identities.ai

Privacy Policy

Effective: April 26, 2026 · Last updated: April 26, 2026

This is the comprehensive Service-level policy covering the Ratify platform (identities.ai, ratify.identities.ai, the Ratify Verify managed control plane, and all related APIs and adapters). A shorter marketing-site-only policy lives at /privacy.

1. Introduction

Identities AI, Inc. (“Identities AI,” “we,” “us,” or “our”) operates the Ratify platform — a cryptographic identity and authorization service for AI agents. This Privacy Policy describes how we collect, use, store, and protect information when you use our website, API, admin console, SDKs, adapters, and related services (the “Service”). We are committed to handling your data transparently.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address (required for authentication), first and last name, organization name, email domain (for corporate-domain matching), and account type (personal or organization). If you authenticate via Google or Microsoft OAuth, we receive your verified email address and provider user ID from the OAuth provider.

2.2 Cryptographic Key Material

For custodial accounts, we generate hybrid cryptographic key pairs (Ed25519 + ML-DSA-65) on your behalf. Private keys are envelope-encrypted using AES-256-GCM with data encryption keys (DEKs) that are themselves encrypted by Cloud KMS key encryption keys (KEKs). Private keys are never stored or accessed in plaintext. Public keys are stored unencrypted and are used only for signature verification. Self-custody users hold their own private keys; we never see them.

2.3 Delegation and Verification Data

When you issue or verify delegation certificates, we store delegation certificate metadata (issuer, subject, scopes, constraints, expiry), verification results (valid/invalid, identity status, assurance level), revocation records, and challenge-response data. Challenge bytes are ephemeral — held in a memory cache with a short TTL.

2.4 Meeting Integration Data

When you connect a meeting platform (Zoom, Microsoft Teams, Google Meet), we receive participant metadata from webhook events (display name, email address, platform-assigned participant ID), meeting session identifiers, and meeting-pass verification results. We do not access, record, store, or process any meeting audio, video, screen-sharing content, chat messages, or transcripts. We process only the minimum participant metadata required to match participants against verified meeting passes.

2.5 Audit Trail Data

Security-sensitive actions generate immutable audit records including event type, timestamp, actor identifier, subject identifier, organization identifier, and event-specific details. Audit records are hash-chained for tamper evidence (see VerificationReceipt in SPEC §17.5). PII-bearing fields are deliberately excluded from the hash payload so that GDPR pseudonymization and right-to-erasure do not break chain integrity.

2.6 Technical Data

We automatically collect IP addresses (for rate limiting, audit logging, and abuse prevention), HTTP request metadata (method, path, status code, latency — no request or response bodies), browser user-agent (for session management), and authentication timestamps. The marketing site uses Cloudflare Web Analytics, which is cookieless and does not identify individual users.

3. How We Use Your Information

We use collected information to (a) authenticate your identity and manage your account; (b) generate and manage cryptographic keys on your behalf for custodial accounts; (c) issue, verify, and revoke delegation certificates; (d) verify AI agent participants in meetings per your configured policy; (e) maintain immutable audit trails for compliance and security; (f) enforce rate limits and prevent abuse; (g) communicate with you about your account and the Service; and (h) comply with legal obligations. We do not use your data for advertising, profiling, or sale to third parties.

4. Data Storage and Security

Account data and delegation records are stored with encryption at rest (AES-256) and in transit (TLS 1.3). Cryptographic private keys for custodial accounts are envelope-encrypted under Cloud KMS with per-organization key rings. Ephemeral challenge data is held in an in-memory cache with TLS and a short TTL. Audit archives are stored in write-once (WORM) object storage with a default 365-day retention. Verify Sovereign deployments run inside the customer’s own infrastructure with customer-owned keys (see SPEC §17 and the Verify product documentation). Access to production infrastructure requires two-person approval via privileged access management.

5. Data Retention

Account data is retained for the lifetime of your account plus a 30-day grace period after a deletion request. Audit trail data retention is motion-dependent: 30 days searchable on Verify Operational; 90 days standard with optional 365-day retention on Verify Trust; and customer-controlled retention on Verify Sovereign (since the data lives inside the customer’s infrastructure). All managed audit data is also archived in WORM storage for 365 days regardless of motion. Delegation certificates are retained until expiry or revocation, plus 90 days for audit linkage. Meeting session data is retained for the audit-retention period of your motion. Cryptographic key material for custodial accounts is destroyed on account deletion.

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • Service providers. Cloud infrastructure (Google Cloud Platform), CDN / DNS / analytics (Cloudflare), transactional email (Resend / AWS SES). All providers are bound by data-processing agreements.
  • Meeting platforms. When you connect Zoom, Teams, or Meet, the platform sends us participant metadata via webhooks; we send enforcement actions back via their API. We do not share your Ratify data with meeting platforms beyond what is necessary for enforcement.
  • Legal requirements. We may disclose data when required by law, court order, or governmental regulation. We will notify you of such requests unless legally prohibited.
  • Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you.

7. Your Rights

Depending on your jurisdiction, you may have the right to (a) access your personal data; (b) correct inaccurate data; (c) request deletion of your data (subject to legal hold and sole-owner restrictions); (d) export your data in a machine-readable format; (e) object to processing of your data; (f) withdraw consent where processing is based on consent; and (g) lodge a complaint with a supervisory authority. To exercise these rights, email privacy@identities.ai. We respond within 30 days.

8. GDPR Compliance

For users in the European Economic Area, our legal basis for processing is (a) contract performance (providing the Service), (b) legitimate interest (security, abuse prevention, audit trails), and (c) legal obligation (regulatory compliance). The hash chain in our audit trail is designed for GDPR compatibility: PII is excluded from the chain payload, so pseudonymization and right-to-erasure can be exercised without breaking audit integrity. Data transfers outside the EEA are governed by Standard Contractual Clauses with our infrastructure providers. Verify Trust offers contractual data-residency commitments (US, EU, Switzerland); Verify Sovereign keeps all data inside the customer’s own jurisdiction.

9. CCPA Compliance

For California residents: we do not sell personal information and do not use personal information for cross-context behavioral advertising. You have the right to know what personal information we collect, request deletion, and opt out of any future sale (which we do not engage in). To exercise these rights, email privacy@identities.ai.

10. Children’s Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If we learn that we have, we will delete it promptly.

11. Cookies and Tracking

The Ratify Verify console (ratify.identities.ai) uses HttpOnly cookies for session tokens and a readable CSRF cookie for request protection. We do not use tracking cookies, advertising pixels, or third-party analytics scripts in the admin console. The marketing site (identities.ai) uses Cloudflare Web Analytics, which is cookieless and does not track individual users.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes are communicated via email at least 30 days before they take effect. The “Last updated” date at the top of this policy reflects the most recent revision.

13. Contact

Privacy: privacy@identities.ai
Security: security@identities.ai
Identities AI, Inc. · Seattle, Washington, United States.