LEGAL

Privacy Policy

Last updated: March 2026

CAGE is designed to know as little about you as possible. Here's exactly what we collect, why, and how long we keep it.

CONTENTS

  1. 1. What we collect
  2. 2. What we never collect
  3. 3. Third-party services
  4. 4. How long we keep your data
  5. 5. What partners receive
  6. 6. Your rights
  7. 7. Browser extension
  8. 8. Changes to this policy

What we collect

We collect the minimum possible to operate the service:

  • Email address (hashed — used only for magic link login, never shared)
  • Age verification result (18+ or 21+ — no exact age, no birthday)
  • Verification timestamp and expiry date
  • Anonymous per-partner identifiers (so partner sites cannot track you across other sites)

That's it. No name, no address, no government ID images, no biometric data.

What we never collect

  • Government ID document images (handled entirely by Veriff — see their privacy policy)
  • Full legal name
  • Date of birth
  • Facial biometric data
  • Browsing history or location data
  • IP addresses (used only for in-memory rate limiting — never stored)

Third-party services

Veriff

Handles identity document verification. They temporarily store document images and selfie data per their own retention policy (default 7 days). CAGE never receives or stores this data.

Neon (PostgreSQL)

Stores our database. Data is encrypted at rest.

Upstash (Redis)

Temporary session and auth code storage only. No long-term personal data.

Resend

Sends magic link emails. Processes email addresses for delivery only.

Vercel

Hosts the frontend. Standard CDN request logging.

Railway

Hosts the backend API.

How long we keep your data

Session data90 days
Verification result12 months from verification, or until you delete your account
Auth codes60 seconds (auto-deleted)

What partners receive

When a partner site requests your age verification, they receive only:

  • An anonymous ID — unique to that partner, cannot be used to identify you elsewhere
  • A boolean age_verified flag (always true if the token was issued)
  • An age_floor (18 or 21)

Partners cannot see your email, name, or any personal information. They cannot correlate your identity across other partner sites.

Your rights

You can delete your account at any time from your dashboard. This is a hard delete — all data is permanently and immediately removed, including your verification result, partner connections, and session data.

For any data requests or questions, email us at privacy@cageid.app.

Browser extension

  • The extension stores your session token locally in chrome.storage.local on your device only
  • It does not track your browsing history
  • It only activates when a partner site initiates a CAGE OAuth flow
  • No data is sent to CAGE servers except during active OAuth flows

Changes to this policy

We'll update this page if anything changes. Major changes will be communicated via email to registered users.