Privacy Policy

Last updated: May 23, 2026

TosiName provides verified digital identity services. This policy explains what we collect, why we collect it, and how we handle your information.

1. Data We Process

We process the following categories of data to provide the service:

• Account information, such as your email and authentication details.
• Identity verification information from KYC checks.
• Linked digital account handles, proof links, and Reveal Link activity.
• If you link an X account, we collect your X user ID, username/handle, display name, and profile image URL to prove account ownership and show the linked identity in TosiName.
• Basic security logs used to keep the service safe and prevent abuse.

2. Why We Process Data

• To create and secure your account.
• To verify legal identity and operate proof-of-human / proof-of-name features.
• To verify ownership of linked accounts such as X after you authorize the connection.
• To prevent fraud, abuse, and unauthorized access.
• To measure product usage and reliability (page views, time on page, and client errors).
• To comply with legal obligations.

3. Service Providers

We use trusted processors to deliver the service:

• Neon (authentication and database infrastructure)
• Shufti (KYC verification provider)
• Resend (transactional email delivery)
• Stripe (payments)
• PostHog (product analytics, with consent)
• Sentry (error and performance monitoring)

4. International Data Transfers

Some of our service providers process data outside the European Economic Area. Shufti's sub-processors include staff-based operations in Pakistan and the United Arab Emirates used for manual identity review. These transfers are governed by Standard Contractual Clauses approved by the European Commission, which provide appropriate safeguards for your personal data.

5. Data Retention

We retain data only as long as needed for service operation, security, and legal compliance. Reveal Links are time-limited. When you close your account, access is immediately disabled and account data is scheduled for deletion after a 90-day retention period. During that period, processing is restricted to security, abuse prevention, fraud investigation, dispute handling, legal claims, accounting, and compliance purposes. We may retain limited records for longer where required by law or where necessary for the establishment, exercise, or defence of legal claims. Our KYC verification provider (Shufti) retains identity verification records for up to 7 years per their regulatory obligations.

6. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Request export of your data
• Object to or restrict certain processing

7. Cookies and Analytics Consent

We use an analytics consent banner. If you accept, we store a consent cookie and collect limited product analytics through PostHog (such as visited pages, time spent, and key product events) to improve the service. We configure these analytics to reduce personal data exposure. If you reject, PostHog analytics collection is disabled.

We remember an accepted analytics choice for 6 months and a rejected analytics choice for 3 months. You can reopen cookie settings at any time here: Cookie settings.

We also use Sentry to monitor application reliability and diagnose technical failures (for example, crash and error reports). Sentry data is used for security and service operation.

8. Account Closure

You can close your account directly from the dashboard. When you close your account, we immediately disable access to the account and deactivate published proof URLs and Reveal Links. We then schedule account data for deletion after 90 days. During this retention period, we restrict processing to security, abuse prevention, fraud investigation, dispute handling, legal claims, accounting, and compliance. We may retain limited records for longer where required by law or where necessary for the establishment, exercise, or defence of legal claims.

Note that our KYC verification provider (Shufti) retains verification records for up to 7 years as required by their legal and regulatory obligations; TosiName does not control this retention.

9. Security

We use technical and organizational safeguards, including signature verification for KYC callbacks, security headers, and abuse rate limiting. No system is perfectly secure, but we continuously improve controls.

10. Contact

For privacy requests, contact: privacy@tosiname.com

For security reports, contact: security@tosiname.com