v2.1.0

Privacy Policy

Transparency is the foundation of trust. This policy outlines how Archonite processes, encrypts, and protects the identity data powering the modern web.

Effective: January 21, 2026

1. Introduction

Archonite Ltd. (Malta) ("Archonite", "We", "Us", "Provider") respects your privacy and is committed to protecting it through our compliance with this policy. This Privacy Policy describes the types of information we may collect from you or that you may provide when you visit our website or use our identity verification APIs, SDKs, and Dashboard ("Services").

We act primarily as a Data Processor on behalf of our Customers (the businesses requesting your verification). However, we act as a Data Controller regarding our direct Customer account information and website analytics.

Role Definitions:

  • Data Processor: When we verify an identity on behalf of a business client (our "Customer"), Archonite acts as a Data Processor. We process this data strictly based on the Customer's instructions and our Data Processing Agreement (DPA).
  • Data Controller: When you visit our marketing website, sign up for a developer account, or contact our support, Archonite acts as the Data Controller of your account information.

This policy adheres to the General Data Protection Regulation (GDPR), Service Organization Control (SOC 2), and the Data Protection Act (Chapter 586 of the Laws of Malta).

2. Information We Collect

(a) End-User Data (Verification Subjects)

When an individual undergoes verification, we collect strictly what is necessary to perform the service:

  • Government ID Images: Front and back images of passports, driver's licenses, national IDs, or residence permits.
  • Extracted PII: Data parsed via OCR such as Full Name, Date of Birth, Address, Nationality, Document Number, and Expiry Date.
  • Biometric Inputs: Selfie video or static images used for liveness analysis and facial matching.
  • Device Metadata: IP address, User-Agent, device model, and OS version (used exclusively for fraud detection and risk scoring).

(b) Customer Data (Business Clients)

To manage your access to the Archonite platform, we collect:

  • Account Info: Business email, hashed passwords (Argon2id), and company details.
  • Billing Details: Payment tokens (via Polar) and billing addresses. We do not store raw credit card numbers.
  • Integration Logs: API usage patterns, webhook endpoints, and developer activity logs.

3. Biometric Data Policy

Archonite processes "Biometric Data" (facial geometry and liveness vectors), which is classified as Sensitive Personal Information. We adhere to the strictest standards regarding this data.

(a) Definition & Nature

We generate a mathematical representation (a "template" or "vector") of your facial features using 3D Liveness Detection. This template is used to compare your selfie against the photo on your ID document. This template is proprietary and cannot be reverse-engineered into a photograph.

(b) Explicit Consent (BIPA/GDPR)

Biometric processing never occurs without affirmative consent. Our SDKs include a mandatory consent screen where End-Users must explicitly agree to the collection of biometric data before the camera is activated.

(c) Prohibited Uses

Archonite creates biometric templates solely for identity verification and fraud prevention. We do not, and will not, sell, lease, trade, or profit from biometric data. We do not use biometric data for surveillance or behavioral advertising.

(d) Retention Schedule

Biometric templates are transient by default. They are permanently destroyed immediately upon the completion of the verification session or within a maximum of 30 days, unless a valid legal order requires preservation.

4. Purposes of Processing

We process data based on the following legal grounds:

  • Contractual Necessity: To fulfill the verification requests initiated by our Customers.
  • Legal Obligation: To comply with Anti-Money Laundering (AML), Know Your Customer (KYC), and Counter-Terrorism Financing (CTF) regulations.
  • Legitimate Interests: To detect and prevent fraud across our network (e.g., identifying a fake ID used across multiple clients) and to ensure network security (DDoS mitigation).
  • Consent: For specific sensitive data processing (Biometrics) or optional marketing communications.

Model Improvement: We may use de-identified, anonymized, and aggregated data to train and improve our computer vision models (e.g., to reduce bias in facial recognition). This data cannot be linked back to any specific individual.

5. Sharing & Disclosures

We disclose Personal Information only in the following controlled scenarios:

(a) To the Customer

The Business Client who initiated the request receives the full verification report. They act as an independent Controller of this data once received.

(b) Trusted Sub-processors

We engage third-party vendors who are bound by Data Processing Agreements (DPAs) and confidentiality clauses. Refer to our Subprocessors List for full details.

  • Vercel: Cloud Infrastructure & Hosting.
  • Supabase: Database & Storage for encrypted user states.
  • Gemini API: AI-driven anomaly detection and liveness analysis.
  • Polar: Payment Processor for handling billing transactions.
  • Hostinger Mail: Transactional email service provider.
  • GitHub: Source Code Management.

(c) Legal Requirements

We may disclose data to law enforcement if compelled by a valid court order, subpoena, or search warrant. We challenge such requests if they are overly broad or lack legal basis.

(d) Corporate Transactions

In the event of a merger, acquisition, or sale of assets, customer data may be transferred as a business asset, subject to the acquirer respecting this privacy policy.

6. Security Measures

We implement a defense-in-depth security strategy designed to protect data against unauthorized access, alteration, and destruction.

  • Encryption: All sensitive data is encrypted using AES-256 at rest. Credentials are hashed using Argon2id. All payloads are secured via Archonite Signed Payload (ASP) logic.
  • Access Control: We use Role-Based Access Control (RBAC) and Mandatory Multi-Factor Authentication (MFA) for all internal systems. No engineer has standing access to production customer data (Just-In-Time access only).
  • Guardrail Sentinel AI: Our proprietary autonomous agent monitors system health and security patterns in real-time, flagging potential fraud or security anomalies.
  • Incident Response: In the event of a data breach, we will notify affected Customers and regulatory authorities no later than 48 hours after becoming aware of the breach, in accordance with GDPR/PDPA/HIPAA requirements.

HIPAA Compliance

Archonite is fully compliant with HIPAA standards for handling ePHI. This includes strict access control, audit trails, and Business Associate Agreements (BAA) with all relevant sub-processors.

7. Retention & Deletion

We retain data for 6 years following account closure.

Data Type            | Retention Period  | Purpose
Biometric Vectors    | Max 30 Days       | Verification & Fraud prevention window
Document Images      | 90 Days (Default) | Dispute resolution & Audit
Transaction Logs     | 6 Years           | Financial, AML, and CTF regulatory compliance
Unsubmitted Sessions | 24 Hours          | Security & Debugging

Note: In instances where AML laws mandate data retention (e.g., 6 years), this legal obligation takes precedence over "Right to Erasure" requests.

8. International Transfers

Archonite is a global company. Data collected in the EEA, UK, or Switzerland may be transferred to, and stored at, a destination outside the European Economic Area (specifically Malta and the EEA).

In addition, our Privacy Policy incorporates the EU Commission's latest Standard Contractual Clauses (SCCs) for transfers to third countries.

9. Your Privacy Rights

Depending on your jurisdiction (GDPR, CCPA, PDPA), you possess specific rights regarding your personal data:

The Right to Access

You have the right to request copies of your personal data.

The Right to Rectification

You have the right to request that we correct any information you believe is inaccurate.

The Right to Erasure

You have the right to request that we erase your personal data ("Right to be Forgotten"), subject to overriding legal obligations (e.g., maintaining fraud records or AML laws).

The Right to Object

You have the right to object to our processing of your personal data for direct marketing purposes.

Exercising Your Rights

If you verified your identity with an Archonite Customer, please contact them directly, as they are the Data Controller. If you contact us, we are legally required to redirect your request to the Customer. For direct inquiries regarding Archonite's own data handling, email dpo@archonite.xyz.

10. Children's Privacy

Our Service is strictly intended for individuals 18 years of age or older. We do not knowingly collect, use, or disclose personal data from children under 18. If we identify that a verification attempt involves a minor (via OCR of the Date of Birth), the system is configured to automatically reject the transaction and purge the data immediately, unless the Customer has configured specific "Parental Consent" flows compliant with COPPA/GDPR-K.

11. Updates to Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date."

For Enterprise customers, we provide email notifications 30 days prior to material changes affecting data processing terms.

12. Contact & Address

Your privacy is our priority.