When you store copies of IDs and selfies "for compliance," you become the custodian of the most sensitive data your users have. A breach doesn’t just leak emails, it leaks documents that can be used for identity fraud, and face images that can be used for impersonation. Regulators and plaintiffs often treat such storage as a major risk and a potential violation of data-minimisation principles.
The token-only alternative
The alternative is to not store them at all. A privacy-first age verification provider checks the document and the person (e.g. via liveness), confirms they meet the age threshold, and returns to you only a signed result, for example "18+ verified" plus an audit identifier (e.g. a verification receipt). You keep the token and the receipt; you never hold the ID or the face. Your database is no longer a honeypot for attackers, and you have a clear story for regulators: we only retain what we need to prove compliance.
Better UX for returning users
This model also simplifies user experience and returning flows. Once a user has verified elsewhere in the same ecosystem, they can re-prove age with a quick check (e.g. face-only) without uploading documents again. You still get a fresh token and audit trail. Less data, less liability, better UX, and alignment with GDPR, DSA, and emerging guidance that favours minimal retention and strong security.
