Can you trust age verification agencies with your data?
The UK’s Online Safety Act has sparked concerns about exactly how age verification firms work

Since the Online Safety Act (OSA) came into force in the UK on July 25, 2025, experts have expressed a range of concerns about the security implications of the law.
The act requires social media platforms and sites that host adult material to confirm the age of users before they are able to access content that may be unsuitable for under-18s.
Many sites and platforms have partnered with specialist third-party agencies that handle the processing of personal information provided by users to confirm their ages.
The best VPNs have seen a huge spike in sign-ups in the UK as people attempt to bypass age verification checks.
Many users are worried about the possibility of their information being stored, shared, or used for purposes such as AI training.
Given the sensitivity of this information, which can include ID scans, email addresses, phone numbers, and identifying photographs, it’s a reasonable concern. This is compounded by the act’s stipulation that checks should be "accurate, robust, reliable and fair," but without specifying that data should be stored securely.
So, it's up to the third parties employed by these platforms to handle your sensitive data appropriately. Here’s what some of the leading age verification agencies say about how they handle user data.
Yoti (used by Spotify, Bluesky, and Meta)
Yoti provides identity and age verification services and offers a digital ID platform. It can check ages via facial age estimation, ID verification, credit card checks, database checks, email age estimation, and mobile phone provider checks.
In its privacy policy, Yoti states, "For most age-checking methods, the data is deleted as soon as the check is complete." This applies to images and credit card information, among other details.
The only information supplied to Yoti’s client is either your age in years or whether you are above the client’s age requirement threshold.
Where a third-party provider is involved in the process, however, they can retain the information for considerably longer. In the case of mobile provider checks, they may retain a record for up to two years.
In addition, the client can extend the time given to Yoti to run checks to up to 28 days, during which the firm will retain your information. Yoti will also retain data when it is required to by law enforcement agencies and regulatory bodies.
In terms of security, the provider has SOC 2, ISO 9001:2015, and ISO/IEC 27001:2022 accreditation, certifying that it has robust security systems and that it meets international standards for data security management.
All age verification checks are processed within the UK or in US, EU, or UK AWS regions, meaning that they fall under GDPR.
Persona (used by Reddit and X)
Persona offers age verification, identity confirmation, and Know Your Customer (KYC) and Know Your Business (KYB) services. It runs checks via selfie age estimation, ID scans, and database checks.
The company doesn’t have a distinct privacy policy for its age verification service, unfortunately. In addition, Persona’s standard privacy policy doesn’t give specific details on how long user data is kept, noting that information may be retained for purposes such as dispute resolution.
However, Persona does note that it will delete facial geometry scan data either "upon completion of verification or within three years of your last interaction with Persona [depending on the customer’s instructions]."
The policy includes a long list of third parties that may receive your personal data (including IT services providers, email communication and SMS software providers, ID verification services, mobile device operators, background check providers, consumer reporting services, fraud and identity management providers, and law enforcement).
In addition, Persona automatically collects user information, including identifiers and device information, geolocation data, and usage data. The privacy policy also effectively states that your data could be processed in any country in the world. On a positive note, the service is SOC 2 and ISO 27001 certified, testifying to its security credentials.
Au10tix (used by X)
Au10tix (pronounced "authentics") is an identity verification specialist offering KYC, reusable ID, and selfie verification services. It checks the age of users with ID verification, incorporating liveness detection and ongoing authentication.
Like Persona, Au10tix doesn’t specify how long user data is kept in its privacy policy and notes that it will retain biometric data until the verification process is complete or until three years after the last interaction between the user and Au10tix’s customer (when it will remove the information if it is specifically notified), whichever comes first.
On the bright side, Au10tix states, "We do not sell, rent, or lease personal data." However, it will share personal data with third-party service providers, law enforcement agencies, and others to comply with court orders and warrants. In addition, it will "keep aggregated non-identifiable information without limitation."
When it comes to security, Au10tix uses SHA-2 hashing, RSA encryption with 2048-bit keys, and TLS/SSL connections for data in transit.
The firm is ISO/IEC 27001:2013 certified, and all data is stored and processed in the EU, the US, the UK, and Israel, whether being handled by Au10tix or third parties.
Stripe (used by X and Bluesky)
Stripe is a financial services company that offers payment and money management solutions for businesses as well as identity verification functionality. It can scan government IDs from 100+ countries, check information against databases, and use biometrics to confirm the validity of your ID.
Stripe states that it "retains biometric data for one year and non-biometric data [including images, IP addresses, and data from your ID documents] for three years, with options for users to opt-out or request deletion of their data."
Surprisingly, Stripe’s customers can also access all the information that you’ve submitted, and they can grant permission to others to access your information via the platform. In addition, Stripe may provide access to third parties to assist with identity verification.
When handling personal information, Stripe conveys data via TLS-encrypted connections, and it’s encrypted with AES-256 while in storage.
As a firm handling billions of dollars of payments each year, the company runs annual SOC 1 and SOC 2 Type II auditing, is SOC 3 accredited, and has a range of security certifications specific to the financial services sector. All data processing and storage occurs in the United States.
Incode (used by TikTok)
Identity verification firm Incode provides age confirmation with facial age estimation, database checks, and ID validation.
In Incode’s privacy policy, it states that, as per GDPR, it will only process personal data where it has a legal basis for doing so. However, it doesn’t specify any set term limits for the deletion of data.
When it comes to biometric data, Incode states that it will retain the information until it has been used or until three years after your last interaction with the customer, whichever comes first.
Incode commits not to share opt-in consent or phone numbers, but it may otherwise share personal data with service providers, analytics partners, business partners, law enforcement agencies, courts, and regulatory agencies.
The firm is SOC 2 Type II and ISO 30107-3 compliant and has a newly launched vulnerability disclosure program, meaning it will let users know if and when security issues are found and dealt with. Data processing occurs in the US and, slightly concerningly, in other unnamed countries.
Can you trust age verification companies with your data?
In theory, using a third-party firm that specialises in handling sensitive data means that the information should be handled securely and that it shouldn’t be shared with the site or service requesting the verification.
While the firms covered here generally have a solid set of security credentials, they will share your data with a variety of third-party service providers and may retain your information for years (or forever in some cases).
In addition, while you might expect age verification firms to provide a discreet service, some providers will share your details with their customers and nearly all will generate a considerable paper trail.

Michael is an experienced technology writer, specialising in VPNs, antiviruses, and cybersecurity. Previously, he has written for publications including Techopedia, The Guardian, and Digital Spy and has worked with numerous tech firms in the SaaS space. Outside of work, Michael’s interests include cult TV, gamification, and behavioural economics.
- Olivia Powell, Tech Software Commissioning Editor