Last updated: 20 March 2026
W Identity AB, Malmgårdsvägen 63, 116 38 Stockholm, Sweden (“W Identity”, “we,” “us,” or “our”) is the controller responsible for processing your personal data under the EU General Data Protection Regulation (“GDPR”) as described in this Privacy Notice.
W Identity is an identity verification service provider that allows you to verify your identity once and then selectively share verified attributes with third-party applications under your control. W Identity operates on a decentralized model: after your identity has been verified, your verified identity details are stored only on your own device inside the W Identity app, and the W Identity server does not retain a long-term identity profile. If you choose to use our optional backup functionality, we will also store your data securely encrypted on our servers, in a format which is inaccessible to us. This approach ensures that identity verification and user privacy remain complementary objectives.
You can reach us at info@widentity.eu and our Data Protection Officer at dpo@widentity.eu with all privacy-related questions.
This Privacy Notice explains how we process your personal data when you use the W Identity app.
3.1 Data Collected Directly from You
When you create a W Identity account, we collect the following personal data directly from you through the app: your phone number, email address, and date of birth. As part of onboarding, you will be asked to verify your identity using your passport, either by taking a photo of the passport or by scanning the passport via NFC. You are also required to provide a selfie, which is used to match your face with the passport photo as part of the verification flow.
3.2 Data Generated or Observed During Verification
During server-side processing of your verification request, we process the following data as part of the verification flow: phone number, email address, date of birth, passport data, IP address, and selfie image.
3.3 Data Collected from Third Parties
Where we use third-party verification providers, they inform us whether the verification was successful.
We process your personal data for the purposes set out below, together with the corresponding legal basis:
| Purpose | Categories of Data | Legal Basis |
|---|---|---|
| Creating and maintaining your W Identity account, including generating your account UUID (Universally Unique Identifier) | All account creation data, account number | Performance of a contract (Article 6(1)(b) GDPR) |
| Verifying your phone number and email address | Phone number, email address | Performance of a contract (Article 6(1)(b) GDPR) |
| Verifying your identity via passport and selfie check | Date of birth, nationality, passport data, selfie image | For non-biometric data in your passport: performance of a contract (Article 6(1)(b) GDPR). For biometric data in your passport: consent (Article 9(2)(a) in conjunction with Article 6(1)(a) GDPR). |
| Sharing verified attributes with third-party applications at your request | Only the specific attributes you select and approve. You must explicitly grant permission before any information is shared. | Consent (Article 6(1)(a) GDPR) |
| Security and fraud prevention | IP addresses, session data, device identifiers, user agent strings, error and rate-limiting events | Our legitimate interest in keeping our app secure (Article 6(1)(f) GDPR) |
| Compliance with legal obligations | Any data relevant to the specific legal obligation | Compliance with legal obligations (Article 6(1)(c) GDPR) |
5.1 Processors
We use third-party service providers that act as our processors under the GDPR, including a hosting provider, an email provider, a passport validation provider, and a phone number verification provider.
5.2 Trust Anchor Group
Trust Anchor Group AB also acts as a processor on our behalf. Trust Anchor Group maintains the neuron server infrastructure used in the verification process and performs manual reviews for us.
5.3 Third-Party Applications
You may choose to share your verified attributes with third-party applications. The W Identity app shares only the specific attributes requested by an application and explicitly approved by you.
We and our service providers store your personal data in accordance with applicable data protection laws to the extent necessary for the purposes set out in this Privacy Notice. Thereafter, we delete your personal data in accordance with our data retention and deletion policy or take steps to properly render the data anonymous, unless we are legally obliged or permitted to keep it longer (for example, for legal compliance, tax, accounting, or auditing purposes). Where legally permissible or required, we may restrict the processing of your data instead of deleting it (for example, by restricting access).
This applies in particular where we may still need the data to perform a contract or to establish, exercise, or defend legal claims, or where retention is otherwise required or permitted by law. In such cases, the duration of the restriction depends on the applicable statutory limitation or retention periods, and the data will be deleted after those periods expire.
For example, W Identity applies the following retention periods:
Verification data. Verification data (phone number, email address, date of birth, passport data, IP address, and selfie image) is retained only for the time needed to complete the checks, after which it is deleted. Where automatic verification is successful, the storage period does not exceed one minute. Where a manual review is conducted, the reviewer will have access to the following data: passport photo, selfie, year of birth, nationality, and the reason why automatic verification was not successfully completed. In such cases, the data may be retained for up to fourteen days to enable the review of the submitted material.
Verified identity. After verification is completed, the verified identity is stored only in the W Identity app on your device as part of a decentralized solution. The W Identity server does not retain a user profile or store the verified identity details beyond what is required for short-lived processing during verification. If you choose to use our optional backup functionality, we will also store your data securely encrypted on our servers in a format which is inaccessible even to us.
Event log. We maintain an event log for administrative and statistical purposes. The following data is recorded in this log: timestamp, JID (XMPP address consisting of the client-generated name and the neuron domain, e.g. @auth.widentity.eu), and IP address. This log is retained for 90 days, after which it is deleted.
Communication log. We maintain a communication log recording traffic between the client (mobile device) and the neuron server. The following data is recorded in this log: timestamp, JID (XMPP address consisting of the client-generated name and the neuron domain, e.g. @auth.widentity.eu), and IP address. This log is retained for 7 days, after which it is deleted.
W Identity shares personal data only with recipients located within the European Economic Area (EEA). To the extent our service providers may transfer personal data to recipients outside the EEA, they are obligated, both contractually and under applicable law, to provide appropriate safeguards in accordance with Chapter V of the GDPR.
We do not use technologies that constitute automated decision-making within the meaning of Article 22 GDPR.
Under the GDPR, you have the following rights in relation to your personal data, subject to the conditions and exceptions set out in the GDPR:
Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, to access the data and receive certain information about the processing.
Right to rectification (Article 16): You have the right to obtain the rectification of inaccurate personal data and, taking into account the purposes of the processing, to have incomplete personal data completed.
Right to erasure (Article 17): You have the right to obtain the erasure of your personal data in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected.
Right to restriction of processing (Article 18): You have the right to obtain restriction of processing in certain circumstances, such as where you contest the accuracy of the data.
Right to data portability (Article 20): Where processing is based on consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to object (Article 21): Where processing is based on legitimate interests, you have the right to object to the processing on grounds relating to your particular situation.
Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority of your choice.
To exercise any of these rights, please contact us at info@widentity.eu.