Data Retention Policy

Last updated 5 June 2026

We apply the GDPR storage-limitation principle (Art. 5(1)(e)): personal data is kept only as long as needed for the purpose it was collected, then deleted or anonymised. Where we process on a customer's behalf, the customer (controller) sets the retention period; the figures below are our defaults and are configurable.

DataStored?Retention & basis
Document image / selfie framesNoDiscarded immediately after scoring (never written to storage)
Face embeddings / pose dataNoIn-memory only; discarded after scoring
Over-threshold result + coded outcomeYesDefault 12 months — to evidence the check to the customer, then auto-deleted
Dispute scores (match / liveness)YesDefault 30 days — to resolve disputed outcomes, then nulled
Consent receipt (hashes only)YesDeleted together with its session record — proof of Art. 9 consent
Salted IP hashYesOn the session record; deleted with it. Never the raw IP
Audit log (no end-user PII)YesAppend-only accountability record (Art. 30). Contains no end-user personal data (events + hashes only), retained for accountability and legal-claim defence

An automated retention job runs daily to null expired dispute scores and delete session records (and their consent receipts) once the retention period has passed.

Customers can exercise a data subject's right to erasure for any subject reference at any time, which immediately deletes every record tied to that reference. Because document images, selfies and biometric templates are never stored, erasure removes everything we hold about the subject.