Compliance
How Proof of You meets regulatory requirements worldwide.
Our Compliance Position
Proof of You is designed from the ground up to comply with privacy regulations by collecting the absolute minimum data necessary to operate. Our zero-knowledge architecture means we never possess the most sensitive categories of data - including biometric images, personal identity documents, or content - making many regulatory concerns inapplicable by design.
Rather than building compliance as an afterthought, we architected our system so that privacy protection is the default, not the exception.
Regulations We Address
GDPR (EU)
The General Data Protection Regulation is the EU's comprehensive data protection law. Here is how PoY complies:
- Lawful basis: Consent - explicit, informed, and freely revocable at any time
- Data minimization: We store only cryptographic hashes, never raw biometric data or personal content. We collect only what is strictly necessary to operate the service.
- Right to erasure (Article 17): Users can delete their account and all associated data at any time. Deletion is permanent and irreversible.
- Data portability (Article 20): Users can export their complete verification history, stamps, and account data in a machine-readable format.
- Privacy by design (Article 25): Our zero-knowledge architecture is the definition of privacy by design - we cannot access what we do not possess.
- Data Protection Officer: dpo@proofofyou.com
BIPA (Illinois)
The Illinois Biometric Information Privacy Act is the strictest biometric privacy law in the United States. Our architecture is specifically designed to address BIPA:
- No biometric identifiers collected: We do NOT collect "biometric identifiers" as defined by BIPA (740 ILCS 14/10). No retina scans, fingerprints, voiceprints, or hand/face geometry are transmitted to or stored on our servers.
- Hash irreversibility: The SHA-256 hash we store is a one-way cryptographic function. It cannot be used to reconstruct, reverse-engineer, or approximate the original biometric features.
- Architecture designed for non-applicability: By processing all biometric data on-device and transmitting only irreversible hashes, we avoid creating the data categories BIPA was designed to protect.
- Written consent: Despite our position that BIPA does not apply, we still obtain explicit written consent before any biometric enrollment as a matter of best practice.
- Retention and destruction: Users can delete their hash at any time. We do not retain biometric hashes after account deletion.
CCPA / CPRA (California)
The California Consumer Privacy Act (as amended by the California Privacy Rights Act) grants California residents specific rights over their personal information:
- Right to know: California residents can request a detailed disclosure of what personal information we collect, how we use it, and who we share it with. See our Privacy Policy for full details.
- Right to delete: California residents can request deletion of their personal information. We process these requests within 45 days.
- Right to opt out of sale: We do not sell personal information to third parties. We never have, and we have no plans to.
- No discrimination: We do not discriminate against users who exercise their CCPA/CPRA rights. Exercising your rights will not affect your service access or pricing.
- Sensitive personal information: Under CPRA, biometric data is classified as sensitive. Because we never possess actual biometric data, this classification reinforces rather than complicates our compliance position.
Texas CUBI / Washington Biometric Law (US States)
The Texas Capture or Use of Biometric Identifier Act and Washington state's biometric privacy law impose requirements on entities that collect biometric data:
- Same zero-knowledge approach: The same architecture that addresses BIPA applies here. No biometric data is collected, stored, or transmitted to our servers.
- On-device processing: All biometric analysis occurs locally on the user's device. Only an irreversible hash crosses the network boundary.
- Consent and disclosure: We provide clear, conspicuous notice of our practices and obtain consent before enrollment regardless of jurisdiction.
- No commercial use: We do not sell, lease, or otherwise profit from biometric data or derivatives. Our business model is subscription-based, not data-based.
Data Residency
User data is stored in Supabase cloud infrastructure. By default, data is processed and stored in regions determined by our infrastructure provider's standard configuration.
For enterprise customers with specific data residency requirements - including EU-only storage, data sovereignty mandates, or industry-specific regulations - we can accommodate custom data residency arrangements. Contact us to discuss your needs.
For Enterprise
Need a security questionnaire, SOC 2 report, or custom Data Processing Agreement?
Contact compliance@proofofyou.com
Compliance Contact
For all compliance-related inquiries, including data subject requests, regulatory questions, and enterprise assessments:
- Compliance team: compliance@proofofyou.com
- Data Protection Officer: dpo@proofofyou.com
- Legal: legal@proofofyou.com