Privacy & Data Handling
Verified viewer proof without the privacy trade-off.
Veroface provides verified viewer proof without relying on identity resolution or sending raw imagery off-device. No raw images leave the device. No biometric identity store is required. This page explains the methodology.
Core principles
No raw images leave the device
The verification engine runs on-device. Quality and presence signals are derived locally and summarised before any data is transmitted. Raw frame data is never sent off-device.
No biometric identity store required
Veroface does not build, maintain, or reference a biometric identity database. The engine assesses structural viewing signals — presence, count, quality — not the identity of who is present.
No identity resolution
Veroface has no integration with identity resolution platforms, device graphs, or audience identity infrastructure. The audit signal is structural, not personal.
Cryptographic attestation at every step
Every event carries an Ed25519 signature generated on-device at the point of measurement using an ephemeral keypair. The server verifies each signature before the event is accepted into the audit record.
Independently verifiable output
The audit report includes a verification guide and a structured JSON export. Any stakeholder with the public key can verify the signature of every evidence row without relying on Veroface infrastructure.
No audience segments created or transmitted
Veroface does not build, license, or transmit audience segments. The platform has no integration with advertising identity or targeting infrastructure of any kind.
Veroface does
- ✓ Run viewer verification on-device, not server-side
- ✓ Generate ephemeral Ed25519 keypairs per session
- ✓ Sign every event at the point of measurement
- ✓ Verify signatures server-side before accepting events
- ✓ Produce aggregate viewable-but-unverified classifications
- ✓ Deliver a tamper-evident, independently verifiable report
- ✓ Enforce agreed data retention and deletion schedules
Veroface does not
- ✗ Transmit raw images or video off-device
- ✗ Build or reference a biometric identity store
- ✗ Perform identity resolution of any kind
- ✗ Build or transmit audience segments
- ✗ Integrate with ad serving, bidding, or identity infrastructure
- ✗ Sell, license, or share audit data with third parties
- ✗ Retain data beyond the agreed retention window
Data handling flow
01 On-device verification
The Veroface engine runs locally. Frame-level quality and viewer presence signals are computed on-device. An ephemeral Ed25519 keypair is generated per session. No raw frames are transmitted.
02 Event signing
At the point of measurement, a canonical event record is produced and signed with the session keypair before any transmission occurs. The private key is discarded after signing.
03 Signature verification
The Veroface ingest endpoint verifies the Ed25519 signature, checks timestamp freshness (5-minute window), and rejects replayed nonces. Events failing verification are discarded.
04 Persistence and classification
Verified events are stored with their signature and classified. No personal data, no raw imagery, and no biometric data is retained at any stage.
05 Report assembly
The audit report is assembled from signed, verified events. The export includes the public key needed to validate every signature independently, without Veroface infrastructure.
06 Retention and deletion
Events are retained for the agreed audit window. After the retention period, events are deleted per the agreed schedule. Veroface enforces 30-day rolling retention by default.
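The signing and ingest checks from steps 02 and 03, as an added Go example that is not Veroface's code; an independent verifier holding the exported public key would run the same signature check per evidence row. The Event fields, the "v1" canonical encoding and all function names are assumptions, since this page does not publish the canonical event format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Event is a constructed stand-in for the canonical event record (assumed fields).
type Event struct {
	Nonce string // unique per event within a session
	TS    int64  // Unix seconds at the point of measurement
	Count int    // derived viewer count; no imagery or identity
}

const window = 5 * time.Minute // freshness window from step 03

// Canonical is the exact byte string that gets signed (assumed "v1" encoding).
func Canonical(e Event) []byte {
	return []byte(fmt.Sprintf("v1|%q|%d|%d", e.Nonce, e.TS, e.Count))
}

// NewSession is the device side: ephemeral key pair, private half kept inside the signer.
func NewSession() (ed25519.PublicKey, func(Event) []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, func(e Event) []byte { return ed25519.Sign(priv, Canonical(e)) }
}

// Verify is the ingest side: signature first, so unsigned input never touches the cache.
func Verify(seen map[string]bool, pub ed25519.PublicKey, e Event, sig []byte, now time.Time) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, Canonical(e), sig) {
		return errors.New("bad signature")
	}
	if d := now.Sub(time.Unix(e.TS, 0)); d > window || d < -window {
		return errors.New("stale timestamp")
	}
	key := string(pub) + "|" + e.Nonce
	if seen[key] {
		return errors.New("replayed nonce")
	}
	seen[key] = true // may be evicted after TS+window: the freshness check then rejects it
	return nil
}

func main() {
	pub, sign := NewSession()
	e := Event{Nonce: "n-1", TS: time.Now().Unix(), Count: 2}
	fmt.Println(Verify(map[string]bool{}, pub, e, sign(e), time.Now()))
}
```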
Frequently asked questions
Does Veroface use face recognition to identify individuals?
No. The engine assesses structural signals — viewer presence, count, and image quality — not identity. The output is a statistical signal about the viewing environment, not a record of who was present.
Does raw imagery leave the device?
No. The engine runs on-device. Only derived signals — quality scores, presence classifications — are transmitted, along with a cryptographic signature. No raw frames are sent.
Is biometric data collected or stored?
No biometric data is collected or stored. Veroface does not build or reference a biometric identity database at any point in the audit process.
Is the methodology reviewable by legal or compliance teams?
Yes. The canonical event format, the signing algorithm (Ed25519), and the classification criteria are published in the audit report's verification guide. No NDA is required to review or validate the methodology.
Does the platform integrate with advertising or identity infrastructure?
No. Veroface has no integration with DSPs, SSPs, ad exchanges, device graphs, or identity resolution platforms. The audit pipeline is fully isolated from advertising infrastructure.
What happens to data after the audit window?
Events are retained for the agreed period, then deleted per the configured schedule. Veroface enforces 30-day rolling retention by default. Deletion is auditable.
Questions for legal or compliance?
Bring specific compliance questions to the pilot-fit conversation. We will answer them plainly before any engagement begins — no NDA required.