1. Introduction
This Privacy Policy describes how ONUS ID ("we," "our," or "us") collects, uses, discloses, and protects your personal information when you use the ONUS ID, ONUS Age Verification, ONUS Merchant, and ONUS Dashboard applications (collectively, "ONUS ID Applications").
We are committed to protecting your privacy and handling your data with transparency and care. Please read this Privacy Policy carefully. By using any ONUS ID Application, you consent to the practices described herein.
2. Scope
This Privacy Policy applies to:
- ONUS ID (iOS and Android) — consumer biometric enrollment and verification history
- ONUS Age Verification (iPadOS) — in-store age verification by retail staff
- ONUS Merchant (macOS + Windows) — desktop companion for age verification workflow
- ONUS Dashboard (Web) — cloud-based admin panel for managing stores, users, devices, and compliance
- ONUS ID backend services and APIs
This policy does not apply to third-party services integrated with our applications, which maintain their own privacy policies.
3. Information We Collect
3.1 Information You Provide
| Data Type | Collected From | Purpose |
|---|---|---|
| Name (first and last) | ONUS ID users | Account creation, identity display |
| Email address | All users | Account creation, communication, password reset |
| Phone number | ONUS ID users | Account verification, communication |
| Date of birth | Customers during age verification | Age verification (18+ or 21+ check) |
| Login credentials | Store staff, admin users | Authentication |
3.2 Biometric Data
Biometric Disclosure: Our applications use facial recognition technology for age and identity verification.
| Biometric Type | How It's Used | Where It's Processed |
|---|---|---|
| Facial recognition | Identity verification and age verification at retail locations | Processed on-device with verification results stored on ONUS ID servers |
Important: ONUS ID does not store raw biometric images or videos on its servers. Only verification results (success/failure) and metadata are retained. Facial recognition processing occurs on the device during enrollment and verification.
3.3 Verification Data
When a verification occurs at a store, our backend records the following metadata:
- Store identifier and name
- Device identifier (iPad or desktop device)
- ONUS ID user reference (who was verified)
- Verification method used (facial recognition or manual date-of-birth entry)
- Result (verified or failed)
- Failure reason (if applicable, e.g., "Age below requirement")
- Timestamp (UTC) and verification duration
- Customer name (when available from enrolled profile)
This is metadata about the verification event. No biometric images, facial templates, or raw biometric data are included in verification records stored on ONUS ID servers.
3.4 Device Information
- Device name and model
- Operating system and version
- Application type and version
- IP address (at time of login)
- Device identifiers
3.5 Usage Data
- Login timestamps
- Session duration
- Feature usage patterns
- Connection method (Wi-Fi or Bluetooth) for Age Verification / Merchant apps
4. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Provide and operate ONUS ID Applications | Performance of contract |
| Process and record verification results | Performance of contract, legitimate interest |
| Authenticate users and manage sessions | Performance of contract |
| Display verification history to ONUS ID users | Performance of contract |
| Monitor device status and manage store operations | Legitimate interest |
| Detect and prevent fraud and unauthorized access | Legitimate interest, legal obligation |
| Comply with legal obligations (including age verification laws) | Legal obligation |
| Generate aggregated analytics for store performance | Legitimate interest |
| Communicate with you about your account or service updates | Performance of contract, legitimate interest |
| Maintain audit logs for compliance and security | Legal obligation, legitimate interest |
We do not use your personal information for advertising or marketing purposes. We do not sell your personal information to third parties.
5. How We Share Your Information
5.1 With Stores and Merchants
Verification results (success/failure status and method) are shared with the store where the verification took place. Stores can view verification logs for their own location through the admin panel.
5.2 With Service Providers
We may share information with trusted service providers who assist us in operating our services, such as:
- Cloud hosting providers for database and application hosting
- Email delivery services for account notifications
- Error monitoring and logging services for system reliability
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
5.3 For Legal Compliance
We may disclose your information if required by law, legal process, government request, or to protect the rights, property, or safety of ONUS MS, our users, or the public.
5.4 What We Do NOT Share
- We do not sell your personal information
- We do not share your data with advertisers
- We do not use your data for profiling or targeted advertising
- We do not share raw biometric data or facial images with any third parties
- We do not share your verification history across different stores without your consent
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email, phone) | Retained while your account is active; deleted upon account deletion request |
| Verification records (metadata) | Retained for the duration of your account plus 3 years for compliance and audit purposes |
| Biometric verification results | Retained for 3 years from last verification for compliance and audit purposes; raw biometric data is not stored |
| Device information | Retained while the device is registered; removed when device is deregistered |
| Session and login logs | Retained for 12 months for security monitoring |
| Audit logs (admin actions) | Retained for 5 years for compliance |
You may request deletion of your data at any time (see Section 9: Your Rights).
7. Data Security
In Transit
- All backend API communication is encrypted via HTTPS/TLS
- Local device-to-device communication (Age Verification ↔ Merchant) is encrypted with AES-256-GCM
- Device pairing uses ECDH P-256 key exchange with ephemeral session keys
At Rest
- PostgreSQL database with encryption at rest
- Passwords hashed using bcrypt (industry-standard)
- JWT tokens with short expiration periods (configurable)
- No raw biometric data stored on servers
- Secure session management with automatic expiration
Access Controls
- Role-based access control (Super Admin, Admin, Store User)
- Session management with force-logout capability
- Audit logging of all administrative actions
- Rate limiting on authentication endpoints
While we employ robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable safeguards.
8. Biometric Information Notice (BIPA Compliance)
Illinois Biometric Information Privacy Act (740 ILCS 14)
- Purpose: Facial recognition is used solely for identity verification and age verification purposes at participating retail locations.
- Storage: ONUS ID does not store raw biometric data (facial images or templates) on its servers. Only verification results and metadata are retained.
- Retention: Verification records are retained for three (3) years from your last verification for compliance and audit purposes. No biometric templates are stored.
- Disclosure: Biometric verification results are not sold, leased, or traded. Results are only shared with the specific store where verification occurred.
- Consent: Your informed consent is obtained before enrollment through in-app consent prompts that clearly explain biometric data usage.
- Deletion: You may request deletion of your account and all associated verification records at any time by contacting support@onusid.com.
9. Your Rights
9.1 All Users
- Access your personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Request deletion of biometric data
- Withdraw consent for biometric processing
- Receive a copy of your data in a portable format
9.2 California Residents (CCPA/CPRA)
- Right to know what personal information is collected, used, and shared
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
9.3 EEA/UK Residents (GDPR)
- Right to access, rectification, erasure, and data portability
- Right to restrict or object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
9.4 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: support@onusid.com
We will respond to your request within 30 days (or the timeframe required by applicable law).
10. Children's Privacy
ONUS ID Applications are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@onusid.com.
11. Third-Party Services
ONUS ID applications are built using industry-standard technologies and frameworks. We do not integrate with third-party biometric processing services. All verification processing occurs within our own secure infrastructure.
Our applications may use standard third-party services for:
- Cloud infrastructure and hosting
- Email delivery for account notifications
- System monitoring and error logging
These services do not have access to biometric data or verification results.
12. International Data Transfers
Our servers are located in the United States. If you are accessing ONUS ID Applications from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.
By using our applications, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.
13. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours of becoming aware of the breach (or as required by applicable law)
- Provide details about the nature of the breach and the data affected
- Describe the measures taken to address the breach
- Provide recommendations for steps you can take to protect yourself
- Report the breach to relevant regulatory authorities as required by law
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy within our applications
- Sending an email notification to your registered email address
- Displaying a prominent notice within the application
The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of ONUS ID Applications after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
ONUS ID
Email: support@onusid.com
Website: https://onusid.com
Dashboard: https://admin.onusid.com
Privacy inquiries: support@onusid.com
End of Privacy Policy — ONUS ID — Effective January 1, 2025