Privacy Notice — Age & Identity Verification

Last updated 6 June 2026 · Version 2.0

This notice explains how biometric and document data are processed when you complete an age or identity check powered by Verisoar. Please read it together with the privacy notice of the website or app that asked you to verify (the “business”), who decides why you are being asked to verify.

Who we are

Verisoar is a trading name of Viral Reach Ltd, registered in England & Wales (company No. 16348545), registered office Suite G04, 1 Quality Court, Chancery Lane, London, WC2A 1HR.

  • When we run a verification on behalf of a business, that business is the data controller and Verisoar is its data processor (GDPR Art. 28). The business decides why you verify and what happens with the result.
  • When you browse our own website or contact us directly, Verisoar is the data controller.

What we process

  • Short live camera frames, used either to estimate your likely age or — for an ID check — to confirm a live face matches your document; and, for an ID check, a photo of your identity document used to read your date of birth.
  • Derived signals (an estimated age range, a face embedding, head-pose readings, liveness/anti-spoof scores) computed during the check.
  • Document-derived fields needed to reach a decision (date of birth, and document checks such as MRZ check-digits).
  • A salted hash of your IP address and basic device/technical signals, used for fraud prevention and security.

What we keep

  • Document images and selfies are processed transiently in memory and are never written to storage.
  • We retain only: a yes/no “over the required age” result, a coded outcome, short-lived dispute scores (including, where age estimation is used, the estimated age range — not your actual age), a salted hash of your IP, a consent receipt, and a tamper-evident audit hash.
  • We do not store your raw date of birth, face images, or biometric templates.

Legal basis

Biometric data used to uniquely identify you is special-category data. We process it on the basis of your explicit consent (GDPR Art. 9(2)(a)), captured before the check begins. The underlying lawful basis (GDPR Art. 6) is set by the business — usually their legal obligation to apply age assurance, their legitimate interests in preventing fraud and protecting children, or your consent. Providing your data is voluntary, but without it we cannot verify you and the business may not let you proceed.

Automated decision-making

The age and identity decision is reached by automated processing, without human involvement, and can have a legal or similarly significant effect (for example, whether you are allowed to access an age-restricted service). Depending on the method, the logic either estimates your likely age from live camera frames, or compares your live face to your document, checks document integrity and tests whether your date of birth meets the required threshold. Where an age estimate cannot confirm you meet the threshold, the check escalates to the document method. The outcome is recorded as approved or declined.

This automated processing is permitted because it is based on your explicit consent (GDPR Art. 22(2)(c)). The final decision on whether to grant you access rests with the business, not Verisoar. You have the right not to be subject to a decision based solely on automated processing: you may request human review, express your point of view, and contest the outcome by contacting the business you were verifying for, or us at support@verisoar.com.

Who we share data with

We use a small number of vetted sub-processors, each bound by a data-processing agreement:

  • The business you are verifying for — receives your verification result.
  • RunPod (EU/EEA data centres, stateless): facial age estimation — live frames are analysed by our own age-estimation worker (MiVOLO) in memory and are not stored or used to train any model.
  • Amazon Web Services (EU region, stateless): Rekognition for the 1:1 face match; Textract and Amazon Nova (Bedrock) for reading document fields. Images are processed in memory in-region and are not stored or used to train any model.
  • Vercel (application hosting) and Neon (database) — store only the minimal result record described above, never document images or biometrics.

We never sell your data and do not use it for advertising.

International transfers

Verification processing is pinned to AWS's EU region, and both our application hosting (Vercel) and the minimal-record database (Neon) are in the EU (Frankfurt) — so personal data stays within the EEA. Where any personal data is transferred outside the UK/EEA, we rely on adequacy decisions or Standard Contractual Clauses with appropriate safeguards.

Retention

Dispute scores are deleted automatically (default 30 days). The minimal result record is deleted after the configured retention period (default 12 months). Automated purge runs daily.

Children's data

Age verification can involve people under 18, and may involve children. We are mindful of the ICO's Age Appropriate Design Code and apply data minimisation by default: we never store document images, selfies, or biometric templates, and we keep only the minimal result needed to evidence the check. We do not profile children or use their data for marketing. If the business has set an age threshold that excludes you, the result is simply that you are not granted access — no additional data is retained as a result of being under age. If you believe a child's data has been processed in a way that concerns you, contact us at support@verisoar.com and we will prioritise your request.

Security

  • Biometric processing is in-memory only; images are discarded immediately after scoring.
  • Encryption in transit; hashed API keys and IP addresses; a tamper-evident, hash-chained audit log.
  • Documented retention with automated erasure.

Cookies

We use only strictly necessary cookies — there are no advertising, analytics or third-party tracking cookies on our site or in the verification flow, so no consent banner is required. The cookies we set are:

  • a session cookie that keeps you signed in to the Verisoar dashboard;
  • a short-lived cookie used to secure the sign-in process (e.g. to protect the Google OAuth flow against cross-site request forgery).

These are essential to provide the service and cannot be switched off through our site. You can block or delete cookies in your browser settings, but parts of the dashboard may then stop working. The verification flow itself uses a short-lived session token rather than tracking cookies.

Your rights

Depending on where you live, you have the right to:

  • access the personal data we hold about you and obtain a copy;
  • have inaccurate data corrected;
  • have your data erased — because no biometrics are stored, erasure removes everything tied to your reference;
  • restrict or object to certain processing;
  • data portability, where applicable;
  • withdraw consent at any time (this does not affect processing already carried out);
  • not be subject to a solely automated decision, as described above.

Because we usually act as a processor, requests about a specific verification are best directed to the business you verified for, who is the controller — we will help them respond. You can also contact us directly at support@verisoar.com. We may need to confirm your identity before acting. We aim to respond within one month.

If you are unhappy with how your data has been handled, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or to your local supervisory authority in the EEA.

Contact

Data protection enquiries: support@verisoar.com, or by post to Viral Reach Ltd at the registered office above.

Changes to this notice

We may update this notice from time to time. Material changes will be reflected in the version number and “last updated” date at the top of this page.