Privacy Policy
Last updated: May 2026. Substantially revised following the AffixIO API and SDK overhaul.
AffixIO (“we”, “us”, “our”) operates https://www.affix-io.com and provides the AffixIO verification platform, including our public website, our verification API, our merchant and developer SDKs, our dashboard, and any related documentation, sample code, libraries, and supporting services (together, the “Services”). This Privacy Policy explains what information we receive, what we do and do not store, how we use it, who we share it with, and the choices and rights you have.
Summary at a glance
- We do not store personally identifiable information (PII) for verification purposes.
- The verification API and SDK are designed to return a binary result without retaining the underlying identifier.
- We do not sell, rent, or share personal data with third parties for advertising or marketing.
- We do not train, fine-tune, or evaluate machine learning or generative AI models on customer or end-user data.
- We use a privacy-first consent banner; analytics only load if you accept.
- We minimise everything: minimum fields, minimum retention, minimum surface area, and minimum subprocessors.
- We publish a status page, maintain an incident-response programme, and follow a documented breach-notification process.
- The specific cryptographic methods, circuit constructions, proving systems, parameter sets, and internal verification mechanics that power the platform are proprietary trade secrets and are intentionally not described in this policy.
Data minimisation principles
Data minimisation is a foundational engineering principle at AffixIO, not just a policy commitment. We design the Services so that we receive the least amount of information necessary to deliver a verification result, and we structure storage so that what we do receive cannot be expanded into a richer profile after the fact. Specifically:
- Field minimisation: API and SDK request schemas accept only the fields documented as required. Undocumented fields are rejected or discarded.
- Time minimisation: inputs needed to issue a verification are held only for the time required to produce a response.
- Scope minimisation: account-level configuration and credentials are kept separate from request-time data.
- Identifier minimisation: where we must persist any value derived from an input (for example to enforce abuse or replay controls), we do so in a form that is one-way and that we cannot reverse back into an identifier.
- Recipient minimisation: we share data with the fewest possible subprocessors required to operate the Services.
Major platform update (May 2026)
This Privacy Policy has been substantially revised to reflect a wide-ranging overhaul of the AffixIO API and SDK platform. The overhaul introduces a new generation of our verification endpoints, an expanded developer and merchant SDK, refreshed dashboard tooling, additional regional points of presence, refined operational logging, additional integration channels for agentic and machine-to-machine clients, and updated contractual frameworks for customers, integrators, resellers, and end users. While the user-facing privacy model has not changed (we still do not store PII or build profiles), the breadth of touchpoints, log fields, account-level metadata, and integration paths has expanded, and this policy describes them in much greater detail.
For commercial reasons, and to protect the intellectual property of AffixIO and its licensors, this policy does not describe the underlying mechanism, algorithms, schemes, circuits, parameter sets, key material, hardware, or any other internal technical detail used to produce a verification result. Those details are trade secrets and/or covered by issued or pending intellectual property protections. Nothing in this policy should be read as a disclosure of, or licence to, any such technical information.
Who this policy applies to
This policy applies to:
- Website visitors: anyone who browses affix-io.com, its subdomains, or our documentation portal.
- Account holders: developers, merchants, operators, integrators, and resellers with an AffixIO account or dashboard access.
- API and SDK callers: systems and applications that send verification requests through the AffixIO API, libraries, plugins, or the merchant SDK.
- Agent and machine clients: autonomous agents, M2M systems, and integration platforms that consume AffixIO verification signals.
- Contacts: anyone who emails us, fills in a contact form, requests a demo, applies for early access, signs up for updates, or otherwise communicates with us.
Where AffixIO acts as a data processor on behalf of a customer (for example when a customer integrates the SDK into their own product), the customer is the controller for any personal data they collect from their own end users. AffixIO processes only the limited inputs necessary to return a verification result.
We do not store PII for verification
The AffixIO verification API and SDK are designed around a strict no-PII-retention model. When you, your application, your agent, or your SDK sends a verification request, AffixIO returns a binary result (typically a yes/no, an allow/deny, or an equivalent signal) and does not retain the input identifier as a stored personal record after processing the request.
We do not maintain identity profiles, user databases, behavioural profiles, biometric vaults, document stores, or shadow-PII tables tied to verification inputs. The platform is intentionally architected so that the inputs needed to issue a verification do not persist in a form that allows AffixIO to reconstruct an identity. The exact technical means by which this is achieved is proprietary and is not described here.
Data we do not collect
Through the verification API and SDK, we do not collect, store, or build profiles from:
- government identity document scans or contents;
- biometric templates, faces, fingerprints, or voiceprints;
- full payment card numbers (PAN), CVV, or PIN data;
- account passwords, secrets, or recoverable credentials of end users;
- contact lists, social graphs, or device contact metadata;
- health, sexual, religious, political, or other special-category data;
- advertising identifiers tied to verification requests.
What we do receive and process
To deliver and operate the Services we receive a limited set of information. The categories below describe what we receive, not how the verification is performed.
Website and marketing
- Standard request data: IP address, user agent, referrer, requested URL, timestamp, response status. We use this for security, abuse prevention, and aggregate analytics.
- Contact and form submissions: name, email, company, role, subject, message, and anything else you choose to include. Used to respond to you.
- Optional analytics: only loaded if you consent via the banner.
Account and dashboard
- Identity of the account holder: name, business email, company, role, and contact details.
- Authentication data: hashed passwords or federated identity tokens, multi-factor enrolment details, and session metadata.
- Configuration: API keys, webhook endpoints, allow-lists, environment names, regional preferences, and integration settings.
- Billing and commercial: company name, billing address, VAT/tax IDs, plan, invoice records, and limited payment metadata returned to us by our payment processor (we do not see full card numbers).
- Support correspondence: tickets, attachments and email threads you send to us.
API and SDK operational telemetry
- Request metadata: API key identifier, environment (test/live), endpoint, response code, latency, region, SDK name and version, runtime/platform string, and timestamp.
- Abuse signals: rate, frequency, and pattern signals used to detect misuse, key compromise, scraping, or replay.
- Error diagnostics: error type and stack-level diagnostic fields (excluding any verification input payload). Customers can opt into more verbose diagnostics for debugging.
- SDK-level telemetry: when enabled, the SDK reports anonymous usage counters, version information, feature flag state, and crash summaries. SDK telemetry can be disabled by the integrator; see “Choices and controls” below.
None of the telemetry categories above is designed to capture end-user PII, and we instruct integrators not to place end-user PII inside request payloads.
Specific log fields we may record
For transparency, the typical fields written to our operational logs for an API or SDK call include some or all of the following. The exact field set varies by endpoint and SDK version, and the list below is illustrative rather than exhaustive:
- request timestamp and time zone offset;
- request unique identifier (server-generated, not derived from PII);
- account identifier and API key identifier (never the full secret);
- environment (sandbox, staging, or production);
- endpoint path and version, request method, response status code, response size;
- client SDK name, SDK version, runtime, operating system family, and architecture;
- IP address and approximate geographic region (used for routing, abuse prevention, and aggregate analytics);
- TLS version and cipher suite;
- processing latency, queue time, and any retry counters;
- internal correlation identifiers used to debug a single request across our infrastructure;
- abuse and security signals (for example burst counters, geo-velocity flags, and reputation markers).
Operational logs are protected by access controls, written to short-retention storage, and rotated out on a fixed schedule. They are used for debugging, capacity planning, security investigations, and aggregate reporting only.
Webhook and callback data
If you configure webhooks, we send signed event notifications to your endpoint over HTTPS. The payload contains operational metadata (event type, event identifier, timestamp, account identifier, environment, and result code) and a cryptographic signature header. We do not include end-user PII in webhook payloads. Because we retry failed deliveries, the same event may reach your endpoint more than once: verify the signature before acting on any event, and use the event identifier to deduplicate redeliveries. We record webhook delivery attempts, response codes, and retry state to provide reliability and to surface failed deliveries in the Dashboard.
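An integrator-side check of the webhook delivery described above, written as an added example rather than AffixIO's SDK code. The policy does not specify the signature scheme, so the header name, the timestamp-bound HMAC-SHA256 format, the five-minute skew window, the shared secret and the sample event are all assumptions made so the example runs offline; what it demonstrates is the order of checks a receiver needs: freshness and signature over the raw body before parsing, then deduplication by event identifier.

```python
"""Receiver-side checks for signed webhook events.

Added illustration, not AffixIO's SDK or the platform's actual scheme: the policy
only says events carry a cryptographic signature header. The header name, the
"t=<unix>,v1=<hex>" format, HMAC-SHA256 over "<t>.<raw body>", the secret and
the sample event are assumptions chosen so the example runs offline.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Affixio-Signature"  # hypothetical header name
MAX_SKEW_SECONDS = 300                     # reject timestamps more than 5 min off


def sign_event(secret: bytes, sent_at: int, raw_body: bytes) -> str:
    """Sender side, included only so the example is self-contained.
    Binding the timestamp into the MAC stops re-signing an old body as fresh."""
    mac = hmac.new(secret, f"{sent_at}.".encode() + raw_body, hashlib.sha256)
    return f"t={sent_at},v1={mac.hexdigest()}"


def parse_signature_header(value: str) -> tuple[int, str]:
    """Split "t=...,v1=..." into (timestamp, hex digest); ValueError if malformed."""
    fields = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed signature header")
        fields[key.strip()] = val.strip()
    if "t" not in fields or "v1" not in fields:
        raise ValueError("signature header missing t or v1")
    return int(fields["t"]), fields["v1"]


class WebhookVerifier:
    """Checks freshness and signature over the raw bytes, then deduplicates by event id."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now
        self._seen_event_ids: set[str] = set()  # shared store with expiry in production

    def verify(self, headers: dict, raw_body: bytes) -> dict:
        header = headers.get(SIGNATURE_HEADER)
        if header is None:
            raise ValueError("missing signature header")
        sent_at, presented = parse_signature_header(header)
        # Freshness: a replayed capture fails here even if its MAC is valid.
        if abs(int(self._now()) - sent_at) > MAX_SKEW_SECONDS:
            raise ValueError("signature timestamp outside allowed window")
        # Recompute over the bytes exactly as received, never over re-serialised JSON.
        expected = hmac.new(self._secret, f"{sent_at}.".encode() + raw_body,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            raise ValueError("signature mismatch")
        # Only now is it safe to parse and act on the body.
        event = json.loads(raw_body)
        event_id = event["event_id"]
        if event_id in self._seen_event_ids:
            raise ValueError(f"duplicate delivery of event {event_id}")
        self._seen_event_ids.add(event_id)
        return event


def check(verifier: WebhookVerifier, headers: dict, raw_body: bytes) -> str:
    """Return "ok" or the rejection reason, the shape a receiver would log."""
    try:
        verifier.verify(headers, raw_body)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample event; field names follow the payload fields the policy lists.
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_SENT_AT = 1_780_000_000
SAMPLE_BODY = json.dumps({
    "event_type": "verification.completed", "event_id": "evt_0001",
    "timestamp": SAMPLE_SENT_AT, "account_id": "acct_demo",
    "environment": "sandbox", "result_code": "allow",
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_event(SAMPLE_SECRET, SAMPLE_SENT_AT, SAMPLE_BODY)}


def demo() -> dict:
    """Accept the genuine delivery, then reject its replay, a tampered body and a stale copy."""
    fresh = WebhookVerifier(SAMPLE_SECRET, now=lambda: SAMPLE_SENT_AT)
    return {
        "genuine": check(fresh, SAMPLE_HEADERS, SAMPLE_BODY),
        "replay": check(fresh, SAMPLE_HEADERS, SAMPLE_BODY),
        "tampered": check(WebhookVerifier(SAMPLE_SECRET, now=lambda: SAMPLE_SENT_AT),
                          SAMPLE_HEADERS, SAMPLE_BODY.replace(b"allow", b"deny!")),
        "stale": check(WebhookVerifier(SAMPLE_SECRET, now=lambda: SAMPLE_SENT_AT + 3600),
                       SAMPLE_HEADERS, SAMPLE_BODY),
    }
```

In production the set of seen event identifiers must live in a store shared by every receiver instance and expire entries older than the skew window, and the secret should be held per webhook endpoint so that rotating it is a configuration change rather than a code change.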
Dashboard sessions and cookies
The Dashboard uses first-party, strictly necessary cookies and tokens to authenticate sessions, enforce multi-factor authentication, prevent CSRF, and remember preferences such as time zone and language. These cookies are essential and are not used for advertising or cross-site tracking. Where supported by your browser, we use cookie attributes such as Secure, HttpOnly, and SameSite=Lax or SameSite=Strict.
Transactional email
For Account Holders we send transactional email such as sign-in alerts, security advisories, key-rotation reminders, billing receipts, incident notices, and material policy updates. Transactional email is sent in connection with the contract you have with us and is not promotional. Optional product newsletters and announcements are separate and require explicit opt-in; you can unsubscribe at any time using the link in any such email or by emailing hello@affix-io.com.
How we use information
We use the information we receive to:
- provide, operate, and improve the Services;
- authenticate accounts and issue or rotate API keys and SDK credentials;
- return verification results to callers;
- maintain platform security, prevent abuse, fraud, and unauthorised access;
- meter usage, calculate bills, and enforce plan limits;
- diagnose errors, monitor performance, and improve reliability;
- communicate with customers about service updates, incidents, security advisories, and contractual matters;
- comply with legal and regulatory obligations.
We do not use customer or end-user data to train, fine-tune, or evaluate machine learning or generative AI models, whether our own or a third party's (see “AI and model training” below), and we do not sell customer data.
Legal bases (UK and EU)
Where UK GDPR or EU GDPR applies, we rely on the following legal bases:
- Performance of a contract: to deliver the Services to account holders and integrators.
- Legitimate interests: to operate, secure, and improve the platform, prevent abuse, communicate with customers, and run our business.
- Consent: for optional cookies, optional analytics, and optional marketing communications.
- Legal obligation: for tax, accounting, anti-fraud, and lawful information requests.
Retention
We retain different categories of data for different periods:
- Verification inputs: not retained as identifiable personal records after a request is processed.
- Operational logs and metadata: typically retained for short rolling windows for security, debugging, and capacity planning, then aggregated or deleted.
- Account and billing records: retained for the life of the account and for the period required by law (for example for tax records).
- Contact-form submissions and support tickets: retained for as long as needed to handle the enquiry and a reasonable follow-up period.
- Backups: rolling backups age out on a fixed schedule.
Specific retention windows may be adjusted from time to time for operational, legal, or security reasons. Customers with specific retention needs can contact us.
Subprocessors and third parties
We use a small number of carefully selected subprocessors to operate the Services. These typically fall into the following functional categories:
- Cloud infrastructure and compute: hosting, container orchestration, storage, and managed networking.
- Content delivery and edge security: caching, DDoS mitigation, and web application firewall.
- Email and notification delivery: transactional email, status notifications, and password or key-rotation messages.
- Payments and billing: payment processing, invoicing, and tax calculation.
- Error monitoring and observability: aggregated error reports, performance metrics, and trace sampling.
- Customer support tooling: ticketing, knowledge base, and CRM systems for handling support and sales enquiries.
- Identity and access management: federated sign-in, single sign-on, and multi-factor authentication providers.
- Security and compliance tooling: vulnerability scanning, secrets management, and audit logging.
Each subprocessor is bound by contractual confidentiality and data-protection terms appropriate to the data they may process on our behalf. A current list of subprocessors, identifying the provider, processing activity, and host country, is available on request to hello@affix-io.com.
We may also disclose limited information to our professional advisers (such as auditors, legal advisers, and accountants), to potential or actual acquirers in a corporate transaction (under appropriate confidentiality), and to government authorities where required by law (see “Government and law-enforcement requests” below).
We do not share customer or end-user data with third parties for advertising, profiling, or model training.
AI and model training
We do not use customer data, request payloads, verification inputs, or end-user data to train, fine-tune, evaluate, or benchmark machine learning models, generative AI models, or third-party AI products. We also instruct our subprocessors not to do so. Where we use AI or machine learning internally (for example to detect abuse patterns or to triage support tickets), models are trained on operational metadata and aggregate, non-identifying signals only.
Aggregate and statistical data
We may produce, retain, and use aggregate or de-identified statistics about platform usage, performance, error rates, and abuse trends. Aggregate data is not personal data once it can no longer reasonably be linked to an identifiable individual. We may publish such statistics (for example in our marketing, on our status page, or in research and trend articles) without notice.
Government and law-enforcement requests
We may receive requests from government agencies, regulators, or courts for information about the Services or our customers. Our approach is as follows:
- We require valid legal process appropriate to the jurisdiction and the data requested.
- We scrutinise requests for scope, specificity, and proportionality, and we push back on overbroad or unlawful requests.
- Where lawful and practical, we notify the affected customer so that they may seek a protective order or challenge the request directly.
- We respond only to information we actually hold. We do not retain copies of verification inputs, so requests for that category of data will generally yield no responsive material.
Pseudonymisation and one-way transforms
Where we must persist any value derived from an input (for example, for abuse, rate-limiting, replay-prevention, or aggregate analytics), we use one-way transforms so that we cannot recover the original identifier from the stored value. The specific cryptographic constructions used are proprietary and are intentionally not described in this policy, but the operational principle is that the stored value cannot, on its own and in our hands, be reversed back into an identifier.
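The following added example (not AffixIO's construction, which the policy keeps proprietary) shows the difference between a one-way transform that is merely an unkeyed hash and one keyed with a secret held outside the stored table. Identifiers such as account codes or phone numbers are low-entropy, so an unkeyed hash can be reversed by enumerating the input space; the master key, the purpose labels and the four-digit candidate space are constructed for the example.

```python
"""Keyed, per-purpose one-way transforms for abuse, replay and rate-limit keys.

Added illustration, not AffixIO's construction. It contrasts an unkeyed hash with
an HMAC keyed per purpose, and shows that the key, not the hash, is what makes the
stored value irreversible to whoever holds only the table.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Assumed: a master key held in a secrets manager, never stored next to the tokens.
MASTER_KEY = b"demo-master-key-not-for-production"


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it for guesses."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def purpose_key(master: bytes, purpose: str) -> bytes:
    """Derive a distinct key per purpose so tokens in one table cannot be joined to another."""
    return hmac.new(master, b"purpose:" + purpose.encode(), hashlib.sha256).digest()


def pseudonymise(identifier: str, purpose: str, master: bytes = MASTER_KEY) -> str:
    """Keyed, per-purpose token. Same input and purpose give the same token (needed for
    replay and rate-limit lookups); a different purpose gives an unlinkable token."""
    return hmac.new(purpose_key(master, purpose), identifier.encode(),
                    hashlib.sha256).hexdigest()


def recover_by_enumeration(token: str, candidates: Iterable[str],
                           transform: Callable[[str], str] = plain_hash) -> Optional[str]:
    """What an attacker holding the stored table can do: try every plausible input
    through whatever transform they are able to compute."""
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), token):
            return candidate
    return None


# Constructed low-entropy identifier space: 10,000 four-digit account codes.
CANDIDATE_SPACE = [f"{n:04d}" for n in range(10_000)]
SAMPLE_IDENTIFIER = "4821"


def demo() -> dict:
    """Compare reversibility of the two transforms over the constructed space."""
    plain_token = plain_hash(SAMPLE_IDENTIFIER)
    keyed_token = pseudonymise(SAMPLE_IDENTIFIER, "replay")
    return {
        # Unkeyed hash: the table alone reveals the identifier.
        "plain_recovered": recover_by_enumeration(plain_token, CANDIDATE_SPACE),
        # Keyed token: without the key the attacker can only compute unkeyed guesses.
        "keyed_recovered": recover_by_enumeration(keyed_token, CANDIDATE_SPACE),
        # Caveat: with the key, enumeration works again, so key custody is everything.
        "keyed_recovered_with_key": recover_by_enumeration(
            keyed_token, CANDIDATE_SPACE, lambda s: pseudonymise(s, "replay")),
        # Deterministic within a purpose, so replay detection can look tokens up.
        "deterministic": pseudonymise(SAMPLE_IDENTIFIER, "replay") == keyed_token,
        # Not linkable across purposes, so two tables cannot be joined on the token.
        "linkable_across_purposes":
            pseudonymise(SAMPLE_IDENTIFIER, "analytics") == keyed_token,
    }
```

The third result is the caveat a practitioner should take from this: whoever holds the key can enumerate again, so a guarantee of the form "cannot be reversed in our hands" rests on keeping the key out of the data store, restricting who and what can invoke it, and accepting that rotating it invalidates existing replay and rate-limit tokens.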
Categories we explicitly refuse
The API and SDK are not designed to accept and we will reject, where technically possible, any of the following categories of data submitted into a verification request:
- full government identity document images or scans;
- full biometric templates;
- full payment card numbers (PAN), CVV, or PIN;
- health records, diagnoses, or sexual life or orientation data;
- data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, or trade-union membership;
- data of children where you have no lawful basis to process it;
- data of identified data subjects whom you have no relationship with or instruction from.
If you believe such data has been sent to the API in error, please contact us immediately and we will work with you to scrub any operational records that may have captured incidental metadata.
Automated decision-making
A verification result returned by the API or SDK is a single signal intended as an input to your decision-making process. AffixIO does not make decisions with legal or similarly significant effect on end users on its own. Where your use of the result has such effects on your end users, you are responsible for ensuring that your overall decision-making process complies with applicable law, including any obligations relating to automated decision-making, human review, transparency, and rights to contest.
Incident response and breach notification
We maintain an incident-response programme that includes documented runbooks, on-call rotations, severity classification, post-incident review, and customer communication procedures. If we become aware of a personal data breach affecting your data, we will notify affected customers without undue delay in accordance with applicable law, and typically within 72 hours of becoming aware of the breach. Where UK or EU GDPR applies, note that the 72-hour period in Article 33 is the controller's deadline for notifying the supervisory authority; where we act as your processor we notify you promptly so that you can meet it. Notifications will include the nature of the breach, the categories and approximate volume of data involved, the likely consequences, and the steps taken or proposed to address it.
Audits and assurance
We follow secure software development practices, regular vulnerability scanning, periodic penetration testing by qualified third parties, and infrastructure hardening reviews. Summary information about our security posture is available to customers under appropriate confidentiality. Where a customer reasonably requires additional assurance (for example to satisfy their own regulatory obligations), we will work in good faith to provide it.
Data subject request workflow
If you wish to exercise a right under applicable data protection law, please email hello@affix-io.com with the nature of the request and enough detail to allow us to identify any personal data we hold about you. We may ask you to verify your identity (we will use the minimum information necessary to do so and will not retain it beyond the request). We will respond within the timeframe required by applicable law (under UK or EU GDPR, typically within one month of receipt, extendable by up to two further months for complex or numerous requests, in which case we will tell you within the first month). Where we are unable to act on a request (for example because we hold no personal data about you, because we hold it only as a processor on behalf of a customer, or because an exemption applies), we will explain why.
International transfers
We may process data in the UK, the EEA, and other jurisdictions where our infrastructure or subprocessors operate. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards, including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or other valid transfer mechanisms.
Security
We apply technical and organisational measures appropriate to a stateless verification platform, including transport encryption, access controls, key management, infrastructure hardening, segregation of environments, logging and monitoring, secure software development practices, vulnerability management, and incident response procedures. No system can be guaranteed perfectly secure; if you believe you have identified a vulnerability, please see our vulnerability disclosure policy or email hello@affix-io.com with subject "Security report".
Cookies, analytics, and consent
We use a privacy-first consent banner. Your consent choice is stored locally in your browser as a cryptographic record (for example in local storage), not as a tracking cookie, and is valid for 365 days. If you accept, we may load Google Analytics (GA4) and similar measurement scripts; if you reject, those scripts are not loaded. We may also use first-party operational cookies that are strictly necessary for the site or dashboard to function. See our Cookies & consent page for details.
Agentic and machine-to-machine clients
When verification requests are issued by autonomous agents, M2M systems, or integration platforms, the same no-PII-retention principles apply. We process the credentials of the calling agent or integration (for example API keys or signed agent identifiers), operational metadata, and the request signal needed to return a result. We do not build behavioural profiles of agents or operators beyond what is required to operate, secure, and meter the Services.
Beta, preview, and experimental features
From time to time we make beta, preview, or experimental features available. These features may have additional logging or different operational characteristics to help us evaluate them. Where this materially changes how personal data is processed, we will identify the feature as beta or preview in the dashboard or documentation. Participation in beta features is optional.
Choices and controls
- Cookies and analytics: accept or reject via our consent banner; clear your local storage or use your browser controls to revoke at any time.
- Marketing email: unsubscribe from any promotional email using the link in the email or by emailing hello@affix-io.com.
- SDK telemetry: integrators can disable optional SDK telemetry through SDK configuration; required operational telemetry needed to make a request cannot be disabled.
- Dashboard sessions: sign out at any time; we honour session timeouts and revoke sessions on credential rotation.
- Account closure: contact us to close an account; we will retain only what we are required to keep by law or for accounting purposes.
Children
The Services are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.
Visitors located outside the UK and EU
If you visit the site, sign up for an account, or call the API from a jurisdiction whose data protection law differs from the UK or EU framework, the protections of UK or EU GDPR may still apply to you where we are required to provide them, and we will apply equivalent baseline standards (consent for optional cookies, minimum retention, no sale of personal data, no behavioural advertising) globally regardless of local minimums.
Records of processing
Where required by UK or EU GDPR Article 30, we maintain internal records of processing activities for the Services. These records describe the categories of personal data we process, the purposes, the recipients, retention periods, and applied security measures. These records are confidential and are made available to supervisory authorities on lawful request.
Contact for data protection matters
You can reach our data protection point of contact at hello@affix-io.com. Please mark the subject line clearly (for example “Privacy request”, “DPA request”, or “Subprocessor list”) so we can route your request promptly.
Your rights
Depending on where you are located, you may have rights under applicable data protection law, including the right to access, rectify, erase, restrict, port, or object to processing of your personal data, and the right to withdraw consent at any time. You can exercise these rights by contacting hello@affix-io.com. We will respond to legitimate requests within the timeframes required by applicable law. You also have the right to lodge a complaint with a supervisory authority. In the UK, that is the Information Commissioner’s Office (ICO).
Customers acting as controllers
If you are a customer or integrator using the AffixIO API or SDK in your own product or service, you are responsible for your own privacy notices, lawful basis, and consent obtained from your end users. AffixIO will act as a processor with respect to limited inputs sent to the API on your behalf, under our Data Processing Addendum (available on request).
Trade secrets and undisclosed technical detail
The specific cryptographic primitives, proving systems, parameter sets, circuit designs, key-management approaches, hardware configurations, and the precise method by which the API and SDK produce a verification result are proprietary, are protected as trade secrets, and may be covered by issued or pending intellectual property rights, including the patent referenced in the site footer. This Privacy Policy does not, and is not intended to, disclose any such information. The descriptions in this policy are functional and behavioural only.
Changes to this policy
We may update this policy from time to time. Material changes will be flagged on this page; the “Last updated” date at the top will change. For account holders we may also send an email notice for material changes. Continued use of the Services after the effective date of an update constitutes acceptance of the updated policy. Previous versions are available on request.
Contact
For privacy questions, data subject requests, or to request our subprocessor list, Data Processing Addendum, or a prior version of this policy, contact hello@affix-io.com. AffixIO is operated by Becca & Kris Richens.