Legal · Age Plus Privacy Policy
Age Plus Privacy Policy
Last updated February 23, 2026
Applies To
Age Plus App (iOS & Android)
Biometric Data
Displayed only, never stored
Contact
privacy@oneproof.comOneproof, Inc., its parent, subsidiaries, affiliates, successors, and assigns (“Company”, “we”, “our”, or “us”) respect your privacy and are committed to protecting it through our compliance with this policy. This privacy policy applies specifically to the Age Plus mobile application for iOS and Android (“App”), an age verification solution that uses ISO 18013-5 mobile driver's licenses (mDL) to verify age eligibility.
This policy covers data collected through:
- The Age Plus mobile application on iOS and Android devices.
- The cloud-based activity log and dashboard associated with the App.
- Business account registration and management for the App.
Age Plus is sold to businesses such as bars, restaurants, retailers, and other age restricted venues (“Business Customers”). Business Customers use the App to verify the age of individuals (“Verified Individuals”) presenting a mobile driver's license. This policy describes how we handle data for both Business Customers and Verified Individuals.
For our general privacy policy covering the ONEPROOF website and other services, please see our Privacy Policy. By using the App, you agree to the practices described in this policy. This policy may change from time to time. Continued use of the App after changes constitutes acceptance.
How Age Plus Works
Age Plus verifies age eligibility using ISO 18013-5 compliant mobile driver's licenses (mDL). When a Verified Individual presents their mDL, the App reads the credential via secure proximity protocols (BLE, NFC, or QR code) and determines whether the credential is valid and whether the individual meets the required age threshold.
The App also requests the portrait photo from the mDL so the Business Customer's staff can visually confirm the person presenting the mDL is the credential holder. The portrait is displayed on screen only and is never stored, saved, transmitted, or retained by the App or our servers.
Children's and Minors' Data
The App is designed to verify whether an individual meets a minimum age requirement (typically 21 years of age). The App is not intended for use by children under 18. We do not knowingly collect personal data from children. If we learn we have collected personal data from a child under 18 without verification of parental consent, we will delete that information.
01Data Collected from Verified Individuals
When a Verified Individual presents their mDL, the App reads a limited set of data elements from the credential. We practice data minimization and only request the information necessary for age verification.
Data Read from the mDL
- Age Over 21 indicator - a boolean confirming the individual is over the age of 21.
- Date of Birth - depending on Business Customer configuration, the date of birth may be read instead of or in addition to the age over indicator.
- Age in Years - the individual's age expressed as a whole number, as an alternative data element.
- Portrait Photo - displayed on screen for visual identity confirmation by staff. Never stored, transmitted, or retained.
Verification Record (Stored)
For each verification, the App generates an activity log entry containing:
- Date and time of the verification.
- Credential validity result (e.g., COSE signature valid/invalid, credential expiration status).
- Age verification result (pass/fail).
- Location of the verification (business location/device location) for usage reporting.
The verification record does not include any personally identifiable information about the Verified Individual. No names, addresses, license numbers, dates of birth, or portrait photos are stored in the verification record.
02Data Collected from Business Customers
When a Business Customer registers for Age Plus, we collect information necessary to create and manage their account and provide the service.
- Business name and business address
- Contact person name, email address, and phone number
- Payment and billing information
- Business license or liquor permit details (for verification of eligibility)
- Number of devices and deployment configuration
- Account credentials and authentication information
03Data Collected Automatically
The App may automatically collect certain technical and usage information to maintain service quality and improve the App.
Device and Usage Information
Device type, operating system and version, App version, device identifiers, and general usage patterns (e.g., number of verifications performed, feature usage).
Usage Metrics
We collect usage metrics including the total number of mDL verifications performed per device, per location, and per Business Customer account. These metrics are associated with the Business Customer's account and subscription, help Business Customers understand verification volume across their locations, and help us operate, maintain, and improve the service.
Location Information
We collect the location of the device at the time of verification to associate verification activity with specific business locations. This allows Business Customers with multiple locations to view usage data broken down by venue or site. Location data is associated with the Business Customer's account and verification activity logs and it is never linked to the Verified Individual.
Analytics and Crash Reporting
The App uses third-party analytics and crash reporting services to help us understand usage patterns, diagnose technical issues, and improve the App. These services may collect device identifiers, crash logs, performance data, and aggregated usage statistics. No personally identifiable information about Verified Individuals is shared with these services.
04How We Use Your Information
We use information collected through the App to:
- Perform age verification by reading mDL credential data and determining validity
- Display the portrait photo temporarily for visual identity confirmation by staff
- Generate and maintain verification activity logs for Business Customers
- Track verification volume and usage metrics per device and per business location
- Provide location-based usage reporting so Business Customers can monitor activity across venues
- Manage Business Customer accounts, subscriptions, and billing
- Provide customer support and respond to inquiries
- Monitor and improve the App's performance, reliability, and security
- Comply with legal requirements and enforce our terms of service
05Data Retention
Portrait Photo
Not retained. Displayed in real-time on the device screen only and immediately discarded after the verification interaction ends. Never written to disk, transmitted to servers, or saved in any form.
mDL Data Elements
Age-related data (age over 21, date of birth, age in years) is processed in real-time for verification and is not stored after the verification result is generated.
Verification Activity Logs
- Free tier: 7 days, then automatically deleted.
- Paid plans: Extended retention period as specified in the Business Customer's subscription agreement.
Business Account Data
Retained for the duration of the Business Customer's account. Deleted within 90 days after account cancellation, unless retention is required by law.
06Data Sharing and Disclosure
We do not sell personal data collected through the App. We may share information in the following limited circumstances:
- With Business Customers: Verification activity logs are accessible to the Business Customer that performed the verification. Paid Business Customers may export this data to their own backend systems.
- With service providers: We use third-party service providers for hosting, analytics, crash reporting, and payment processing, bound by contractual obligations to keep data confidential.
- For legal compliance: We may disclose information to comply with applicable laws, regulations, court orders, or government requests.
- Business transfers: In connection with a merger, acquisition, or sale of assets, data may be transferred to the successor entity.
- To protect rights and safety: When necessary to protect ONEPROOF, our Business Customers, or the public.
07Biometric Information Disclosure (BIPA)
Important Notice for Illinois Residents and All Jurisdictions with Biometric Privacy Laws
The Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) (“BIPA”) and similar laws in other states regulate the collection, use, and storage of biometric identifiers and biometric information. This section provides the required disclosures under BIPA and similar statutes.
What Biometric Data Is Involved
The Age Plus App requests the portrait photograph from the Verified Individual's mDL credential. This portrait may constitute a “biometric identifier” under BIPA and similar laws. The portrait is displayed on the device screen solely for the purpose of allowing the Business Customer's staff to visually confirm that the person presenting the mDL is the credential holder.
Purpose and Use
The sole purpose of displaying the portrait is to enable visual identity confirmation at the point of verification. The portrait is not used for facial recognition, facial geometry analysis, or any automated biometric matching. It is viewed by a human operator only.
Storage, Collection, and Destruction
- No storage: The portrait is not stored on the device, in the App's local storage, in any database, or on any server.
- No transmission: The portrait is not transmitted, uploaded, or sent to any server, cloud service, or third party.
- Immediate discard: The portrait exists only in the device's volatile memory (RAM) during the active verification session and is discarded when the verification interaction ends or the screen is dismissed.
- No profiling: No biometric template, faceprint, or geometric data is derived from the portrait at any time.
Consent Obligation for Business Customers
Business Customers operating in Illinois or other jurisdictions with biometric privacy laws are responsible for obtaining the Verified Individual's informed written consent before initiating a verification that involves the display of the portrait photo.
Under BIPA, before collecting or capturing a biometric identifier, a private entity must:
- 1.Inform the individual in writing that biometric data is being collected or stored.
- 2.Inform the individual of the specific purpose and length of time for which it is being collected, stored, and used.
- 3.Receive a written release from the individual.
ONEPROOF provides guidance and sample consent language to Business Customers to assist with this obligation. However, the Business Customer remains responsible for compliance with applicable biometric privacy laws in their jurisdiction.
Retention and Destruction Schedule
As required by BIPA Section 15(a), this serves as our written policy for the retention and destruction of biometric data: The portrait photo is held in volatile device memory only for the duration of the active verification session (typically seconds). It is automatically destroyed when the session ends. No permanent record of the portrait or any derived biometric data is ever created. This retention schedule applies regardless of whether the Business Customer's purpose for collecting the data has been satisfied.
08Data Security
We implement commercially reasonable administrative, physical, and technical safeguards to protect information processed through the App, including:
- All mDL verification uses ISO 18013-5 secure proximity protocols with cryptographic session encryption.
- Verification activity logs are encrypted in transit and at rest.
- Business Customer account credentials are securely hashed and never stored in plaintext.
- The App does not write portrait photos or mDL data elements to device storage at any point.
However, no mobile application, system, or electronic storage is completely secure. We cannot guarantee absolute security of your information.
09Your Rights and Choices
For Business Customers
- Access: You may request access to your account data and verification activity logs at any time through the App or by contacting us.
- Correction: You may request correction of inaccurate account information.
- Deletion: You may request deletion of your account and associated data. Verification activity logs will be deleted according to the retention schedule above.
- Data Export: Paid plan Business Customers may export verification activity logs to their own backend systems.
For Verified Individuals
Because we do not store any personally identifiable information about Verified Individuals (no names, no portraits, no license numbers), we cannot identify or retrieve data associated with a specific individual. The verification activity logs contain only anonymized results (date, time, pass/fail).
If you have questions about your data, you may contact us at privacy@oneproof.com.
State Privacy Rights (US)
Depending on your state of residency, you may have certain rights including:
- Access and Data Portability: Confirm whether we process your personal data and access a copy.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of personal data (subject to exceptions).
- Opt Out: Request we not use your data for targeted advertising or profiling.
To exercise these rights, email privacy@oneproof.com.
Class Action Waiver (US Residents Only)
YOU (IF YOU ARE A RESIDENT OF THE UNITED STATES) AND COMPANY AGREE THAT ANY PROCEEDINGS TO RESOLVE OR LITIGATE ANY DISPUTE WILL BE CONDUCTED SOLELY ON AN INDIVIDUAL BASIS, AND THAT NEITHER YOU NOR COMPANY WILL SEEK TO HAVE ANY DISPUTE HEARD AS A CLASS ACTION, A REPRESENTATIVE ACTION, A COLLECTIVE ACTION, A PRIVATE-ATTORNEY GENERAL ACTION, OR IN ANY PROCEEDING IN WHICH YOU OR COMPANY ACTS OR PROPOSES TO ACT IN A REPRESENTATIVE CAPACITY.
YOU AND COMPANY FURTHER AGREE THAT NO PROCEEDING WILL BE JOINED, CONSOLIDATED, OR COMBINED WITH ANOTHER PROCEEDING WITHOUT THE PRIOR WRITTEN CONSENT OF YOU, COMPANY, AND ALL PARTIES TO ANY SUCH PROCEEDING.
The term “DISPUTE” shall be interpreted as broadly as permitted under applicable law and shall apply to all past, present, and future legal disputes and legal claims between you and Company.
Contact Information
To exercise your rights or ask questions about this privacy policy, contact us at:
privacy@oneproof.comChanges to This Privacy Policy
We may update this policy from time to time. The date the policy was last updated is identified at the top of the page. Your continued use of the App after changes constitutes acceptance of the revised policy. We encourage Business Customers to periodically review this policy.
General Privacy Policy
For information about our website and other services, see our general privacy policy.