Legal

Privacy Policy

Last updated: 1 June 2026 — Applies to veryf.eu and all veryf.eu API services

The short version

veryf.eu is a zero-PII system by design. The product delivers verified boolean facts about your users — not their personal data. We do not collect, store, transmit, or process names, dates of birth, document numbers, addresses, or any other personal attributes from the credentials being verified. The architecture makes this structurally true, not just a policy promise.

What we do not receive

When a user presents a Proof of Age Attestation through a veryf.eu verification session, the attestation contains only one attribute: age_over_18. This is not selective disclosure from a full identity credential — it is an attestation purpose-built to contain nothing else. Per the EU Age Verification Blueprint specification (doc type eu.europa.ec.av.1), the attestation SHALL NOT include name, birth_date, document number, or any other personal attribute. Those attributes were used by the Attestation Provider to derive the boolean at enrolment. They never entered the attestation.

We do not receive or store:

  • Given name, family name, or any variant of personal name
  • Date of birth or age beyond the specific predicate requested
  • National identity document numbers
  • Residential address or location data
  • Biometric data of any kind
  • Any credential attribute not explicitly requested in the verification session

What a verification session does generate

To operate the service and maintain security, veryf.eu processes the following session-level data:

  • Session identifier — a pseudonymous token tied to a single verification request, discarded after callback delivery
  • Nonce and timestamp — cryptographic replay prevention values, not linked to any individual
  • Issuer identifier — the URL of the trust anchor that signed the credential (e.g. a government eIDAS node), publicly known
  • Verification outcome — boolean result delivered to the relying party webhook
  • API request metadata — IP address of the relying party server, timestamp, and response code, retained for 30 days for fraud and abuse detection

None of the above constitutes personal data under GDPR Article 4(1) in the context of the veryf.eu data model, as none is linked to an identified or identifiable natural person.

Legal basis and regulatory framework

veryf.eu operates as a technical intermediary under eIDAS 2.0 (Regulation (EU) 2024/1183) and processes verification requests in accordance with:

  • GDPR Article 5(1)(c) — data minimisation, enforced at the attestation level: the Proof of Age Attestation (ISO mDoc, eu.europa.ec.av.1) contains only age_over_18 by specification
  • GDPR Article 25 — data protection by design and by default
  • eIDAS 2.0 Article 5a — selective disclosure requirements for EUDI Wallet acceptance

Because veryf.eu does not process personal data in the ordinary course of verification, it does not act as a data processor under Article 28 with respect to end-user personal attributes. Relying parties integrating veryf.eu remain responsible for their own GDPR obligations with respect to their users.

Data retention

Session tokens and nonces are discarded immediately after callback delivery. API request metadata (relying party IP, timestamp, outcome) is retained for 30 days, then deleted. No personal attribute data enters the retention cycle because none is received.

Your rights

Under GDPR Chapter III you have rights including access, rectification, erasure, and objection. Because veryf.eu does not hold personal data linked to you as an individual, most of these rights are satisfied structurally — there is nothing to access, correct, or erase.

For questions about your rights or this policy, contact: gintare@ajatauaml.com

Contact

Data controller: ajatau OÜ, operating veryf.eu
For enquiries: gintare@ajatauaml.com