NearID Privacy Policy

This Privacy Policy explains what NearID collects, why we collect it, how long we keep it, and how users can exercise privacy rights across our website, console surfaces, partner panel, mobile app, receivers, and related support flows.

On this page

  • Document details
  • What data we collect
  • Why we collect it
  • Legal bases
  • Retention
  • User rights
  • Service providers
  • International transfers
  • Security statements
  • Contact details

Document details
Effective date: April 14, 2026
Last updated: April 14, 2026
Scope: Website, staff and org console public routes, partner panel public routes, mobile app, receiver operations, and related support flows.
Primary audience: Website visitors, customer organizations, partner users, invited staff users, and mobile app users.
Data requests contact: privacy@nearid.com
1. What data we collect

Account and contact data. We collect names, email addresses, organization names, role assignments, invite status, support messages, request-form submissions, and other business contact details needed to create or administer access.

Presence and receiver data. We collect timestamps, organization and checkpoint identifiers, receiver identifiers, verification outcomes, receiver health signals, and device-linked presence proofs needed to verify attendance or site presence. NearID is designed to verify presence without GPS. We do not use GPS coordinates as the basis for presence verification.

Security and authentication data. We collect login attempts, session events, verification events, API and webhook security events, abuse-control signals, and device or browser details needed to secure the service. Where the product uses device-linked telemetry, identifiers may be salted and hashed before storage or export, such as hashed device identifiers used in presence and diagnostics flows.

Mobile diagnostics and HPS data. If a user enables mobile diagnostics or an organization enables HPS enrollment, we collect app diagnostics, device basics, and motion-signature data associated with that feature. HPS collection occurs only after explicit enrollment consent.

2. Why we collect it

We use personal data to:

  • provide access to NearID accounts, receivers, partner tools, and support workflows,
  • verify presence events, generate audit trails, and produce compliance or billing evidence,
  • detect fraud, abuse, token misuse, replay activity, and unauthorized access attempts,
  • deliver transactional emails, password resets, invites, and support communications,
  • operate reliability tooling such as webhook retries, receiver health monitoring, and incident response,
  • comply with contractual, legal, tax, accounting, and security obligations.
3. Legal bases where applicable

If GDPR, UK GDPR, or similar laws apply, NearID generally relies on the following legal bases:

  • Performance of a contract to provide the NearID service, onboard users, support organizations, and fulfill partner or customer commitments.
  • Legitimate interests to secure the platform, prevent abuse, troubleshoot incidents, improve reliability, and maintain service operations.
  • Legal obligation where we must retain or disclose information for regulatory, accounting, tax, audit, or law-enforcement reasons.
  • Consent where a feature requires it, including HPS enrollment and certain optional mobile or communication workflows.
4. Retention summary

Retention depends on the type of record, customer configuration, and regulatory obligations. Examples of current product behavior include:

  • lead and support communications are retained for support, audit, and follow-up operations,
  • presence, session, and audit records are retained under organization or platform retention settings,
  • mobile retry queues and temporary local state are short-lived and may be discarded after a limited local window,
  • HPS match records are retained for 90 days by default and HPS baselines for 180 days by default unless a tighter policy applies,
  • records may be retained longer when required for legal holds, disputes, fraud review, or financial traceability.
5. User rights and request path

Depending on your location, you may have the right to request access, correction, deletion, export, restriction, objection, or withdrawal of consent for certain processing.

To submit a privacy request, email privacy@nearid.com and clearly label the request as deletion, export, correction, or privacy inquiry. Signed-in org users should use the NearID Support flow with category Privacy where available so the request enters the tracked operations queue. Mobile app users can also use the in-app export or deletion paths where available. We may need to verify identity and organizational authority before completing a request.

Our operating targets are to acknowledge verified privacy requests within 2 business days, complete verification or routing within 5 business days, and provide a substantive response within 30 calendar days unless a longer period is allowed by applicable law.

6. Service providers and subprocessors summary

NearID uses service providers to host and operate the platform. Current categories include cloud hosting, database infrastructure, caching and queue infrastructure, transactional email delivery, and crash or diagnostics tooling.

Examples reflected in the current product stack include Render and Vercel for hosting and deployment, Supabase for database services, Redis-backed infrastructure for critical caching and queueing, MailerSend for transactional email handling, and Sentry for certain mobile crash diagnostics.

7. International transfers
NearID and our service providers may process data in the United States or other countries where we or our vendors operate. Where applicable, we use contractual, organizational, and technical safeguards intended to protect transferred personal data.
8. Security and product-specific statements

Browser-based authentication flows use first-party secure cookie controls where that surface is configured for cookie-backed sessions, including CSRF protection cookies on the backend. Some browser app surfaces also persist signed session context or bearer tokens in first-party browser storage to bootstrap console or partner sessions, as documented in the Cookie Policy and storage inventory. Refresh-token references are stored in hashed form on the server side. On supported mobile platforms, tokens, device secrets, and similar credentials are stored in OS-protected secure storage rather than plain app storage.

Presence verification is designed around receiver-backed and token-based proofs rather than GPS tracking. Diagnostic and crash flows may hash identifiers before upload so support and engineering can investigate issues without exposing raw account identifiers where hashing is used.

9. Contact details
Privacy and data requests: privacy@nearid.com
Use subject lines such as "Deletion request", "Export request", "Correction request", or "Privacy inquiry".
Billing and contract questions: billing@nearid.com
General support: support@nearid.com
(c) 2026 NearID, Inc. All rights reserved.