Privacy Policy
Last updated: January 1, 2025
At MID (Mobile Identity), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile identity verification platform, including our mobile application, web services, and API.
1. Information We Collect
Personal Information
| Data Type | Purpose | Storage |
|---|---|---|
| Full name | Identity verification | Encrypted, server-side |
| Email address | Account management | Encrypted, server-side |
| Phone number | Two-factor authentication | Encrypted, server-side |
| Government ID | Document verification | Processed, not stored permanently |
| Facial biometrics | Liveness detection | On-device only — never uploaded |
| Date of birth | Age verification | Encrypted, server-side |
2. How We Use Your Information
Identity Verification
Verifying your identity through document scanning and biometric matching to establish trust.
Authentication
Providing secure, passwordless authentication using FIDO2 standards and biometric verification.
Consent Management
Facilitating transparent data sharing consent between you and requesting organizations.
Service Improvement
Using anonymized, aggregated data to improve accuracy, speed, and reliability of our platform.
Security & Fraud Prevention
Detecting and preventing unauthorized access, fraud, and abuse of our platform.
Legal Compliance
Meeting regulatory obligations under GDPR, CCPA, HIPAA, and other applicable laws.
3. Data Storage and Security
On-Device Storage
- Biometric templates — stored exclusively in the device's Secure Enclave (iOS) or TEE (Android)
- FIDO2 private keys — generated and stored in hardware-backed keystores
- Identity documents — encrypted with AES-256 on the device
- Session tokens — stored in secure, encrypted app storage
4. Data Sharing and Disclosure
We do not sell your personal information. We may share data only in these circumstances:
- With your consent — When you explicitly authorize a third party to receive your verified identity data through a consent session.
- Service providers — Trusted partners who process data on our behalf under strict contractual obligations.
- Legal requirements — When required by law, regulation, legal process, or governmental request.
- Safety and security — To protect against fraud, security threats, or abuse of our platform.
- Business transfers — In connection with a merger, acquisition, or sale of assets (with prior notice).
5. Your Rights and Choices
Right to Access
Request a copy of all personal data we hold about you.
Right to Rectification
Correct inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data ("right to be forgotten").
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Restriction
Request restriction of processing of your personal data.
Right to Objection
Object to processing based on legitimate interests.
6. Children's Privacy
MID is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware of such collection, we will promptly delete the data.
7. International Data Transfers
MID operates globally and may transfer data to countries outside your jurisdiction. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized mechanisms.
8. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days | Contract |
| Verification results | 5 years | Legal obligation (KYC/AML) |
| Authentication logs | 90 days | Legitimate interest |
| Consent records | 7 years | Legal obligation |
| Analytics data | 12 months (anonymized) | Legitimate interest |
9. Cookies and Tracking
Our web services use essential cookies for authentication and security. We do not use tracking cookies for advertising purposes. Analytics cookies are used only with your explicit consent and can be disabled at any time.
10. Regional Compliance
European Union (GDPR)
Full compliance with the General Data Protection Regulation. DPO appointed, lawful basis documented for all processing.
California (CCPA/CPRA)
Full compliance with California consumer privacy rights, including the right to opt out of data sales.
United States (HIPAA)
BAA available for healthcare customers. PHI handled according to HIPAA Security and Privacy Rules.
Nigeria (NDPR)
Compliance with the Nigeria Data Protection Regulation for all Nigerian users and data.
11. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect. Continued use of MID after the effective date constitutes acceptance of the updated policy.
12. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Data Protection Officer: privacy@mobid.io
General Inquiries: support@mobid.io
Address: MID Technologies, Stockholm, Sweden