Last updated: February 2026
DeepAuth, Inc. ("DeepAuth," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital identity verification and content authentication platform ("Service"). Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
We collect several types of information from and about users of our Service:
When you create an account or use our Service, we may collect personally identifiable information including: your full name, email address, phone number, postal address, date of birth, username, and profile information you choose to provide.
As part of our identity verification services, we may collect: government-issued identification documents (such as passports, driver's licenses, or national ID cards), facial photographs and selfies for document comparison, the results and metadata from identity verification checks conducted through Stripe Identity, and any additional documentation required for enhanced verification tiers.
For content authentication purposes, we may collect behavioral biometric data including: typing patterns and keystroke dynamics during content creation, mouse movement and interaction patterns, writing style characteristics and linguistic fingerprints, and temporal patterns associated with content authorship.
We automatically collect certain information when you access and use the Service, including: your IP address and approximate geographic location, browser type and version, operating system, pages visited and features used, time and date of your visits, time spent on pages, referring and exit URLs, and clickstream data.
We may collect information about the device you use to access the Service, including: device type and model, unique device identifiers, operating system version, browser type and settings, screen resolution, and language preferences.
When you submit content for authentication through DeepAuth, we collect and process: the content itself (text, images, audio, video, or other media), content metadata such as creation timestamps and file properties, cryptographic hashes generated from submitted content, and attestation records created during the verification process.
We use the information we collect for the following purposes:
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), our legal basis for collecting and using your personal information depends on the specific information collected and the context in which we collect it. We process your personal data based on: (a) your consent, where you have given us clear consent to process your personal data for a specific purpose; (b) contractual necessity, where processing is necessary for the performance of a contract with you; (c) legal obligation, where processing is necessary for compliance with a legal obligation; and (d) legitimate interests, where processing is necessary for our legitimate interests or those of a third party, provided that such interests are not overridden by your data protection interests or fundamental rights and freedoms.
We may share your information with the following categories of third parties:
We use Stripe Identity for government ID verification. When you submit identity documents, they are transmitted to and processed by Stripe, Inc. in accordance with Stripe's privacy policy. Stripe processes your identification documents and biometric data to verify your identity on our behalf.
We use Cloudinary for media storage and processing. Images, videos, and other media you submit may be stored on and served from Cloudinary's infrastructure. Cloudinary processes this data as our data processor in accordance with our data processing agreement.
Certain verification and attestation data may be recorded on public blockchain networks. This data includes cryptographic hashes and attestation metadata but does not include personally identifiable information in human-readable form. However, blockchain records are permanent and publicly accessible.
We may also disclose your information: (a) to comply with applicable laws, regulations, or legal processes; (b) to respond to lawful requests from government authorities; (c) to enforce our Terms of Service and other agreements; (d) to protect our rights, privacy, safety, or property, and that of our users or others; (e) in connection with a merger, acquisition, restructuring, or sale of assets; and (f) with your consent or at your direction.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Specific retention periods vary by data type: account information is retained for the duration of your account and for up to 30 days after account deletion; identity verification records are retained for a minimum of 5 years as required by applicable anti-money laundering and know-your-customer regulations; content attestation records on the blockchain are permanent and cannot be deleted; behavioral biometric data is retained for up to 2 years from the date of collection; and usage logs and analytics data are retained for up to 24 months.
Depending on your location, you may have certain rights regarding your personal information:
If you are a resident of the European Economic Area or the United Kingdom, you have the right to: access your personal data; rectify inaccurate personal data; request erasure of your personal data; restrict processing of your personal data; data portability; object to processing of your personal data; and withdraw consent at any time. For detailed information on exercising these rights, please visit our GDPR Rights page.
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the right to: know what personal information is collected, used, shared, or sold; delete personal information held by us and by extension our service providers; opt out of the sale of your personal information (note: we do not sell personal information); and non-discrimination for exercising your CCPA rights. To exercise your CCPA rights, please contact us at privacy@deepauth.io. We will verify your identity before processing your request.
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit using TLS 1.3 and at rest using AES-256; regular security assessments and penetration testing; access controls and authentication requirements for personnel; secure development practices and code review processes; monitoring systems for detecting security incidents; and incident response procedures. However, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
We use cookies and similar tracking technologies to collect and use personal information about you. For detailed information about the cookies we use and how to manage your cookie preferences, please see our Cookie Policy.
The Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as soon as reasonably practicable. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@deepauth.io.
Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country. We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy when transferred internationally. For transfers from the EEA or UK, we rely on EU Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and other legally recognized transfer mechanisms. For more information about our international data transfer practices, please visit our GDPR Rights page.
Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no industry standard for how to handle DNT signals, we do not currently respond to DNT signals. We will continue to monitor developments regarding DNT and may adopt a DNT policy in the future.
The Service may contain links to third-party websites, applications, or services that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
When you use DeepAuth as part of an organization's account, the organization's administrator may have the ability to access and control your account within the organization. In such cases, the organization acts as the data controller for the information processed within its organizational account, and we act as the data processor. The organization's own privacy practices and policies govern how your information is handled within the organizational context. We encourage you to review your organization's privacy policies.
We use automated processing to calculate trust scores, verify identity documents, and analyze behavioral biometric data. These automated processes may affect the verification status and trust level assigned to your account. You have the right to request human review of any automated decision that significantly affects you. To request a review, please contact us at privacy@deepauth.io.
In the event of a data breach that affects your personal information, we will notify you in accordance with applicable data protection laws. Where required, we will notify affected individuals without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes, we will provide additional notice via email or an in-app notification. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
For GDPR-related inquiries, you may also contact our Data Protection Officer at gdpr@deepauth.io. See our GDPR Rights page for more information.