IdLayer← Back to home

Privacy Policy

Last updated: March 2026

This Privacy Policy explains how IdLayer ("we", "us", or "our") collects, uses, stores, and protects data when you use the IdLayer Shopify application.

1. What data we collect

When a customer initiates a verification through a merchant's Shopify checkout, IdLayer collects and stores:

  • Email address — provided by Shopify's checkout buyer identity
  • Shopify customer ID — linked when a Shopify account is created after verification
  • Checkout token — used as a fallback identity reference for guest checkouts
  • Verification session ID — the unique identifier for the session within our verification provider
  • Verification images — copies of identity documents (front and back), selfie photographs, and any other images captured during the verification flow
  • Verification decision data — the full response from the verification provider, including document metadata and decision rationale
  • Shop domain — the Shopify store that initiated the verification

We do not collect payment card details, order contents, or any data outside the verification flow.

2. How we use data

Data collected through IdLayer is used exclusively to:

  • Deliver the identity verification service to the merchant
  • Display verification results and audit records in the merchant's Shopify Admin dashboard
  • Enable merchants to make manual approval or decline decisions on pending sessions
  • Tag verified customers in the merchant's Shopify store (idlayer:verified)
  • Comply with legal or regulatory requests where applicable

We do not sell, rent, or share verification data with third parties for advertising, analytics, or any purpose unrelated to operating the service.

3. Data storage and security

  • All session records are stored in a private database scoped to each merchant's shop domain. No merchant can access another merchant's data.
  • Verification images are stored in a private storage bucket. Images are never served via public URL — access requires a time-limited signed URL generated server-side per request.
  • All data in transit is protected by TLS. All data at rest is encrypted.
  • Access to session data via the Admin dashboard requires a valid Shopify session token, verified server-side using HMAC-SHA256.

4. Third-party verification provider

IdLayer uses Didit as its verification provider. When a customer initiates verification, they are redirected to a Didit-hosted verification interface. Didit processes the customer's identity data under their own privacy policy. IdLayer copies the verification outcome and images back to its own storage to ensure merchants retain durable access to their verification records independently of Didit's data retention schedules.

Please review Didit's Privacy Policy for information about how they process identity data during the verification flow.

5. Data retention

  • Verification session records are retained for as long as the merchant's IdLayer subscription is active, plus a reasonable period thereafter.
  • Merchants may request deletion of their store's verification data at any time by contacting us.
  • Upon app uninstallation, we process a shop/redact webhook from Shopify within 48 hours to remove all data associated with the merchant's shop.

6. Merchant responsibilities

Merchants who use IdLayer are responsible for:

  • Informing their customers that identity verification is required as part of the checkout process
  • Including appropriate disclosures in their store's own privacy policy
  • Ensuring their use of IdLayer complies with applicable laws, including GDPR, CCPA, and any age-verification regulations in their jurisdiction

7. Customer rights

Customers who have been verified through a merchant's store may request access to, correction of, or deletion of their verification data by contacting the merchant directly. Merchants can locate and manage customer verification records in the IdLayer Admin dashboard.

8. Contact

If you have questions about this Privacy Policy or wish to make a data subject request, contact us at:

Email: [email protected]