Data Retention & Privacy
What Stile stores, what gets purged and when, and how the platform minimizes the PII you ever touch.
Stile is built to minimize the personal data you handle. Raw identity material is collected only to run a verification, then purged — what persists is the verification outcome and a set of hashed anchors that let returning users skip re-verification. This page covers what's stored, what's discarded, and how long things live.
What persists vs. what's purged
| Data | Retention |
|---|---|
| Raw identity data (ID images, name, DOB, document numbers) | Purged after verification completes. Not stored long-term. |
| Hashed anchors (email hash, phone hash, document fingerprint) | Retained for deduplication and returning-user lookup. Not reversible to PII. |
| Verification outcome (age tier, method, expiry) | Retained — so returning users can skip re-verification even after raw PII is gone. |
The raw image bytes for document capture and NFC passport reads are purged as soon as the verification result is computed — the capture record keeps only the extracted, validated fields and is then stripped of PII.
You never store the documents
Because raw documents are purged server-side, you never receive or store ID images yourself. The verification result tells you what you need (age tier, pass/fail, method) without exposing the underlying PII.
Jurisdiction-specific retention
Retention windows aren't one-size-fits-all — they're set by the compliance rule for the jurisdiction the verification ran in. Each rule carries three independent limits:
| Limit | Governs |
|---|---|
| data_retention_days | Collected PII (names, dates of birth, addresses). |
| document_image_retention_days | Captured ID document images. |
| biometric_retention_days | Biometric data such as face-match templates. |
For example, a jurisdiction with strict biometric law (e.g. Illinois BIPA) sets a shorter biometric window than a jurisdiction without one. Stile applies the correct limit automatically based on where the verification was performed — you don't configure it per request.
Credentials outlive raw PII
Verification credentials (the record that a user verified) are governed by their credential_validity_days, not by these retention limits. A returning user can still skip re-verification after their raw PII has been purged — until the credential itself expires.
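The following sketch is an added example, not Stile's code: it models the three independent limits and the separate credential lifetime described above so you can see which categories fall due at a given moment. The four field names come from this page; the jurisdiction names, day counts, category labels and function names are constructed, and counting each limit from the verification time is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RetentionRule:
    # Field names are the ones this page lists; the values used below are constructed.
    data_retention_days: int
    document_image_retention_days: int
    biometric_retention_days: int
    credential_validity_days: int

# Which limit governs which category of stored material (category labels are hypothetical).
LIMIT_FOR = {
    "pii": "data_retention_days",
    "document_image": "document_image_retention_days",
    "biometric": "biometric_retention_days",
}

def purge_deadlines(rule, verified_at):
    """Latest moment each category may still exist: one deadline per limit."""
    return {cat: verified_at + timedelta(days=getattr(rule, field))
            for cat, field in LIMIT_FOR.items()}

def overdue(rule, verified_at, still_held, now):
    """Categories that are still held although their own limit has passed."""
    deadlines = purge_deadlines(rule, verified_at)
    unknown = set(still_held) - set(deadlines)
    if unknown:
        # Fail closed: data with no governing limit must not be silently ignored.
        raise ValueError(f"no retention limit defined for: {sorted(unknown)}")
    return sorted(c for c in still_held if now >= deadlines[c])

def credential_valid(rule, verified_at, now):
    """Credential lifetime is independent of the three retention limits."""
    return now < verified_at + timedelta(days=rule.credential_validity_days)

# Constructed rules for two hypothetical jurisdictions.
RULES = {
    "strict-bio": RetentionRule(30, 7, 1, 365),   # short biometric window
    "default": RetentionRule(30, 7, 30, 365),
}

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed verification time
    held = ["pii", "document_image", "biometric"]
    for days in (10, 40):
        now = t0 + timedelta(days=days)
        for name, rule in RULES.items():
            print(days, name, overdue(rule, t0, held, now),
                  credential_valid(rule, t0, now))
```

At day 40 every raw category is past its limit under both constructed rules while the credential is still valid, which is the "credentials outlive raw PII" behaviour.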
Biometric consent
Where biometric processing requires explicit consent (e.g. BIPA §15), the widget collects it inside the flow before any biometric step runs, and the consent is recorded against the session. Retention of biometric templates then follows the jurisdiction's biometric_retention_days.
Erasure and data-subject requests
Stile supports deleting a user's biometric and verification data on request, so you can satisfy right-to-be-forgotten obligations (GDPR, CCPA, BIPA). Reach out through your account's support channel or the dashboard to action an erasure; the underlying biometric template for a session can be deleted independently of the verification outcome.
This is implementation guidance, not legal advice
Retention windows and consent requirements are driven by jurisdiction rules in the platform, but your own compliance obligations depend on your use case. Confirm the specifics with your compliance team.
Next steps
Security Best Practices
Webhook-first access control, signature verification, key management, rate limits, and anti-fraud measures for production integrations.
Returning User Verification
Verify once, reuse many times — VP tokens, credential lookup with OTP, and the strength, age-tier, and expiry rules that decide when a user must re-verify.