Privacy Policy for BentID.com

Last Updated: August 30, 2025

This Privacy Policy describes how BentID.com ("BentID", "we", "us", or "our"), a service provided by Brooks & Keitt, a Swiss-based Software Company, collects, uses, and protects your personal data when you use our identity aggregation and verification service. Your privacy is of paramount importance to us, and we are committed to handling your data with the highest level of security and in full compliance with applicable data protection laws, including Switzerland's Federal Act on Data Protection (FADP), the General Data Protection Regulation (GDPR), relevant UK regulations, and key US privacy laws.

BentID.com is solely an identity and age verification system. We do not host, display, or provide any content (photos, videos, or otherwise) with adult connotations. Our role is strictly to verify your identity and age to enable your access to third-party services that require such verification.

1. Data Controller

The data controller responsible for your personal data collected through BentID.com is:

Brooks & Keitt SARL
Place du Midi 30, 1950, Sion
info@bentid.com

2. What Personal Data We Collect

We collect personal data that is strictly necessary for the purpose of identity and age verification. This may include:

Identity Document Information: Images of government-issued photo IDs (e.g., passport, driving license), from which we extract your name, date of birth, and document expiry date.
Biometric Data: A live selfie or short video of your face. This is used for a one-time biometric comparison against your ID photo to confirm liveness (that you are a real person present for the check) and to match your face to the document. This data is considered special category data under GDPR and is processed only with your explicit consent.
Contact Information: Your email address for account creation, communication, and multi-factor authentication.
Account Information: A unique, anonymized user ID generated by BentID to represent your verified status.
Transaction Data: Information related to your payment for the verification service (e.g., payment confirmation, but not full payment card details, which are handled by our secure payment processor).
Technical Data: IP address, device information, and browser type for security, fraud prevention, and service integrity.

3. How We Use Your Personal Data

We use your personal data exclusively for the following purposes based on the principle of purpose limitation:

To Verify Your Identity and Age: To confirm that you are who you claim to be and that you are 18 years of age or older.
To Prevent Fraud: To detect and prevent fraudulent activities, duplicate accounts, and unauthorized access to ensure the integrity of our verification process.
To Provide Our Service: To create and manage your BentID account and communicate your verified status to third-party platforms with your consent.
To Comply with Legal Obligations: To adhere to legal and regulatory requirements in the jurisdictions we operate.
To Provide Customer Support: To assist you and respond to your inquiries regarding the verification process.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

Consent: We rely on your explicit consent for processing your identity document and biometric data. You provide this consent before uploading your data. You can withdraw your consent at any time by requesting account deletion.
Contractual Necessity: To fulfill our contractual obligations to you by providing the BentID service you have requested.
Legal Obligation: To comply with legal requirements, such as those related to age verification under laws like the UK Online Safety Act.
Legitimate Interests: For fraud prevention and securing our systems, where these interests are not overridden by your data protection rights.

5. Data Storage, Protection, and Retention

Data Security

We employ robust, state-of-the-art security measures to protect your personal data:

Secure Storage: Your sensitive data is stored in our highly secure, private cloud infrastructure with strictly limited access.
Encryption: All data is encrypted at rest and in transit using industry-standard protocols like AES-256 and TLS 1.2/1.3.
Access Control: We implement the principle of least privilege, ensuring that only essential, authorized backend systems can access data for the explicit purpose of verification. Human access to sensitive personal data is prohibited unless required for a customer support issue initiated by you.

Data Retention

We believe in data minimization and retain your personal data only for as long as absolutely necessary.

Biometric Data: Your biometric data (live selfie/video) is used for the one-time verification check and is then permanently deleted from our systems within 24 hours of a successful verification.
Identity Documents: Copies of your ID documents are retained in our secure, encrypted storage for as long as your account is active to handle potential fraud investigations or legal requirements. They are permanently deleted upon account deletion.
Account Data: We retain your anonymized BentID user ID and verification status as long as your account remains active with us or a partner platform.

You may request the deletion of your account and associated personal data at any time by contacting us.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. Our data sharing policy is simple:

Verification Confirmation Only: When you use BentID to access a third-party service (e.g., BentBox), we only transmit a simple, cryptographically signed confirmation (a "token") that confirms your verified status (e.g., "User is 18+"). No personal details from your ID, your name, date of birth, or biometric data are ever shared.
Service Providers: We engage trusted third-party providers for essential services like cloud infrastructure and payment processing. These providers are contractually bound to protect your data and are prohibited from using it for any other purpose.
Legal Requirements: We may disclose data if required by law or in response to a valid, legally binding request from a public authority (e.g., a court order from a competent jurisdiction). We will assess such requests for validity and scope and challenge them where appropriate.

7. Your Data Protection Rights

Depending on your location, you have specific rights regarding your personal data. We are committed to upholding these rights for all our users.

Rights under GDPR (for users in EEA/UK/Switzerland)

You have the right to access, rectify, erase ("right to be forgotten"), restrict processing, object to processing, and the right to data portability. To exercise these rights, please contact us.

Rights for US Residents

Several US states have enacted privacy laws granting consumers specific rights. We extend these rights to all our US users. This includes, but is not limited to, rights provided by the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA).

Right to Know and Access: You have the right to request information about the categories and specific pieces of personal data we have collected about you.
Right to Delete: You have the right to request the deletion of your personal data, subject to certain exceptions.
Right to Correct: You have the right to request the correction of inaccurate personal information.
No Sale or Sharing of Data: We do not "sell" or "share" your personal data as defined by the CCPA/CPRA. We do not provide your data to third parties for cross-context behavioral advertising or for monetary value.
Right to Limit Use of Sensitive Personal Information: You have already exercised this right by design. We only use your sensitive personal information (ID and biometric data) for the explicit purpose of identity verification and fraud prevention, for which we obtained your consent. We do not use it for any other purpose.

To exercise any of these rights, please contact us using the details provided in Section 9.

8. Compliance with International and US Law

GDPR and Swiss FADP

As a Swiss-based company, we are compliant with both Switzerland's Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR), which set a high standard for data protection worldwide.

US Biometric and Privacy Laws

We are committed to complying with applicable US laws regarding the collection and processing of personal data. This includes biometric privacy laws such as the Illinois Biometric Information Privacy Act (BIPA). In line with such regulations, we:

Obtain your explicit consent before collecting any biometric data.
Inform you of the specific purpose and length of time for which the data is being stored.
Maintain a public policy (this policy) establishing our retention schedule and guidelines for permanently destroying your biometric data.
Do not sell, lease, trade, or otherwise profit from your biometric data.

9. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

10. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact our Data Protection Officer:

Email: privacy@bentid.com

Or by mail:
Brooks & Keitt SARL
Attn: Data Protection Officer
Place du Midi 30, 1950, Sion, Switzerland