Privacy Policy
This Privacy Policy describes how Veri5 handles personal data when you visit our website, create an account, complete a verification, or otherwise use the Service. We are committed to collecting as little personal data as possible — privacy is not just a compliance topic for us, it's the product.
1. Who is the Data Controller
The data controller for personal data processed under this Policy is Veri5. You can contact us at privacy@veri5.app. We are based in the United Kingdom.
For the underlying KYC check, Didit GmbH acts as an independent controller of the identity-document and biometric data you submit to them; their privacy notice applies to that data and is available at didit.me/privacy-policy.
2. Personal Data We Collect
From you, directly
- Sign-in identifiers via Clerk — your email address (and Google account identifier if you sign in with Google). Clerk holds the credential and session data; we receive a stable user ID.
- Verification outcome — a yes/no result of the Didit check. We do not receive your name, date of birth, address, or document images.
- Subscription & billing data via Stripe — your payment-method details are held by Stripe; we receive a customer reference, subscription status, and invoice metadata.
- Account configuration — your chosen avatar seed or uploaded avatar image, account type (User or Business), and (for Business accounts) referral code, display preferences, and similar.
- User-generated content — for Business accounts: ratings and comments you leave on Users you have verified.
- Support correspondence — anything you send us by email when you contact support.
Automatically
- Verification-event metadata — when a proof code is generated or consumed, we record a timestamp, a hashed code, the IP address of the consumer (for rate-limiting and abuse detection), and account references for both parties. We never see the plain-text code after issuance.
- Server logs — minimal request logs for debugging and security: IP address, request path, status, user-agent, timestamp. Held briefly (see retention).
- Cookies and similar — described in our Cookie Policy.
3. Personal Data We Do Not Collect
We do not collect, store, or have access to:
- Your name, date of birth, address, or any government-document image;
- Your selfie or biometric data;
- Your full payment card details;
- Your sign-in password.
Each of these items is held instead by the relevant specialist processor (Didit, Stripe, or Clerk) under their own privacy notices and security regimes. This separation is deliberate — it limits the consequences of any data incident on our side.
4. Why We Use Your Data (Lawful Bases)
Under UK GDPR, we process your personal data on the following bases:
- Performance of a contract
  - To provide the Service you signed up for — verification, proof generation/consumption, account management, billing.
- Legitimate interests
  - Security and abuse prevention (rate-limiting, fraud detection, log retention), product analytics in aggregate form, communicating service-essential updates, and operating the Revshare program for Business accounts. Where we rely on legitimate interests we have balanced them against your rights and concluded the processing is proportionate.
- Legal obligation
  - Tax/accounting record-keeping, responding to lawful requests from regulators or law enforcement, complying with the Online Safety Act 2023 to the extent it applies to us.
- Consent
  - Where we ask for it explicitly — for example, optional product communications. You can withdraw consent at any time.
5. Who We Share Data With (Sub-processors)
We use the following sub-processors. They process personal data on our behalf, under contractual obligations consistent with UK GDPR:
- Didit GmbH
  - Identity verification (KYC). Receives your name, date of birth, document images, and selfie directly from you. Returns a yes/no decision to Veri5. Based in Germany / EEA.
- Clerk Inc.
  - Authentication, session management, and OAuth handling. Holds your email, password (hashed), and session tokens. Based in the United States.
- Stripe Payments Europe Ltd
  - Payment processing and subscription management. Holds your payment-method details and invoice records. Based in Ireland with US affiliates.
- Database and hosting providers
  - Application hosting and the Postgres database that holds account, verification-event, and ledger data. Currently hosted within the UK / EEA. Names available on request.
- Email provider
  - Transactional email for receipts, password resets via Clerk, and support replies. Names available on request.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
6. International Transfers
Where a sub-processor is outside the UK or EEA (notably Clerk and Stripe's US affiliates), we rely on transfer mechanisms recognised under UK GDPR — typically the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, supplemented by appropriate technical and organisational safeguards.
7. Data Retention
We keep personal data only as long as we need it for the purposes set out in this Policy, then we delete or anonymise it.
- Account data — for as long as your account is active, plus 30 days after deletion to allow recovery of accidentally-deleted accounts.
- Verification outcomes — for the life of your account; verifications are verified-for-life, so this is the same as the bullet above.
- Verification-event records (proof codes consumed) — 12 months for fraud and dispute resolution, then minimised.
- Server logs — typically 14 days, longer if needed for security investigation.
- Billing records — 6 years from the end of the relevant tax year, as required by HMRC.
- Revshare ledger — for the life of your Business account plus 6 years for tax purposes.
- Support correspondence — 24 months from the last interaction.
8. Cookies and Local Storage
We use a small number of cookies, plus browser sessionStorage and localStorage for limited UX preferences. See our Cookie Policy for the detail.
9. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectify — ask us to correct inaccurate data;
- Erase — ask us to delete your data, subject to our legal retention obligations;
- Restrict — ask us to pause processing in certain circumstances;
- Object — object to processing based on our legitimate interests;
- Port — receive your data in a structured, machine-readable format, or have it transmitted to another controller where technically feasible;
- Withdraw consent — where processing is based on consent, you can withdraw it at any time.
Most of these can be actioned by emailing privacy@veri5.app. We aim to respond within one calendar month. For data held by Didit (your name, DOB, documents), we will route the request to them — they are the controller of that data.
If you are not happy with how we've handled your data, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or by phoning 0303 123 1113. We'd appreciate the chance to address your concerns first, but you don't have to come to us before going to the ICO.
10. Security
We use industry-standard technical and organisational measures to protect personal data, including transport-layer encryption (TLS), encryption at rest for databases, hashing of proof codes, regular dependency patching, principle-of-least-privilege access controls, and audit logging of administrative actions. No system is perfect; if we become aware of a personal-data breach affecting you, we will notify you and the ICO as required by UK GDPR.
11. Children
The Service is for adults only — you must be 18 or older to use it. We do not knowingly collect personal data from anyone under 18. If you believe a child has used the Service, please contact us at privacy@veri5.app and we will delete the relevant data.
12. Changes to This Policy
We may update this Policy from time to time. The "Last updated" date at the top will reflect the latest revision. Where the change is material, we will notify you in advance by email or in-app notification.
13. Contact
For any privacy-related question or to exercise your rights:
- Email: privacy@veri5.app
- Postal: Veri5, United Kingdom (full address available on request)