Privacy Policy

Last updated: March 13, 2026

Authentically (“we,” “us,” or “our”) is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how long we keep it, and your rights regarding your information.

1. What Data We Collect

  • Phone number — We collect your phone number for identity verification via one-time passcode (OTP). We store a salted cryptographic hash and the last four digits to prevent duplicate accounts; we do not store the raw phone number after verification is complete.
  • Email address — You may optionally provide an email address during onboarding to receive notifications when employers view your credentials.
  • Name — If you complete identity verification, your name is extracted from your government ID and stored to associate your credential with your verified identity.
  • Face embedding (biometric) — During the identity verification step, a 128-dimensional biometric face embedding is derived from your selfie photograph. This embedding is used to confirm you are a unique individual and to prevent duplicate accounts.
  • Selfie photograph — Your selfie photograph is stored encrypted at rest (AES-256-GCM) so you can see it on your dashboard. We do not store the government ID image.
  • Government ID data — An image of a government-issued photo ID is submitted to extract identity fields (name, date of birth, expiry date, state). We process this image through an AI OCR service. We do not store the ID image. Your date of birth and ID number are used only to generate a one-way hash for duplicate prevention and are not stored in their original form. The ID expiry date and issuing state are stored to verify document validity.
  • Attestation data — For each job application you verify, we store the company name, job title, job URL, resume filename, and a cryptographic hash of the resume file. This data forms your verifiable credential record.
  • Credential activity — When an employer views or verifies your credential, we record the event type, timestamp, and a partial hash of the viewer's IP address. This powers the activity tracking on your dashboard.
  • Passkeys — If you register a passkey for passwordless login, we store the public key and credential identifier associated with your device. Private keys never leave your device.
  • Referrals — If you use a referral link, we record the referral relationship between accounts to grant bonus verifications.

2. Why We Collect It

  • Identity verification — confirming that each account belongs to a unique real person
  • Credential issuance — generating cryptographically signed, verifiable job-application records
  • Fraud prevention — detecting and blocking duplicate accounts or automated submissions
  • Billing — processing subscription payments for Pro plan users
  • Service delivery — displaying your verification history, profile, and credential activity
  • Notifications — sending you alerts when employers view your credentials (if you provide an email)

3. How Long We Retain Your Data

  • Free tier credentials — Verifiable credentials expire and are deleted after 90 days from issuance.
  • Pro tier credentials — Verifiable credentials expire and are deleted after 180 days from issuance.
  • Biometric data — Face embeddings and encrypted selfie images are deleted upon account deletion or upon written request, whichever comes first.
  • Government ID images — ID images are processed for data extraction and discarded; they are not stored. The ID expiry date and issuing state are retained with your account.

4. Third-Party Processors

We share data with the following third-party service providers solely to operate the service. Each processor is contractually obligated to use your data only as directed by us.

  • Twilio — Phone number verification and OTP delivery. Twilio receives your phone number to send a one-time passcode. Privacy policy: twilio.com/legal/privacy
  • Stripe — Payment processing for Pro subscriptions. Stripe receives billing information you provide at checkout. We do not store full payment card numbers. Privacy policy: stripe.com/privacy
  • Anthropic — AI-powered OCR for government ID data extraction. Anthropic processes the ID image you submit to extract identity fields. Images are not retained by Anthropic beyond the API request lifecycle. Privacy policy: anthropic.com/legal/privacy
  • Neon — Database hosting for all account and credential data. Neon provides the PostgreSQL infrastructure on which your data is stored. Privacy policy: neon.tech/privacy-policy

5. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Deletion — Request deletion of your account and all associated personal data, including biometric data. You can delete your account from your account settings, or email privacy@authentically.me with the subject line “Delete my account.” We will process your request within 30 days. To prevent duplicate registrations, identity verification hashes are retained for 90 days after deletion and then permanently destroyed.
  • Portability — Request an export of your data in a machine-readable format.
  • Correction — Request correction of inaccurate personal data.
  • Objection — Object to certain processing activities.

To exercise any of these rights, contact us at the email address in Section 7.

6. Biometric Data (Illinois BIPA Notice)

If you are a resident of Illinois, the Illinois Biometric Information Privacy Act (BIPA) provides additional protections for your biometric data.

  • Consent — By proceeding through the identity verification step, you expressly consent to our collection, storage, and use of your face geometry / biometric face embedding and encrypted selfie photograph for the purpose of preventing duplicate accounts, verifying your unique identity, and displaying your profile on your dashboard.
  • Retention schedule — Biometric identifiers and biometric information (face embeddings and encrypted selfie images) are retained only for as long as your account is active. They will be permanently destroyed upon the first of: (a) account deletion request, (b) written request to delete biometric data, or (c) three (3) years from the date of your last interaction with Authentically.
  • Destruction — Biometric data is permanently deleted from our systems and from any third-party processors that handled it upon the applicable retention period or deletion request.
  • No sale of biometric data — We do not sell, lease, trade, or otherwise profit from your biometric data.

7. Contact Information

For privacy inquiries, data requests, or to exercise any of your rights, please contact us at:

privacy@authentically.me

We will respond to all privacy requests within 30 days.