Biometric Policy Skip to content

Legal | Biometric Policy

Biometric Policy

Last updated: Oct 13, 2023


GeoComply Solutions Inc. (“GeoComply” or “we”) has developed this Biometric Data Privacy Policy (this “Policy”) to describe how we and our service providers collect, store, use, retain, and disclose biometric data received from our customers’ applications and services to verify the identities of their end-users and provide related anti-fraud and cybersecurity services. As used in this Policy, biometric data includes “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.

Additional information for how we generally manage personal data may be found in our privacy statement.

Purpose of our collection of biometric data

We may collect, retain, and use individuals biometric data for the purposes of assisting our customers with their legal obligations for verifying the identities of their end-users for fraud prevention purposes (e.g. anti-money laundering). For example, you may be asked to provide a photo of yourself (selfie) and a copy of your government issued photo identification for facial comparison purposes to legally access sports wagering applications or financial services organizations. GeoComply does not create or store biometric models or data; we provide our customers access to the following vendors for processing biometric data:

IDVerse (OCR Labs)

GeoComply customers may use an identity verification service performed by IDVerse, which is a trading name of OCR Labs. If you are resident in the USA or Canada then it is performed by OCR Labs Global (USA) Inc (a Delaware corporation), if you are resident in Europe, the Middle East or Africa then it is performed by OCR Labs Global Limited (an English company) and if you are resident anywhere else then it is performed by OCR Labs Pty Ltd (a New South Wales, Australia company).

If you are a US resident then please see IDVerse’s US biometric statement in its Privacy Policy.

IDVerse verifies your ID is genuine and then extracts all of the data on the identity document. Data extracted includes the data written on the ID doc and your picture, and also data in any barcode, machine readable zone or in the chip (if the chip is being read). IDVerse sends that data to us. In the user flow you can correct any data extracted incorrectly. If you do correct any incorrect data then IDVerse will take just the incorrect character (and no personal data) from the ID document to make sure it does not make that mistake again.

IDVerse uses your biometric data to check you are a real person, to extract your face from the ID document and to compare that against your selfie to ensure you are the right person, and for anti-fraud purposes. IDVerse deletes your biometric data within 7 days of initial collection.

IDVerse also uses location information from your device for anti-fraud purposes.


GeoComply Customers may use an identity verification service performed by Aristotle. Aristotle uses your biometric data to check you are a real person, to extract your face from the ID document and to compare that against your selfie to ensure you are the right person, verify your age, and for anti-fraud purposes. Aristotle maintains your biometric data for up to 3 years for audit and age verification challenge purposes.

Please see Aristotle’s Privacy Policy for more information.


We will not disclose individual biometric data to any third party, other than vendors who directly assist with the biometric verification process unless:

  1. You or your legally authorized representative provide consent to such disclosure;
  2. The disclosure is required by local, state, or federal law; or
  3. The disclosure is required pursuant to a valid warrant or subpoena.

Please see our “Law Enforcement Request Policy” for more information.

Storage and security

We use commercially reasonable organizational, technical, and administrative methods designed to protect biometric data within our organization. This includes ensuring that any storage and transmission of biometric data is encrypted. Our security controls are independently reviewed by a SOC2 Type II auditor on an annual basis. Please see our Trust Center for more information on our privacy policies and security controls.

Retention schedule and destruction

GeoComply will retain biometric data only for as long as needed, as reasonably required by our customers, or as permitted for the purposes stated in this policy, unless a longer retention period is permitted or required by applicable law. We will request that our vendors permanently destroy such data when the initial purpose for collecting or obtaining such biometric data has been satisfied in compliance with their data retention policies.

Contact Us

If you have questions about this Biometric Data Privacy Policy, please contact GeoComply’s privacy team at