Version 1.0
Effective: 25 February 2026

Privacy Policy

Deep-Check processes special-category biometric data. We are committed to full transparency about what we collect, why, and how we protect it.

GDPR Article 9 Notice — Biometric data used for the purpose of uniquely identifying a natural person is a special category of personal data under EU Regulation 2016/679 (GDPR). Processing such data requires explicit consent or another lawful basis. Deep-Check only processes biometric data with the explicit, informed consent of the data subject.

1. Data Controller

Deep-Check Inc. (“Deep-Check”, “we”, “us”) is the data controller for personal data processed through this platform.

Contact: privacy@deep-check.io

Data Protection Officer (DPO): dpo@deep-check.io

2. Data We Collect

2.1 Biometric Data (Special Category — Art. 9 GDPR)

Data Type | Description | Purpose
Keystroke dynamics | Flight times (inter-key intervals), hold times, typing rhythm patterns | Identity verification sessions and enrollment
Facial landmarks | 68-point facial landmark vectors derived from camera feed | Liveness detection during active sessions only
Eye gaze vectors | Horizontal/vertical gaze ratio history | Anti-deepfake analysis during active sessions
Blink patterns | EAR (Eye Aspect Ratio) measurements, blink frequency | Liveness scoring during active sessions

⚠ Raw video or images are never stored. Only derived numerical vectors are processed. Raw biometric signals exist only in browser memory during an active session and are discarded immediately after.

2.2 Document Forensics Data

Data Type | Description | Purpose
Image thumbnails | Low-resolution (320px) JPEG representation of uploaded images | Case reference and audit trail
ELA heatmap | Error Level Analysis visualization of uploaded image | Forensic evidence for the analysis report
EXIF metadata | Camera make/model, software, timestamps extracted from uploaded images | Anomaly detection
Forensic scores | Numerical risk scores (0–100) per analytical module | Fraud detection output

2.3 Standard Personal Data

Data Type | Description | Purpose
Candidate name | Text field, provided by the operator | Session identification
Email address | Optional, provided during enrollment | Profile linking across sessions
Session metadata | Timestamps, session duration, alert counts | Audit and compliance

3. Legal Basis for Processing

Category | Legal Basis | Notes
Biometric data (keystroke, facial) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a) GDPR) | Withdrawn at any time via account deletion request
Session metadata | Legitimate interest (Art. 6(1)(f)) / Contract (Art. 6(1)(b)) | Fraud prevention and service delivery
Document forensic data | Consent of the operator + data subject where applicable | Fraud detection in document workflows

4. Privacy by Design Architecture

Deep-Check is architected to minimise biometric data exposure:

  • Client-side processing — All biometric signal extraction (face detection, keystroke analysis) runs entirely in the user's browser using WebAssembly (ONNX Runtime Web) and the Canvas API. Raw video frames and keystroke events never leave the device.
  • Vector-only transmission — Only derived numerical feature vectors (18 floating-point values) are sent to our servers for ML inference. These vectors cannot be used to reconstruct the original biometric signal.
  • No persistent raw biometrics — We do not store video recordings, audio, raw images, or keystroke sequences. Enrollment profiles store statistical aggregates (mean, standard deviation) only.
  • Automatic expiry — Enrollment profiles expire after 90 days and are permanently deleted.
  • Pseudonymisation — Sessions are identified by UUIDs with no direct link to personal identity unless explicitly provided by the operator.

5. Data Retention

Data Type | Retention Period | Notes
Enrollment biometric profiles | 90 days from creation | Automatic deletion on expiry
Session assessments | 12 months | Operator may request earlier deletion
Document forensic analyses | 24 months | Required for audit trail integrity
API keys | Until revoked by operator | Active key management required
Server logs | 30 days | Security and debugging only

6. Data Transfers

Data is stored in Supabase infrastructure hosted in the EU (eu-west-1, Ireland). No personal data is transferred to third countries outside the EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decision).

Sub-processors:

  • Supabase Inc. — Database and storage (DPA in place, EU hosting)
  • Vercel Inc. — Application hosting (DPA in place, EU edge nodes available)

7. Your Rights (GDPR Articles 15–22)

Right | Description
Access (Art. 15) | Request a copy of all personal data we hold about you
Rectification (Art. 16) | Correct inaccurate data
Erasure (Art. 17) | Request deletion of your data ("right to be forgotten")
Portability (Art. 20) | Receive your data in a machine-readable format
Object (Art. 21) | Object to processing based on legitimate interest
Withdraw consent (Art. 7(3)) | Withdraw consent for biometric processing at any time — without affecting prior lawful processing
Lodge a complaint | Contact your national supervisory authority (Spain: AEPD — www.aepd.es)

To exercise any right: privacy@deep-check.io — we respond within 30 days.

8. Cookies

Deep-Check uses only technically necessary cookies (session state, authentication tokens). We do not use advertising, tracking, or analytics cookies without your consent. A consent banner is shown on first visit for any non-essential cookies.

9. EU AI Act Compliance

Deep-Check operates identity verification systems that may fall under the EU AI Act (Regulation 2024/1689) as high-risk AI systems in the context of employment and education access (Annex III). We are committed to:

  • Maintaining a technical documentation file per Article 11
  • Implementing human oversight mechanisms per Article 14
  • Ensuring transparency toward affected persons per Article 13
  • Conducting conformity assessments prior to deployment in regulated contexts

Contact compliance@deep-check.io for AI Act compliance documentation requests.

10. Changes to This Policy

We will notify operators of material changes 30 days in advance via email. The current version is always available at this URL. Previous versions are available on request.