Data retention and deletion policies

Last updated: October 28, 2024

The retention and deletion policy for a biometric profile (Special Category Personal Data and other Personal Data) can be customized for each service provider.

Default detention policies

The default deletion policies are:

  • 60 days for normal transactions.

  • 90 days for suspected fraudulent transactions.

If you need to retain data for longer periods, iProov can contract with your organization to enable one of the following:

  • The retention of data by iProov and the secure handover of all data when a contract terminates.

  • The regular, secure transfer of data to your organization so that all data is already held by you when a contract terminates.

Verifier data retention period

For Verifier, an indefinite data retention period is required or until the user account is terminated. Verifier validates a claim against an existing biometric profile held securely on the iProov system. Profile data needs to be retained to allow subsequent authentication attempts.

Anonymized data

Data retained in iProov databases are anonymized biometric profiles with associated keys for identification to the other processing elements of the platform. iProov also retains a single image for each profile as reference for future claims. Both these data assets can be deleted and the face anonymized. iProov does not store or process data outside of the cloud environments we deploy to:

  • Microsoft Azure

  • Google Cloud Platform

  • Amazon Web Services

These environments all have established certified processes for dealing with the storage estate they provide.

Important

Support may not be able to investigate transactions after data is deleted.

Next step

Configure service providers as production services