Back to home

Privacy Policy

Last updated: March 2026

1. Introduction

KYCBox ("we," "us," or "our") operates an API-first identity verification platform. This Privacy Policy describes how we collect, use, store, and protect personal data when you use our website, APIs, and related services (collectively, the "Services").

By accessing or using our Services, you agree to the practices described in this policy. If you are using our Services on behalf of an organization, you represent that you are authorized to accept this policy on their behalf.

2. Data We Collect

2.1 Account Information

When you register for KYCBox, we collect your name, work email address, company name, phone number, and billing details. This information is necessary to create and manage your account.

2.2 Verification Data

As an identity verification platform, our clients submit personal data of their end users through our APIs. This data may include identity document details (Aadhaar number, PAN, Driving Licence, Passport), photographs, biometric data (facial images for liveness checks), and other personally identifiable information. We process this data strictly on behalf of our clients as a data processor.

2.3 Usage Data

We automatically collect information about how you interact with our Services, including API request logs, IP addresses, browser type, device information, and timestamps. This data helps us monitor service performance, detect abuse, and improve our platform.

2.4 Cookies and Analytics

Our website uses essential cookies for authentication and session management. We may use analytics tools to understand website traffic and usage patterns. We do not use advertising cookies or cross-site tracking.

3. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain our verification APIs
  • Process identity verification requests on behalf of our clients
  • Manage your account, process billing, and provide customer support
  • Monitor API usage, detect fraud, and prevent unauthorized access
  • Generate anonymized and aggregated analytics to improve our Services
  • Comply with legal obligations and respond to lawful requests from authorities
  • Send service-related communications including security alerts and API updates

4. Data Storage and Residency

All personal data and verification data processed through KYCBox is stored on servers located in India. We use enterprise-grade cloud infrastructure with data centers in Indian regions to ensure compliance with data localization requirements.

Verification data submitted through our APIs is retained only for the duration necessary to complete the verification request and deliver results to our clients. We do not retain identity documents or biometric data beyond the processing period unless required by applicable law.

5. Data Retention

Account information is retained for as long as your account is active and for a reasonable period thereafter to comply with legal and audit obligations.

API request logs and usage data are retained for up to 12 months for operational and security purposes, after which they are anonymized or deleted.

Verification data (identity documents, biometric data) is processed transiently. Raw documents and images are not stored after the verification response is delivered. Metadata and verification results may be retained in accordance with our clients' data processing agreements.

6. Third-Party Sharing

We do not sell personal data to third parties. We may share data in the following limited circumstances:

  • Government databases: Verification data is submitted to authoritative government databases to complete identity checks, as requested by our clients through our APIs.
  • Infrastructure providers: We use cloud hosting and infrastructure services that may process data on our behalf under strict contractual obligations.
  • Legal compliance: We may disclose data when required by law, regulation, or valid legal process.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity.

7. Security Measures

We implement industry-standard security measures to protect your data, including:

  • TLS 1.2+ encryption for all data in transit (API and website)
  • AES-256 encryption for data at rest
  • API key authentication with scoped permissions and rate limiting
  • Regular security audits and vulnerability assessments
  • Access controls with role-based permissions and audit logging
  • Infrastructure hardening and DDoS protection

8. DPDP Act Compliance

KYCBox is committed to compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act). As a data processor acting on behalf of our clients (data fiduciaries), we implement appropriate technical and organizational measures to ensure the security of personal data.

Our clients, as data fiduciaries, are responsible for obtaining valid consent from their end users before submitting personal data to KYCBox for verification. We process data solely for the purposes specified by our clients and in accordance with the DPDP Act's requirements.

We support our clients in fulfilling data principal rights under the DPDP Act, including the right to access, correction, and erasure of personal data. Requests from data principals should be directed to the respective data fiduciary (our client), who may then coordinate with us to fulfill such requests.

9. Your Rights

Depending on your jurisdiction and applicable law, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Grievance redressal: Lodge a complaint regarding how your data is processed.

For end users whose data has been verified through our platform: please contact the organization that initiated the verification (our client) to exercise your data rights. They will coordinate with us as needed.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through our API dashboard. Continued use of our Services after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries, data protection concerns, or to exercise your rights, contact us at:

Email: privacy@kycbox.ai

Company: KYCBox

Address: India