Skip to main content
Version: v2.0 (latest)

Data Retention and Privacy

A few commitments govern what OIDC Web keeps:

  • Hosted biometric profiles are retained according to the retention policy of the iProov service configuration backing your account. You can delete a profile at any time through the user-management API. Your iProov representative can describe or change the retention setup.

  • Everything else is ephemeral. For logins without a hosted profile (liveness-only), we remove all session material from the production system as soon as the success or failure response is returned to you. The key pair securing the transaction is deleted with it. Persistence exists only in audit logs — one-way encrypted with a key held offline and never available to the production system.

  • We never store your login_hint. The identifier you send is not retained. Before anything is persisted, it is turned into an opaque biometric profile UUID through a double, salted hash:

    1. A per-client (service-provider) salt and a cluster-wide secret are combined and hashed into an intermediate salt.
    2. Your login_hint is then combined with that intermediate salt and hashed again (SHA3-512); the first bytes of the digest become the profile UUID.

    The construction is one-way and bound to both salts, which gives two guarantees. First, your user namespace is private: the same email enrolled by two different customers yields two unrelated profiles, because the per-client salt differs. Second, the mapping from a real username to a biometric profile cannot be reconstructed from what we store — not even by iProov administrators, who would additionally need both salts and the original identifier to do so.

Opting out — Do not hash login_hint. A client can be configured (in iPortal) to skip this hashing. In that mode you must supply a valid UUID directly as the login_hint, and OIDC Web uses it verbatim as the profile identifier. The purpose is interoperability: it lets you reuse biometric profiles you already hold in iProov's classic biometrics API, which are keyed by UUID. Use it only when you need that reuse — otherwise leave hashing on, since it is what keeps your identifiers private.