Privacy Policy
Last updated: April 6, 2026
Our core promise: JustYes.ID is built on zero-knowledge principles. We verify your age without storing your identity. Your government ID is processed, verified, and immediately discarded.
1. What We Collect
JustYes.ID collects the minimum data necessary to operate a compliant age verification service:
- During verification: Your government-issued ID is scanned using OCR and biometric liveness detection. The ID image is processed in real-time and never stored on our servers.
- Cryptographic credential: After successful verification, a Schnorr-based credential is generated and stored only on your device inside an encrypted vault protected by your PIN.
- Consent records: A timestamped, anonymized record of your consent to share your age-verified status with a specific partner site.
- Verification receipts: A tamper-proof receipt containing a one-way hash (no personally identifiable information) used for compliance and billing.
2. What We Never Collect or Store
- Your name, date of birth, address, or ID number
- Your government ID image or any biometric data
- Your browsing history or the content you access
- Your PIN, recovery phrase, or private key (these exist only on your device)
- Any data that could link your identity to a specific partner site visit
3. Zero-Knowledge Architecture
Our system is designed so that we cannot access your identity even if compelled. Here's how:
- Your encrypted vault uses AES-256-GCM encryption with a key derived from your PIN via PBKDF2 (600,000 iterations). We store the encrypted blob but cannot decrypt it.
- Your credential is a Schnorr signature that proves "this person is 18+" without revealing who they are.
- Partner sites receive only a signed JWT confirming age verification, never your identity.
4. How We Use Data
The limited data we process is used exclusively to:
- Verify your age meets the legal requirements of your state
- Generate compliance receipts required by state law
- Bill partner sites for verification usage
- Detect and prevent fraud or abuse
- Comply with legal obligations (e.g., state audit requirements)
5. Data Sharing
We do not sell, rent, or trade your data. We share information only in these limited circumstances:
- With partner sites: Only the age-verified status (yes/no) and an anonymous receipt ID, shared only after you grant explicit consent.
- With state authorities: Anonymized aggregate compliance data as required by state age verification laws. This data contains no personally identifiable information.
- Legal process: If required by valid legal process, we can only provide the encrypted vault blob (which we cannot decrypt) and anonymized receipt data.
6. Data Retention
- Government ID images: Zero seconds. Processed in-memory and immediately discarded.
- Encrypted vault: Retained until you delete your account.
- Consent records: Retained for the duration required by applicable state law (typically 5-7 years).
- Verification receipts: Retained per state compliance requirements.
7. Your Rights
You have the right to:
- Delete your account: You can permanently delete your encrypted vault and all associated data at any time from your profile.
- Export your data: Request a copy of all data associated with your credential.
- Revoke consent: Withdraw consent previously granted to any partner site.
8. Cookies and Tracking
JustYes.ID does not use third-party cookies, advertising trackers, or analytics services. We use only essential localStorage to maintain your session and encrypted vault on your device.
9. Partner Site Data
If you are a partner site operator, we collect your business name, contact email, and billing information to operate your account. This data is governed by your partner agreement and this privacy policy.
10. Children's Privacy
JustYes.ID is an age verification service for individuals 18 years and older. We do not knowingly collect data from individuals under 18. If a minor's ID is submitted, the verification fails and the ID image is immediately discarded.
11. Security
We employ industry-standard security measures including TLS encryption in transit, AES-256-GCM encryption at rest, rate limiting, vault lockout after failed PIN attempts, and regular security audits. Our zero-knowledge architecture means that even a complete server breach would not expose user identities.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the platform. Continued use after changes constitutes acceptance.
13. Contact
For privacy-related questions or to exercise your rights, contact us at privacy@justyes.id or visit our Contact page.