Data Retention Policy
Last updated 5 June 2026
We apply the GDPR storage-limitation principle (Art. 5(1)(e)): personal data is kept only as long as needed for the purpose it was collected, then deleted or anonymised. Where we process on a customer's behalf, the customer (controller) sets the retention period; the figures below are our defaults and are configurable.
| Data | Stored? | Retention & basis |
|---|---|---|
| Document image / selfie frames | No | Discarded immediately after scoring (never written to storage) |
| Face embeddings / pose data | No | In-memory only; discarded after scoring |
| Over-threshold result + coded outcome | Yes | Default 12 months — to evidence the check to the customer, then auto-deleted |
| Dispute scores (match / liveness) | Yes | Default 30 days — to resolve disputed outcomes, then nulled |
| Consent receipt (hashes only) | Yes | Deleted together with its session record — proof of Art. 9 consent |
| Salted IP hash | Yes | On the session record; deleted with it. Never the raw IP |
| Audit log (no end-user PII) | Yes | Append-only accountability record (Art. 30). Contains no end-user personal data (events + hashes only), retained for accountability and legal-claim defence |
An automated retention job runs daily to null expired dispute scores and delete session records (and their consent receipts) once the retention period has passed.
Customers can exercise a data subject's right to erasure for any subject reference at any time, which immediately deletes every record tied to that reference. Because document images, selfies and biometric templates are never stored, erasure removes everything we hold about the subject.