
Privacy Statement · v1.0 · effective 2026-06-01

Privacy Statement

Humanos is operated by Humanos Labs Inc. This Privacy Statement explains how we collect, use, share and protect personal data when you use the Humanos platform, websites, applications and related services.

1. Introduction

This Privacy Statement explains how Humanos Labs Inc., trading as Humanos (“Humanos”, “we”, “us”, “our”), collects, uses, shares and protects personal data when you use the Humanos digital identity and verifiable credentials platform, our websites, applications and related services (together, the “Service”).

We are committed to protecting the privacy of personal information and to compliance with applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Portuguese data protection law. Our practices are governed by our internal Data Protection Policy, Privacy By Design Policy, Data Classification Policy and Data Retention Policy, and our information security controls are certified to ISO/IEC 27001:2022.

By using the Service, you acknowledge the practices described in this Privacy Statement.

2. Who we are (Data Controller)

For the personal data processed in connection with the Service, the data controller is:

  • Humanos Labs Inc. (trading as “Humanos”)
  • Portugal
  • Privacy / data protection contact: privacy@humanos.tech
  • Data Protection Officer (DPO): dpo@humanos.tech

Where Humanos processes personal data on behalf of a business customer (for example, when a customer uses our platform to verify the identity of its own users), Humanos acts as a data processor and the business customer is the data controller. In those cases, processing is governed by the Data Processing Agreement (DPA) entered into with that customer.

3. The personal data we collect

We collect only the data required to deliver the Service (“data minimisation”). Depending on how you use the Service, this may include:

| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, phone number, account records | Provided by you at registration |
| Authentication data | Login credentials, authentication tokens, session information | Generated when you sign in |
| Identity verification (KYC) data | Identity documents and facial image used to verify your identity | Provided by you; processed via our verification provider |
| Verifiable credential data | Decentralised identifiers (DIDs), credential metadata and cryptographic anchors | Generated when credentials are issued |
| Uploaded documents | Files and documents you upload, and text extracted from them | Provided by you |
| Payment and billing data | Billing details and payment method (card details are sent directly to our payment processor and never reach Humanos servers) | Provided by you / payment processor |
| Technical and usage data | Operational logs and security events (personal identifiers are scrubbed before these logs are stored) | Generated automatically |

“Personal Data” means any information relating to an identified or identifiable individual. Identity documents and facial images are special category / sensitive data and are subject to additional safeguards.

4. How we use personal data and our legal bases

We process personal data for the following purposes and on the following GDPR legal bases:

| Purpose | Legal basis |
|---|---|
| Creating and managing your account and providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Verifying your identity (KYC) and issuing verifiable credentials | Performance of a contract; compliance with a legal obligation; explicit consent for biometric/identity data where required (Art. 9(2)(a)) |
| Processing payments and managing billing | Performance of a contract; legal obligation |
| Securing the Service, preventing fraud and abuse, and maintaining audit logs | Legitimate interests (Art. 6(1)(f)); legal obligation |
| Communicating with you about the Service | Performance of a contract; legitimate interests |
| Complying with legal, regulatory and accounting obligations | Legal obligation (Art. 6(1)(c)) |

We process personal data lawfully, fairly and transparently; for specified, explicit and legitimate purposes; limited to what is necessary; kept accurate and up to date; and retained only as long as necessary.

5. International data transfers

Our primary data storage is located in the European Union (AWS eu-west-3, Paris). Some subprocessors operate, in whole or in part, outside the EU/EEA:

  • Stripe (United States) — operates under a PCI DSS Level 1 compliant channel.
  • Firebase / Google Cloud (EU/US) — Google-managed infrastructure.

Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under the GDPR, such as the European Commission’s Standard Contractual Clauses and the providers’ equivalent transfer mechanisms.

6. Blockchain anchoring — important notice

When verifiable credentials are issued, only cryptographic hashes and decentralised identifiers (DIDs) are anchored on a public blockchain (Base). No personal data is ever written on-chain. Because public blockchains are immutable, any anchored data (which contains no personal data by design) is permanent and cannot be deleted.

7. How we protect personal data

We apply technical and organisational measures appropriate to the risk, including:

  • Encryption in transit: TLS 1.2+ on all connections, with no exceptions.
  • Encryption at rest: AES-256 across primary data stores (Atlas native, AWS KMS, Stripe-managed).
  • Access control: Role-based access control (RBAC), multi-factor authentication (MFA), VPN for administrative access, scoped API keys and rate limiting.
  • Data minimisation: Only data required for service delivery is collected and shared.
  • Audit trail: All access and modifications are logged and monitored centrally.
  • Geographic containment: Primary storage in the EU.

These measures are described in our Information Security Policy and Data Lifecycle documentation and are maintained under our ISO/IEC 27001:2022 certified Information Security Management System.

8. How long we keep personal data

We retain personal data only while there is a continued and valid reason to do so — for the duration of your relationship with us and as required to provide the Service, comply with legal and regulatory obligations, resolve disputes and enforce our agreements.

When data is no longer necessary, it is securely deleted from cloud storage, databases and backups using secure deletion protocols (such as cryptographic erasure or overwriting), or anonymised where appropriate. Backups are purged according to our backup retention schedule. Policy documentation and certain records are retained for at least six years where required.

9. Your rights

Subject to applicable law, you have the right to:

  • Be informed about how your personal data is used;
  • Access the personal data we hold about you;
  • Data portability — receive your data in a common, machine-readable format;
  • Erasure (“right to be forgotten”);
  • Rectification of inaccurate or incomplete data;
  • Object to processing and to lodge complaints;
  • Restrict processing;
  • Not be subject to solely automated decision-making, including profiling, that produces legal or similarly significant effects without human involvement;
  • Non-discrimination for exercising your rights.

To exercise these rights, contact us at privacy@humanos.tech. We will authenticate your request and respond within the timeframes required by law (generally within one month under the GDPR). Deletion may be limited where retention is necessary to comply with legal obligations, resolve disputes, enforce agreements or where it would disrupt an active contracted service.

You also have the right to lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), or with the supervisory authority of your country of residence.

10. Children

The Service is not directed to children below the age required to provide valid consent under applicable law, and we do not knowingly collect their personal data without appropriate authorisation.

11. Changes to this Privacy Statement

We may update this Privacy Statement from time to time. The latest version will always be available at this URL, with the effective date shown above. Material changes will be communicated through the Service or by other appropriate means.

12. Contact us

  • Privacy / data protection: privacy@humanos.tech
  • Data Protection Officer (DPO): dpo@humanos.tech
  • Controller: Humanos Labs Inc. (trading as Humanos), Portugal

See also our Terms of Service and Cookie policy.
