Privacy Policy

Deep Identity Inc. collects several categories of information through the getai.id platform, each serving a distinct purpose in the operation of the UAIIP protocol and the provision of platform services.

When you create an account on getai.id, we collect the identity verification information necessary to establish your Verified Owner Credential (VOC). This information is processed through deepidv's existing biometric identity verification pipeline and may include a scan or photograph of your government-issued identity document (passport, driver's license, national identity card, or equivalent), a biometric facial photograph for comparison against the identity document, liveness detection data to confirm that the person presenting the document is physically present and not using a photograph, video replay, or deepfake, and the results of sanctions screening and politically exposed persons (PEP) checks conducted against authoritative international databases. The raw biometric data (facial photographs and liveness video) is processed for the sole purpose of identity verification and is not stored on the getai.id platform or on any public blockchain. Upon successful verification, we generate a cryptographic hash of your verified identity — the Verified Owner Credential (VOC) — which serves as a privacy-preserving pointer to your identity without containing any personally identifiable information itself. The VOC hash is recorded on-chain as part of your soulbound token. The underlying identity documents and biometric data are stored in encrypted form on deepidv's secure infrastructure, subject to the deepidv Privacy Policy available at deepidv.com/privacy, and are accessible only under the specific legal processes described in Section 5 of this Privacy Policy.

When you create an account, we also collect standard account information including your name, email address, organizational affiliation (if registering on behalf of an entity), country of residence or incorporation, and the password you create for your account. If you are registering on behalf of an organization, we may collect additional information about the organization, including its legal name, jurisdiction of incorporation, registered address, and the name and title of the authorized representative.

When you register an AI system on getai.id, we collect information about that system as part of the registration process. This includes the name or designation you assign to the system, the capability classification you declare (such as text generation, image generation, autonomous decision-making, financial transactions, or other categories as defined in the UAIIP specification), the jurisdictions in which the system is deployed or intended to be deployed, and a description of the system's purpose and functionality. If you submit your model for fingerprinting, we collect the model fingerprint — a SHA-3-512 cryptographic hash computed over the canonicalized model weights, architecture graph, and configuration metadata. If you use the full upload fingerprinting pathway, the model weights are temporarily processed in a secure, isolated compute environment solely for the purpose of computing the hash and are securely deleted immediately upon completion of the fingerprinting process. We do not retain, copy, store, train on, or derive any value from your model weights beyond the fingerprint hash. If you use the SDK-based fingerprinting pathway, the model weights never leave your infrastructure and only the resulting hash is transmitted to our servers. If you use the behavioral fingerprinting pathway, we collect the model's responses to our standardized prompt battery, which are used to generate a behavioral fingerprint vector and are then deleted.

When you use the getai.id platform, we automatically collect technical and usage information including your IP address, browser type and version, operating system, device type, referring and exit pages, pages visited on getai.id, timestamps of access, API call logs (including endpoints called, request parameters, response codes, and latency metrics), SDK version information, and blockchain transaction hashes associated with your account activity. We collect this information to operate, maintain, and improve the platform, to detect and prevent fraud and abuse, and to fulfill our legal and compliance obligations.

We may also collect information you voluntarily provide to us through support requests, feedback forms, survey responses, community forum posts, or other direct communications. This information is used to respond to your inquiries and to improve the platform and our services.

We use the information we collect for the following purposes. We use identity verification information to establish your Verified Owner Credential and to bind your registered AI systems to a verified human or organizational identity, which is the core function of the UAIIP protocol. We use account information to create and manage your account, to authenticate your access to the platform, to communicate with you about your account and our services, and to provide customer support. We use AI system registration information to register your systems in the AI Identity Registry, to mint soulbound tokens, to issue ASIDs, to generate and store model fingerprints, and to display public profile information for registered systems. We use technical and usage information to operate, maintain, secure, and improve the platform, to monitor performance and uptime, to detect and prevent abuse and unauthorized access, to enforce our Terms of Service and Acceptable Use Policy, and to generate aggregated, anonymized analytics about platform usage. We may also use your information to comply with applicable laws, regulations, legal processes, and governmental requests, to protect the rights, property, and safety of Deep Identity Inc., our users, and the public, and to enforce our Terms of Service.

We do not sell your personal information. We do not use your personal information to train artificial intelligence models. We do not use your biometric data for any purpose other than identity verification as described in this Privacy Policy and the deepidv Privacy Policy.

A critical architectural feature of the UAIIP protocol is the separation between on-chain and off-chain data storage, which is designed to balance transparency and accountability with privacy protection.

Information stored on the public blockchain (on-chain) includes the AI System Identifier (ASID), the Verified Owner Credential (VOC) hash (a cryptographic hash that does not contain or reveal any personally identifiable information), the model fingerprint hash, the capability classification vector, jurisdictional declaration flags, the registration timestamp, and the update history Merkle root. Because blockchain data is publicly accessible and immutable, no personally identifiable information, no raw biometric data, no identity document images, and no model weights are ever stored on-chain. The on-chain data is designed to be privacy-preserving by construction: even if every byte of on-chain data were publicly analyzed, it would not be possible to derive any personal information about the registered owner without access to the off-chain identity records held by Deep Identity Inc.

Information stored off-chain on Deep Identity Inc.'s secure infrastructure includes your account information, your identity verification records and biometric data, detailed AI system metadata (model descriptions, architecture details, lineage trees, compliance declarations), attestation credentials and API keys, support communications, and usage logs. Off-chain data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher, stored in infrastructure that complies with SOC 2 Type II standards, and accessible only to authorized Deep Identity Inc. personnel and systems on a strict need-to-know basis.

We do not sell, rent, or lease your personal information to third parties. We may share your information in the following limited circumstances. We may share information with service providers and subprocessors who perform services on our behalf, such as cloud hosting providers, payment processors, identity verification service providers, and customer support tools. These service providers are contractually bound to use your information only for the purposes of providing services to us and to maintain appropriate security measures. We may share information in response to valid legal process, including court orders, subpoenas, search warrants, or regulatory demands from government authorities with jurisdiction. When legally permitted, we will provide you with notice of such requests before disclosing your information. We may share information with law enforcement or regulatory authorities when we have a good-faith belief that disclosure is necessary to prevent imminent harm, to protect the rights or property of Deep Identity Inc. or third parties, or to comply with applicable law. We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, industry reporting, or other lawful purposes. In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity, subject to the commitments made in this Privacy Policy.

A fundamental principle of the UAIIP protocol is that pseudonymity is supported but anonymity is not. The identity of a registered AI system's owner is not publicly displayed by default, but it must always be recoverable by authorized parties under defined legal processes. This means that Deep Identity Inc. may disclose the real-world identity behind a Verified Owner Credential in response to a valid court order, subpoena, or similar legal process issued by a court or regulatory body with appropriate jurisdiction, a lawful request from a law enforcement agency investigating criminal activity, fraud, or threats to public safety, a regulatory inquiry from a governmental authority with supervisory jurisdiction over AI systems, identity verification, or financial services, or a valid request under international mutual legal assistance treaties (MLATs). We will evaluate each request on a case-by-case basis, considering its legal validity, scope, and potential impact on user privacy. When legally permitted, we will notify the affected user before making any disclosure and will cooperate with the user's efforts to challenge or narrow the scope of the request. We will disclose only the minimum amount of information necessary to satisfy the legal requirement.

We retain your information for as long as your account is active or as needed to provide you with our services. If you terminate your account, we will retain your account information and identity verification records for a period of five (5) years from the date of termination, as required by applicable anti-money laundering (AML) and know-your-customer (KYC) regulations, and thereafter we will securely delete or anonymize such information unless longer retention is required by applicable law. Technical and usage logs are retained for a period of two (2) years for security, auditing, and compliance purposes. Information stored on the public blockchain, including ASIDs, VOC hashes, fingerprint hashes, and soulbound tokens, cannot be deleted or modified due to the immutable nature of blockchain technology. This is a fundamental characteristic of the UAIIP protocol's design and is necessary to ensure the integrity and auditability of the AI Identity Registry. If you request deletion of your off-chain data, we will flag your on-chain registration status as “deactivated” to indicate that the associated identity records are no longer maintained, but the on-chain data itself will persist.

We implement and maintain administrative, technical, and physical security measures designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data at rest using AES-256 and in transit using TLS 1.2 or higher, role-based access controls with the principle of least privilege, multi-factor authentication for all administrative access, regular penetration testing and vulnerability assessments, continuous monitoring and intrusion detection systems, incident response procedures with twenty-four-hour response capabilities, employee security awareness training, and physical security controls at data center facilities. While we strive to protect your information, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities in accordance with applicable data breach notification laws, including within seventy-two (72) hours where required by the GDPR.

Deep Identity Inc. is headquartered in the United States, and the getai.id platform is operated from infrastructure located in the United States, Canada, and the European Union. If you access getai.id from a jurisdiction outside the United States, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where our infrastructure is located. We ensure that international data transfers comply with applicable data protection laws by implementing appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA, the UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom, and contractual commitments with service providers that provide equivalent protections.

Depending on your jurisdiction, you may have certain rights regarding your personal information. If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to access the personal data we hold about you, to request correction of inaccurate or incomplete data, to request deletion of your data (subject to the limitations described in Section 6 regarding blockchain data and regulatory retention requirements), to restrict or object to certain processing activities, to data portability (receiving your data in a structured, commonly used, machine-readable format), and to withdraw consent where processing is based on consent. If you are a California resident, you have the right to know what personal information we collect and how we use it, the right to request deletion of your personal information (subject to the same limitations), the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights. If you are a Canadian resident, you have the right to access your personal information, to challenge the accuracy and completeness of your information and have it amended as appropriate, and to withdraw consent to the collection, use, or disclosure of your information, subject to legal or contractual restrictions.

To exercise any of these rights, please contact us at privacy@deepidv.com. We will respond to your request within the timeframe required by applicable law, typically within thirty (30) days for GDPR requests and forty-five (45) days for CCPA requests. We may request additional information to verify your identity before processing your request.

The getai.id website uses cookies and similar tracking technologies to operate and improve the platform, to remember your preferences and settings, to understand how you use our website, to analyze website traffic, and to detect and prevent fraud. Essential cookies are necessary for the operation of the website and cannot be disabled. Analytics cookies help us understand how visitors interact with the website and are used to generate aggregated, anonymized usage statistics. We do not use advertising or tracking cookies on getai.id, and we do not serve advertisements on the platform. You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the website.

getai.id is not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under the age of eighteen without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@deepidv.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on getai.id with a revised “Last Updated” date and, for registered users, by sending an email notification. Your continued use of getai.id after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact our privacy team at privacy@deepidv.com or by mail at Deep Identity Inc., Attn: Privacy Officer, 535 Mission Street, San Francisco, CA 94105, United States. For privacy inquiries specific to the deepidv identity verification platform, please refer to the deepidv Privacy Policy at deepidv.com/privacy.