data derived from a person's physical characteristics that can be used to identify them — here, a scan of facial geometry (a face embedding) and liveness measurements computed from your live camera frames and your identity document photo. Under the UK and EU GDPR this is special-category data.

Our role

We process biometric data on behalf of the business that asked you to verify. That business is the data controller; Verisoar acts as its processor. The business is responsible for telling you why you are verifying and for linking to this policy and our Privacy Notice.

Why we collect it

We process biometric data for a single purpose: to establish whether you meet a required age. Depending on how the business has configured the check, this is done either by facial age estimation (estimating your likely age from live camera frames) or by confirming that a live person matches the identity document they present (a 1:1 face comparison and liveness/anti-spoof check) — or, where age estimation cannot confirm your age, by the document check as a fallback. We do not use it for any other purpose, and we do not use it to identify you against any external database.

Facial age estimation

Where the business has enabled it, we first run a quick, camera-only age estimation: a few live frames are analysed by Amazon Web Services (Amazon Rekognition) in an EU region, as a stateless, in-region operation, to estimate your likely age range. We use only the result of that estimate to decide whether you clearly meet the age requirement (with a safety margin). If the estimate cannot confirm you meet it, we fall back to the document check and 1:1 face comparison described below. The frames are processed in memory only, are never stored, and are not used to train or improve any model. We keep only a yes/no age result and a coded outcome.

Legal basis and consent

We process biometric data on the basis of your explicit consent (GDPR Art. 9(2)(a)), which is captured on a consent screen before any biometric processing begins. Taking part is voluntary; if you do not consent, the check cannot proceed. You may withdraw at any time before submitting the check.

How it is processed

  • Face detection and embedding generation run in your browser during the liveness step.
  • Facial age estimation (when enabled) and the 1:1 face comparison are performed by Amazon Web Services (Amazon Rekognition) in an EU region, as stateless, in-region operations.
  • All biometric processing is performed in memory only. Images and biometric templates are never written to persistent storage.

Retention and destruction

We do not retain biometric data. Document images, selfie frames and any biometric templates derived from them are permanently destroyed immediately after the verification is scored — they exist only transiently in memory for the duration of the check. We never create a stored biometric template, and there is no biometric database to delete from. The only records we keep are non-biometric (such as a yes/no age result and a coded outcome); these are described in our Retention Policy.

Where a law that applies to you sets a maximum retention period for biometric identifiers (for example, three years from your last interaction under certain US state laws), our practice of not retaining biometric data at all satisfies it.

Disclosure

We do not sell, lease, trade, or otherwise profit from biometric data, and we do not disclose it except as needed to perform the check: a transient, in-region comparison by our cloud sub-processor (AWS, EU). We do not use biometric data, or anything derived from it, to train, develop or improve any machine-learning model. We will not otherwise disclose biometric data without your consent unless required by law or valid legal process.

Security

Biometric data is processed in memory only and is encrypted in transit. Access is restricted, and our processing is supported by a tamper-evident audit log. Because no biometric data is stored, the risk of biometric data loss is eliminated by design.

U.S. state notice

If you are a resident of Illinois, Texas, Washington, or another U.S. state with a biometric privacy law, this policy serves as our written policy regarding the collection, use, retention and destruction of biometric identifiers and biometric information. We obtain consent before collection, do not sell or profit from biometric data, and do not retain biometric identifiers — they are destroyed immediately after the check. The business you are verifying for is responsible for obtaining any consent required of it as the controller.

Your rights and contact

You have rights over your personal data as described in our Privacy Notice, including the right to complain to the UK Information Commissioner's Office. Because we act as a processor, requests about a specific check are usually best directed to the business you verified for. You can also reach us at support@verisoar.com, or by post to Viral Reach Ltd at Suite G04, 1 Quality Court, Chancery Lane, London, WC2A 1HR.