Last updated: 12 June 2026
W Identity AB, Malmgårdsvägen 63, 116 38 Stockholm, Sweden, “W Identity”, “we”, “us”, or “our”, is the controller responsible for the processing of personal data described in this Privacy Notice.
W Identity provides an identity verification service that allows you to verify your identity and selectively share verified attributes with third-party applications under your control.
W Identity is designed as a privacy-preserving and decentralised identity solution. After your identity has been verified, your verified identity attributes are stored in the W Identity app on your own device. W Identity does not retain a long-term copy of your verified identity attributes on its servers after verification has completed, except where you choose to use optional encrypted backup functionality.
We do retain limited account, security, operational and log data as described in this Privacy Notice.
If you choose to use optional backup functionality, your backup data is stored encrypted. W Identity is not intended to have access to the contents of that encrypted backup. This depends on the correct use of the backup and recovery mechanism, including the protection of any recovery credentials or keys made available to you.
Please note that the optional backup functionality is described in this Privacy Notice in advance of its release. At this point in time, the functionality is not available, and W Identity does not store or otherwise process any backup data.
You can contact us at info@widentity.eu. You can contact our Data Protection Officer at dpo@widentity.eu for privacy-related questions.
2.1 Data collected directly from you
When you create a W Identity account, we collect personal data directly from you through the app. This may include your phone number, email address and date of birth.
As part of onboarding, you are asked to verify your identity using your passport. You may choose between two verification methods: taking a photo of your passport, or scanning your passport chip using NFC (Near Field Communication) technology. You are also required to provide a selfie, which is used to compare your face with the passport image as part of the identity verification process.
2.2 Data generated or observed during verification
During the verification process, we may process phone number, email address, date of birth, passport data, nationality, passport image, selfie image, IP address, session data, device information, user agent strings, error events and rate-limiting events.
Where we process your passport facial image and selfie using face-matching technology for the purpose of verifying your identity, this may involve processing biometric data within the meaning of the GDPR.
2.3 Data collected from third parties
Where we use third-party verification providers, they may provide us with information about whether a verification step was successful, failed, or requires manual review.
2.4 Data you choose to share with third-party applications
You may choose to share verified attributes with third-party applications. The W Identity app shares only the specific attributes requested by the application and explicitly approved by you.
Once you choose to share attributes with a third-party application, that third party is responsible for its own processing of the personal data it receives, unless otherwise stated. You should review the privacy notice of the relevant third-party application.
We process your personal data for the purposes and legal bases set out below.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Creating and maintaining your W Identity account, including generating an account identifier or UUID | Account creation data, account identifier, phone number, email address, date of birth | Performance of a contract, Article 6(1)(b) GDPR |
| Verifying your phone number and email address | Phone number, email address | Performance of a contract, Article 6(1)(b) GDPR |
| Verifying your identity using passport and selfie checks | Date of birth, nationality, passport data, passport image, selfie image, verification result | For non-special category data: performance of a contract, Article 6(1)(b) GDPR |
| Processing facial image and selfie data using face-matching technology for identity verification | Passport facial image, selfie image, face-matching result | Explicit consent, Article 9(2)(a) GDPR, together with Article 6(1)(a) GDPR, unless another lawful basis applies |
| Sharing verified attributes with third-party applications at your request | Only the specific attributes you select and approve | Consent, Article 6(1)(a) GDPR |
| Providing optional encrypted backup and restore functionality | Encrypted backup data, account identifier, backup metadata | Performance of a contract, Article 6(1)(b) GDPR, or consent, Article 6(1)(a) GDPR, depending on how the functionality is enabled |
| Security, abuse prevention and fraud prevention | IP addresses, session data, device identifiers, user agent strings, error events, rate-limiting events, security logs | Legitimate interest, Article 6(1)(f) GDPR |
| Maintaining operational logs for administration, troubleshooting and statistics | Timestamp, JID, IP address, technical event data | Legitimate interest, Article 6(1)(f) GDPR |
| Compliance with legal obligations | Data relevant to the specific legal obligation | Legal obligation, Article 6(1)(c) GDPR |
| Establishing, exercising or defending legal claims | Data relevant to the claim or dispute | Legitimate interest, Article 6(1)(f) GDPR, and where applicable Article 9(2)(f) GDPR |
Where we rely on legitimate interest, our legitimate interest is to keep the W Identity service secure, prevent misuse and fraud, maintain reliable operation, troubleshoot technical issues, and protect our legal rights. You have the right to object to processing based on legitimate interests as described in section 9.
Providing your phone number, email address, date of birth, passport information and selfie is necessary to create and verify your W Identity account. If you do not provide this information, we may not be able to create your account or verify your identity.
Sharing verified attributes with third-party applications is optional and only takes place when you approve the specific sharing request.
Use of optional encrypted backup functionality is optional. If you do not enable backup, your verified identity attributes are stored only in the W Identity app on your device, and you may lose access to them if you lose access to your device or app data.
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent for processing that is necessary for a specific feature, we may no longer be able to provide that feature.
5.1 Processors
We use third-party service providers that process personal data on our behalf under data processing agreements. These may include hosting providers, email providers, document verification providers, phone number verification providers, infrastructure providers, support providers and security service providers.
These providers may only process personal data according to our documented instructions and must protect the data in accordance with applicable data protection law.
5.2 Trust Anchor Group
Trust Anchor Group AB acts as a processor on our behalf. Trust Anchor Group maintains neuron server infrastructure used in the verification process and may perform manual reviews for us where automatic verification cannot be completed.
Where manual review is required, the reviewer may access the data necessary to complete the review. This may include passport image, selfie image, year of birth, nationality, verification status, and the reason why automatic verification could not be completed. If the passport image is not technically masked, the reviewer may also be able to see other information visible on the passport image.
5.3 Third-party applications
You may choose to share verified attributes with third-party applications. The W Identity app shares only the specific attributes requested by an application and explicitly approved by you.
The third-party application is normally an independent controller for the personal data it receives from you. W Identity is not responsible for how a third-party application processes personal data after you have approved the sharing request.
5.4 Authorities and legal recipients
We may disclose personal data where required by law, court order, or a binding request from a competent authority. We may also disclose personal data where necessary to establish, exercise or defend legal claims.
We store personal data only for as long as necessary for the purposes described in this Privacy Notice, unless we are legally required or permitted to retain it for a longer period.
Account data. Account data is retained for as long as your W Identity account remains active. If you delete your account, we delete or anonymise account data within 30 days, unless we are legally required or permitted to retain limited information for security, fraud prevention, dispute resolution, legal claims, accounting, audit or compliance purposes.
Verification data. Verification data, including phone number, email address, date of birth, passport data, IP address and selfie image, is retained only for the time needed to complete the verification checks.
Where automatic verification is successful, verification data is deleted shortly after the verification process has completed and in any case within one minute. Where manual review is required, the reviewer may access the information necessary to complete the review. In such cases, the verification data may be retained for up to fourteen days to enable review of the submitted material.
Verified identity attributes. After verification has completed, your verified identity attributes are stored in the W Identity app on your device. W Identity does not retain a long-term server-side copy of your verified identity attributes, except where you choose to use optional encrypted backup functionality.
Optional encrypted backup. If you enable optional encrypted backup functionality, the encrypted backup is retained for as long as the backup functionality remains enabled, or until you delete the backup or close your account. W Identity is not intended to have access to the contents of the encrypted backup. However, backup metadata, such as account identifier, timestamp and technical status information, may be retained for operational and security purposes.
Event log. We maintain an event log for administrative, operational and security purposes, including troubleshooting, service reliability, misuse prevention, fraud prevention and security monitoring.
The event log records relevant service events and the technical reason why the event occurred. The following data may be recorded: timestamp, event type, event reason or trigger, JID, and IP address. The JID is an XMPP address consisting of a client-generated name and the W Identity domain, for example [client-generated-name]@auth.widentity.eu. Event log data is retained for 90 days, after which it is deleted or anonymised. Any statistical reporting based on event log data is produced only in aggregated or anonymised form.
Communication log. We maintain a communication log for operational and security purposes, including service reliability, troubleshooting, abuse prevention, fraud prevention and security monitoring. The communication log records relevant communication events between the client, meaning the mobile device, the neuron server, and third-party applications or services involved in a request. This includes information about when communication occurred, what type of communication event took place, the direction of the communication, the third party involved, the status or outcome of the event, and the technical reason or trigger for the event.
The following data may be recorded in the communication log: timestamp, communication event type, communication direction, event status or outcome, event reason or technical trigger, third-party application or service identifier, JID, and IP address. The JID is an XMPP address consisting of a client-generated name and the W Identity domain, for example [client-generated-name]@auth.widentity.eu. Communication log data is retained for 7 days, after which it is deleted or anonymised. Any statistical reporting based on communication log data is produced only in aggregated or anonymised form.
Consent and legal records. Where processing is based on consent, we may retain records showing when and how consent was given or withdrawn for as long as necessary to demonstrate compliance with the GDPR.
Where data is needed to establish, exercise or defend legal claims, we may retain the relevant data for the applicable limitation period.
We aim to process and store personal data within the European Economic Area.
Where our service providers process personal data outside the European Economic Area, we ensure that an appropriate transfer mechanism is in place in accordance with Chapter V of the GDPR. This may include an adequacy decision by the European Commission, the European Commission’s Standard Contractual Clauses, and, where required, supplementary technical and organisational measures.
You may contact us at info@widentity.eu if you would like more information about the safeguards used for international transfers.
We use automated technical checks as part of the identity verification process. These checks may include document validity checks, phone and email verification, fraud prevention checks and face-matching between your passport image and selfie.
We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects for you within the meaning of Article 22 GDPR.
Where automatic verification cannot be completed, the case may be referred for manual review. Manual review is performed by authorised personnel acting on behalf of W Identity. The purpose of manual review is to assess whether verification can be completed or whether additional action is required.
Subject to the conditions and exceptions set out in the GDPR, you have the following rights in relation to your personal data.
You have the right of access under Article 15 GDPR. This means that you may request confirmation as to whether we process personal data about you and receive information about that processing.
You have the right to rectification under Article 16 GDPR. This means that you may request correction of inaccurate personal data and completion of incomplete personal data.
You have the right to erasure under Article 17 GDPR. This means that you may request deletion of your personal data in certain circumstances, for example where the data is no longer necessary for the purposes for which it was collected.
You have the right to restriction of processing under Article 18 GDPR. This means that you may request that we restrict the processing of your personal data in certain circumstances.
You have the right to data portability under Article 20 GDPR. Where processing is based on consent or contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used and machine-readable format and transmit it to another controller.
You have the right to object under Article 21 GDPR. Where processing is based on legitimate interests, you may object to the processing on grounds relating to your particular situation.
You have the right to withdraw consent under Article 7(3) GDPR. Where processing is based on your consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
You have the right to lodge a complaint with a supervisory authority. In Sweden, the relevant supervisory authority is Integritetsskyddsmyndigheten, IMY, the Swedish Authority for Privacy Protection. You may also lodge a complaint with another competent EU or EEA supervisory authority.
To exercise your rights, please contact us at info@widentity.eu or dpo@widentity.eu.
We apply technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration and disclosure. These measures include encryption, access controls, logging, separation of duties, retention controls and security monitoring where appropriate.
The W Identity app is designed to keep verified identity attributes under the user’s control on the user’s device. However, you are responsible for keeping your device, app access credentials and any recovery credentials secure.
We may update this Privacy Notice from time to time. The latest version of this Privacy Notice will always indicate the date on which it was last updated.