Privacy Policy
Effective Date: March 10, 2026 | Last Updated: March 10, 2026
VerifiedKnock, Inc. ("VerifiedKnock," "we," "our," or "us") is committed to protecting your privacy and the privacy of the individuals whose identity is verified through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with the VerifiedKnock pre-arrival authentication system.
Biometric Information — BIPA, CUBI & HB 1493 Notice
VerifiedKnock does NOT collect, store, transmit, or process your biometric data on its servers.
Authentication is performed entirely on the officer's personal FIDO2-certified hardware device (e.g., AuthenTrend ATKey.Card). The fingerprint match occurs inside the secure element of that device. Only a cryptographic proof-of-identity token — mathematically incapable of reconstructing a fingerprint — is transmitted to VerifiedKnock systems.
This architecture means VerifiedKnock is not a "biometric information" collector under the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), or Washington's Biometric Privacy Act (RCW 19.375). Nevertheless, we provide this notice as a matter of transparency and best practice.
1. Information We Collect
We collect information in three categories: information you provide directly, information generated automatically when you use our services, and information received from third parties.
1.1 Information You Provide
| Category | Examples |
|---|---|
| Account & Identity | Full name, email address, agency name, badge number, job title |
| Payment | Billing email; card details are processed by Stripe and never stored by VerifiedKnock |
| Communications | Messages sent to support, pilot program inquiries, partner applications |
| Hardware Registration | Public keys and hardware serial identifiers required for FIDO2 credential binding |
1.2 Automatically Collected Information
When officers use the VerifiedKnock app to perform a verification, we log the following for security auditing and service improvement: timestamp of the verification attempt, GPS coordinates (city/state/ZIP precision only — not street-level), the cryptographic outcome (verified, failed, or revoked), and the hardware device identifier (public key only). We do not log the resident's address, name, or any personal information about the person opening the door.
1.3 What We Do NOT Collect
We do not collect fingerprints, retinal scans, voiceprints, facial geometry, or any other biometric identifier as defined under BIPA, CUBI, or HB 1493. We do not collect Social Security numbers, government-issued ID numbers, or full payment card numbers.
2. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery: To authenticate officers, provision NFC hardware cards, and operate the VerifiedKnock platform.
Security & Fraud Prevention: To detect unauthorized access, investigate suspicious activity, and maintain the integrity of the Card Revocation List (CRL).
Billing & Subscriptions: To process payments via Stripe, manage agency subscriptions, and send receipts.
Communications: To send magic-link login emails, service announcements, and support responses. We do not send marketing emails without explicit opt-in.
Legal Compliance: To comply with applicable law, respond to lawful government requests, and enforce our Terms of Service.
Product Improvement: To analyze aggregate, anonymized usage patterns to improve the platform.
3. Biometric Data — Written Policy & Consent (BIPA § 15(b))
Although VerifiedKnock does not collect biometric data, the hardware device used by officers (the NFC card) stores a fingerprint template inside its tamper-proof secure element. The following disclosures are provided in compliance with the written-policy requirements of Illinois BIPA § 15(a) and as a matter of best practice for all jurisdictions.
Purpose: The fingerprint template stored on the NFC card is used solely to authenticate the officer's physical presence at a registered address. It is never used for any other purpose.
Storage: The template is stored exclusively within the secure element of the officer's personal NFC card. It is not stored on VerifiedKnock servers, agency servers, or any cloud service.
Retention & Destruction: The biometric template is retained on the hardware device for the duration of the officer's active employment with the agency. Upon card revocation or officer departure, the agency administrator must physically destroy the card or use the VerifiedKnock admin portal to remotely lock the credential. The template cannot be extracted from the card after locking.
Third-Party Disclosure: VerifiedKnock does not sell, lease, trade, or otherwise profit from biometric data. No biometric data is disclosed to third parties except as required by law or with the express written consent of the individual.
Consent: By enrolling a fingerprint on the VerifiedKnock NFC card, the officer provides informed written consent as required by BIPA § 15(b). Agencies are responsible for obtaining this consent from their officers prior to enrollment and for maintaining consent records.
4. Information Sharing and Disclosure
We do not sell your personal information. We share information only in the following circumstances:
Service Providers: We share data with Stripe (payment processing) and cloud infrastructure providers under data processing agreements that prohibit secondary use.
Agency Administrators: Verification logs (timestamp, location, outcome) are visible to the agency administrator who manages the officer's account.
Law Enforcement & Legal Process: We may disclose information in response to a valid subpoena, court order, or other lawful government request, or when we believe disclosure is necessary to prevent imminent harm.
Business Transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction, subject to the same privacy protections.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & officer records | Duration of agency subscription + 3 years |
| Verification event logs | 3 years from the date of the event |
| Payment records | 7 years (IRS / financial compliance) |
| Magic-link tokens | 15 minutes from issuance; deleted immediately upon use |
| Support communications | 3 years from last contact |
| Revoked card UIDs (CRL) | Indefinitely (required for ongoing revocation enforcement) |
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information, subject to legal retention requirements.
Biometric Destruction (BIPA): Illinois residents may request that we confirm no biometric data is held on our servers. Because we do not collect biometric data, we will confirm this in writing within 30 days of a valid request.
Opt-Out of Sale: We do not sell personal information. No opt-out is required.
Data Portability: Request your verification event logs in a machine-readable format.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7. Security
We implement industry-standard technical and organizational security measures, including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and regular security audits. Authentication tokens are signed with asymmetric cryptography (FIDO2/WebAuthn). No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify affected parties as required by applicable law.
8. Children's Privacy
VerifiedKnock is a B2B platform intended for use by law enforcement agencies, utilities, licensed contractors, and healthcare organizations. We do not knowingly collect personal information from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us immediately.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify agency administrators of material changes via email at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. The "Last Updated" date at the top of this page reflects the most recent revision.
10. Contact Us
For privacy-related questions, requests, or to exercise your rights, contact our Privacy Officer:
This Privacy Policy is provided for informational purposes and does not constitute legal advice. VerifiedKnock recommends that agencies consult with qualified legal counsel regarding their own obligations under applicable biometric privacy laws.