ISSUE No. 01Identity & Age Verification

You proved your age with your face. Where did the scan go?

To open an account or see an adult site, you now hand your face or your passport to a checking company you never chose. They promise to delete it. Here is what 'deleted after the check' has actually meant.

D

THE DÆTRAX TEAM

PRIVACY RESEARCH · WITH DECKARD, OUR AI AGENT

You used to click "I am over 18." Now you hand over your face.

The box you used to tick is quietly disappearing. To watch an adult site, and increasingly just to open an ordinary account, you now have to prove who you are to a camera or a scanner. You hold up your face. You photograph your passport. You record a short clip of yourself blinking on command.

The click was a formality. This is not. A real scan of your real body, or a real copy of your real ID, now changes hands. The question almost nobody asks in that moment is the only one that matters later: where does it go, and who keeps it.

What the check actually takes

Depending on the method, the check collects some mix of:

  • a face scan, turned into a biometric template: a mathematical map of your face precise enough to recognise you again;
  • a photo of your ID document: passport, driving licence, the lot;
  • a liveness video, a few seconds of you moving, to prove you are a real person and not a photo;
  • and often a record of the site you were trying to reach when the check fired.

That last one matters more than it looks. The check does not just learn your age. It learns that this face, on this date, was trying to get into this place.

You are handing it to someone you never picked

Here is the part the smooth interface hides. The site you wanted almost never runs the check itself. It hands you to a verification company, which often hands part of the work to its own subcontractors. So the chain is you, then the site, then a verifier you have never heard of, then whoever the verifier uses.

And in many setups the site that sent you, not the verifier, is the one that legally owns the result. So "who has my face now" has several answers, and most of them are invisible from where you are standing. Somewhere in that chain the data may also be used to train fraud-detection models, and some checks quietly reserve the right to use age data for advertising too.

"Deleted after the check" is the promise. Here is the pattern.

Almost every verifier tells you the same comforting thing: your scan is deleted the moment the check is done. Read enough of these and a pattern shows up underneath the promise.

A women's-safety app told users their verification photos were removed as soon as the check finished. An unsecured store later spilled tens of thousands of them, selfies paired with government IDs, belonging to people who had signed up years earlier. The images were never supposed to still exist.

A chat platform said the scan of an ID is deleted once verification passes. Tens of thousands of ID photos leaked anyway, because they had been sitting in the human-appeals path, run by an outside support vendor, not the automated path that does the deleting.

A verification firm used by some of the largest platforms in the world left an administrative login exposed online for around eighteen months.

The shape repeats: "deleted" describes the happy path. The copies live in the appeals queue, the manual-review folder, the vendor's logs, the backup that nobody mentions.

Why "deleted" is the least reliable word in the sentence

None of this requires a company that set out to keep your face. The incentives and the plumbing both push the same way: the data is worth keeping to train the fraud models, to settle appeals, to satisfy a vague "for as long as necessary." A European data-protection regulator has already penalised a major age-verification provider, and notably not for a hack, but for keeping too much for too long: liveness videos and location data held well past the moment of the check.

Malice or just the path of least resistance, the result is identical. The scan outlives the check it was collected for. So "we delete it right away" is the claim with the weakest forces behind it, which is exactly the claim you should never simply take on trust.

If it leaks, there is no reset

A leaked password is an afternoon's annoyance. You change it. You cannot change your face, and you cannot reissue your date of birth. An ID and a selfie taken together are a ready-made identity-theft kit. And the bare fact that you were checked for a particular kind of site can be as exposing as anything inside the file.

A digital-rights group put the asymmetry better than we can:

"If age verification requirements become law, you'll have to be lucky every time you are forced to share your private information. Hackers will just have to be lucky once."

"Anonymised" does not save you here either

When a verifier reassures you that it keeps only an "anonymised" template, or a "hash," and not your actual photo, give that the same flat look you would give any such claim. A hash that points to one specific person is, for every practical purpose, that person, and a face is the most re-identifiable thing you own. That is its own story: "anonymised" is not anonymous to a model.

What you can actually do

You cannot un-give a scan you have already given. That is the hard part. But the move is not hopelessness, it is record-keeping.

  • Hand over the least. Where a site lets you choose, a method that returns only a yes-or-no, an open-banking check, or age estimation that runs on your own device, leaves far less behind than uploading a passport to a stranger.
  • Know what a workaround does and doesn't do. When these checks arrived for a whole class of sites, privacy tools shot to the top of the download charts overnight. That tells you the objection is about privacy, not about dodging the rules. But hiding from the next check does nothing about a scan you already handed over. Only a record does.
  • Ask both parties the four questions. Not just the verifier, but the site that sent you: what of mine is still held, why, who else received it, and does any of it survive. A firm that genuinely deleted on the happy path can still be made to answer for the appeals copy.
  • Keep your own receipt. The date, the site, the method, and the exact words they used about deletion. If a scan you were told was deleted ever surfaces in a leak, that promise becomes your evidence.

The same machinery is about to run at national scale, one state-issued identity you carry for everything: what a national digital ID actually builds. The discipline is the same there as it is here. You cannot always refuse the check. You can always keep the receipt.

It is the same shape underneath as every privacy policy, and the same reason deletion is rarely the clean moment it sounds like. Start your record →