Get in Touch

airis:ident Verification Privacy Notice (End Users)

Last updated: February 2026

This Verification Privacy Notice explains how irisnet GmbH (“Irisnet”, “we”, “us”) processes personal data when you complete an identity verification, proof of address check, or AI-based age estimation (together, the “Verification Services”) branded as airis:ident.

You are completing this verification as part of a process required by the organisation, platform, or service that directed you to this verification (the “Customer”). This may be done, for example, to create or protect an account, verify eligibility or age, prevent fraud, or comply with legal or regulatory requirements.

This notice applies to the Verification Services only. If you want information about data processing on our public websites (e.g., website analytics, contact forms), please refer to our separate website privacy notice: https://shop.airisident.com/privacy-policy/.

1) Who we are

Provider of the Verification Services:
irisnet GmbH
Niederkasseler Lohweg 175
40547 Düsseldorf, Germany

Contact: [email protected]
Data Protection Officer: [email protected]

2) Roles: Customer as Controller, Irisnet as Processor

In most cases:

  • The Customer decides why and how your personal data is processed for verification (e.g., legal compliance, fraud prevention, age gating). The Customer therefore acts as the data controller.
  • Irisnet provides the Verification Services to the Customer and processes personal data on the Customer’s behalf, acting as a data processor.

This means:

  • The Customer is responsible for explaining why verification is required and how the Customer uses and stores the result.
  • Irisnet processes your data primarily to run the verification, provide the result to the Customer, and operate and secure the service.

If you have questions about the Customer’s decisions (e.g., “Why do you need this check?” “What happens if I fail?”), please contact the Customer directly.

3) What Verification Services we provide

Our Verification Services currently include:

  1. Identity Verification (ID document check + selfie face match to the ID)
  2. Proof of Address Check (e.g., bank statement or utility bill if the ID document does not contain an address)
  3. AI-based Age Estimation (selfie-based age estimation)

4) What personal data we process

The data processed depends on which checks the Customer has enabled.

  1. A) Identity Verification (ID document + selfie face match)

We may process:

  • Images of your identity document (front/back depending on document type)
  • Extracted data from the document (e.g., name, date of birth, document number, expiry date, issuing country)
  • Selfie image you submit
  • Face matching signals/results (comparison of selfie to document photo)
  • Document authenticity/integrity signals (e.g., checks for tampering indicators)
  1. B) Proof of Address Check

We may process:

  • Proof-of-address document you submit (e.g., utility bill, bank statement)
  • Extracted address details and validation signals (e.g., whether the document appears to show your address and meets the Customer’s requirements)
  1. C) AI-based Age Estimation

We may process:

  • Selfie image (and, if enabled, liveness/anti-spoofing signals)
  • Age estimation output, such as an estimated age and/or a pass/fail outcome against an age threshold configured by the Customer
  1. D) Technical and usage data

To operate and secure the service, we may process:

  • IP address, timestamps, device/browser information, session identifiers, logs
  • Security and fraud-prevention signals (e.g., anomaly indicators, repeated attempts)

Special categories / biometric data

Some verification steps may involve biometric data (e.g., face matching) and may be treated as special category data under the GDPR depending on how the Customer uses the result. Where this applies, Irisnet processes such data only to provide the Verification Services and only under the Customer’s instructions.

5) Where the data comes from

We receive data:

  • from you (documents, selfies, information you submit during the verification flow),
  • from your device automatically (technical data needed to deliver the service securely).

6) Why we process your data (purposes)

We process your data to:

  1. Perform the Verification Services requested by the Customer (ID check, face match, proof of address check, age estimation).
  2. Provide verification results to the Customer via our API (e.g., pass/fail, confidence signals, and relevant supporting details as configured by the Customer).
  3. Protect security and prevent fraud, including detecting spoofing attempts, abuse, and threats to the service.
  4. Operate, maintain, and improve reliability of the Verification Services (e.g., troubleshooting, quality assurance, performance monitoring). Where possible, we use aggregated or de-identified information for analytics and service improvements.
  5. Comply with legal obligations applicable to Irisnet (e.g., responding to lawful requests, security obligations).

7) Legal bases (GDPR)

Because the Customer typically acts as controller, the Customer determines the primary legal basis for requesting and using verification.

Common legal bases used by controllers for verification include:

  • Performance of a contract or steps prior to entering into a contract (Art. 6(1)(b) GDPR),
  • Compliance with legal obligations (Art. 6(1)(c) GDPR),
  • Legitimate interests such as fraud prevention and platform integrity (Art. 6(1)(f) GDPR),
  • Consent where required by the Customer’s compliance approach (Art. 6(1)(a) GDPR).

Where special category/biometric processing applies, the Customer must ensure an applicable Art. 9 GDPR condition (often explicit consent, depending on context and local requirements).

Irisnet processes personal data as processor under the Customer’s instructions and under a data processing agreement.

8) Automated decision-making

Our systems may generate automated outputs (e.g., “match/no match”, “document valid/invalid”, “estimated age”, or “meets age threshold”) to provide the Verification Services.

Whether and how these outputs are used to make a final decision (e.g., granting access, approving registration, allowing a purchase) is determined by the Customer. If you want to understand the decision logic or request human review (where applicable), please contact the Customer.

9) Who we share data with

We do not sell your personal data.

We may share data with:

  1. The Customer
    We return verification results and related information to the Customer via API, according to the Customer’s configuration.
  2. Subprocessors (service providers)
    We use vetted service providers to help us deliver the Verification Services (e.g., infrastructure, security, and verification technology). Our current subprocessors are listed in the Subprocessor table in our MSA/DPA documentation: https://shop.airisident.com/terms-and-conditions/
  3. Professional advisors and compliance
    Lawyers, auditors, insurers, or consultants where necessary for our legitimate business purposes.
  4. Authorities / legal requests
    Where required by law or where necessary to respond to valid legal process.

10) International data transfers

Your data may be processed in the European Union/European Economic Area (EU/EEA) and may be accessed or processed by service providers in other countries (including the United Kingdom), depending on the Customer configuration and our subprocessors.

Where transfers to countries outside the EU/EEA occur, we implement appropriate safeguards, such as:

  • adequacy decisions (where applicable), and/or
  • Standard Contractual Clauses (SCCs) and additional technical/organizational measures where required.

11) How long we keep data (retention)

We retain personal data only as long as necessary to:

  • provide the Verification Services and return results to the Customer,
  • support quality assurance, service operations, and customer support (e.g., investigating issues raised by the Customer),
  • maintain security and prevent fraud, and
  • meet legal obligations applicable to Irisnet.

After that, we delete or anonymize data in accordance with our retention practices and contractual obligations.

The Customer may retain the results or evidence separately under the Customer’s own privacy notice and legal requirements. Please contact the Customer for details on their retention.

12) Security

We implement appropriate technical and organizational security measures designed to protect your data (e.g., encryption in transit, access controls, logging, incident response, and least-privilege access).

No system can be guaranteed 100% secure. If you believe your personal data has been compromised in connection with a verification session, please contact the Customer and/or Irisnet using the contact details below.

13) Your rights and how to exercise them

Depending on your location and applicable law, you may have rights such as:

  • access to your data,
  • rectification,
  • deletion,
  • restriction of processing,
  • objection,
  • data portability,
  • and the right to lodge a complaint with a supervisory authority.

Because the Customer is typically the controller, you should usually contact the Customer first to exercise your rights.

If you contact Irisnet directly, we may:

  • ask for information to identify the relevant verification session, and
  • forward or coordinate your request with the Customer where we act as processor.

Contact (Irisnet / DPO): [email protected]

14) Complaints

You may have the right to lodge a complaint with a data protection supervisory authority. In Germany, this may be the authority in your federal state or the state of our registered location.

15) Updates to this notice

We may update this Verification Privacy Notice from time to time. We will publish the updated version and change the “Last updated” date above.

16) Contact

irisnet GmbH
Niederkasseler Lohweg 175
40547 Düsseldorf, Germany

General: [email protected]
Data Protection Officer: [email protected]