Privacy Policy

1) Who we are

Checkify provides a privacy-first identity and proof approval service. Our app helps users create a private Checkify identity and approve proof requests from websites or businesses, such as proving they are a real human or meet an age requirement.

This Privacy Policy explains what information we collect, how we use it, and the choices you have.

Controller contact: Checkify
Email: privacy@checkify.me
Website: checkify.me

2) What information we collect

A. Account information

If you create a Checkify account, we may collect account information such as your email address, account identifiers, authentication records, and account status information.

We use this information to create and manage your account, authenticate you, support account recovery, protect the service, prevent abuse, and provide customer support.

B. Identity profile information

Some Checkify features may allow you to create or maintain an identity profile. Depending on the features you use, this may include details such as your name, date of birth, document-derived information, verification status, or proof eligibility.

Checkify is designed to minimise server-side storage of personal identity data and to keep sensitive identity information on your device where possible. Where a feature requires information to be sent to Checkify or a service provider, it is used only to provide the requested verification, proof approval, security, fraud-prevention, or support function.

C. Photos, videos, camera use, and liveness checks

Some features may require camera access for QR scanning, selfie capture, liveness checks, or identity verification.

Photos, videos, biometric-related information, liveness outputs, or verification results may be processed to verify that a real person is present, prevent fraud, protect the integrity of the service, and allow you to approve requested proofs.

We do not use photos, videos, selfie data, liveness data, or biometric-related information for third-party advertising or tracking.

D. User-provided verification content

Some features may involve you capturing, scanning, entering, or using verification content such as identity document information, proof documents, document-derived information, or other user-submitted verification material.

Our design goal is that sensitive identity and verification information remains on your device wherever possible. If a feature clearly requires server-side processing, we process the information only for the purpose of providing that feature, protecting the service, preventing fraud, maintaining audit records where required, or supporting you.

E. Operational identifiers and logs

To operate the service, we collect and store limited operational data such as:

• UUIDs and account identifiers associated with app sessions, devices, accounts, proof requests, or verification events
• Device or installation identifiers used for security, trusted-device checks, proof signing, fraud prevention, or service reliability
• Event logs such as timestamps, request type, proof request status, success or failure codes, and performance metrics
• Security logs such as rate-limit triggers, abuse prevention signals, suspicious activity, and audit events

We design these logs to avoid storing direct personal information where it is not needed, but some operational records may be linked to your account, device, session, or proof request so that we can provide, secure, and troubleshoot the service.

F. Device, network, and diagnostic information

The app and our backend may process limited device, network, and diagnostic information such as device type, operating system version, app version, locale, IP address at the time of request, crash logs, performance data, error logs, failed request details, and related technical diagnostics.

We use this information to keep the service secure, prevent abuse, diagnose problems, improve reliability, maintain server uptime, minimise crashes, and provide support.

G. Usage and product interaction data

We may collect limited information about how the app and service are used, such as app launches, proof request activity, QR scan activity, verification flow status, approval or decline events, failed or expired request events, and security-related usage events.

We use this data to provide app functionality, maintain security, prevent fraud, troubleshoot issues, improve reliability, and understand whether core product features are working correctly.

H. Push notifications

If you enable notifications, the app may use Apple Push Notification service (APNs) and/or Firebase Cloud Messaging (Google) to deliver alerts such as business login approval requests or important account notices.

To deliver push notifications, we store a push token linked to your Checkify identity on our servers. We do not use push data for advertising or cross-app tracking.

I. On-device vs server-side data

The table below summarises our design intent. Individual features may vary as the product evolves.

• Typically on your device only: face embedding vectors used for on-device face match; passport or ID details you scan (until you choose to share specific fields); PIN/biometric unlock settings; camera frames during liveness/selfie processing.
• Sent to Checkify as verification evidence (metadata): evidence type (e.g. human verification, face enrollment, passport verification), method, algorithm version, confidence or score, and timestamps—without raw biometric images or embedding files.
• Sent when you approve a proof request: only the proofs and personal data fields you explicitly approve on the review screen (for example age proof results or selected contact details).
• Operational records: identity UUIDs, device key identifiers, QR/proof request IDs, audit events, security logs, and billing records where applicable.

J. Billing and payment information

Business billing features may collect a billing email address and create a Stripe customer record. Payment card details are entered on Stripe’s hosted checkout pages and are processed by Stripe—not stored in the Checkify app.

3) How we use information

• Provide and maintain the service, including account access, identity setup, proof requests, verification results, QR flows, and approval flows
• Authenticate users and protect accounts, devices, sessions, and proof requests
• Support identity and proof functionality, such as human verification, selfie/liveness checks, age-related proofs, and verification status
• Security and fraud prevention, including abuse detection, rate limiting, audit events, trusted-device checks, and suspicious activity monitoring
• Troubleshooting and reliability, including diagnosing errors, reducing crashes, improving performance, and maintaining service availability
• Customer support, including responding to support requests and investigating account or technical issues
• Compliance where required by law, regulation, legal process, or enforceable request

4) Tracking and advertising

We do not sell your personal information.

We do not use personal data, identity data, photos, videos, selfie data, liveness data, device identifiers, usage data, or diagnostic data for third-party advertising tracking.

We do not share personal information with data brokers for advertising purposes. If we use service providers to help operate Checkify, they are required to process information only for permitted service, security, support, reliability, or legal purposes.

5) Legal bases for processing

Where UK or EU data protection law applies, we process information under one or more of the following legal bases:

• Performance of a contract, to provide the service or feature you request
• Legitimate interests, including security, fraud prevention, abuse prevention, service reliability, troubleshooting, and product improvement
• Consent, where we ask for your permission, such as for optional features or device permissions
• Legal obligation, where we must comply with applicable laws, regulations, or lawful requests

6) Sharing and disclosures

We do not sell your personal information. We may share limited data in the following cases:

• Service providers that help us run, host, monitor, secure, or support the app and backend services, under appropriate confidentiality and security obligations
• Verification, security, or infrastructure providers where needed to provide a feature you use, protect the service, prevent fraud, or maintain reliability
• Payment processing (Stripe) for business subscriptions and credit purchases
• Push notification delivery (Apple APNs, Google Firebase Cloud Messaging)
• Cloud hosting for the Checkify API and website
• Legal and safety reasons where required to comply with law, regulation, legal process, enforceable request, or to protect users, Checkify, or others
• Business transfers if Checkify is involved in a merger, acquisition, financing, reorganisation, or sale of assets, subject to appropriate safeguards

Key service providers we use to operate Checkify include:

• Render — API and website hosting
• Stripe — payment processing for business billing
• Google Firebase Cloud Messaging — push notification delivery (Android; may also be used on iOS in some configurations)
• Apple Push Notification service — push notification delivery on iOS

We can provide additional subprocessor details on request by contacting privacy@checkify.me.

7) Data retention

We retain information only for as long as reasonably necessary to provide the service, keep it secure and reliable, investigate abuse or incidents, resolve disputes, support users, and meet legal obligations.

Standard operational logs are typically retained for up to 90 days. We may retain security, fraud-prevention, audit, legal, or incident-related records for longer where justified.

Information stored only on your device may remain on that device until you delete it, clear app data, or uninstall the app, subject to your device settings and backups.

8) Security

We use appropriate technical and organisational measures to protect information, including access controls, encryption in transit, least-privilege practices, monitoring, and security-focused operational procedures.

No method of transmission or storage is 100% secure, but we work to protect your information and reduce unnecessary data exposure.

9) Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to the processing of your information, and to withdraw consent where processing is based on consent.

Because Checkify is designed to minimise direct identity storage, some records may be linked to UUIDs, device identifiers, sessions, proof requests, or operational logs rather than obvious personal details. We may need additional information to locate relevant records and verify your request.

To exercise your rights, contact: privacy@checkify.me

10) Account deletion

You may request deletion of your account and associated personal data by contacting privacy@checkify.me.

Where information is stored only on your device, deleting the app or clearing app data may remove that local information. We may retain limited records where required or justified for security, fraud prevention, legal compliance, dispute handling, support, or audit purposes.

11) Children

Checkify is not intended for children under the age where parental consent is required in their jurisdiction.

If you believe a child has used the service without appropriate consent, contact us at privacy@checkify.me.

12) International transfers

If we transfer information internationally, we use appropriate safeguards such as contractual protections or other recognised transfer mechanisms to help ensure an appropriate level of protection.

13) Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above when changes are made.

If changes are material, we will provide additional notice where appropriate.

Contact: privacy@checkify.me