Privacy Policy (Service Delivery)
Effective Date: February 2, 2026
Last Updated: February 2, 2026
Looking for our Website Privacy Policy? Click here
1. Introduction
This Privacy Policy explains how TrustGate Inc. ("TrustGate," "we," "us," or "our") processes personal information when you undergo identity verification through our platform. This policy applies to individuals ("you" or "Applicants") whose identity is being verified on behalf of our business customers ("Customers").
TrustGate provides identity verification, document verification, liveness detection, and anti-money laundering (AML) screening services to businesses. When you complete a verification through our platform, your personal information is processed as described in this policy.
1.1 Our Role
In most cases, TrustGate acts as a data processor on behalf of our Customers, who are the data controllers. This means:
- Our Customers determine why and how your personal information is processed
- We process your information according to our Customers' instructions
- Our Customers are responsible for providing you with their own privacy notices
- You should contact our Customer directly for questions about why your data is being collected
In some circumstances, TrustGate acts as a data controller, including:
- Fraud prevention and detection across our platform
- Service improvement and algorithm training (using anonymized/aggregated data)
- Legal compliance and defense
- Security monitoring
1.2 Scope
This policy applies to personal information collected through:
- TrustGate verification flows (web, mobile SDK, API)
- Document uploads and selfie captures
- Automated identity checks
This policy does not apply to:
- Visitors to our corporate website (see our Website Privacy Policy)
- Our business customers (see our Terms of Service)
2. Data We Collect
We collect the following categories of personal information during the verification process:
2.1 Identity Information
| Data Type | Examples |
|---|---|
| Name | Full legal name, maiden name, aliases |
| Date of Birth | Birth date |
| Nationality | Country of citizenship |
| Gender | As stated on identity documents |
| Place of Birth | City, country of birth |
2.2 Identity Document Information
| Data Type | Examples |
|---|---|
| Document Type | Passport, driver's license, national ID, residence permit |
| Document Number | Passport number, license number |
| Issue and Expiry Dates | When the document was issued and expires |
| Issuing Authority | Country or state that issued the document |
| MRZ Data | Machine Readable Zone information |
| Document Images | Photos of the front and back of your documents |
| Security Features | Hologram detection, watermarks, microprinting analysis |
2.3 Biometric Information
| Data Type | Examples |
|---|---|
| Facial Images | Selfies, video frames captured during liveness checks |
| Facial Geometry | Mathematical representation of facial features |
| Liveness Data | Movement patterns, depth analysis, 3D facial mapping |
Important: Biometric data is used solely for identity verification purposes. See Section 6 for detailed information about biometric data processing.
2.4 Technical Information
| Data Type | Examples |
|---|---|
| IP Address | Your internet protocol address |
| Device Information | Device type, operating system, browser type |
| Device Identifiers | Unique device fingerprints |
| Geolocation | Approximate location based on IP address |
| Session Data | Timestamps, verification flow interactions |
2.5 Screening Information
| Data Type | Examples |
|---|---|
| Sanctions Matches | Matches against global sanctions lists |
| PEP Status | Politically Exposed Person screening results |
| Adverse Media | Relevant media mentions (if applicable) |
| Watchlist Results | Matches against law enforcement and regulatory databases |
3. How We Collect Your Data
We collect personal information:
3.1 Directly From You
- When you submit identity documents through our verification interface
- When you capture selfies or videos for liveness detection
- When you enter personal details manually
3.2 From Your Documents
- By extracting text using Optical Character Recognition (OCR)
- By reading machine-readable zones (MRZ)
- By analyzing document security features
3.3 From Your Device
- Through automated collection of technical data when you use our verification interface
- Through our SDK integrated into our Customers' applications
3.4 From Third-Party Sources
- Sanctions and watchlist databases (OpenSanctions, government databases)
- Fraud prevention databases
- Document verification databases
4. Purposes of Processing
We process your personal information for the following purposes:
4.1 Identity Verification (Primary Purpose)
- Confirming your identity matches your documents
- Verifying document authenticity and validity
- Performing liveness detection to ensure you are present
- Conducting face matching between your selfie and document photo
4.2 Regulatory Compliance
- Anti-Money Laundering (AML) screening
- Counter-Terrorist Financing (CTF) checks
- Know Your Customer (KYC) requirements
- Sanctions and watchlist screening
- Politically Exposed Person (PEP) screening
4.3 Fraud Prevention
- Detecting fraudulent documents
- Identifying synthetic or manipulated identities
- Preventing duplicate account creation
- Detecting device emulators, deepfakes, and spoofing attempts
4.4 Service Operation
- Processing verification requests from our Customers
- Providing verification results and risk assessments
- Maintaining audit trails for compliance purposes
- Technical troubleshooting and support
4.5 Service Improvement (Controller Processing)
- Improving verification accuracy (using anonymized data)
- Training fraud detection algorithms (using anonymized/aggregated data)
- Analyzing verification patterns (statistical analysis only)
5. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases:
5.1 Processing as a Processor
When processing on behalf of our Customers (data controllers), the legal basis is determined by the Customer. Common bases include:
| Legal Basis | Article | Typical Use |
|---|---|---|
| Contract Performance | Art. 6(1)(b) | Verification required to provide services to you |
| Legal Obligation | Art. 6(1)(c) | AML/CFT compliance, regulatory requirements |
| Legitimate Interests | Art. 6(1)(f) | Fraud prevention, security |
5.2 Processing as a Controller
When TrustGate processes as a controller, we rely on:
| Legal Basis | Article | Purpose |
|---|---|---|
| Legitimate Interests | Art. 6(1)(f) | Fraud prevention across platform, service improvement, security |
| Legal Obligation | Art. 6(1)(c) | Compliance with legal requirements, responding to law enforcement |
5.3 Special Category Data (Biometric)
Processing of biometric data as special category data under GDPR Article 9:
| Legal Basis | Article | Application |
|---|---|---|
| Explicit Consent | Art. 9(2)(a) | Primary basis for biometric processing |
| Substantial Public Interest | Art. 9(2)(g) | Fraud prevention, preventing identity crime |
| Legal Claims | Art. 9(2)(f) | Establishing, exercising, or defending legal claims |
6. Biometric Data
This section provides detailed information about our collection and use of biometric data, including compliance with state-specific biometric privacy laws.
6.1 What Biometric Data We Collect
We collect and process:
- Facial Images: Photographs and video frames of your face captured during liveness detection
- Facial Geometry: Mathematical representations derived from facial features (faceprints) used for face matching
- Liveness Indicators: Movement patterns, depth data, and other indicators used to confirm you are a real person
6.2 How We Use Biometric Data
Your biometric data is used to:
- Liveness Detection: Confirm you are a real, live person (not a photo, video, mask, or deepfake)
- Face Matching: Compare your selfie against the photo on your identity document
- Fraud Prevention: Detect if the same face has been used in multiple fraudulent verification attempts
- Identity Confirmation: Provide assurance to our Customers that you are who you claim to be
6.3 How We Protect Biometric Data
We implement the following safeguards:
- Encryption: Biometric data is encrypted at rest using AES-256 encryption
- Secure Transmission: All biometric data is transmitted over TLS 1.3 encrypted connections
- Access Controls: Biometric data access is strictly limited and logged
- Segregation: Biometric data is stored separately from other personal information
- No Sale: We do not sell biometric data to third parties
6.4 Biometric Data Retention
Retention periods for biometric data vary by jurisdiction and Customer instruction:
| Jurisdiction | Retention Period |
|---|---|
| Illinois (BIPA) | Destroyed within 3 years of collection or last interaction, or when the purpose has been satisfied, whichever occurs first |
| Texas (CUBI) | Destroyed within 1 year after the purpose expires, or 5 years from collection, whichever is earlier |
| Other US States | As determined by Customer, typically not exceeding 5 years |
| European Union | As determined by Customer, subject to GDPR data minimization principles |
| Default | 5 years from verification or as instructed by Customer |
6.5 Illinois Residents (BIPA Notice)
If you are an Illinois resident, please read this section carefully.
NOTICE
TrustGate collects biometric identifiers and biometric information ("biometric data") as defined under the Illinois Biometric Information Privacy Act, 740 ILCS 14 ("BIPA").
Collection and Purpose:
- We collect facial geometry (biometric identifiers) from your selfie/video
- This data is used to verify your identity by comparing your face to your identity document photo
- This data may be used to detect fraudulent verification attempts
Storage:
- Your biometric data will be stored for no longer than 3 years from the date of collection or your last interaction with TrustGate, or until the purpose for collection has been satisfied, whichever occurs first
Disclosure:
Your biometric data may be disclosed to:
- The Customer who requested your verification
- Our subprocessors who assist with verification (available upon request at legal@bytrustgate.com)
- Authorities when required by law
Your Rights:
- You have the right to request deletion of your biometric data
- You have the right to a copy of this notice
Consent: By proceeding with verification, you acknowledge receipt of this notice and consent to the collection, use, storage, and disclosure of your biometric data as described herein.
6.6 Texas Residents (CUBI Notice)
If you are a Texas resident, please read this section carefully.
NOTICE
Pursuant to the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code Ann. Section 503.001 ("CUBI"), TrustGate provides the following notice:
- TrustGate captures biometric identifiers (facial geometry) for the purpose of identity verification
- Your biometric data will be destroyed within 1 year after the purpose for which it was collected expires, or within 5 years of collection, whichever is earlier
- By proceeding, you consent to the capture and use of your biometric identifiers
6.7 Withdrawing Consent
You may withdraw your consent for biometric data processing at any time by contacting us at legal@bytrustgate.com. Please note:
- Withdrawal of consent does not affect the lawfulness of processing conducted before withdrawal
- Withdrawal may prevent completion of verification services
- We may retain biometric data where required by law or for legal defense purposes
7. Data Sharing
We share your personal information with the following categories of recipients:
7.1 Our Customers
We provide verification results to the Customer who requested your verification. This typically includes:
- Verification decision (approved, rejected, or review required)
- Risk score and confidence levels
- Document validity information
- Extracted identity data
- Watchlist screening results
Our Customers use this information according to their own privacy policies.
7.2 Subprocessors
We use trusted third-party service providers to help deliver our services:
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure | Hosting and storage | All verification data |
| Face Matching | Biometric comparison | Facial images |
| Document Analysis | OCR and authenticity | Document images |
| Sanctions Screening | AML/CFT compliance | Name, DOB, nationality |
| Fraud Detection | Risk scoring | IP, device data |
A complete list of our subprocessors is available upon request. Contact legal@bytrustgate.com for details.
7.3 Government and Regulatory Authorities
We may disclose your personal information when required by law, including:
- Court orders and subpoenas
- Law enforcement requests
- Regulatory investigations
- National security requests
We will notify you of such requests where legally permitted.
7.4 Legal and Professional Advisors
We may share data with our attorneys, auditors, and consultants as necessary for:
- Legal advice and defense
- Compliance audits
- Regulatory examinations
7.5 Corporate Transactions
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. You will be notified of any such change.
7.6 We Do Not Sell Your Data
TrustGate does not sell, rent, or trade your personal information to third parties for their marketing purposes.
8. International Data Transfers
TrustGate is based in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States.
8.1 Transfers from the EEA, UK, and Switzerland
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our Customers and subprocessors
- UK International Data Transfer Agreement: For UK transfers
- Swiss Data Protection Addendum: For Swiss transfers
8.2 Safeguards
We implement supplementary measures to protect transferred data:
- Encryption of data at rest and in transit
- Access controls and audit logging
- Contractual commitments with all data recipients
8.3 Data Localization
Enterprise Customers may request data residency in specific regions. Contact us for available options.
9. Data Retention
We retain personal information for the following periods:
9.1 Verification Data
| Data Type | Retention Period | Basis |
|---|---|---|
| Identity Information | As instructed by Customer (default: 5 years) | AML/CFT regulatory requirements typically require 5 years post-relationship |
| Document Images | As instructed by Customer (default: 5 years) | Regulatory compliance |
| Biometric Data | See Section 6.4 for jurisdiction-specific periods | State law requirements |
| Technical Data | 2 years | Security and fraud prevention |
| Audit Logs | 7 years | Regulatory compliance |
9.2 Customer-Determined Retention
Our Customers may instruct us to retain data for shorter or longer periods based on their legal requirements. The retention period applied to your data depends on:
- The Customer's instructions
- Applicable laws in your jurisdiction
- State-specific biometric privacy laws (see Section 6.4)
9.3 Deletion
Upon expiration of the retention period, data is deleted using secure deletion methods with verification.
You may request earlier deletion of your data (see Section 10), subject to:
- Legal retention requirements
- Our Customers' instructions
- Ongoing legal proceedings
10. Your Rights
10.1 Rights Under GDPR (EEA, UK, Switzerland Residents)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of your data (subject to legal exceptions) |
| Restriction | Request limitation of processing |
| Portability | Receive your data in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests |
| Automated Decisions | Request human review of automated decisions |
| Withdraw Consent | Withdraw consent at any time |
| Complain | Lodge a complaint with a supervisory authority |
Important: Because TrustGate typically acts as a processor, you should first contact the Customer who requested your verification to exercise these rights. We will assist our Customers in responding to your requests.
10.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
| Right | Description |
|---|---|
| Right to Know | Request disclosure of personal information collected, used, and shared |
| Right to Delete | Request deletion of your personal information |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out of Sale | We do not sell personal information |
| Right to Limit Use of Sensitive PI | Limit use of sensitive personal information |
| Right to Non-Discrimination | Not be discriminated against for exercising rights |
Categories of Personal Information Collected:
- Identifiers (name, email, IP address, device identifiers)
- Biometric information
- Internet activity information
- Geolocation data
- Inferences drawn from the above
Notice: We do not "sell" or "share" (for cross-context behavioral advertising) your personal information as defined by the CCPA/CPRA.
10.3 How to Exercise Your Rights
For requests related to verification data:
Contact the Customer (business) that requested your verification first. They are the data controller and responsible for processing your request.
For requests directly to TrustGate:
- Email: legal@bytrustgate.com
- Subject: "Data Subject Request - [Your Name]"
- Include: Your name, the business you were verified for (if known), and a description of your request
We will respond within:
- GDPR: 30 days (extendable by 60 days for complex requests)
- CCPA: 45 days (extendable to 90 days)
We may need to verify your identity before processing your request.
11. Security
We implement comprehensive security measures to protect your personal information:
11.1 Technical Measures
- Encryption at Rest: AES-256 encryption for all stored data
- Encryption in Transit: TLS 1.3 for all data transmission
- Field-Level Encryption: Additional encryption for PII fields
- Access Controls: Role-based access control (RBAC)
- Multi-Factor Authentication: Required for all system access
- Intrusion Detection: 24/7 security monitoring
11.2 Organizational Measures
- Employee Training: Security awareness training for all staff
- Background Checks: Pre-employment screening for employees with data access
- Access Reviews: Quarterly reviews of access permissions
- Incident Response: Documented incident response procedures
- Vendor Security: Security requirements in all subprocessor contracts
11.3 Data Breach Response
In the event of a data breach affecting your personal information, we will:
- Notify affected Customers without undue delay
- Cooperate with Customer breach notification obligations
- Notify regulatory authorities as required by law
- Notify affected individuals where required (coordinated with Customers)
12. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
If you believe we have inadvertently collected information from a child, please contact us immediately at legal@bytrustgate.com.
13. Automated Decision-Making
TrustGate uses automated processing to generate verification results. This includes:
- Document Authenticity Checks: Automated analysis of document security features
- Face Matching: Automated comparison of selfie to document photo
- Liveness Detection: Automated analysis to confirm presence of a real person
- Sanctions Screening: Automated checking against watchlists
13.1 Human Review
Our Customers may configure verification workflows to include human review for:
- Low-confidence automated results
- Edge cases and exceptions
- Appeals of verification decisions
13.2 Your Rights
If you are subject to automated decision-making that produces legal or similarly significant effects, you may:
- Request human intervention
- Express your point of view
- Contest the decision
Contact the Customer who requested your verification to exercise these rights.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be:
- Posted on this page with an updated "Last Updated" date
- Communicated to our Customers who can notify affected individuals
- Material changes will be highlighted
We encourage you to review this policy periodically.
15. Contact Us
Privacy and Legal Inquiries
For privacy-related inquiries or to exercise your rights:
Email: legal@bytrustgate.com
Address: 700 NE 25th St APT 1902, Miami, FL 33137
General Support
Website: bytrustgate.com
Support: support@bytrustgate.com
Supervisory Authorities
If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. A list of EEA data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For UK residents: Information Commissioner's Office (ICO) - https://ico.org.uk
16. Additional Disclosures
16.1 FCRA Disclaimer
TrustGate is not a consumer reporting agency as defined by the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. Section 1681 et seq., and our services do not constitute "consumer reports" under FCRA. Our verification services are not intended to be used as the sole basis for decisions regarding consumer eligibility for credit, insurance, employment, or other purposes governed by FCRA.
16.2 Equal Opportunity
Our verification technology is designed to work fairly across all demographics. We continuously test and improve our algorithms to minimize bias and ensure equitable treatment.
16.3 Accessibility
If you need assistance accessing or understanding this policy, please contact us at legal@bytrustgate.com.
Appendix A: Glossary
| Term | Definition |
|---|---|
| Applicant | An individual undergoing identity verification through TrustGate |
| Biometric Data | Data relating to physical characteristics used for identification, including facial geometry |
| Customer | A business using TrustGate services to verify individuals |
| Data Controller | Entity that determines purposes and means of data processing |
| Data Processor | Entity that processes data on behalf of a controller |
| GDPR | General Data Protection Regulation (EU) 2016/679 |
| CCPA | California Consumer Privacy Act of 2018 |
| BIPA | Illinois Biometric Information Privacy Act, 740 ILCS 14 |
| CUBI | Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code Ann. Section 503.001 |
| PII | Personally Identifiable Information |
| SCCs | Standard Contractual Clauses for international data transfers |
This Privacy Policy was last updated on February 2, 2026.
TrustGate - Secure Identity Verification