Privacy Policy

Effective date: 25 April 2026 Company: Horkos Ltd Product: Horkos

This Privacy Policy explains how Horkos Ltd (“Horkos”, “we”, “us”, “our”) handles information in connection with the Horkos identity verification platform, website, hosted verification flow, APIs, admin panel, and related services.

Horkos is a B2B identity verification infrastructure service. Businesses use Horkos to verify whether a person appears to match an identity document and to receive a technical verification result.

This Policy is written for:

  • businesses that use Horkos;
  • people who complete a verification flow powered by Horkos;
  • administrators, developers, reviewers, and other users of the Horkos platform;
  • visitors to the Horkos website.

1. Who controls the verification

In most verification flows, the business that invited you to verify your identity decides:

  • why verification is required;
  • which verification checks are enabled;
  • which threshold or decision policy is used;
  • what happens after a verification result is returned;
  • how long non-raw verification records are needed for its own business purpose.

Horkos provides the infrastructure that collects, processes, analyzes, and returns verification results according to the configuration selected by that business.

If you are an end user and have questions about why you were asked to verify your identity, how a result affects your account, or whether you can use an alternative process, contact the business that requested your verification.

2. Information we collect

The information collected depends on how the business configured the verification flow.

2.1 Verification data

During a verification session, Horkos may process:

  • images or scans of an identity document, such as a passport or ID card;
  • a selfie image or short selfie video;
  • a portrait extracted from the identity document;
  • data extracted from the document, such as name, date of birth, document number, document type, issuing country, expiry date, MRZ data, and similar fields;
  • face matching results, including similarity score, threshold, pass/fail result, provider name, and model version;
  • liveness result if liveness is enabled;
  • document quality and processing flags;
  • decision result, reason codes, timestamps, and audit events.

2.2 Technical data

Horkos may process technical data needed to run the service:

  • session ID;
  • tenant ID;
  • external user ID if provided by the business;
  • request ID;
  • IP address;
  • user agent;
  • browser and device information;
  • upload status;
  • API and webhook delivery logs;
  • error logs;
  • security and rate-limit events.

2.3 Business account data

For business customers and platform users, Horkos may process:

  • name;
  • business email;
  • company name;
  • role or access level;
  • API key metadata;
  • admin activity logs;
  • webhook settings;
  • support messages;
  • billing or commercial contact details where applicable.

2.4 Website data

When you visit the Horkos website, we may process basic technical information such as IP address, browser type, pages visited, timestamps, and similar operational logs.

3. How we use information

Horkos uses information to:

  • create and run verification sessions;
  • extract data from identity documents;
  • compare a document portrait with a selfie;
  • calculate technical scores and pass/fail results;
  • apply the configured decision rules;
  • provide hosted verification links;
  • send API responses and webhook events;
  • show results in the admin panel;
  • maintain audit trails;
  • detect abuse, broken integrations, and suspicious technical behavior;
  • secure accounts, API keys, sessions, and infrastructure;
  • debug failures and improve system reliability;
  • provide customer support;
  • operate and improve the Horkos platform.

Horkos does not use raw passport, selfie, or video files for advertising.

Horkos does not sell raw verification data.

4. Raw media retention

Horkos is designed to minimize long-term storage of raw biometric and identity media.

Raw passport, ID card, selfie, and video bytes are not persisted long-term by default.

For normal processing, raw media may temporarily exist in:

  • upload memory;
  • temporary object storage;
  • processing workers;
  • provider requests if a configured external provider is used.

In the standard Horkos deployment, raw media in temporary object storage has a hard lifecycle expiry of 24 hours and is also eagerly purged after the pipeline step that consumes it.

After processing, Horkos may retain non-raw records, including:

  • session metadata;
  • extracted OCR fields;
  • MRZ validation result;
  • hashes;
  • scores;
  • provider names;
  • model versions;
  • decision result;
  • reason codes;
  • webhook delivery records;
  • audit events.

These records are used to explain what happened in a verification session without keeping the original raw media longer than needed.

5. Automated processing and human review

Horkos may generate a technical result automatically, such as:

  • face match score;
  • liveness score;
  • document quality score;
  • pass/fail result;
  • retry required;
  • needs manual review.

The business using Horkos decides how to use that result in its own service.

Some sessions may be reviewed manually by authorized users of the business or by authorized Horkos platform users, depending on the setup.

6. Sharing information

Horkos may share information with:

6.1 The business that requested verification

Verification results and relevant session data are shared with the business that created or requested the verification session.

6.2 Infrastructure and service providers

Horkos may use infrastructure and technical providers for hosting, storage, queueing, logging, OCR, face matching, liveness, email, monitoring, analytics, support, and similar operational services.

Depending on the tenant configuration, this may include external providers such as document OCR or face matching APIs.

6.3 Professional advisors and business operations

Horkos may share limited information with advisors, auditors, insurers, or service providers where needed to operate the business.

6.4 Required disclosures

Horkos may disclose information when required to protect the service, respond to lawful requests, enforce agreements, prevent abuse, or protect rights and safety.

7. External providers

Some Horkos deployments may use third-party providers for specific checks, such as:

  • document OCR;
  • face matching;
  • liveness;
  • document authenticity.

Provider use depends on the business configuration.

If an external provider is enabled, the relevant verification data may be sent to that provider for processing. Horkos records the provider name and model or service version where available.

8. Security

Horkos uses technical and organizational measures designed to protect data, including:

  • encrypted transport;
  • access controls;
  • API key hashing;
  • signed webhooks;
  • session tokens;
  • audit logging;
  • object storage lifecycle expiry;
  • limited retention of raw media;
  • separation of raw media and long-term metadata;
  • restricted administrative access;
  • monitoring and rate limits.

No system is perfectly secure. If you believe you found a security issue, contact us immediately.

9. Data location

Horkos may process and store data in the regions where its infrastructure, customer deployment, or configured providers operate.

For self-hosted or dedicated deployments, data location may depend on the deployment selected by the business.

10. Data requests

If you completed a verification flow for a business, contact that business first for requests related to:

  • access;
  • correction;
  • deletion;
  • objection;
  • alternative verification;
  • appeal or review of a decision.

Horkos may not be able to identify or act on an end-user request without direction from the business that requested the verification.

Business customers and platform users may contact Horkos directly for account-related data requests.

11. Data deletion

Horkos deletes or anonymizes data according to:

  • the retention settings configured for the relevant deployment;
  • the business customer’s instructions;
  • operational needs;
  • security needs;
  • backup and disaster recovery cycles;
  • obligations that require limited retention.

Raw media is handled separately from long-term metadata and is designed to expire quickly as described in this Policy.

12. Children

Horkos is a B2B platform and is not intended for direct use by children.

Businesses using Horkos are responsible for deciding whether a verification flow is appropriate for their users.

13. Changes to this Policy

Horkos may update this Privacy Policy from time to time.

If we make material changes, we will update the effective date and provide notice through the website, platform, customer communication, or another appropriate channel.

14. Contact

For privacy questions, contact:

Horkos Ltd Email: privacy@horkos.example Address: [Insert registered company address] Company registration number: [Insert registration number]