Legal · Privacy

Data Processor Privacy Policy

Last updated: April 14, 2026

Sanctum Key, Inc. ("Sanctum Key") provides this Privacy Policy to individuals whose personal data we process as a data processor on behalf of our customers. We act solely on the instructions of the customer controller with whom you have a direct relationship.

Age Assurance Services

Personal Data We Collect (Age Assurance)

You provide personal data to us at the direction of our customers so that our customers may verify your age and prevent fraud ("age assurance services"). The information we collect depends on the age assurance method used. We do not require all of the information listed below for every age assurance check. Depending on the method selected, you may be asked to provide only a subset of the following:

  • Name and contact information, including name, email address, address, and phone number
  • Demographic data, including birthdate and age
  • Government documents, barcodes, and identifiers, such as a passport or driver's license
  • Audio, video, and photos of you — from the selfie or video you provide and from your government identification document
  • Biometric Data, only with your express consent, including a scan of your facial geometry based on the photos or video you provide

We may also collect the following information from you, our customer, or third parties to determine the appropriate age assurance method and to support compliance with applicable laws:

  • Device information, including IP address, device type, operating system, browser, cookie and device identifiers, and other software details
  • Account information, such as details about your account with our customer or other third parties
  • Geolocation data — we may infer your general geographic location (city, state, country) based on your IP address. We do not collect precise geolocation data
  • Usage data, including time to complete verification, access times, and other interaction details such as copy-and-paste detection
  • Wireless Device Data — your wireless carrier may disclose information about your account and device, solely to help assess your age or evaluate your device and to detect and prevent fraud
  • Additional Age Assurance Data from trusted third-party sources: open government databases, national ID registries, consumer credit bureaus, utility companies, mobile network providers, and postal address databases
Biometric Data

Facial Scan & Biometrics Information

This section describes how Sanctum Key treats scans of facial geometry extracted from your selfie and government ID. Biometric information includes unique physical characteristics such as face geometry through which you can be identified or recognised.

Sanctum Key, acting as a processor on behalf of the customer, may — depending on the age assurance method selected and only as necessary to provide the service — do the following:

  • If only selfie age estimation is used: analyse non-uniquely identifying facial geometry ("Age Estimation Scan Data") to estimate your age. This data is deleted immediately once an outcome is determined.
  • If your government ID is compared against your selfie: analyse facial geometry extracted from the ID document and compare it against facial geometry from your selfie ("Identity Scan Data") to confirm the document belongs to you.
  • Use your information, including Identity Scan Data, to detect, prevent, and investigate fraud and abuse.

Sanctum Key's default setting is to automatically delete all personal data, including Age Estimation Scan Data and Identity Scan Data, immediately as soon as processing is complete and an outcome has been determined. Customers may direct us to retain certain data for longer periods to detect, investigate, or prevent suspicious or fraudulent activity. Retained Identity Scan Data is stored in encrypted format.

Sanctum Key may use one or more secure cloud service providers to process biometric data, including: Amazon Web Services (AWS)Google Cloud, and OVHCloud.

Data Use

How We Use Personal Data

Important

Sanctum Key does not use any personal data, including biometric data, for any AI or model training. Sanctum Key does not sell or share personal data with third parties. We do not use such data for marketing or for any purpose other than providing the age assurance and identity verification services as requested by customers.

Depending on the identity verification method performed, we may collect, hold, use, and disclose personal data to provide our customers with the age assurance services in accordance with their written instructions. This includes verifying the age of individuals, preventing fraud, and complying with applicable laws.

Third Parties

How We Disclose Personal Data

We may engage third parties to assist us in providing the age assurance service, in which case we may disclose personal data to them. Disclosures may be made to service providers including:

  • Hosting, cloud services, and other information technology service providers
  • Email communication and SMS software providers
  • Mobile device operators, public and private records database providers
  • Consumer reporting services, and fraud and identity management providers
Retention Policy

Data Retention

Sanctum Key's default setting is to automatically delete all personal data immediately as soon as processing is complete and an outcome has been determined. However, Sanctum Key's customers may retain certain data for longer periods, as disclosed to you at the time you provide consent, when necessary to detect, investigate, or prevent suspicious or fraudulent activity.

Identity Verification

Identity Verification

The following provisions apply specifically to our identity verification services.

Personal Data We Collect (Identity Verification)

You provide personal data to us at the direction of our customers so that our customers may verify your identity and prevent fraud ("identity verification services"). The information we collect depends on the method used. Depending on the method selected, you may be asked to provide only a subset of:

  • Name and contact information, including name, email address, address, and phone number
  • Demographic data, including birthdate and age
  • Files you upload, such as tax forms and utility bills
  • Government documents, barcodes, and identifiers, such as a passport, driver's licence, or Social Security Number
  • Audio, video, and photos of you, from the selfie or video you provide and from your government identification document
  • Biometric Data, only with your express consent, including a scan of your facial geometry

We may also collect the following from you, our customer, or third parties:

  • Current and previous name and contact information
  • Demographic data, including birthdate, age, gender, marital status, and similar details
  • Government documents, barcodes, and identifiers
  • Device information, including IP address, device type, operating system, browser, cookies, and software details
  • Publicly available data, including data from governmental public records, the public internet and social media
  • Geolocation data inferred from your IP address (general only — no precise geolocation)
  • Wireless Device Data to help identify you or your device and to prevent fraud
  • Additional Identity Data from trusted third-party sources including government databases, national ID registries, consumer credit bureaus, utility companies, and mobile network providers

Facial Scan & Biometrics (Identity Verification)

This section describes how Sanctum Key treats scans of facial geometry extracted from uploaded images of your identity documents and your selfie.

Sanctum Key, acting as a processor on behalf of the customer, may:

  • Compare facial geometry extracted from your ID document ("ID Scan Data") against facial geometry extracted from your selfie ("Selfie Scan Data") to help verify your identity
  • Use your information, including ID and Selfie Scan Data, to detect, prevent, and investigate fraud and abuse

Subject to the customer's retention period, Sanctum Key will permanently destroy ID and Selfie Scan Data upon completion of identity verification services or within three years of your last interaction with Sanctum Key, unless otherwise required by law or legal process. Retained Scan Data is stored in encrypted format.

Sanctum Key may use one or more secure cloud service providers including Amazon Web Services (AWS)Google Cloud, and OVHCloud.

How We Use Personal Data (Identity Verification)

Important

Sanctum Key does not use any personal data, including biometric data, for any AI or model training. Sanctum Key does not sell or share personal data with third parties. We do not use such data for marketing or for any purpose other than providing the age assurance services as requested by customers.

We may collect, hold, use, and disclose personal data to provide customers with identity verification services in accordance with their written instructions, which includes verifying the identity of individuals, preventing fraud, and complying with applicable laws — for example, performing AML/KYC checks for regulated customers.

How We Disclose Personal Data (Identity Verification)

We may engage third parties to assist us in providing the identity verification service, in which case we may disclose personal data to them, including:

  • Hosting, cloud services, and other information technology service providers
  • Email communication and SMS software providers
  • Identity verification services, mobile device operators, background check providers
  • Public and private records database providers, consumer reporting services
  • Fraud and identity management providers'

Data Retention (Identity Verification)

We retain personal data in accordance with written instructions from our customers, including as long as necessary to provide the identity verification service, fulfil the transactions customers have requested, and comply with legal obligations.

Additional Notices

Location of Personal Data

The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. We currently primarily use data centres in the United States and Germany. Storage locations are chosen to operate efficiently and improve performance. We take steps designed to ensure personal data is processed and protected wherever it is located.

We transfer personal data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections.

Sanctum Key complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. If there is any conflict between the terms in this privacy policy and the DPF Principles, the Principles shall govern. We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Your Rights

Choices Regarding Personal Data

Sanctum Key processes personal data on behalf of its customers, with whom you have a direct relationship. To exercise any privacy rights you may have, please contact the appropriate customer who will be better able to help you. Depending on where you are located and subject to applicable privacy laws, you may have certain privacy rights, such as the right to access or correct your personal data.

If you have further concerns or questions regarding the processing of your personal data, please email support@sanctumkey.com. When contacting us, please do not send any personal data beyond what is required for communication, such as copies of your government ID.

Get in touch

Questions about this policy?

Reach our privacy team at any time.

support@sanctumkey.com