
Privacy Policy

Updated: May 16, 2026

This Privacy Policy explains how Didit processes personal data when you visit our websites, contact us, use our products and services, or complete an identity or fraud verification flow powered by Didit.

If you are verifying your identity for a bank, fintech, crypto platform, marketplace, employer, or another organization that uses Didit, that organization is the party that decides why the verification is required. In those cases, it is the controller or business, and Didit acts as its processor or service provider. For verification-specific processing, biometric data, and white-label flows, read our Verification Privacy Notice and End User Terms for Identity Verification.


1. Who we are

Depending on the service and geography, your data may be processed by one or both of the following Didit entities:

  • Didit Identity Spain, S.L. — CIF B22929327, Calle Nápoles 227, P. 1, 08013 Barcelona, Spain. Contracting entity for European Union, United Kingdom, European Economic Area, Switzerland, and Latin America customers and the establishment that operates the European data plane.
  • Didit Identity, Inc. — EIN 39-2860573, 1111B S Governors Ave STE 34855, Dover, Delaware 19904, United States. Contracting entity for United States, Canada, Asia-Pacific, Middle East, and global customers.

When we say "Didit", "we", "us", or "our", we mean the Didit entity or entities providing the applicable service.


2. Scope and our role

This Privacy Policy applies when you:

  • visit `didit.me` or any Didit-operated website;
  • request information, a demo, or support;
  • create or manage a Didit business relationship, account, or integration;
  • apply for a role with Didit; or
  • use a verification, fraud-prevention, authentication, or compliance flow operated by or through Didit.

Our role changes depending on the context:

| Context | Didit's role | What that means |
|---|---|---|
| Website visitors, marketing, recruiting, sales, support, and direct business relationships | Controller | Didit decides why and how the data is processed for those direct interactions. |
| Verification flows requested by a Didit customer | Processor / Service Provider | The customer decides why the verification happens and what checks are enabled. Didit processes data on the customer's behalf. |
| Security, abuse prevention, service integrity, audit logging, legal compliance, fraud-model training and validation on anonymized or pseudonymized data, and legal claims | Independent controller for that specific purpose | Didit may process limited data to secure the platform, train and improve fraud-detection and verification models, comply with law, and establish, exercise, or defend legal claims. |

If you are in a white-label verification flow or on a custom domain, custom branding does not necessarily mean only the branded company processes your data. Didit may still provide the underlying verification technology and related processing.


3. Categories of personal data we process

The categories of data we process depend on the service, workflow configuration, and your relationship with Didit. They may include:

  • Identifiers and contact data — name, email address, phone number, mailing address, date of birth, and similar identifying information.
  • Business and account data — company name, billing information, account credentials, API usage details, and records of your relationship with Didit.
  • Verification data — identity document images, extracted document data, proof-of-address files, questionnaire answers, sanctions or watchlist screening inputs, and verification outcomes.
  • Biometric and liveness data, where the workflow includes face verification or similar checks — selfies, face images, videos, liveness captures, anti-spoofing signals, and data derived from scans of facial geometry.
  • Device, network, and technical data — IP address, browser type, operating system, language, device identifiers, timestamps, geolocation inferred from network data, and other security or anti-fraud telemetry.
  • Communications and support data — messages, support tickets, call records, email exchanges, and operational logs.
  • Third-party and public-source data — information provided by our customers, identity or fraud-prevention partners, public authorities, telecom providers, and publicly available sources where permitted by law.
  • Recruitment data — CVs, employment history, and other materials submitted during hiring.

We do not need every category listed above for every interaction. The exact data used depends on the services requested and the configuration selected by the relevant customer.


4. How we use personal data

We may use personal data for the following purposes:

  • To operate our websites and services — account access, product delivery, customer support, billing, and communications.
  • To provide identity and fraud infrastructure services — User Verification (Know Your Customer / KYC), Business Verification (Know Your Business / KYB), Transaction Monitoring, Wallet Screening (Know Your Transaction / KYT), and other configured checks.
  • To secure the platform — prevent abuse, detect spoofing, prevent fraud, monitor suspicious activity, and maintain service integrity.
  • To train, evaluate, and improve fraud-detection and verification models using anonymized or pseudonymized data derived from verification activity, where permitted by law. See Section 11 for the opt-out.
  • To respond to requests — demo requests, support questions, due diligence requests, and business communications.
  • To manage recruiting and hiring — review applications and communicate with candidates.
  • To comply with legal and regulatory obligations — maintain records, respond to lawful requests, enforce contracts, and carry out internal or external audits.
  • To establish, exercise, or defend legal claims and protect the rights, safety, and security of Didit, our customers, and affected individuals.

Where the General Data Protection Regulation (GDPR), United Kingdom GDPR, Swiss data protection law, or similar laws apply, Didit relies on one or more of the following legal bases:

  • Performance of a contract or steps taken at your request before entering into a contract.
  • Legitimate interests — securing our platform, supporting customers, preventing fraud, maintaining records, training and improving fraud-detection and verification models on anonymized or pseudonymized data, and communicating with business contacts, provided those interests are not overridden by your rights.
  • Consent, including where consent is required for marketing communications, certain cookies, or biometric processing in a particular jurisdiction or workflow.
  • Legal obligation, where processing is required to comply with applicable law, regulation, court order, or lawful request from authorities.
  • Establishment, exercise, or defense of legal claims.

Where special-category or sensitive data is processed, including biometric data used to uniquely identify you, Didit processes that data only where permitted by applicable law. In verification flows, the relevant customer is responsible for determining and documenting the primary legal basis for the verification itself, including whether explicit consent is required.


6. How we disclose personal data

We may disclose personal data to:

  • The customer that asked us to perform the verification, so the customer can complete onboarding, fraud review, compliance checks, or related business processes.
  • Didit group entities, where necessary to operate, support, secure, or provide the relevant services.
  • Service providers and sub-processors — providers of cloud hosting, storage, infrastructure, communications, support, analytics, fraud prevention, document processing, security, audit, and professional services. A current sub-processor list is available to customers and prospective customers under a signed Non-Disclosure Agreement (NDA) on request to security@didit.me.
  • Professional advisers — lawyers, auditors, insurers, and consultants, where needed for legitimate business, compliance, or legal purposes.
  • Public authorities, regulators, courts, law enforcement, or other third parties, when required by law, legal process, or enforceable governmental request.
  • Successors and transaction counterparties, if Didit is involved in a merger, acquisition, financing, insolvency process, or sale of assets, subject to confidentiality and legal safeguards.

Didit does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.


7. International transfers

Didit may process data in multiple countries. When personal data is transferred outside the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with transfer restrictions, Didit uses appropriate safeguards where required, including:

  • adequacy decisions;
  • the European Commission's 2021 Standard Contractual Clauses (SCCs) and any equivalent UK or Swiss addenda;
  • intra-group transfer arrangements; or
  • another lawful transfer mechanism recognized by applicable law.

8. Retention

Didit retains personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:

  • provide and support the relevant services;
  • follow customer instructions in processor relationships;
  • comply with contractual, legal, tax, accounting, and regulatory obligations;
  • maintain security and fraud-prevention records;
  • resolve disputes; and
  • establish, exercise, or defend legal claims.

Retention periods vary by service, workflow configuration, applicable law, and the role Didit plays in the processing:

  • Business relationship data is typically retained for the duration of the relationship and for lawful post-termination recordkeeping periods.
  • Support and audit records may be retained for operational, security, and compliance purposes.
  • Recruitment data is retained for the recruitment process and any lawful follow-up period, or longer if you separately consent.
  • Verification data — the default retention is indefinite ("unlimited"), unless the customer configures a shorter period. Customers configure retention per application in the Business Console between 30 days and 10 years, or trigger a per-session delete at any time via the API endpoint `POST /v3/sessions/:session_id/delete/`. End users may also exercise deletion rights as described in Section 9. Biometric data retention is in every case subject to, and capped by, applicable biometric-privacy laws and regulations — including the EU General Data Protection Regulation (GDPR) Article 9, the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington H.B. 1493, and any other applicable biometric-privacy law; where such law prescribes a shorter retention period or an earlier destruction obligation, that shorter or stricter rule prevails over any default or customer-configured retention period.

When data is no longer needed, Didit deletes, redacts, anonymizes, de-identifies, or securely destroys it. For biometric data and verification media, see the Verification Privacy Notice.


9. Your rights

Depending on your location and the applicable law, you may have the right to:

  • access your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion or erasure;
  • request restriction of processing;
  • object to certain processing, including processing on the basis of legitimate interests (see Section 11 for the model-training and fraud-detection opt-out);
  • withdraw consent where processing is based on consent;
  • request portability of the data you provided;
  • not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to the conditions and exceptions in Article 22 GDPR; and
  • lodge a complaint with a supervisory authority. Didit's lead supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos / AEPD) at `aepd.es`.

When Didit acts as controller, submit privacy requests to privacy@didit.me or dpo@didit.me.

When Didit acts as processor or service provider for a customer verification flow, direct your request to the organization that asked you to verify. That customer controls the purpose of the verification and is best positioned to respond. If Didit receives such a request directly, we may forward it to the relevant customer.


10. Cookies and similar technologies

Didit uses cookies and similar technologies on its websites for functionality, security, analytics, and attribution. Read our Cookies Policy for the full inventory, the consent banner controls, and our Global Privacy Control (GPC) and Do Not Track (DNT) posture.


11. Anonymized model training and fraud detection — your opt-out

Didit trains, evaluates, and improves its identity-verification, biometric, and fraud-detection models, and operates cross-customer fraud-prevention safeguards, using anonymized or pseudonymized data derived from verification activity (for example: document features, fraud signals, attack patterns, model-error samples). Didit applies anonymization, pseudonymization, aggregation, and access controls so that the data used for training and fraud detection cannot reasonably be linked back to an identifiable individual outside the underlying verification record.

This processing is grounded in Didit's legitimate interest in:

  • improving the accuracy and safety of identity and fraud infrastructure used by all customers;
  • detecting and preventing fraud, identity-theft attacks, deepfakes, and known-attacker repeat attempts; and
  • meeting regulatory expectations around model performance, fairness, and security.

Opt-out. A customer or end user may opt their data out of model training and fraud-detection processing by:

  • deleting the underlying verification record via the API or the Business Console (the deletion removes the record from training pipelines on the next refresh cycle), or
  • emailing privacy@didit.me with the relevant session identifier or account, requesting an opt-out.

Opt-outs apply prospectively from the date of the request; Didit will also use commercially reasonable efforts to purge eligible records from active training datasets.


12. United States — California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) Addendum

This section supplements this Privacy Policy for California residents and applies whenever Didit is a "business" under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). When Didit is a "service provider" or "contractor" to a Didit customer (a "business" under the CCPA), the customer's privacy notice governs the relevant verification flow and Didit processes personal information under the relevant Data Processing Agreement.

Categories of personal information collected in the last 12 months (CCPA categories):

  • Identifiers (name, email, phone, IP address, device identifiers).
  • Customer records (billing, contact, account).
  • Internet or network activity (browsing, interactions, telemetry).
  • Geolocation data (inferred from IP).
  • Sensory data (selfies, face images, liveness video, document images).
  • Professional or employment data (for candidates).
  • Sensitive personal information (SPI), including biometric information used to uniquely identify a consumer, government identifiers contained in identity documents, and account log-in credentials.
  • Inferences drawn from any of the above (risk scores, fraud signals, decision outcomes).

Purposes — the purposes listed in Section 4.

Sale or sharing of personal information. Didit does not sell or share (as those terms are defined under the CCPA/CPRA) personal information, including biometric information.

Use and disclosure of sensitive personal information. Didit uses sensitive personal information only for the purposes permitted under California Civil Code § 1798.121(a) and the implementing regulations — to provide and secure the verification service, prevent fraud and security incidents, comply with legal obligations, and other purposes permitted without a separate consumer right to limit.

Your California rights:

  • right to know what personal information is collected, used, disclosed, and sold/shared;
  • right to delete personal information;
  • right to correct inaccurate personal information;
  • right to opt out of sale or sharing (Didit does neither);
  • right to limit use and disclosure of sensitive personal information (Didit's processing is already limited to purposes that do not trigger the right);
  • right to data portability; and
  • right to non-discrimination for exercising any of the above.

Submit California requests to privacy@didit.me. Verification of your identity may be required before responding. Authorized agents may submit requests with proof of authorization.

Global Privacy Control (GPC) and Do Not Track (DNT). Didit honors browser-based Global Privacy Control signals on the marketing site as an opt-out of sale or sharing — even though Didit does not sell or share personal information, GPC signals are recorded so that no advertising or analytics cookie that could be construed as sharing is set for that browser. Didit does not currently respond to legacy Do Not Track (DNT) headers because there is no industry consensus on how to interpret them; the GPC signal supersedes DNT for Didit's purposes.


13. Security

Didit uses administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, and unlawful destruction, including encryption at rest with AES-256, encryption in transit with TLS 1.3, key management in AWS KMS, role-based access control, environment separation, continuous monitoring, vendor oversight, and incident response procedures. See the Information Security Policy for the full posture and certifications.

No security measure is perfect. You should also protect your own devices, credentials, and communications.


14. Children

Didit's public websites and standard business services are not directed to children. Some customers may lawfully use Didit for age-related or identity-related checks involving younger users, but that use must be supported by an appropriate legal basis and the customer's own notices. If you believe personal data was submitted to Didit without proper authorization, contact privacy@didit.me.


15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, operational, or product changes. The effective date at the top of the policy reflects the last refresh. Material changes will be communicated where required by law.


16. Contact

Have questions about a specific document?

Email legal@didit.me, privacy@didit.me, or security@didit.me — or message us on WhatsApp. We route you to the right contact.
