Privacy

Privacy & data handling

AnonID is built so the right answer is also the default. This page summarizes how we treat the documents you process. It is maintained by AnonID and is not a legal certification.

What gets processed

Scans of identity documents (passports, national ID cards, driving licenses) that you or your apps upload. We need the bytes long enough to detect sensitive regions and draw black rectangles over them.

What gets stored

  • ✓ The anonymized output (encrypted at rest, scoped to your organization).
  • ✓ Metadata describing the redaction: document type, the list of field IDs that were redacted, who triggered it, when.
  • ✓ The filename you sent (you control it; we recommend not putting PII in filenames).

What never gets stored

  • ✗ The original (un-anonymized) file. It leaves memory when the redacted copy is produced.
  • ✗ Extracted text from your document (we locate regions, we don't read values).
  • ✗ Your BSN, MRZ contents, document number or any other field value.

Retention

Anonymized documents are deleted after the retention window you choose per organization (ephemeral, 7, 30, 90 or 365 days). Audit logs are kept while your account is active; you can request export or deletion.

Multi-tenancy

Every row in the database carries an organization_id and is gated by Postgres Row-Level Security. Members of one organization cannot see — or signed-URL-link to — files from another.

Compliance defaults (Netherlands)

The pre-loaded redaction profile mirrors guidance from the Dutch government (Rijksoverheid) and the Autoriteit Persoonsgegevens (AP): BSN and MRZ are always blacked out, photo and signature are recommended. Name and date-of-birth are kept visible so the copy can still be used to verify identity. Required-by-law fields are enforced server-side and cannot be turned off.

Contact

Privacy questions: privacy@anonid.nl.