Privacy Policy

Last updated: June 22, 2026

Checktiv is a trade name of Autohost, Inc. (“Checktiv,” “we,” “us,” or “our”), a corporation incorporated under the laws of Canada, with its principal place of business at 280 Howland Ave, Suite PH18, Toronto, ON, M5R 0C3, Canada.

Your privacy matters to us. This Privacy Policy explains how we collect, use, disclose, safeguard, and otherwise handle personal data when you use the Checktiv identity-verification platform, visit our website, or interact with us. Please read it together with our Terms of Service and, for business customers, our Data Processing Agreement.

1. About Checktiv and our two roles

Checktiv provides an identity-verification platform. Businesses (“Operators,” our customers) use Checktiv to design verification workflows and to verify the identity of the individuals they choose to screen (“Applicants”). An Operator can configure a workflow to collect basic identifying information, verify a government-issued identity document, optionally confirm a live facial match, screen against sanctions and watchlists, and run background checks.

Our role under data protection law depends on whose data we are handling:

For Applicant verification data, we act as a processor (a “service provider” under U.S. law). We collect and process Applicant personal data on behalf of, and under the documented instructions of, the Operator that initiated the verification. The Operator is the controller (the “business”) and decides why the verification is performed and how its results are used. If you are an Applicant, the Operator that asked you to verify is responsible for that verification, and you should consult the Operator’s own privacy notice for the purposes of the screening.
For Operator account data and our website, we act as a controller. When a business signs up for and administers a Checktiv account, and when anyone visits our website, we determine the purposes and means of processing and are the controller for that data.

This Policy is organized to reflect those roles: Part A is for Applicants, Part B is for Operators and website visitors, and the remaining sections apply to both.

Part A - For Applicants (people being verified)

In plain terms: the business that asked you to verify (the “Operator”) is in charge of your verification data and decides how it is used. Checktiv runs the checks for that business. For most questions about your data, the Operator is your first contact - and we will help if you reach us instead.

A.1 What we collect, and on whose behalf

When you complete a verification, you are providing information to the Operator that requested it. We collect and process that information on the Operator’s behalf so we can deliver the verification result back to the Operator. Depending on how the Operator has configured its workflow, we may collect:

Your legal name (always collected), used to identify and verify you.
Contact details - email address and/or phone number, where the Operator enables these fields, used to communicate with you about the verification.
Date of birth, where the Operator enables it, used to confirm your identity and eligibility.
Residential address, where the Operator enables it, used to confirm your identity.
Government-issued identity document - images of a passport, driver’s license, or identity card, where the Operator’s workflow includes document verification, used to confirm that the document is genuine and matches the information you provided.
Facial images and a short facial video (biometric data) - only where the Operator has expressly enabled a facial-match or liveness step. See Section A.3.
Verification and screening results - for example, whether a document appeared valid, whether your name matched your document, and whether a sanctions, watchlist, or background-check match was found.
Technical and device information - such as IP address, device and browser characteristics, and security and fraud-prevention signals collected while you complete the verification, used to keep the verification secure and to detect fraud.

We collect only the information needed to perform the verification the Operator has configured. We do not ask you to create an account.

A.2 Sanctions, watchlist, and background checks

Where the Operator’s workflow includes them, we facilitate screening against sanctions and watchlists (such as government and international lists) and background checks; these may return information about criminal records or adverse media where permitted by law and where the Operator has a lawful basis to obtain them. Identity verification (confirming your name matches your document, document authenticity, and any facial match) is provided to authenticate identity and prevent fraud. For sanctions, watchlist, and background-check results, Checktiv is a technology provider; it does not act as, and does not perform the functions of, a “consumer reporting agency” under the U.S. Fair Credit Reporting Act (“FCRA”), and those results are not “consumer reports” furnished by Checktiv. The Operator (and, for the underlying screening data, the screening provider that compiled it) is responsible for any FCRA or similar-law obligations, including permissible purpose, required authorizations, and any pre-adverse-action and adverse-action notices. Direct any request to dispute the accuracy or completeness of a background, criminal, sanctions, or watchlist result, and any adverse-action question, to the Operator that requested your verification. Checktiv does not adjudicate disputes about the accuracy of third-party screening content; if you contact us, we will forward your request to the relevant Operator.

A.3 Biometric data (facial match and liveness)

An Operator can, at its option, enable a step that uses your face to confirm that the person presenting the identity document is its genuine holder. This step is off by default and only runs when the Operator turns it on for its workflow.

When it is enabled, with your consent we collect a facial image and/or a short facial video, and process it using automated facial-comparison and “liveness” technology to confirm a match and to confirm you are a live person. This is biometric data and is treated as sensitive personal data (sometimes called “special category” data under EU and UK law) under laws such as the EU and UK General Data Protection Regulation, Quebec’s Law 25, the Illinois Biometric Information Privacy Act (“BIPA”), the Texas Capture or Use of Biometric Identifier Act, and Washington’s biometric law.

We collect biometric data only with your consent, presented to you before any facial capture. You can decline; if you decline, you may be unable to complete a verification that the Operator has configured to require this step, and the Operator decides what happens next.
We use biometric data only to perform the facial-match and liveness check for that verification. We do not sell it, and we do not use it to build facial-recognition profiles, to train models, or for any purpose beyond the verification.
The facial-comparison and liveness processing is performed by a specialized verification provider engaged as our sub-processor and pinned to the same region (United States or European Union) as the rest of your verification data. Your name, date of birth, address, email, and phone number are not sent to that provider. The provider is identified in our Sub-processor List (see Section 3).
We retain biometric data only for as long as needed to complete the verification and within the retention period the Operator sets, and in no event longer than permitted by applicable biometric law. See Section 4.

A.4 How long we keep Applicant data

We keep Applicant verification data for the period the Operator configures for its account, after which it is deleted or rendered unreadable. Default retention periods apply where the Operator does not set its own, and differ by region. Some records (for example, minimal audit records that we must keep to evidence that a verification occurred) are retained longer where required for security, fraud prevention, or legal compliance. See Section 4 for details.

A.5 Where your data is stored

We operate separate, isolated data regions for the United States and the European Union. Your verification data is stored in the region of the Operator that requested your verification: in plain terms, European Union data stays in the European Union and United States data stays in the United States. We do not replicate Applicant verification data across regions. See Section 5.

A.6 Your choices and rights as an Applicant

Because the Operator is the controller of your verification, most requests to access, correct, or delete your verification data, or to object to or restrict its processing, should be directed to the Operator. If you contact us instead, we will not leave you stuck: within the time required by law, and in any event without undue delay, we will forward your request to the relevant Operator and help them respond. You may also contact us using the details in Section 11, and you always have the right to lodge a complaint with your local data protection authority.

You must be at least 18 years old to complete a verification. See Section 8.

Part B - For Operators and website visitors

B.1 Operator account data

When you register for and use a Checktiv account as an Operator, we collect and process, as controller:

Account and contact information - your name, business email address, phone number, and the name of your organization.
Authentication data - your login credentials and security settings (for example, passkeys or other multi-factor methods).
Billing information - subscription and usage records, and limited payment-method metadata (such as card brand and last four digits) processed through our payments sub-processor. We do not store full payment card numbers.
Usage and configuration data - the workflows you build, your settings, and how you use the dashboard, used to provide, secure, support, and improve the service.

We use this data to provide and administer the platform, authenticate you, process payments, provide support, communicate service and security notices, meet our legal and compliance obligations, and improve and secure the service.

B.2 Website, cookies, and similar technologies

When you visit our website, with your consent where required we use cookies and similar technologies to recognize your browser, remember your preferences, understand how our site is used, and improve it. We may collect your IP address, device and browser information, pages visited, links clicked, and referring URL. You can control cookies through your browser settings; disabling some cookies may affect site features.

If you contact us, sign up for updates, or request a demo, we use the contact details you provide to respond to you and, with your consent where required, to send you communications about Checktiv. You can opt out of marketing communications at any time.

Sections applying to both Applicants and Operators

2. How we use personal data

We use personal data to:

verify the identity of Applicants and the information they provide, as configured by the Operator;
perform sanctions, watchlist, and background-check screening configured by the Operator;
produce verification and screening results for the Operator;
detect, prevent, and investigate fraud, abuse, and security incidents;
provide, operate, administer, support, and improve the platform;
communicate with Operators and Applicants about a verification or account;
comply with our legal, regulatory, audit, and contractual obligations; and
establish, exercise, or defend legal claims.

We do not use Applicant verification data to train artificial-intelligence or machine-learning models for our own product development, and we do not use it for any purpose other than providing the verification and the purposes described above. Some verification steps use automated comparison (for example, comparing the name you enter with the name read from your document) solely to perform the verification itself.

When we process Applicant data, we do so on the lawful basis the Operator (as controller) has identified - typically the Operator’s legitimate interests in verifying identity and preventing fraud, compliance with a legal obligation (such as KYC/AML), or performance of a contract; and, for biometric data, the Applicant’s explicit consent under Article 9(2)(a) GDPR. The Operator’s own privacy notice states the basis that applies to your verification.

We do not sell or rent personal data. We share personal data only as follows:

Operators. We disclose Applicant verification data to the Operator that requested the verification. That Operator is the controller of that data.
Sub-processors. We engage a limited number of vetted third-party providers to host our infrastructure, process payments, perform document and biometric verification, screen against sanctions and watchlists and run background checks, provide fraud-prevention signals, and similar functions. Each sub-processor is bound by a written contract requiring it to protect personal data and to use it only to provide services to us. We remain responsible for our sub-processors. The current list of sub-processors, including each one’s name, location, processing activity, and transfer mechanism, is maintained in, and incorporated into, our Data Processing Agreement (Annex C), and is available to Operators on request.
Required by law. We may disclose personal data where we reasonably believe disclosure is required by law, legal process, or a lawful request from a public authority. Where we are legally permitted to do so, we will notify the affected party, and where we act as a processor we will, unless legally prohibited, direct the request to the relevant Operator and disclose only the minimum necessary. Where we receive such a request for data we process on an Operator’s behalf, we will, unless legally prohibited, notify the Operator first, challenge requests we consider unlawful or overbroad, and disclose only the minimum necessary, consistent with our Data Processing Agreement. See our Data Processing Agreement for our government-access commitments.
Fraud, security, and investigations. We may disclose personal data where reasonably necessary to detect, prevent, or address fraud, security, or technical issues, or to investigate a suspected breach of an agreement or of the law.
Business transfers. We may disclose personal data in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to the recipient agreeing to protect the data consistent with this Policy.

Consistent with our customer-communications practice, we do not name our individual sub-processors in this Policy; they are identified in the Sub-processor List referenced above so that the list stays current and authoritative.

4. Data retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law.

Applicant verification data is retained for the period the Operator configures for its account. Where the Operator has not set a period, default retention applies and differs by region. After the retention period, data is deleted or rendered permanently unreadable.
Biometric data is retained only for as long as needed to complete the verification and within the Operator’s retention period, and in no event longer than permitted by applicable biometric law.
Government identity-document images are retained for a limited period appropriate to their sensitivity, consistent with the Operator’s retention settings.
Audit and security records that evidence that a verification or privileged action occurred are retained for a longer period where required for security, fraud prevention, and legal or regulatory compliance, even after other data is deleted.
Operator account and billing records are retained for the life of the account plus any period required by law (for example, for tax and accounting).

Checktiv applies a platform maximum retention period to the most sensitive data (identity-document images and biometric data) that overrides any longer Operator-configured period: biometric data is deleted or rendered permanently unreadable no later than 90 days after the verification is completed and in no event more than 12 months from collection, consistent with applicable biometric law (including the Illinois BIPA outer limit) and GDPR Art. 5(1)(e).

We honor verified erasure requests as described in Sections A.6 and 9 and in our Data Processing Agreement, subject to limited exceptions where retention is required by law.

5. International data transfers and data residency

We operate separate, isolated data regions for the United States and the European Union. Personal data is stored and processed in the region of the relevant Operator, and we do not replicate Applicant verification data between regions.

European Union Applicant verification data stays in the European Union, including identity data, document images, any biometric data, and verification results.
Where it is necessary to transfer personal data across borders (for example, to a sub-processor located outside your region, or to Autohost, Inc. in Canada (Checktiv is a trade name of Autohost, Inc.) for corporate functions and, where the Operator enables them, screening services), we rely on appropriate safeguards recognized under applicable law, including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary technical measures. Details of each transfer mechanism are set out in our Data Processing Agreement.
A limited, documented exception applies to billing data, which is processed centrally in the United States under appropriate safeguards even for European Union Operators.

Checktiv is a Canadian company and does not rely on the EU-U.S. Data Privacy Framework as a transfer mechanism. Our Data Processing Agreement contains our transfer impact assessment and our commitments regarding government access requests.

6. How we secure personal data

We maintain a security program designed to meet recognized industry standards and appropriate to the sensitivity of the data we handle. Checktiv maintains SOC 2 Type II certification covering our verification platform. Our measures include:

Encryption in transit using TLS, and encryption at rest. Sensitive personal data is additionally protected with application-level envelope encryption using per-customer data-encryption keys, so that even within our systems the most sensitive fields are individually encrypted.
Region isolation, so that data stays within its designated region with no cross-region replication of verification data.
Strict access controls based on least privilege and need-to-know, multi-factor authentication for privileged access, and quarterly access reviews.
Tamper-evident audit logging of privileged actions, and automatic redaction of personal data from operational logs.
Personnel measures, including background checks, confidentiality obligations, and security training.
Vulnerability management, including regular scanning and periodic penetration testing.

No method of transmission or storage is completely secure, but we work continuously to protect personal data and to improve our safeguards.

7. Automated processing and human decision-making

Our platform produces verification results and risk flags to support an Operator’s decision. It is designed as a decision-support tool with a human in the loop: it flags concerns for the Operator’s review and does not make a final automated decision that produces legal or similarly significant effects on an Applicant. The Operator’s authorized personnel are responsible for reviewing results and making the final decision. If you are an Applicant and want to understand or contest a decision, contact the Operator.

Our platform performs automated comparisons (for example, comparing your entered name with the name on your document, document-validity checks, and watchlist matching) that produce flags and risk indicators. These are inputs to the Operator’s decision, not a substitute for it; the Operator’s people make the final decision with genuine human review.

8. Children

Checktiv is intended for use by adults. Verifications are intended only for individuals who are at least 18 years old, and by completing a verification you represent that you are 18 or older. Operators are responsible for ensuring they do not direct minors to complete a verification and for obtaining any parental or guardian consent required by law if they do.

The platform is not offered to anyone under 18, including teenagers aged 13 to 17. As a backstop, our platform is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13, we will take steps to delete it. If you believe a child under 13 has provided personal data to us, contact us at privacy@autohost.ai.

9. Your privacy rights

Depending on where you live and the laws that apply to you, you may have the right to:

access the personal data we hold about you;
correct inaccurate personal data;
delete your personal data;
restrict or object to certain processing;
receive your personal data in a portable format;
withdraw consent (including consent to biometric processing) at any time, without affecting processing already carried out; and
not be subject to a solely automated decision with legal or similarly significant effects.

These rights are subject to the exceptions and limits in applicable law (for example, the EU/UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended, Canada’s PIPEDA, and Quebec’s Law 25). If your request concerns verification data we processed on an Operator’s behalf, please direct it to the Operator, who is the controller; if you contact us, we will forward your request and assist the Operator. For data for which we are the controller, contact us at privacy@autohost.ai.

We will respond to your request within the time required by applicable law, and in any event without undue delay - generally within one month under the EU/UK GDPR (extendable by up to two further months for complex requests), within 45 days under the CCPA (extendable once), and within 30 days under Canada’s PIPEDA. We will not discriminate against you for exercising your rights. If we cannot fulfill a request (for example, because doing so would reveal another person’s information), we will explain why. You may also lodge a complaint with your local data protection authority.

10. Sensitive personal information (California)

Some data we handle is “sensitive personal information” under the California Consumer Privacy Act, including biometric information processed to uniquely identify you, government identity-document data, and (where an Operator enables it) information that may concern health or criminal history. We use and disclose sensitive personal information only to perform the verification the Operator configured and for the limited purposes permitted by Cal. Civ. Code 1798.140(e) (including security, fraud prevention, and providing the service), never to infer characteristics about you. For applicant verification data we act as the Operator’s service provider; direct requests to limit, access, or delete to the Operator. For data we control (Operator accounts and website visitors), contact privacy@autohost.ai.

11. Contact us

If you have questions about this Policy or our privacy practices, or to exercise your rights, contact us at:

Email: privacy@autohost.ai
Mail: Autohost, Inc. (Checktiv), 280 Howland Ave, Suite PH18, Toronto, ON, M5R 0C3, Canada

The person responsible for the protection of personal information at Checktiv (our Privacy Officer, as required by Canada’s PIPEDA and Quebec’s privacy law) can be reached at privacy@autohost.ai or by mail at the address above.

12. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the platform after an update means you accept the revised Policy.