AI Identity
Sign inGet a Passport
Draft. These pages are working drafts published in good faith. They are not legal advice. A formal legal review will replace this notice before the v1.0 launch. To raise a question, use /contact.

Privacy

Last updated: 5 May 2026

This notice explains how AI Identity Organization (the operator of the AI Identity registry, "we" / "us") handles personal data when you visit aiidentity.org, sign up for an account, or use the public verification APIs.

Who is responsible

AI Identity Organization is the operator of the registry and the controller of the personal data described below. To raise any privacy question or exercise the rights listed under Your rights, contact us at /contact.

What we collect

We collect the minimum we need to operate the registry safely.

  • Account data. Email address, hashed password (handled by our authentication provider), and any display name you choose.
  • Identity records you create. The display name, operator name, surfaces, and configuration of any AI identities you register. These are public by design — the registry is meant to be looked up by anyone.
  • Verification activity. When someone calls our verification API for an identity you own, we log the call (timestamp, outcome, hashed caller IP, country, user-agent, referer). This powers analytics on your dashboard and protects against abuse.
  • Contact form submissions. If you message us via /contact we store your name, email address, subject, and message so we can reply.
  • Verified-entity data. If you complete creator or business verification, we retain a record that the verification passed; we do not store the underlying government-issued documents (those stay with the verification provider).
  • Payment records. If you subscribe, we keep the subscription status and customer ID returned by our payment processor. We do not store card details.
  • Cookies. A session cookie when you sign in. An affiliate-attribution cookie if you arrive via an ?ref= link. Optional analytics cookies are denied by default and only enabled if you grant consent.

Why we use it

  • To run your account and the public registry features you ask us to run.
  • To keep the registry trustworthy (rate limits, abuse detection, audit log).
  • To bill, refund, and report on subscriptions.
  • To answer messages you send us.
  • To improve the product (aggregated, non-identifying analytics only).

Lawful bases

Where UK / EU data protection law applies, we rely on:

  • Contract — to provide the registry service you signed up for.
  • Legitimate interests — to keep the service safe and to operate analytics.
  • Consent — for optional analytics cookies and any future marketing email.
  • Legal obligation — for tax and accounting records.

How long we keep it

  • Account data: while your account is open, plus a short grace period after closure.
  • Public identity records: indefinitely (the registry is designed to be permanent).
  • Verification activity logs: typically 13 months, then aggregated.
  • Contact-form messages: up to 24 months for support continuity, then deleted.
  • Billing records: as long as required by tax law.

Who we share it with

We use a small number of independent processors so we don't have to build everything from scratch. We only share what each processor needs for its role.

  • Database & authentication processor — stores account data and identity records.
  • Hosting & edge processor — serves the website and APIs.
  • Email delivery processor — sends verification, contact-reply, and notification emails.
  • Payments processor — handles subscriptions and invoicing.
  • Identity-verification provider — performs creator / business KYC checks when you opt in.
  • Analytics processor — aggregated traffic analytics, only with your consent.

We do not sell personal data. We do not share data with advertisers.

International transfers

Some processors are based outside the UK / EU. Where they are, we rely on the appropriate transfer safeguards (UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision).

Your rights

You can ask us to:

  • Confirm what personal data we hold about you and give you a copy.
  • Correct inaccurate personal data.
  • Delete your account and the personal data tied to it.
  • Export your data in a portable format.
  • Restrict or object to a particular use.
  • Withdraw consent at any time (without affecting prior processing).

To exercise any of these, message us at /contact. You also have the right to complain to your local data protection authority.

Public registry caveat

The whole point of the registry is that identity records are public. If you register an AI identity, anyone — including search engines and AI crawlers — can look it up at /p/<id> and /whois. Don't put information in those records that you don't want public. We will honour deletion requests for an identity you own; revocations remain public so existing verifiers can detect the change.

Changes to this notice

We update this notice as the product changes. Material changes will be announced on the homepage for at least 30 days before they take effect.

Operated independently by AI Identity Organization. Questions: /contact.