Biometric retention
VEREID retains biometric templates for 30 days and document images for 7 years by default, with per-tenant override. Here is how, why, and when.
Last updated 2026-05-20
Biometric data is the highest-risk class we hold. Our retention defaults are conservative and explicit, and every divergence from the default is enumerable from the API.
Default retention
| Artifact | Default retention | Storage | KMS CMK |
|---|---|---|---|
| Liveness template (vector embedding) | 30 days | S3 vereid-biometrics (auto-purge lifecycle rule) | pii-vault |
| Face-match template | 30 days | S3 vereid-biometrics | pii-vault |
| Raw selfie image | 30 days | S3 vereid-biometrics | pii-vault |
| Raw selfie video (liveness) | 7 days | S3 vereid-biometrics | pii-vault |
| ID document image | 7 years | S3 vereid-id-docs, Object Lock | pii-vault |
| MRZ extracted text | 7 years | Aurora documents.mrz | (column-level encryption) |
| Verification decision + signals | 7 years | Aurora verifications | (no PII, just refs) |
The 30-day biometric default matches BIPA-style consumer-protection thresholds and is shorter than every commercial KYC vendor we benchmarked. The 7-year ID-doc retention matches the typical AML record-keeping requirement; tenants whose regulators demand longer can extend per-record up to 10 years.
Per-tenant override
Each B2B tenant can configure retention per artifact via the developer console or the API:
curl -sS -X PATCH https://api.vereid.com/v1/developer/tenants/$TENANT_ID/retention \
-H "Authorization: Bearer $VEREID_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"biometric_template_days": 30,
"selfie_image_days": 30,
"selfie_video_days": 7,
"id_document_years": 5
}'await vereid.developer.tenants.updateRetention(tenantId, {
biometric_template_days: 30,
id_document_years: 5,
});Allowed ranges:
| Field | Min | Max |
|---|---|---|
biometric_template_days | 0 (purge on completion) | 365 |
selfie_image_days | 0 | 90 |
selfie_video_days | 0 | 30 |
id_document_years | 1 | 10 |
Tightening retention is instant — already-stored objects are reclassified by the next nightly lifecycle pass (within 24 hours). Loosening retention only affects future uploads; we cannot un-purge objects that were already deleted.
Purge proof
We emit a biometric.purged event when a template is deleted, including the verification_id, the artifact class, and the purge timestamp:
{
"type": "biometric.purged",
"data": {
"verification_id": "vs_01HZ3K8R...",
"artifact": "liveness_template",
"purged_at": "2026-06-19T00:01:14Z"
}
}These events are appended to your audit log and to ours — both are WORM-replicated to the vereid-audit bucket on a nightly cadence with Object Lock so they cannot be tampered with. This is the evidence we ship to a regulator if asked.
User-initiated purge
End users can purge their biometric data at any time via /v1/me/biometrics:
curl -X DELETE https://api.vereid.com/v1/me/biometrics \
-H "Authorization: Bearer $VEREID_USER_ACCESS_TOKEN"This is instant. The user's verification decision survives — we keep the verifications row with all PII fields nulled — but the underlying biometric artifacts are deleted within 60 seconds and the biometric.purged event fires.
Note: deleting biometrics will downgrade the user's vereid_verification.badges array, removing liveness (since we no longer hold the template that proved it). photo may survive if the photo match was previously recorded without retaining the template.
What we do not store
- Raw fingerprints — we do not collect any.
- 3D face meshes — never generated; only 2D embeddings.
- Behavioural biometrics (typing cadence, mouse pattern) — never collected.
- Voice prints — even where liveness uses a spoken phrase, the audio is deleted after the phonetic match runs and only a pass/fail boolean is stored.
Regional notes
- Illinois (BIPA): defaults exceed the BIPA standard (30d ≤ 3 years).
- Texas (CUBI): defaults exceed the CUBI standard.
- EU: see EU compliance for the live
/v1/verifygeo-block. - Australia (Privacy Act): defaults exceed the OAIC guidance for biometric retention.
If your jurisdiction requires a shorter retention than our defaults, set the override before your first verification. We will not retroactively shorten retention for already-completed verifications, since that would invalidate audit records relied upon by other tenants.