Privacy Policy

Welcome to CAIRL ("we," "our," or "us"), operated by reAPPlicate Incorporated, a Florida corporation. We are a privacy-first identity verification platform that helps you prove who you are while keeping your personal information secure.

Our core principle: We do not use your biometric data, identity documents, or personal information for surveillance, tracking, profiling, or advertising — ever. CAIRL exists to verify identity, not to monetize it.

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our services. We believe you should always know what data we collect, why we collect it, and how you can control it.

CAIRL acts as the data controller for personal information described in this policy, except where we act as a data processor on behalf of a business customer under a separate agreement. We do not use your personal information, biometric data, or verification records to train machine learning models.

CAIRL is a privacy-preserving identity verification platform. To be clear about what that means:

• CAIRL is not a data broker. We do not sell, license, or trade personal information to third parties.
• CAIRL is not an advertising platform. We do not use your data for ad targeting, behavioral profiling, or marketing analytics.
• CAIRL is not a surveillance system. We do not track your activity across other platforms or build dossiers on your behavior.

We are designed to collect only the data necessary to perform identity verification and deliver the services you use. This principle of data minimization guides every feature, every integration, and every service provider we work with.

Account Information

When you create an account, we collect:

• Email address — To identify your account and send you important updates
• Password — Stored as a secure hash, never in plain text
• Name — To personalize your experience

Identity Documents

When you verify your identity, we may collect:

• Government-issued ID images — Such as driver's license, passport, or state ID
• Selfie photos — To match against your ID photo
• Document data — Name, date of birth, address, and document number extracted from your ID

Biometric Information

Our verification process collects and processes biometric data. Please read this section carefully.

What we collect: During identity verification, we capture facial geometry data (a mathematical representation of your face) from your selfie and government-issued ID photo.

How we use it: Biometric data is used exclusively for identity verification and account integrity — specifically, to confirm that (a) the person presenting the ID is the same person in the selfie, (b) the person is physically present and not using a photo, video, or mask (liveness detection), and (c) the same individual has not previously created another account or circumvented verification controls. We do not track your behavior, activity, or interactions across platforms. Biometric data is used only to determine whether the same individual has previously completed a verification event, not to monitor how you use other services.

How we process it: Biometric data is processed by Amazon Web Services (AWS) Rekognition, acting as a data processor under our control. AWS processes this data solely to perform face matching and liveness detection on our behalf and does not use your biometric data for its own purposes.

Our approach to storage: CAIRL follows an ephemeral-first approach to biometric data for active verification sessions. Session-specific biometric data (such as raw selfie processing results) is processed in real time and is not retained beyond the session. However, a limited biometric reference (facial embedding) may be retained within secure verification infrastructure to support account integrity, uniqueness enforcement, and fraud prevention. Where biometric references are retained, they are stored in encrypted form (AES-256) and are deletable at your request at any time.

Uniqueness and fraud prevention: To prevent duplicate accounts, repeated free trial abuse, and identity fraud, CAIRL may retain a biometric reference associated with your account within secure verification infrastructure. This reference is used solely to enforce one account per individual within CAIRL, detect duplicate or fraudulent account creation attempts, and support uniqueness and anti-abuse checks for connected platforms where you have explicitly initiated verification. This biometric reference is not used for tracking your activity across services, advertising, profiling, or surveillance. It is only used to confirm whether the same individual has previously completed verification within a specific context. Biometric references are scoped to CAIRL's verification system and, where applicable, to specific integrations initiated by you. CAIRL does not use biometric data to track your behavior across unrelated services.

Retention and destruction: Biometric data associated with your account is permanently destroyed within 30 days of any of the following: your deletion request, your withdrawal of consent, or your account closure. Temporary retention beyond this period occurs only where required for system integrity, security incident response, or legal obligation, and is limited to the minimum duration necessary.

Consent: Before biometric data is collected, you will be presented with a clear, explicit consent prompt in the verification interface. This consent is separate from your agreement to these terms. You may withdraw consent at any time by contacting privacy@cairl.app or by deleting your account. Withdrawal of consent will result in destruction of your biometric data within 30 days, but may limit your ability to use verification-dependent features.

Third-party access: Biometric data is processed by AWS Rekognition as described above. No other third parties receive your biometric data. We do not sell, lease, or trade biometric data.

Your rights regarding biometric data: You have the right to request information about the biometric data we hold, request its deletion, and withdraw your consent to its collection. To exercise these rights, contact privacy@cairl.app. Residents of Illinois, Texas, and Washington may have additional rights under their respective state biometric privacy laws (Illinois BIPA, Texas CUBI, and Washington's biometric identifier law). See the Your Rights section below for details.

Verification Data

Our verification process generates:

• Face match confidence scores — How closely your selfie matches your ID photo
• Liveness detection results — Whether a live person is present (not a spoof)
• Document authenticity checks — Whether your document appears genuine
• Verification timestamps — When verification occurred

Proxy Email Data

If you use CAIRL/mail (our proxy email service), we generate and manage proxy email addresses on your behalf. Messages relayed through proxy addresses are processed by our email infrastructure (Mailgun) to route communications between you and connected services. Message content is processed as necessary to deliver the service and prevent abuse, but we do not use message content for advertising, profiling, or analytics. Relay metadata (sender, recipient, timestamps) is retained for service operation and abuse prevention.

Usage Information

We collect minimal usage data to keep our service running smoothly:

• Log data — IP address, browser type, pages visited
• Device information — Operating system, device type
• Bot protection data — Cloudflare Turnstile collects browser and device signals to distinguish real users from automated traffic during verification flows. This data is processed by Cloudflare and is not used for advertising or tracking.
• Error reports — To fix bugs and improve our service

Payment Information

When you make a purchase, our payment processor (Stripe) handles your card details. We never see or store your full card number. We only receive:

• Last four digits of your card
• Card brand (Visa, Mastercard, etc.)
• Billing address

Bank Account Information

If you use Plaid to link a bank account, Plaid securely accesses your bank credentials and account information. We receive only the information necessary to verify your account and process transactions — we do not receive your bank login credentials.

We use your information to:

• Provide verification services — Process your identity documents and verify your identity
• Deliver proxy email services — Generate and route proxy email addresses for connected services
• Prevent fraud — Detect and prevent fraudulent use of our service
• Comply with legal requirements — Meet regulatory obligations for identity verification
• Improve our services — Using anonymized and aggregated data only. Anonymized data cannot reasonably be used to identify you.
• Communicate with you — Send important account updates and security alerts

We do not sell your personal information. We do not use your biometric data for any purpose other than verification. We are designed to collect only the data necessary for each purpose described above.

Your security is our top priority. We protect your data using:

• Encryption at rest — All stored data is encrypted using AES-256, the same standard used by banks and governments
• Encryption in transit — All connections use TLS 1.3, the latest encryption protocol
• Access controls — Strict role-based access with multi-factor authentication for all staff
• Regular security testing — Including penetration testing and vulnerability assessments
• Industry-standard security practices — Our security program is designed using industry-standard frameworks, and we are actively pursuing independent compliance certifications

CAIRL is not a HIPAA covered entity or business associate unless explicitly contracted under a Business Associate Agreement.

For more details about our security practices, visit our Security page.

In the event of a data breach that affects your personal information, we will:

• Notify affected users as required by applicable law and without unreasonable delay
• Provide a description of the nature of the breach, the types of data involved, and the steps we are taking in response
• Report the breach to relevant regulatory authorities as required by applicable federal and state law

We may disclose your personal information in the following limited circumstances:

• Legal obligations — When required by applicable law, regulation, or legal process
• Court orders and subpoenas — In response to a valid court order, subpoena, or government request
• Law enforcement — When we believe in good faith that disclosure is necessary to protect public safety, prevent fraud, or address security threats
• Protection of rights — To protect the rights, property, or safety of CAIRL, our users, or others
• With your consent — When you have explicitly authorized disclosure

When legally permitted, we will notify you before disclosing your information in response to a legal request. We do not voluntarily provide user data to law enforcement absent a valid legal obligation.

CAIRL staff access to user data is governed by strict controls:

• Need-to-know only — Personnel access user data only when necessary to provide support, resolve technical issues, investigate fraud, or comply with legal obligations
• Role-based access — Access is scoped by role and limited to the minimum data required for the task
• Logged and audited — All access to user data by CAIRL personnel is logged and subject to periodic audit
• Multi-factor authentication — All staff with data access are required to use multi-factor authentication

We retain your data only as long as necessary:

Important distinction: You can delete your raw documents, biometric references, and biometric session data at any time. Biometric references (facial embeddings) used for uniqueness enforcement are permanently destroyed within 30 days of: your deletion request, your withdrawal of consent, or your account closure. However, verification records — the fact that a verification occurred, its result, and its timestamp — are retained for up to 7 years to meet regulatory, audit, and fraud prevention obligations. These records do not contain your document images, biometric references, or biometric session data.

You can request deletion of your data at any time, subject to the legal retention requirements described above. Data may persist in secure, isolated backups for a limited period and is automatically deleted in accordance with backup retention schedules.

CAIRL allows users on eligible plans to create circles — shared identity governance contexts for families, teams, clubs, and other groups. Circle administrators may manage identity verification and permissions for circle members, including minors.

Minors in Circles

Minors (anyone under 18) cannot independently create CAIRL accounts. A minor may participate in CAIRL only through a circle managed by their parent, legal guardian, or an authorized adult on an eligible Identity Plan.

Parental consent: Before a minor's identity information is collected or managed through a circle, the managing adult must provide verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA) and applicable state laws. CAIRL treats the circle administrator as the consenting party responsible for the minor's data.

Parental controls: The managing adult controls the minor's verification data, privacy settings, and sharing permissions. The managing adult may delete the minor's data at any time.

Liability boundary: CAIRL relies on the circle administrator's representation that they are the minor's parent, legal guardian, or authorized custodian. If CAIRL becomes aware that a minor's data is being managed by someone without proper authority, we will suspend access and notify the appropriate parties.

COPPA compliance: CAIRL does not knowingly collect personal information directly from children under 13 without verifiable parental consent. If you believe we have inadvertently collected information directly from an unaccompanied minor, please contact us immediately at privacy@cairl.app.

We apply additional protections to data associated with minors, including restricted data sharing defaults and enhanced consent requirements.

You have the right to:

• Access your data — Request a copy of all personal information we hold about you
• Correct inaccuracies — Update or fix incorrect information
• Delete your data — Request deletion of your personal information (with exceptions for legal holds and regulatory retention)
• Delete your biometric data — Request specific deletion of biometric identifiers at any time
• Export your data — Receive your data in a portable format
• Opt-out — Decline non-essential data processing

For EU Users (GDPR)

You also have the right to:

• Object to processing based on legitimate interests
• Restrict processing in certain circumstances
• Lodge a complaint with your local data protection authority

Our legal basis for processing is consent (for biometric data) and legitimate interest (for service delivery and fraud prevention).

For California Users (CCPA)

You also have the right to:

• Know what personal information we collect and how we use it
• Request deletion of your personal information
• Opt-out of the sale of personal information (we do not sell your data)
• Non-discrimination for exercising your rights
• Designate an authorized agent to make requests on your behalf, subject to verification of the agent's authority

For Illinois Users (BIPA)

You have additional rights under the Illinois Biometric Information Privacy Act, including the right to informed consent before collection, a published retention and destruction schedule (see Biometric Information and Data Retention above), and the right to pursue a private right of action for violations.

For Texas and Washington Users

You may have additional rights regarding biometric data under your respective state laws. Contact privacy@cairl.app to exercise these rights.

To exercise any of these rights, contact us at privacy@cairl.app.

We use a minimal number of cookies to keep our service running. We believe in a privacy-first approach:

• Essential cookies only by default
• Optional cookies require your explicit consent
• No advertising cookies — ever

For full details, see our Cookie Policy.

We work with trusted service providers to deliver our platform. Each handles only the data necessary for its designated purpose and acts as a data processor under our control:

All service providers process data under our instructions and are contractually bound to handle your data in accordance with this Privacy Policy and applicable law. Third-party services assist in processing data, but all verification outcomes are determined by CAIRL's systems and policies.

We may update our service providers from time to time. Material changes to our service providers will be reflected in this policy or communicated to users where required by law.

CAIRL does not allow minors (anyone under 18) to independently create accounts or use the platform without adult supervision.

Minors may participate in CAIRL only through circles managed by a parent, legal guardian, or authorized adult on an eligible Identity Plan. See Circle and Family Management above for full details on parental consent, controls, and our COPPA compliance posture.

If you believe we have inadvertently collected information directly from an unaccompanied minor, please contact us immediately at privacy@cairl.app.

Your data is processed and stored in the United States. If you are located outside the US, your information will be transferred to and processed in the US.

For users in the European Economic Area (EEA), we use Standard Contractual Clauses approved by the European Commission to ensure appropriate safeguards for international data transfers.

We may update this Privacy Policy from time to time. When we make material changes:

• We will notify you via email at least 30 days before changes take effect
• We will update the "Last Updated" date at the top of this page
• We will highlight what has changed

Your continued use of CAIRL after changes take effect means you accept the updated policy.

If you have questions about this Privacy Policy or want to exercise your rights, contact us:

• Privacy inquiries: privacy@cairl.app
• Legal inquiries: legal@cairl.app
• General inquiries: info@cairl.app
• Address: reAPPlicate Incorporated, 3200 NW 62nd Avenue #22, Margate, FL 33063

We aim to respond to all requests within 30 days.