Privacy Policy

Last updated: December 2024

XY Zinc ("we," "us," or "our"), a brand of Chaos Unlimited LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our website (www.xyzinc.com) and our Age Verification service.

1. Overview

This policy covers two distinct contexts:

  • The XY Zinc Website (www.xyzinc.com) — Information collected when you browse our marketing site
  • The Age Verification Service — Information processed when you complete age verification through our platform

Our Age Verification service is designed with privacy by default. We have architected our systems to minimize data collection and eliminate long-term storage of sensitive biometric information.

2. Information We Collect

2.1 Website Visitors

When you visit www.xyzinc.com, we may collect:

  • Standard server logs (IP address, browser type, pages visited, timestamps)
  • Information you voluntarily provide via contact forms (name, email, message content)
  • Cookies for basic site functionality (see Section 7)
  • Analytics data collected by Matomo, a self-hosted analytics platform (see Section 7)

2.2 Age Verification Users

When you complete age verification, we process two categories of data very differently:

Data We NEVER Store (Temporary Processing Only)

  • Selfie/liveness images
  • ID document photographs
  • Date of birth (extracted only to calculate age, then immediately discarded)

These items exist only in server memory (RAM) during the verification process. They are never written to disk, database, or any persistent storage. Maximum in-memory retention is 15 minutes, with immediate deletion upon verification completion.

Data We NEVER Extract

  • Names from ID documents
  • Addresses from ID documents
  • ID numbers or document numbers
  • Biometric face templates

Our system does not read, parse, or process this information from ID documents. We only extract the date of birth to calculate whether the user meets the minimum age requirement.

Data We Do Store

  • Session ID (random UUID, not linked to your identity)
  • Verification result (approved or rejected)
  • Confidence scores from age classification
  • Country and region code (e.g., "US-TX")
  • IP address (for fraud detection purposes)
  • Timestamps
  • The website that requested verification (tenant identifier)

3. How We Use Information

3.1 Website Data

  • To respond to your inquiries
  • To improve our website and services
  • To analyze usage patterns
  • To prevent abuse or security threats

3.2 Verification Data

  • To determine if you meet age requirements for the requesting website
  • To generate a verification token for the website you're accessing
  • To detect and prevent fraud
  • To generate aggregate, anonymized statistics for our customers

4. Third-Party Services

During the verification process, we use third-party services to perform specific functions. Images are sent directly to these services as raw bytes in API requests (not stored in cloud storage buckets) and results are returned immediately.

Service | Purpose | Data Sent
AWS Rekognition | Liveness detection, face matching | Video stream, selfie image, ID photo (for face comparison)
AWS Textract | ID document text extraction | ID document image
SightEngine | Age classification, AI-generated image detection | Selfie image, ID document image

AWS Services (Rekognition, Textract)

We have enabled AWS AI Services opt-out policies for our account, which prevents AWS from using your images to train or improve their machine learning models. Images are processed in-memory and are not stored in AWS infrastructure beyond what is necessary for the API call. We do not use cloud storage buckets (such as AWS S3) to transfer your images. For more information, see the AWS Service Terms.

SightEngine

SightEngine processes images for age classification (on your selfie) and AI-generated content detection (on ID documents to detect fakes). They are GDPR-compliant and state that no human moderators review images. Images are processed programmatically and are not shared with third parties. For more information, see the SightEngine Privacy Policy.

Technical note: All images are transmitted directly to these services as raw bytes within API requests. We do not use intermediary cloud storage (such as AWS S3 buckets) at any point in the verification process.

5. Data Retention

Data Type | Retention Period
Biometric images (selfies, ID photos) | 0 seconds (never stored persistently)
Personal information from IDs (name, DOB, document number) | 0 seconds (never stored)
In-memory session data (including images during processing) | Maximum 15 minutes, deleted immediately upon completion
Verification session records (anonymized) | Retained for service operation and fraud prevention
Contact form submissions | Until inquiry is resolved
Server logs | 90 days

6. Data Security

We implement technical and organizational measures to protect your information:

  • All data is transmitted over HTTPS with TLS encryption
  • Biometric data stored only in memory with disabled persistence (no disk writes)
  • Automatic TTL expiration ensures data purge even on system failure
  • Database encryption at rest
  • API access requires authenticated API keys with bcrypt hashing
  • Admin access requires two-factor authentication (TOTP)
  • Regular security audits and code reviews
  • Access controls limiting who can access systems

7. Cookies

Our website uses minimal cookies:

  • Essential cookies: Required for basic site functionality
  • Verification token: When you complete age verification, a cookie may be set on the requesting website to remember your verified status (typically valid for 365 days)
  • Matomo analytics: Optional

Our websites (www.xyzinc.com and wordpress-demo.xyzinc.com) use Matomo, a self-hosted web analytics platform, to understand how visitors use our sites. Matomo runs on our own infrastructure — no data is sent to third parties. Matomo respects your browser's Do Not Track (DNT) setting. If DNT is enabled, no analytics data is collected. Analytics data collected includes pages visited, referral sources, approximate location (country/region level), browser and device type, and session duration. This data is used in aggregate to improve our websites and is not linked to individual identities. We do not use advertising cookies, remarketing pixels, or any third-party tracking services.

The XY Zinc Age Verification service (age-verify.xyzinc.com) does not use Matomo, Google Analytics, or any other analytics tracking. No cookies are set during the verification process other than the verification token returned to the requesting website upon successful completion.

8. Your Rights

Depending on your jurisdiction, you may have rights including:

  • Access: Request a copy of data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data
  • Portability: Receive your data in a portable format
  • Objection: Object to certain processing of your data

Please note that because we do not store biometric data or personal identification information from ID documents, we cannot provide or delete data we never possessed. Session records contain only anonymized identifiers.

To exercise your rights, contact us at [email protected].

9. Children's Privacy

Our Age Verification service is designed specifically to prevent minors from accessing age-restricted content. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.

10. International Data Transfers

Our servers and third-party services may be located in different countries. By using our services, you consent to the transfer of information to countries outside your residence, which may have different data protection rules. We take steps to ensure appropriate safeguards are in place, including using services that comply with applicable data protection frameworks.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

XY Zinc
Owned and operated by Chaos Unlimited LLC

Email: [email protected]
Web: www.xyzinc.com/contact