Biometric Data Processing Consent
1. Why This Document Is Necessary
Under the GDPR (General Data Protection Regulation of the European Union), Article 9, biometric data is a special category of personal information. Processing such data is permitted only on the basis of your explicit consent (Article 9(2)(a)).
This document explains precisely which biometric data is processed, why, by whom, and what your rights are — and requests your consent before the process begins.
Without your consent, no biometric data processing will take place whatsoever.
2. What Is Identity Verification (KYC)
To enhance trust and security within the Swapli community, we require advanced identity verification (Know Your Customer — KYC) from every member who wishes to conduct house exchanges.
The process includes:
- Photograph or upload of a government-issued identity document — passport, identity card, or driver's license.
- Selfie photograph — a live facial image (with liveness check).
- Biometric comparison — the third-party provider compares the face in the selfie with the image on the identity document.
- Receipt of result — Swapli receives only the verification result (pass / fail) and basic details from the document.
3. Which Biometric Data Is Processed
3.1 Data Processed During Verification
| Data Type | Description | Who Processes |
|---|---|---|
| Facial identification | Biometric template of your facial features | Third-party provider only (Didit or Stripe) |
| Liveness check | Verification that you are a living person (not a photograph or video) | Third-party provider only |
| Selfie photograph | Photograph of your face for comparison purposes | Third-party provider only |
| Identity document photograph | Photograph of the document including facial image | Third-party provider only |
3.2 What Swapli Retains
Swapli retains only the verification results, not the biometric data itself:
- Verification result (pass / fail)
- Name as it appears in the document
- Date of birth
- Type of document (passport, identity card, etc.)
- Document number (partially encrypted)
- Issuing country
- Verification timestamp
- Identification of the provider who performed the verification
3.3 What Swapli Does Not Retain — Under Any Circumstances
- Selfie photographs
- Identity document photographs
- Video recordings
- Biometric templates (facial templates)
- Raw facial identification data
- Any other biometric data
4. Who Processes the Biometric Data
Biometric data is processed exclusively by a third-party provider — Didit or Stripe Identity (depending on system requirements). Swapli does not process biometric data itself.
| Provider | Role | Privacy Policy |
|---|---|---|
| Stripe Identity | KYC identity verification | stripe.com/privacy |
| Didit | KYC identity verification | didit.me/privacy |
Biometric data is transmitted directly from your device to the provider, retained according to its retention policy, and deleted according to its terms of service. Swapli does not act as an intermediary for, store, or process raw biometric data at any stage.
5. Why We Need Your Consent
5.1 Legal Basis
Processing biometric data requires explicit consent under GDPR Article 9(2)(a). This is the sole legal basis on which we rely for processing biometric data.
Note: Other details from the KYC process (name, date of birth, document details) are processed on the basis of contract performance (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)), and are not dependent on this consent.
5.2 Purposes
Your consent enables processing of biometric data for the following purposes only:
- Verification of your identity — confirmation that the person submitting the request is indeed the holder of the identity document.
- Fraud prevention — ensuring that forged or stolen documents are not used.
- Liveness check — confirmation that we are dealing with a living person and not a photograph, mask, or video recording.
6. Retention and Deletion
6.1 Verification Results (What Swapli Retains)
- Retention period: One year from the date of verification.
- Reason: Statutory limitation period (5 years under Dutch law) + legal protection.
- After account deletion: Verification results are retained until the end of the 5-year period, even if the account is deleted earlier.
6.2 Raw Biometric Data (What the Provider Retains)
- Swapli does not retain raw biometric data — at all.
- The provider (Didit or Stripe) retains the data according to its own retention policy.
- For complete details, please refer to the provider's privacy policy (links in Section 4).
7. Your Rights
7.1 Right to Withdraw Consent
You have the right to withdraw your consent at any time. Withdrawal of consent:
- Will not affect the lawfulness of processing already carried out before withdrawal.
- Will prevent future biometric processing.
- May affect your ability to use services that require identity verification (you will not be able to conduct new house exchanges).
How to withdraw consent:
- Through your account settings → Privacy → Biometric Data
- By contacting the DPO at: dpo@swapli.net
7.2 Right of Access
You have the right to request access to all data held about you, including verification results. Please contact the DPO at dpo@swapli.net.
7.3 Right to Erasure
You have the right to request deletion of verification results, subject to legal retention obligations (see Section 6.1). Regarding raw biometric data — please contact the provider directly (Didit or Stripe).
7.4 Right to Lodge a Complaint
If you believe your data is being processed unlawfully, you may lodge a complaint with:
- Autoriteit Persoonsgegevens (Dutch Data Protection Authority): autoriteitpersoonsgegevens.nl
- Any other supervisory authority in your European Union member state.
8. Contact Information
Data Protection Officer (DPO): Daniel
Email: dpo@swapli.net
Platform Operator: Webguy BV
KVK: 72381647
Amsterdam, The Netherlands
For complete information on how your data is handled, please refer to our Privacy Policy and Terms of Service.
9. Governing Language
This document has been prepared in Hebrew and English. In the event of any discrepancy between the versions, the English version shall prevail.
This document is an integral part of Swapli's privacy policy and terms of service.
What's new in this version
Updated KYC results retention to 1 year, updated reason (statutory limitation + legal protection)