This Verification Privacy Notice explains how Didit processes personal data, including biometric data, when Didit provides an identity verification, fraud prevention, authentication, or compliance workflow on behalf of one of its customers.
This notice supplements our Privacy Policy and our End User Terms for Identity Verification.
1. Scope
This notice applies when you interact with a verification flow, hosted page, SDK, API-based journey, mobile flow, or white-label experience powered by Didit for a Customer.
It covers the processing of:
- identity and contact data;
- documents and files you submit;
- selfies, face images, videos, and liveness captures;
- biometric data derived from those submissions;
- device, IP, location, and anti-fraud telemetry;
- verification results, risk signals, and audit records; and
- related support, compliance, and security records connected to the verification session.
2. Who are the parties and what are their roles?
| Party | Typical role | What that means |
|---|---|---|
| Customer | Controller / Business | The Customer decides why your verification is required, which checks are enabled, and how the result is used. |
| Didit | Processor / Service Provider | Didit provides the verification technology and processes data on the Customer's behalf to perform the configured checks. |
| Didit | Independent controller for limited purposes | Didit may process limited data for security, abuse prevention, legal compliance, audit logging, and legal claims. |
If the verification journey is white-labeled or uses a custom domain, Didit may still be the technology provider processing your data behind the branded interface.
3. Categories of data used in verification
Depending on the configured workflow, Didit may process:
- Identity data, such as name, date of birth, address, phone number, email, nationality, and other identifying details.
- Document data, such as passports, ID cards, residence permits, driver's licenses, proof-of-address documents, and data extracted from those materials.
- Biometric and liveness data, such as face images, selfie images, videos, liveness captures, anti-spoofing signals, and data derived from scans of facial geometry used to compare your face to the identity document or to confirm that a real person is present.
- Technical and fraud-prevention data, such as IP address, browser, device data, timestamps, session data, geolocation inferred from network data, and similar integrity or risk signals.
- Questionnaire and workflow data, such as declarations, answers, uploaded files, consent records, and status transitions.
- Verification outputs, such as match scores, warnings, fraud indicators, review outcomes, and audit evidence.
4. Purposes of processing
Didit may process the data above to:
- verify identity and authenticate a person;
- check document authenticity and completeness;
- detect spoofing, manipulation, fraud, or abuse;
- comply with legal, regulatory, sanctions, Anti-Money Laundering (AML), Know Your Customer (KYC), and risk-management requirements configured by the Customer;
- secure the verification flow and underlying infrastructure;
- support manual review, resubmission, escalation, and audit processes;
- respond to lawful requests and defend legal claims; and
- maintain service integrity, troubleshoot incidents, and perform quality and security monitoring.
Where law permits and appropriate controls are in place, Didit may also use anonymized or pseudonymized verification-related data for service testing, quality assurance, fraud-model training and validation, and security improvement. Where a separate notice, consent, or additional legal basis is required for a secondary use, Didit will obtain it or refrain from that use.
You (or the Customer on your behalf) may opt out of this anonymized / pseudonymized processing by (a) deleting the underlying verification record via the Customer's application or via Didit's API or Business Console, or (b) emailing privacy@didit.me with the relevant session identifier or account. Opt-outs apply prospectively from the date of the request; Didit will also use commercially reasonable efforts to purge eligible records from active training datasets.
5. How Didit handles biometric data
For purposes of this notice, biometric data includes data derived from scans of facial geometry or similar biometric characteristics extracted from images or video, where that data is used to verify identity, confirm liveness, or prevent fraud.
When a workflow includes face verification or liveness, Didit may:
- capture or receive selfie images, face images, and/or video;
- extract facial characteristics from those submissions and from the portrait on your identity document;
- compare those signals to verify that the person presenting the document is the same person shown on the document;
- analyze liveness and anti-spoofing indicators to confirm a real person is present; and
- generate verification results, confidence indicators, and fraud or review signals.
Didit:
- uses biometric data only for the lawful purposes described in this notice, the Customer's instructions, and applicable law;
- applies safeguards designed for sensitive data, including access controls, monitoring, and secure handling practices;
- does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information; and
- expects Customers using API or white-label journeys to clearly disclose Didit as the verification provider and to obtain any notice or consent required by law before biometric capture begins.
6. Additional U.S. biometric privacy disclosures
If you are located in Illinois, Texas, Washington, or another jurisdiction with biometric privacy requirements, the following additional points are important:
- Biometric data may include data derived from scans of face geometry, selfie images, liveness video, or similar identity-verification media.
- You may be asked to provide explicit electronic or written consent before biometric data is captured or uploaded.
- The Customer should identify Didit as a verification provider or processor when presenting the required notices in white-label or API-based journeys.
- Didit uses biometric data to perform identity verification, liveness, anti-spoofing, fraud prevention, security, and related compliance operations requested by the Customer.
- Didit retains biometric data only for as long as needed to provide the service, follow lawful Customer instructions, satisfy legal obligations, resolve disputes, or defend claims, and in no event longer than applicable law permits.
- Didit uses a reasonable standard of care designed for sensitive data and does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.
If a jurisdiction requires a shorter retention period, a separate public schedule, or additional disclosures, Didit and the Customer will apply the shorter or stricter requirement that governs the relevant verification flow.
Other jurisdictions with biometric privacy requirements. The points above apply, with appropriate adjustments, to any other state, province, country, or jurisdiction with biometric privacy requirements — including (without limitation) the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) treatment of sensitive personal information, the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), New York's biometric privacy proposals, the European Union's General Data Protection Regulation (GDPR) Article 9 framework for biometric data, the United Kingdom GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25, Brazil's Lei Geral de Proteção de Dados (LGPD), and any future biometric privacy law that applies to the relevant verification flow.
7. Disclosures and service providers
Didit may disclose verification-related data to:
- the Customer that asked you to verify;
- Didit group entities involved in delivering, supporting, or securing the service;
- providers of hosting, cloud storage, communications, identity, fraud, analytics, audit, security, and professional services;
- regulators, courts, law enforcement, or public authorities where legally required; and
- transaction counterparties in a merger, acquisition, restructuring, or asset transfer, subject to lawful safeguards.
The exact recipients depend on the service, region, workflow configuration, and legal requirements.
8. International transfers
Verification data may be processed in countries other than the country in which you began the verification flow. Where required by law, Didit applies appropriate transfer safeguards such as adequacy decisions, standard contractual clauses, or other recognized legal mechanisms.
9. Retention and destruction
Default retention. The default retention period for verification data is indefinite ("unlimited") unless the Customer configures a shorter period or you exercise a deletion right. Customers can configure retention per application in the Business Console between 30 days and 10 years and can delete any individual verification session at any time. You may also exercise deletion rights as described in Section 11. Biometric data retention is in every case subject to, and capped by, applicable biometric-privacy laws and regulations — including the EU General Data Protection Regulation (GDPR) Article 9, the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington H.B. 1493, and any other applicable biometric-privacy law; where such law prescribes a shorter retention period or an earlier destruction obligation, that shorter or stricter rule prevails over any default or Customer-configured retention period.
In every case Didit retains verification data, including biometric data, according to:
- the Customer's documented instructions and configured retention settings (30 days minimum, 10 years maximum, or unlimited if the Customer has not lowered the ceiling);
- applicable contractual, regulatory, audit, and legal obligations;
- fraud-prevention, security, and dispute-resolution needs; and
- the shorter or stricter retention rule required by applicable law, which always governs.
When the relevant data is no longer needed, Didit deletes, redacts, anonymizes, de-identifies, or securely destroys it.
For biometric data, Didit aims to ensure that biometric identifiers and biometric information are deleted, de-identified, or securely destroyed when:
- the original verification purpose has been satisfied;
- the applicable retention period expires;
- the Customer lawfully instructs deletion; or
- applicable law requires earlier destruction.
10. Automated processing and human review
Didit may use automated systems to review document integrity, liveness, face match, fraud indicators, and other verification signals. Some sessions may also be routed for human review, quality assurance, or escalation depending on the Customer's workflow and risk configuration.
Except where a specific service states otherwise, the Customer remains responsible for how it uses the verification result in its own business decision-making.
11. Rights and requests
If you want to access, correct, delete, restrict, object to, or otherwise exercise rights over data processed in a specific verification session, you should generally contact the Customer first. The Customer usually determines the main purpose of the verification and is the best point of contact for rights tied to that relationship.
If Didit receives a request directly in a processor context, Didit may forward or redirect the request to the relevant Customer where appropriate. If Didit acts as an independent controller for a limited processing purpose, you may also contact privacy@didit.me or Didit's Data Protection Officer at dpo@didit.me.
You may also lodge a complaint with a supervisory authority. Didit's lead supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos / AEPD) at `aepd.es`. You may also lodge a complaint with your local data-protection authority.
12. Security
Didit uses technical, organizational, and administrative safeguards designed to protect verification data, including sensitive and biometric data. These safeguards may include encryption, access controls, environment separation, logging, monitoring, and incident response procedures.
13. Children
Didit does not intend this verification notice to authorize unlawful collection of children's data. If a verification flow is used for age-related or youth-related checks, the Customer must ensure a lawful basis, appropriate notices, and any required parental or guardian permissions.
14. Changes to this notice
Didit may update this Verification Privacy Notice from time to time to reflect legal, operational, or product changes. When we do, we will update the effective date at the top of this notice.
15. Contact
If you have questions about this notice, contact: