1 Who we are
Veyon is a biometric identity protection platform. We help individuals and organisations register their face and voice as a verified identity, detect unauthorised use of their likeness across the web, and enforce their rights through automated DMCA takedown workflows and court-ready legal evidence.
The data controller for all personal data processed through veyon.ai is:
Veyon Limited
Killoskehane Castle, Killoskehane, Borrisoleigh,
Co. Tipperary, E41 Y519, Republic of Ireland
Privacy contact: support@veyon.ai
Our supervisory authority is the Irish Data Protection Commission (DPC), reachable at dataprotection.ie. If you are based in the UK, the relevant supervisory authority is the Information Commissioner's Office (ICO).
2 What data we collect
We collect only the data necessary to deliver and improve the Veyon service.
Account information
- Email address and name (required to create an account)
- Password (stored as a one-way hash — we never store plaintext passwords)
- Subscription tier and billing status
- Decentralised identifier (DID) generated automatically on account creation
Biometric data (special category)
- Facial captures: face images and derived facial embeddings used for identity binding and likeness monitoring
- Voice samples and voiceprints: audio recordings and extracted voice embeddings used for voice identity monitoring
Special category data. Facial features and voiceprints constitute biometric data under GDPR Article 9. We process this data only with your explicit consent (see Section 4).
Identity verification data
- Government-issued identity document images (processed by Veriff for KYC verification; Veyon does not store raw document images)
- KYC verification status and session identifiers
Payment information
- Subscription status, plan, and billing period
- Stripe customer ID and payment method metadata (last 4 digits, card brand)
- We do not store full card numbers or CVV codes — these are handled exclusively by Stripe
Usage and technical data
- Pages visited and in-app actions (page views, feature interactions)
- Scan results and match detections linked to your identity
- DMCA takedown submissions and their status
- IP address, browser type, and device information collected via server logs and analytics
- Cookie identifiers (see Section 10)
API usage data (B2B customers)
- API key identifiers (hashed), endpoint requests, response codes, and timestamps
- Organisation and team membership information
3 Why we collect it — legal bases
Under GDPR Article 6, every processing activity requires a legal basis. We rely on the following:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Processing payments and subscriptions | Contract (Art. 6(1)(b)) |
| Biometric identity registration and monitoring | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) |
| KYC identity verification via Veriff | Consent + legal obligation where applicable (Art. 6(1)(a), (c)) |
| Security, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Service analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Sending transactional emails (scan alerts, takedown updates) | Contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) — you may unsubscribe at any time |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test concluding that our interests do not override your rights and freedoms. You may object to legitimate interest processing at any time (see Section 9).
4 How we handle biometric data
GDPR Article 9 — Special category data. Biometric data that uniquely identifies a natural person is a special category under GDPR and subject to heightened protection. Veyon processes biometric data solely on the basis of your explicit, informed consent.
What we do with biometric data
- Generate facial embeddings and voiceprints from your registered samples
- Search third-party databases (including our Face Search provider's index of 700M+ photos) for unauthorised use of your likeness
- Generate a tamper-proof identity certificate (DID-anchored) as proof of prior registration
- Build DEIA-certified evidence packages for legal proceedings
Consent and withdrawal
You provide explicit consent during the biometric registration flow, which presents a clear disclosure of what data is collected and how it is used. You may withdraw consent at any time by deleting your biometric data from your account settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
Withdrawing biometric consent will disable identity monitoring and scan features, as they depend on your registered biometric profile.
Security of biometric data
Biometric embeddings are stored encrypted at rest. We do not store raw facial images beyond the initial processing step. Access to biometric data is restricted to personnel and systems with a documented operational need. We apply access controls, audit logging, and security monitoring to biometric data stores.
No sale of biometric data
We do not sell, rent, or share your biometric data with third parties for their own commercial purposes. Biometric data is shared only with processors listed in Section 6, under contractual data processing agreements, for the sole purpose of delivering Veyon's service to you.
5 How we use your data
- Service delivery: running identity scans, detecting matches, dispatching DMCA takedowns, generating evidence packages
- Account management: authentication, subscription billing, plan upgrades/downgrades
- Communications: scan alerts, takedown status updates, security notifications, product updates (where consented)
- Security: detecting and preventing fraud, abuse, and unauthorised access
- Legal compliance: responding to valid legal requests, maintaining records required by law
- Product improvement: understanding aggregate usage patterns to improve features (never using biometric data for model training without separate, explicit consent)
We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, without human review.
6 Third-party processors
We engage the following sub-processors to deliver the Veyon service. Each is bound by a Data Processing Agreement (DPA) and may only process your data on our documented instructions.
| Processor | Purpose | Data transferred | Location |
|---|---|---|---|
| Veriff | KYC identity verification | Government ID images, selfie photos, session data | EU / US (SCCs in place) |
| Stripe | Payment processing | Email, billing address, payment method metadata | US (SCCs in place) |
| Face Search provider | Biometric likeness monitoring — search against 700M+ indexed photos | Facial embedding vectors | US (SCCs in place) |
| Polsia | Cloud hosting and infrastructure | All application data (servers, database, file storage) | US / EU (SCCs in place) |
We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes.
Analytics and advertising
We use Meta Pixel (Facebook) on our marketing pages to measure advertising effectiveness. This involves the transmission of anonymised event data (page views, sign-up actions) to Meta Platforms Ireland Limited, acting as an independent data controller for its own analytics purposes. This processing is subject to Meta's Privacy Policy. You may opt out by adjusting your cookie preferences.
7 International data transfers
Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. Whenever we transfer personal data outside the EEA, we ensure an adequate level of protection is in place through one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) — the European Commission's approved contractual framework for third-country transfers (Module 2: Controller-to-Processor)
- Adequacy decisions — where the European Commission has determined the recipient country provides equivalent protection
UK users: equivalent protections apply under the UK GDPR and the International Data Transfer Agreement (IDTA) where relevant.
You may request a copy of the transfer safeguards applicable to your data by contacting us at support@veyon.ai.
8 Data retention
We retain your data for as long as necessary to deliver the service, comply with legal obligations, and resolve disputes.
| Data type | Retention period |
|---|---|
| Account information (email, name) | Duration of account + 90 days after deletion request |
| Biometric data (embeddings, voiceprints) | Until you delete your biometric profile, or account deletion — whichever is sooner |
| Identity certificates and evidence packages | 7 years (legal evidentiary value) |
| Scan results and match records | Duration of account + 90 days |
| Payment and billing records | 7 years (tax / financial regulation) |
| Server logs and IP records | 90 days |
| Analytics events | 24 months, then anonymised |
| API usage logs | 12 months |
When a retention period expires, data is securely deleted or anonymised. Anonymised data (from which you cannot be identified) may be retained indefinitely for aggregate analysis.
9 Your rights under GDPR
You have the following rights regarding your personal data. To exercise any right, contact us at support@veyon.ai. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
Right of access
Request a copy of the personal data we hold about you, including the categories, purposes, and recipients.
Right to rectification
Request correction of inaccurate or incomplete personal data without undue delay.
Right to erasure
Request deletion of your personal data where it is no longer necessary, consent is withdrawn, or you object and there is no overriding legal ground.
Right to portability
Receive your personal data in a structured, machine-readable format, and transfer it to another controller where technically feasible.
Right to restrict processing
Request that we limit how we use your data while a dispute is resolved or an objection is being considered.
Right to object
Object to processing based on legitimate interest, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds.
Withdraw consent
Withdraw consent for biometric processing or marketing at any time, without affecting the lawfulness of prior processing.
Lodge a complaint
File a complaint with the Irish Data Protection Commission (DPC) or your local supervisory authority if you believe we have violated your rights.
We will never charge a fee for exercising your rights unless a request is manifestly unfounded or excessive. We may ask you to verify your identity before processing a request.
10 Cookies and tracking
We use cookies and similar tracking technologies on veyon.ai. Here is what is currently running:
| Cookie / technology | Type | Purpose |
|---|---|---|
| Session cookies | Essential | Maintain your login session and authentication state |
| CSRF token | Essential | Security — prevent cross-site request forgery |
| Meta Pixel (fbq) | Analytics / advertising | Measures ad effectiveness; tracks page views, sign-up events, and purchase conversions for Facebook/Instagram advertising. Data sent to Meta Platforms Ireland Ltd. |
| Local storage (preferences) | Functional | Stores your currency preference on the pricing page (USD/EUR/GBP) |
Managing cookies
Essential cookies cannot be disabled without breaking the service. You may opt out of analytics and advertising cookies by:
- Using your browser's cookie controls to block or delete third-party cookies
- Installing the Meta Pixel opt-out browser extension
- Adjusting your ad preferences in your Facebook account settings
Note: blocking analytics cookies does not prevent us from delivering the service — it only limits our ability to measure marketing effectiveness.
11 Children's privacy
Veyon is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not create an account or submit any personal data through the service.
If we become aware that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe we may have collected data from a minor, please contact us at support@veyon.ai.
12 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "last updated" date at the top of this page
- Notify registered users by email at least 14 days before the change takes effect
- Where required by law, seek fresh consent for any new processing activities
Continued use of Veyon after the effective date of a non-material update constitutes acceptance of the revised policy. For material changes affecting biometric data processing, we will always seek explicit re-consent.
13 Contact us
For any privacy-related queries, requests, or concerns — including exercising your data subject rights — please contact us:
Privacy contact
Email: support@veyon.ai
Postal address
Veyon Limited
Killoskehane Castle, Killoskehane, Borrisoleigh,
Co. Tipperary, E41 Y519
Republic of Ireland
Supervisory authority (Ireland)
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
dataprotection.ie