Your privacy is our architecture

Privacy Policy

How we protect the personal data of identity owners, their children, and identity consumers.

Last updated: 4 March 2026

1. Overview

LifePassport ("we", "us", "our") is a privacy-first digital identity platform. This Privacy Policy explains how we collect, use, store, and protect personal data for three distinct groups:

  • Identity Owners — individuals who use the LifePassport mobile app to verify and manage their identity
  • Children — minors whose identity is managed by a parent or legal guardian through the app
  • Identity Consumers — businesses that use the LifePassport platform to request and verify identity claims

Our core architectural principle is that personal identity data stays on the user's device. LifePassport's backend never stores raw personal data. We store only cryptographic hashes and digitally signed verification receipts — not the underlying personal information.

2. Who We Are

LifePassport is operated by Murphee Ltd, a company registered in England and Wales.

Data Controller: Murphee Ltd
ICO Registration: Pending

3. Definitions

Identity Owner — An individual who downloads the LifePassport app and uses it to verify, store, and selectively share their identity credentials.
Child Profile — An identity profile for a minor (under 18) managed by a parent or legal guardian within the app.
Identity Consumer — A business or organisation that registers on the LifePassport Consumer Portal to request identity verification from Identity Owners via our API.
Claim — A specific piece of identity information (e.g. "full name", "date of birth", "over 18") that can be verified and shared.
Verification Receipt — A digitally signed, non-PII record confirming that a verification took place, including the outcome, timestamp, and claims hash.
Zero-Knowledge Proof (ZKP) — A cryptographic method that proves a fact (e.g. "this person is over 18") without revealing the underlying data (e.g. date of birth).

4. Identity Owners (App Users)

How we handle your data as a LifePassport app user

4.1 Data Stored on Your Device Only

The following data is stored exclusively on your device, encrypted with AES-256-GCM, protected by your biometric authentication. LifePassport's servers never receive or store this data:

  • Passport data read from the NFC chip (name, date of birth, nationality, photo)
  • Driving licence data (scanned via OCR and NFC)
  • Face photos captured during liveness verification
  • Liveness biometric data (see Section 7 for full details)
  • Self-asserted identity profile (address, middle names)
  • OAuth tokens from government services (HMRC, NHS Login, etc.)
  • Verified identity claims and credentials

4.2 Data Stored on Our Servers

We store the following data on our servers to operate the service:

  • Account data: Email address, phone number (E.164 format), hashed password, country of residence
  • Device registration: FCM push token, device fingerprint hash, platform (Android/iOS)
  • Cryptographic hashes: SHA-256 hashes of your verified claims — used to confirm verifications without storing the actual data
  • Verification receipts: Digitally signed records of verification events (no PII — only hashes, timestamps, and outcomes)
  • DID (Decentralised Identifier): Your public cryptographic identifier — contains no personal information
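
The claims hashes above are the one piece of server-side data that is derived from identity data, so it is worth being precise about what a SHA-256 hash does and does not hide. A hash of a high-entropy input is not reversible, but many identity claims have very few possible values: "over 18" has two, a date of birth has a few tens of thousands. Anyone holding a bare hash of such a claim can recover it by hashing every candidate and comparing. The example below is an added illustration, not LifePassport's code; the policy does not describe how claims are serialised before hashing or whether a salt is included, so the canonical JSON encoding, the 128-bit random salt and the helper names are assumptions. It shows the dictionary recovery against a bare hash, and the salted commitment that defeats it while still letting the owner later disclose the claim together with its salt for checking.

```python
"""Added example: hashing identity claims with and without a random salt.

Not LifePassport's own code. The JSON canonicalisation, the salt length and the
function names are assumptions made for illustration.
"""
import hashlib
import json
import secrets
from datetime import date, timedelta
from typing import Iterable, List, Optional


def canonical_claim(name: str, value: object) -> bytes:
    """Serialise a claim deterministically so both parties hash identical bytes."""
    return json.dumps({"claim": name, "value": value}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def bare_claim_hash(name: str, value: object) -> str:
    """Plain SHA-256 of the claim: adequate for high-entropy data, weak for
    low-entropy claims such as booleans or dates, which can be guessed."""
    return hashlib.sha256(canonical_claim(name, value)).hexdigest()


def new_salt() -> bytes:
    """128 random bits, generated on the owner's device and kept with the claim."""
    return secrets.token_bytes(16)


def salted_claim_hash(name: str, value: object, salt: bytes) -> str:
    """SHA-256 over salt || claim. Without the salt, a holder of the hash cannot
    test guesses against it; with the salt, the owner can prove what was committed."""
    return hashlib.sha256(salt + canonical_claim(name, value)).hexdigest()


def verify_disclosed_claim(stored_hash: str, name: str, value: object, salt: bytes) -> bool:
    """Check a claim the owner discloses (value plus salt) against the stored hash."""
    return secrets.compare_digest(salted_claim_hash(name, value, salt), stored_hash)


def all_dates(first_year: int, last_year: int) -> List[str]:
    """Every ISO date in the range: the whole search space for a date-of-birth claim."""
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    out: List[str] = []
    while day <= end:
        out.append(day.isoformat())
        day += timedelta(days=1)
    return out


def dictionary_recover(target_hash: str, name: str, candidates: Iterable[object]) -> Optional[object]:
    """What someone holding a bare claim hash can do: hash each candidate value and
    compare. Returns the recovered value, or None if no candidate matches."""
    for candidate in candidates:
        if bare_claim_hash(name, candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    dob = "1990-06-15"  # constructed sample value
    leaked = bare_claim_hash("date_of_birth", dob)
    print("bare hash recovered:", dictionary_recover(leaked, "date_of_birth", all_dates(1900, 2026)))
    salt = new_salt()
    committed = salted_claim_hash("date_of_birth", dob, salt)
    print("salted hash recovered:", dictionary_recover(committed, "date_of_birth", all_dates(1900, 2026)))
    print("owner can still prove it:", verify_disclosed_claim(committed, "date_of_birth", dob, salt))
```

The salted form is the construction used by selective-disclosure credential formats: the verifier stores only the commitment, and the owner reveals value and salt together when, and only when, they approve a request.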

4.3 Legal Basis for Processing

Legal basis | Processing activity
Contract performance | Account creation, authentication, identity verification services
Legitimate interest | Security monitoring, fraud prevention, service improvement
Consent | Sharing specific identity claims with Identity Consumers (you approve each request individually)
Legal obligation | Retention of verification receipts for regulatory audit requirements

4.4 Identity Sharing

When a business requests your identity, you see exactly which claims they are requesting and choose whether to approve or reject the request. You can approve with full data, or use zero-knowledge proofs to confirm facts without revealing the underlying data.

You are always in control. No identity data is shared without your explicit, per-request approval via biometric authentication.

5. Children & Parental Controls

Special protections for children under 18

LifePassport provides enhanced protections for children in accordance with child privacy laws worldwide, including the UK Age Appropriate Design Code (the Children's Code), UK GDPR, the Online Safety Act 2023, the US Children's Online Privacy Protection Act (COPPA), EU GDPR Article 8, and the Brazilian LGPD Article 14.

5.1 Parental Consent Required

Children under 18 cannot create their own LifePassport account. A parent or legal guardian must create a Child Profile within their own account. The parent retains full control over:

  • Which platforms can request the child's identity verification
  • Which specific claims each platform can verify
  • Granting and revoking consent for each platform individually
  • Viewing all verification activity in the audit log

5.2 Age Verification

Children undergo liveness-based age estimation using on-device AI (the image never leaves the device). The system produces a multi-signal confidence score combining facial age estimation, declared age, parent-child plausibility, and document evidence where available.

Biometric processing for children: Any mathematical representation of the child's face used during liveness age estimation is transient — it is processed entirely on the device and destroyed immediately after the check completes. LifePassport does not create, transmit, or store a persistent biometric template for any child on its servers. See Section 7 for full biometric data details.

5.3 Re-Verification & Age Bracket Transitions

The system automatically schedules re-verification checks as children grow. When a child transitions between age brackets (e.g. turning 13 or 16), the system can automatically revoke consents that are no longer appropriate for the new age bracket. Parents are notified via push notification when re-verification is due.

Automated decision-making: Automatic consent revocation on age bracket transitions and automatic re-verification scheduling are necessary for the protection of the child (GDPR Article 22(2)(b) — processing necessary for reasons of substantial public interest under Article 9(2)(g)). Parents are notified of all automated actions and may contest any automated decision regarding their child's age verification or consent status by contacting our privacy team at privacy@lifepassport.id.

5.4 Data Minimisation for Children

We apply strict data minimisation for children's profiles:

  • No facial images are stored on our servers — liveness checks are processed entirely on-device
  • Only the age bracket (e.g. "13–15") and a confidence score are stored, never the actual date of birth
  • Businesses receive only the minimum claims needed (e.g. "under 18 = true") — never the child's full identity
  • Child profiles can be deleted at any time by the parent, which immediately revokes all active consents

5.5 Secondary Parents

A primary parent can invite a secondary parent or guardian to co-manage a child's profile. Both parents have visibility of the child's consent status and verification history.

5.6 If You're Under 18 — Read This

Hey — this part is written just for you.

Your personal stuff stays on your phone. Your name, your photo, your date of birth — none of that is sent to our computers. It's locked on your device, protected by your fingerprint or face.

Your parent decides who can check your identity. If a website or app wants to confirm something about you (like that you're old enough), your parent has to say yes first. They can also take back that permission at any time.

Nobody gets more info than they need. If a website just needs to know you're over 13, that's all they get — a simple yes or no. They don't see your name, your birthday, or anything else.

If you have questions about your data, you or your parent can email us at privacy@lifepassport.id — we'll always reply.

5.7 Global Child Privacy Compliance

LifePassport is designed to comply with child privacy regulations across jurisdictions. The following table summarises how our architecture meets key requirements:

Regulation | Requirement | How We Comply
UK Children's Code | Best interests of the child, data minimisation, transparency | On-device processing, parental controls, child-friendly privacy notice (above)
US COPPA | Verifiable parental consent for under-13s, no unnecessary collection | All children require parental account; only age brackets stored server-side
EU GDPR Art. 8 | Parental consent for information society services (age 13–16 by member state) | Parental consent required for all under-18s (exceeds minimum threshold)
Brazil LGPD Art. 14 | Processing in child's best interest, specific parental consent | Per-platform parental consent, data minimisation, no profiling
Online Safety Act 2023 | Age assurance for regulated services | Multi-signal age estimation with re-verification cycles

6. Identity Consumers (Businesses)

How we handle business data on the Consumer Portal

6.1 Registration Data

When a business registers on the LifePassport Consumer Portal, we collect:

  • Business name, registered address, and company number
  • Industry category (used to determine which claims the business can request)
  • Contact email addresses for portal users (admin, manager, viewer roles)
  • Hashed passwords for portal authentication
  • Webhook URLs for receiving verification notifications

6.2 API Keys & Tokens

API keys are generated for authenticated API access. Key hashes are stored server-side; the raw key is shown only once at creation. Keys can be rotated or revoked at any time through the portal.
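
The pattern described above (raw key shown once, only a hash retained, rotation and revocation through the portal) is worth seeing end to end, because the details are where implementations go wrong: comparing hashes with a constant-time function, looking records up by a non-secret key identifier rather than scanning every stored hash, and invalidating the old key the moment a rotation issues the new one. The following is an added example, not LifePassport's code; the key format with a recognisable prefix and an embedded key identifier, the in-memory store and the method names are assumptions.

```python
"""Added example: API key issuance, storage and verification.

Not LifePassport's own code. The key format (prefix, key id, secret), the
in-memory store and the method names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

KEY_PREFIX = "lp_live_"  # assumed; a fixed prefix lets secret scanners recognise leaked keys


def _hash_key(raw_key: str) -> str:
    """Plain SHA-256 is adequate for a key with 256 bits of entropy; a password
    would instead need a slow, salted KDF because it can be guessed."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Stores key hashes only; the raw key exists solely in the issuing response."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}  # key_id -> {business, hash, revoked}

    def issue(self, business_id: str) -> Tuple[str, str]:
        """Return (key_id, raw_key). raw_key is returned once and never stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # 256 random bits, URL-safe, contains no "."
        raw_key = f"{KEY_PREFIX}{key_id}.{secret}"
        self._records[key_id] = {"business": business_id, "hash": _hash_key(raw_key), "revoked": False}
        return key_id, raw_key

    def revoke(self, key_id: str) -> None:
        if key_id in self._records:
            self._records[key_id]["revoked"] = True

    def rotate(self, key_id: str) -> Tuple[str, str]:
        """Issue a replacement for the same business and revoke the old key at once."""
        record = self._records[key_id]
        new_id, new_raw = self.issue(record["business"])
        self.revoke(key_id)
        return new_id, new_raw

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the business id for a valid, unrevoked key, else None."""
        if not presented.startswith(KEY_PREFIX):
            return None
        # The key id is not secret, so a dictionary lookup on it is fine; only the
        # hash comparison needs to be constant-time.
        key_id, sep, _secret = presented[len(KEY_PREFIX):].partition(".")
        if not sep:
            return None
        record = self._records.get(key_id)
        if record is None or record["revoked"]:
            return None
        if not hmac.compare_digest(_hash_key(presented), record["hash"]):
            return None
        return record["business"]


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, raw_key = store.issue("business-123")  # constructed sample business
    print("show once:", raw_key)
    print("authenticates as:", store.authenticate(raw_key))
    _new_id, new_raw = store.rotate(key_id)
    print("old key after rotation:", store.authenticate(raw_key))
    print("new key after rotation:", store.authenticate(new_raw))
```

Because only the hash is stored, a database compromise yields nothing usable against the API; a business that loses its raw key cannot retrieve it and must rotate.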

6.3 Verification Data Received by Businesses

The data a business receives depends on their chosen data tier:

ZKP Mode (Zero-Knowledge) — The business receives only a yes/no confirmation (e.g. "over 18 = true"). No personal data is transmitted or stored.
Token Mode — The business receives encrypted identity tokens containing the approved claims. The business stores these on their own systems and is responsible for their protection under applicable data protection law.
Receipt Mode — Both parties receive a digitally signed verification receipt (no PII) for audit purposes.

6.4 Claim Restrictions

LifePassport's data governance service enforces which claims a business can request based on their industry category, country of operation, and applicable regulations. A gambling company cannot request medical data. A hotel cannot request credit scores. These restrictions are enforced programmatically and cannot be bypassed.

6.5 Audit Trail

All API activity on the Consumer Portal is logged in an immutable audit trail, including verification requests, approvals, rejections, API key usage, and team member changes. This audit trail is available to the business through the portal and may be required for regulatory compliance.

7. Biometric Data

How we handle biometric information

LifePassport processes biometric data (facial images and liveness checks) as part of identity verification. This section explains exactly how biometric data is handled to comply with the Illinois Biometric Information Privacy Act (BIPA), the EU AI Act, UK GDPR Article 9, and other biometric privacy regulations worldwide.

7.1 No Persistent Biometric Templates on Our Servers

LifePassport does not create, collect, store, or retain any biometric template, biometric identifier, or persistent mathematical representation of your face on its servers.

All biometric processing occurs exclusively on your device:

  • Face photos captured for liveness verification are processed on the device; any copy kept on the device is encrypted with keys held in its hardware-backed keystore (Android Keystore / iOS Secure Enclave)
  • Any mathematical representation of your face used during liveness analysis is transient — it exists only in volatile memory during the check and is destroyed immediately upon completion
  • No biometric data, template, or derived representation is transmitted to LifePassport's servers or any third party
  • The only output sent to our server is the liveness result: a confidence score (a single number) and the pass/fail outcome derived from it

7.2 On-Device Biometric Authentication

LifePassport uses your device's built-in biometric authentication (fingerprint or face recognition) to authorise sensitive operations such as identity sharing. This biometric check is handled entirely by the operating system (Android BiometricPrompt / iOS LocalAuthentication) — LifePassport never receives, processes, or stores the biometric data used for device unlock.

7.3 Government ID Photos

When you scan a passport or driving licence, the photo from the document is stored encrypted on your device for potential face-matching during verification. This photo is never uploaded to our servers. If you delete your profile or uninstall the app, this data is permanently destroyed.

7.4 Your Rights Regarding Biometric Data

You have the right to:

  • Request confirmation of whether we hold any biometric data about you (we do not hold any on our servers)
  • Delete all on-device biometric data at any time by deleting your profile or uninstalling the app
  • Opt out of liveness verification (note: this may limit the assurance level of your identity)

8. Data We Collect

Data Category | Stored Where | Applies To
Email address | Server | Owners, Consumers
Phone number | Server | Owners
Hashed password | Server | Owners, Consumers
Passport / licence data | Device only | Owners
Face photos / liveness | Device only | Owners, Children
Claims hashes (SHA-256) | Server | Owners, Children
Verification receipts | Server | Owners, Consumers
Child age bracket | Server | Children
Business registration details | Server | Consumers
API keys (hashed) | Server | Consumers

9. How We Use Data

  • Account management: Creating and authenticating your account, sending OTP verification codes
  • Identity verification: Facilitating the verification flow between Identity Owners and Identity Consumers
  • Child protection: Enforcing age-appropriate access controls, scheduling re-verification, detecting age bracket transitions
  • Security: Detecting fraud, preventing unauthorised access, device attestation
  • Compliance: Generating verification receipts for regulatory audit, enforcing data governance rules per jurisdiction
  • Service improvement: Anonymised and aggregated usage analytics (no personal data)
  • Communications: Transactional emails (OTP, verification notifications), push notifications for verification requests

We do not: sell personal data, use personal data for advertising, profile users for marketing, or share personal data with third parties for their own purposes.

10. Do Not Sell or Share

California CCPA/CPRA Notice

LifePassport does not sell your personal information as defined by the California Consumer Privacy Act (CCPA). LifePassport does not share your personal information for cross-context behavioural advertising as defined by the California Privacy Rights Act (CPRA).

Sensitive Personal Information

Under the CPRA, government-issued identifiers, biometric data, and precise geolocation are classified as "Sensitive Personal Information" (SPI). LifePassport processes SPI solely for the purpose of providing the identity verification service you have requested. We do not use or disclose sensitive personal information for purposes other than those permitted by Section 1798.121 of the CPRA.

Notice at Collection

This Privacy Policy is linked at the point of data collection — on the registration screen of the LifePassport app and the Consumer Portal registration page — before you provide any personal information. You are not required to provide personal information to browse the LifePassport website.

11. Automated Decision-Making

GDPR Article 22 — Rights regarding automated processing

LifePassport uses automated processing in the following limited contexts:

  • Age bracket transitions: When a child reaches a new age bracket (e.g. 13, 16, 18), the system may automatically revoke consents that are no longer age-appropriate
  • Re-verification scheduling: The system automatically schedules periodic re-verification checks for child profiles based on platform requirements and regulatory rules
  • Liveness confidence scoring: On-device AI produces a multi-signal confidence score for age estimation (this does not produce legal effects — it informs the assurance level displayed)
  • Claim restriction enforcement: The data governance service automatically determines which claims a business may request based on their industry and jurisdiction

11.1 Legal Basis

Automated consent revocation and re-verification scheduling for children are necessary for the performance of the contract (providing a child-safe identity service) and for reasons of substantial public interest in the area of child protection (GDPR Article 9(2)(g), UK Data Protection Act 2018 Schedule 1 Part 2).

11.2 Human Oversight & Right to Contest

You may contest any automated decision by contacting our privacy team at privacy@lifepassport.id. We will:

  • Review the decision with human oversight within 5 working days
  • Provide a clear explanation of the automated logic and inputs
  • Reverse or modify the decision if it is found to be incorrect
  • Offer an alternative manual process if you object to automated decision-making

Parents may contest automated decisions affecting their children's profiles at any time. Identity Consumers may contest automated claim restriction decisions through the Consumer Portal or by contacting privacy@lifepassport.id.

12. Data Sharing

We share personal data only in the following circumstances:

  • With Identity Consumers (only with your approval): When you approve a verification request, the approved claims are shared with the requesting business. You control this on a per-request basis.
  • Infrastructure providers: We use cloud hosting, email delivery (Microsoft Graph), SMS delivery (Telnyx), and push notifications (Firebase Cloud Messaging). These providers process data on our behalf under data processing agreements.
  • Legal requirements: We may disclose data if required by law, regulation, court order, or governmental authority.

We do not share personal data with advertisers, data brokers, or social media platforms.

13. International Transfers

Cross-border data handling

LifePassport's architecture minimises international data transfers because personal data stays on the user's device. Server-side data (account details, hashes, receipts) is hosted within the EEA/UK.

Where infrastructure providers process data outside the UK/EEA (e.g. Firebase Cloud Messaging), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).

14. Data Retention

How long we keep data

Data | Retention period
Account data | Until you delete your account, then purged within 30 days
On-device data | Until you uninstall the app or wipe the data
Verification receipts | 7 years (regulatory audit requirement)
Claims hashes | Until account deletion
Child profiles | Until deleted by the parent, or until the child reaches 18 and creates their own account
Consumer Portal data | Until the business closes its account, then purged within 30 days (except receipts)
Audit logs | 7 years

15. Security Measures

How we protect your data

  • On-device encryption: AES-256-GCM with keys bound to the device's hardware-backed keystore (Android Keystore / iOS Secure Enclave)
  • Biometric protection: Sensitive operations (identity sharing, profile changes) require fingerprint or face authentication
  • Transport security: TLS 1.2+ for all API communication, certificate pinning for sensitive endpoints
  • Server-side encryption: AES-256-GCM storage encryption with key rotation support
  • Zero-knowledge proofs: Prove facts without revealing underlying data
  • RS256 JWT authentication: Asymmetric token signing — private key isolated to auth service
  • HMAC-SHA256 webhooks: Tamper-proof notification delivery to businesses
  • Ed25519 signed receipts: Tamper-evident verification records
  • Split-key architecture: Sensitive data requires both device key and server key to decrypt — neither party can access data alone
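
The HMAC-SHA256 webhook signature above is the control a business relies on at the webhook URL it registered in Section 6.1, and it only delivers "tamper-proof" if the receiver verifies it correctly: over the raw request body (not a re-serialised copy), with a constant-time comparison, with the timestamp bound into the signed data so a captured delivery cannot be replayed later, and before the body is parsed or acted on. The following is an added example of both sides of that exchange, not LifePassport's code; the header names, the "timestamp.body" signing layout, the five-minute tolerance and the sample payload are assumptions.

```python
"""Added example: HMAC-SHA256 webhook signing and receiver-side verification.

Not LifePassport's own code. Header names, the signed-data layout
(timestamp + "." + raw body), the tolerance window and the sample event are
assumptions for illustration.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

TIMESTAMP_HEADER = "X-LifePassport-Timestamp"  # assumed header name
SIGNATURE_HEADER = "X-LifePassport-Signature"  # assumed header name


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: MAC over the timestamp and the exact bytes put on the wire."""
    signed = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, timestamp_header: Optional[str],
                   signature_header: Optional[str], now: Optional[int] = None,
                   tolerance_seconds: int = 300) -> bool:
    """Receiver side: reject stale timestamps, then compare in constant time."""
    if timestamp_header is None or signature_header is None:
        return False
    try:
        timestamp = int(timestamp_header)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance_seconds:
        return False
    expected = sign_webhook(secret, body, timestamp)
    return hmac.compare_digest(expected, signature_header)


class ReplayGuard:
    """Remember signatures seen inside the tolerance window; a valid delivery
    replayed within the window is rejected the second time."""

    def __init__(self, window_seconds: int = 300) -> None:
        self._seen: Dict[str, int] = {}
        self._window = window_seconds

    def first_sight(self, signature: str, now: int) -> bool:
        self._seen = {s: t for s, t in self._seen.items() if now - t <= self._window}
        if signature in self._seen:
            return False
        self._seen[signature] = now
        return True


def handle_delivery(secret: bytes, headers: Dict[str, str], body: bytes,
                    guard: ReplayGuard, now: int) -> Optional[dict]:
    """Verify, then de-duplicate, then (and only then) parse the JSON body."""
    signature = headers.get(SIGNATURE_HEADER)
    if not verify_webhook(secret, body, headers.get(TIMESTAMP_HEADER), signature, now=now):
        return None
    if not guard.first_sight(signature, now):
        return None
    return json.loads(body.decode("utf-8"))


if __name__ == "__main__":
    secret = b"whsec_constructed_sample"  # constructed; a real secret is per business
    event = {"event": "verification.completed", "outcome": "pass", "receipt_id": "rcpt_constructed"}
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    ts = int(time.time())
    headers = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign_webhook(secret, body, ts)}
    guard = ReplayGuard()
    print("first delivery:", handle_delivery(secret, headers, body, guard, ts))
    print("replayed delivery:", handle_delivery(secret, headers, body, guard, ts + 5))
```

A receiver that parses the JSON and re-serialises it before computing the MAC will see spurious failures whenever key order or whitespace differs, and a receiver that compares with `==` leaks the expected value byte by byte through timing; both mistakes are common enough to be worth the explicit comment.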

16. Your Rights

Under UK GDPR, EU GDPR, and applicable local law

16.1 What We Actually Hold About You

Because LifePassport's architecture keeps personal identity data on your device, the data we hold on our servers is limited to:

  • Your email address, phone number, and hashed password
  • Your country of residence
  • A device registration token (for push notifications)
  • Your DID (a public cryptographic identifier — not personal data)
  • SHA-256 hashes of your verified claims (one-way hashes — the original data cannot be recovered from these)
  • Digitally signed verification receipts (containing no personal data — only hashes, timestamps, and outcomes)
  • For children: an age bracket (e.g. "13–15") and a confidence score — never date of birth

We do not hold: your name, date of birth, address, passport data, driving licence data, face photos, biometric templates, or any verified identity claims. All of that data exists only on your device.

16.2 Your Rights

You have the following rights, with practical notes on what each means given our architecture:

  • Right of access: You can request a copy of everything we hold. Because we do not store your personal identity data, the response will contain only the account and cryptographic data listed above. Your full identity data (documents, photos, credentials) is on your device — you already have it.
  • Right to rectification: You can update your email address or phone number through the app. On-device identity data (name, address, etc.) can be edited directly on your device — we cannot correct it because we don't hold it.
  • Right to erasure: You can delete your account from Settings, which permanently removes all server-side data within 30 days. To remove on-device data, delete your profile in the app or uninstall it.
  • Right to restrict processing: You can limit how we process your data. In practice, you already control every instance of data sharing by approving or rejecting each verification request individually.
  • Right to data portability: You can request your server-side data in a structured, machine-readable format (JSON). Note that this will contain only account data and hashes — not your identity credentials, which are already portable on your device.
  • Right to object: You can object to processing based on our legitimate interests (security monitoring, fraud prevention). Contact privacy@lifepassport.id.
  • Right to withdraw consent: You can withdraw consent for any specific identity sharing at any time. Since every verification requires your real-time biometric approval, no sharing continues without your active, ongoing consent.
  • Right not to be subject to automated decisions: You may contest any automated decision (see Section 11). For children's profiles, parents may contest automated age bracket transitions or consent revocations at any time.

16.3 Parents (on Behalf of Children)

In addition to exercising the above rights on behalf of your child, you may:

  • View all platforms that have requested your child's identity
  • Revoke any active consent immediately
  • Delete your child's profile entirely (all consents are automatically revoked)
  • Contest any automated decision about your child's age bracket or consent status

16.4 Identity Consumers

  • Access and export your business registration data and audit logs
  • Close your Consumer Portal account (verification receipts are retained for regulatory purposes)
  • Request deletion of portal user accounts

16.5 How to Exercise Your Rights

Contact us at privacy@lifepassport.id. We will respond within 30 days (or 72 hours for access requests, since we hold minimal data and the response is straightforward). There is no charge for exercising your rights.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

16.6 A Note on "the Right to Be Forgotten"

Because we don't store your personal identity data in the first place, there is very little to forget. Deleting your account removes your email, phone number, hashes, and receipts. Your identity credentials were never on our servers — they disappear when you remove them from your device.

17. California Privacy Rights (CCPA/CPRA)

Additional rights for California residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information. This section supplements the rest of this Privacy Policy.

17.1 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

Category | What we collect
Identifiers | Email address, phone number, DID
Biometric information | Processed on-device only (not collected by our servers)
Internet activity | Minimal analytics, API usage logs
Sensitive PI (government IDs) | Processed on-device only (hashes stored on server)
Professional information | Business registration details (Identity Consumers only)

17.2 Your California Rights

As a California resident, you have the right to:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
  • Right to delete: Request deletion of your personal information (subject to exceptions such as regulatory receipt retention)
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt out of sale/sharing: We do not sell or share your personal information, so no opt-out is necessary
  • Right to limit use of SPI: Request that we limit our use of sensitive personal information to what is necessary to provide the service
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights

17.3 How to Exercise Your Rights

To submit a verifiable consumer request, contact us at privacy@lifepassport.id with "California Privacy Request" in the subject line. We will verify your identity before processing the request and respond within 45 days. You may designate an authorised agent to make a request on your behalf.

17.4 Financial Incentives

We do not offer any financial incentives or price differences in exchange for the retention or sale of personal information.

18. Cookies & Analytics

The LifePassport website uses minimal analytics via a self-hosted, privacy-respecting analytics service. No cookies are used for tracking or advertising. We do not use Google Analytics.

The Consumer Portal uses essential session cookies for authentication. These are strictly necessary and do not require consent under the UK PECR.

19. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and displayed prominently on the website. The "last updated" date at the top of this page reflects the most recent revision.

20. Contact Us

For any privacy-related questions, concerns, or requests:

Privacy enquiries
privacy@lifepassport.id
General enquiries
hello@lifepassport.id
Data subject access requests
privacy@lifepassport.id — include "DSAR" in the subject line