Privacy Policy
Last updated: May 16, 2026 · Effective: May 16, 2026
Overview
Universal Identity Protocol ("UIP," "we," "us") provides a digital identity service that lets you prove who you are and produce legally significant signatures across the apps and businesses you interact with. Our service is built around a face-template biometric identity you control through the UIP mobile app.
This policy explains, in plain language, what data we collect, why we collect it, how long we keep it, who we share it with, and how you can exercise your legal rights. We collect what we need and nothing more.
Who is responsible for your data
The controller of your personal data is Universal Identity Protocol.
- General contact: [email protected]
- Privacy / data-subject requests: [email protected]
- Legal: [email protected]
Registered legal entity name and address will be listed here at general availability. For data-subject requests in the interim, use [email protected].
Data we collect
We collect data in the categories below. Each category is tied to a specific purpose and legal basis listed further down.
Biometric data
When you create or renew your UIP identity, you perform a liveness check (a guided head-movement capture). From that capture we derive a face template (a mathematical representation of facial features) and store it in our AWS Rekognition collection in the United States. The face template is what allows us to recognize you across sessions without re-running full identity verification.
- The raw liveness recording is processed transiently and not retained as a long-term record.
- The face template is held in AWS Rekognition for as long as you have a UIP account. Every 2 years we ask you to complete a renewal liveness check; the renewal produces a new template, and the previous template is removed from our collection in the same step. See the Retention table below for the full destruction schedule.
- If you complete KYC (Know-Your-Customer document verification), our KYC vendor briefly captures a selfie to run liveness detection on its own side. UIP streams that selfie into our face-template match check and does not persist it.
- We do not sell, lease, or trade biometric data, and we do not use it to train third-party machine-learning models.
Identity verification (KYC) data
If a business action requires verified identity, you complete a one-time KYC flow through our KYC provider (currently Didit) inside the UIP app. We receive a normalized record from the provider containing:
- Full name, date of birth, nationality, and country of issuance
- Document type (passport, national ID, driver's license), document number, and expiration date
- The verdict (approved / rejected) and supporting metadata (MRZ parse result, document image hashes — not the document images themselves)
Account & device data
- UIP user identifier (a random UUID we generate for you)
- App install identifier (a per-install random ID)
- Apple App Attest device attestation (a hardware-backed proof your device is genuine, not your device's serial number or identifiers)
- Optional contact details if you choose to provide them (e.g., for account recovery — feature not currently exposed)
Audit & activity data
- Records of the identity-verification, signing, and consume events you take part in, with timestamps and the business identifier you interacted with
- Cryptographic signatures and verifiable proofs produced by your device
- Encrypted messages routed through the service (we do not have access to message contents)
Business-customer data (B2B)
If you operate a business that integrates UIP, we additionally process:
- Business legal name, jurisdiction, and registration evidence
- Account owner identity (the natural person who registered the business)
- API keys, webhook URLs, and integration metadata
- Billing data, if applicable, processed by our payment provider
Technical & usage data
- IP address, approximate location derived from IP, user agent, and request timing
- Rate-limit counters and abuse-protection signals
- Aggregated, non-identifying usage statistics
Why we collect it (purposes & legal bases)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, the table below sets out our purposes and the GDPR/UK GDPR Article 6 legal basis for each. Biometric data is special-category data under Article 9; we rely on your explicit consent (Article 9(2)(a)) for biometric processing.
| Purpose | Data categories | Legal basis |
|---|---|---|
| Identity continuity (biometric) | Biometric, account | Explicit consent (Art. 9(2)(a)) |
| KYC verification | Identity verification | Contract (Art. 6(1)(b)) + legal obligation where applicable |
| Producing legally-significant signatures | Audit, account, device | Contract (Art. 6(1)(b)) |
| Fraud prevention & abuse protection | Technical, audit | Legitimate interests (Art. 6(1)(f)) |
| Service operation & security | Account, device, technical | Contract / legitimate interests |
| Compliance with legal obligations | Audit, KYC | Legal obligation (Art. 6(1)(c)) |
You can withdraw consent for biometric processing at any time by deleting your UIP account in-app, which triggers deletion of your face template from AWS Rekognition before your other account data is erased.
Who we share with (sub-processors)
We do not sell your personal data. We share data only with carefully vetted sub-processors that act on our written instructions under data-processing agreements. Each is listed publicly on our sub-processor page, including purpose, region, and a link to their own privacy and security documentation. Categories:
- Amazon Web Services (Rekognition): stores and matches face templates in the United States (us-east-1; EU collection planned for EU users)
- Didit: performs document scanning and liveness detection during KYC; receives the document image and a captured selfie as part of the user's session with Didit
- Supabase: primary database, authentication, and account storage
- Railway: backend hosting for the UIP API
- Apple (APNs): push notification delivery to iOS devices
We do not share your personal data with advertisers or data brokers. We disclose information to law enforcement only when required by a binding legal order, and we challenge orders we consider overbroad.
International data transfers
UIP is operated from the United States, and several of our sub-processors store or process data in the United States. For EEA, UK, and Swiss data subjects, we rely on the following transfer mechanisms:
- EU Standard Contractual Clauses (2021/914): in place with each sub-processor that processes data outside the EEA
- UK International Data Transfer Addendum: applied where data leaves the UK
- Transfer Impact Assessments: conducted for each non-EEA recipient
When we open the EU market, biometric data for EU users will be stored in an EU-based AWS Rekognition collection (eu-west-1). Cross-region face matching is not supported, so the EU and US collections will remain logically separate.
How long we keep your data (retention)
| Category | Retention |
|---|---|
| Face template (biometric) | Held for the life of your UIP account. Rotated every 2 years on renewal (the previous template is removed from our collection when the new one is created). Permanently destroyed within 30 days of account deletion, or after 3 years of inactivity — whichever is sooner. See BIPA notice below. |
| Liveness capture (raw) | Processed transiently; not retained as a long-term record |
| KYC document image | Held by KYC provider per their retention schedule; UIP retains only normalized fields (no document images) |
| KYC normalized record | Until the document expires; renewed on re-verification; deleted on account deletion |
| Account & device data | For the life of your account; deleted within 30 days of account deletion |
| Audit & signing records | Retained as long as legally required for the relying party's use case (typically 7+ years for signed transactions), after which they are anonymized |
| Technical logs | 90 days, then aggregated |
| Encrypted messages | Retained per the relying business's request and our terms; UIP cannot read message content |
Your rights
Rights under GDPR / UK GDPR (EEA, UK, Switzerland)
- Access — request a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion (Art. 17). For biometric data, deletion is also triggered automatically when you delete your account.
- Restriction — pause processing while a dispute is resolved (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Objection — object to legitimate-interests processing (Art. 21)
- Withdraw consent — withdraw consent at any time for processing based on consent (Art. 7)
- Lodge a complaint — with your national supervisory authority (Art. 77)
Rights under CCPA / CPRA (California)
- Right to know what personal information we collect, use, and share
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (biometric data is "sensitive PI" under CPRA)
- Right to opt out of sale / sharing — UIP does not sell personal information, and we do not share for cross-context behavioral advertising
- Right to non-discrimination for exercising your rights
How to exercise these rights
Email [email protected] from the address associated with your account, or use the in-app Delete Account flow. We respond within 30 days for GDPR requests and 45 days for CCPA requests, extendable once where lawful. You may authorize an agent in writing to act on your behalf.
Illinois Biometric Information Privacy Act (BIPA) notice
This section applies to residents of Illinois. UIP collects and stores biometric identifiers (face templates derived from a liveness capture) and biometric information as those terms are defined in 740 ILCS 14/.
- Purpose: to recognize you across sessions, prevent identity fraud, and confirm continuity of identity when you complete KYC or sign actions.
- Retention schedule: a face template is held in AWS Rekognition for the duration of your UIP account. Every 2 years a renewal liveness check produces a new template, and the previous template is removed from our collection in the same step (rotation). All templates are permanently destroyed within 30 days of (a) account deletion, (b) the purpose for which we collected them ending, or (c) 3 years from your last interaction with us — whichever is sooner.
- Destruction: deletion is performed by removing the face from our AWS Rekognition collection (irreversible) before any other account data is purged.
- Disclosure: we do not sell, lease, trade, or otherwise profit from biometric data. We disclose biometric data only to AWS as our sub-processor (storage/matching), under written contract, and otherwise only when compelled by a valid legal order.
- Consent: we will not collect biometric data without your prior written consent, captured through the in-app consent screen.
This notice constitutes our publicly-available written policy under 740 ILCS 14/15(a).
Automated decision-making
KYC verdicts (approved / rejected) and biometric matching are produced by automated systems. If you are in the EEA, UK, or Switzerland and a decision produces legal effects for you under Art. 22 GDPR, you have the right to request human review, express your point of view, and contest the decision. Email [email protected].
Security
We protect your data with hardware-attested device signing, transport encryption (TLS 1.2+), at-rest encryption on all stored data, role-scoped database access, secret rotation, and continuous monitoring. Biometric face templates are stored in AWS Rekognition under an IAM role scoped to our collection only — no human at UIP has access to the raw template bytes. Sensitive operations require per-request device signatures bound to a hardware-backed key on your phone.
Children's privacy
UIP is not intended for users under 18 (or the local age of digital consent, whichever is higher). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at [email protected] and we will delete it.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes will be announced in-app and by email where we have a contact for you, with at least 30 days' notice before they take effect. Continued use of UIP after the effective date constitutes acceptance of the updated policy.
Contact & complaints
Questions, requests, or complaints about how we handle your data:
- Privacy contact: [email protected]
- General contact: [email protected]
- Legal: [email protected]
If you are in the EEA, UK, or Switzerland you also have the right to lodge a complaint with your national data protection supervisory authority.