Legal information about TrustMyAge

Definitions Last updated: 2025-12-18

TrustMyAge is a service operated by Bearsoft S.L.U., with registered office at Calle José María Jimeno Jurío 19, bajo, 31013 Ansoáin, Navarra, Spain. You can contact us using our contact page.

To better understand this document, here are the key definitions:

• Service: the TrustMyAge age-verification solution, available on the web and through its API.
• Integrator: the company, organisation or professional that integrates TrustMyAge into its own website or app to verify whether its users are adults.
• User: the natural person who uses TrustMyAge to verify that they are of legal age.
• OTP: a one-time, temporary code sent by email to the User, valid for a limited time.
• Email hash: a cryptographic fingerprint derived from the email address, generated using hashing and pepper techniques, used solely to identify whether a user was previously verified without storing the email in plain text.
• Reusable age token: an opaque identifier linked to the email hash that enables different integrated Sites to recognise that a person has already been verified as an adult, without knowing their identity or sharing personal data between them.
• TrustMyAge: the system, brand and set of services provided by Bearsoft S.L.U.

Terms of Use

1. Purpose and scope

These terms govern the use of the TrustMyAge Service by both Users and Integrators who implement it on their platforms. The purpose of the Service is to enable reliable age-of-majority checks using secure, automated methods and, where applicable, human review, so that platforms integrating TrustMyAge can comply with applicable regulations and restrict access to content or services for under-age persons.

2. Verification flow and available methods

TrustMyAge uses a step-by-step verification flow designed to minimise data processing and always preserve anonymity with respect to the Integrator:

• Minimal identification by email: the User enters their email address to receive a one-time OTP code. TrustMyAge does not store the email in plain text, but only an irreversible hash (with pepper) in order to recognise future verifications.
• Automatic verification using age estimation and liveness: first, the system performs an automatic check using AI, temporarily analysing the facial image to estimate whether the person clearly appears older than the configured age threshold (for example, 25+) and whether there is proof of life (liveness).
• Human review with identity document (fallback): if the automatic system cannot conclude with sufficient confidence that the person is of legal age or if there are doubts, the User is asked to show a valid identity document (for example, ID card) to the camera on both sides and to provide an additional liveness selfie. These images are manually reviewed by authorised staff to confirm or reject that the person is an adult.

In all cases, once the verification has been completed, the images are irreversibly deleted and only the email hash and the verification status linked to the reusable age token are retained.

3. Use of AI

TrustMyAge uses AWS AI services solely to automatically analyse the facial image and estimate whether the person appears to be above a certain age, as well as to detect liveness. This analysis is carried out as part of the verification flow and is strictly limited to this purpose. The data processed by the AI are handled as processing on behalf of third parties under data processing agreements and security measures aligned with the GDPR.

4. Reliability and warranties

TrustMyAge provides the service applying appropriate technical, organisational and human measures and following industry best practices to ensure a reliable determination of age of majority. However, no system can guarantee an absolute zero-risk scenario. TrustMyAge acts with professional diligence and good faith and will not be liable for damage or consequences arising from circumstances beyond its reasonable control, misuse of the service by third parties, or the use of falsified documents that cannot be detected with reasonable means at the time of verification.

5. Redirection and verification process

When an Integrator needs to verify a User’s age, the User is redirected to the TrustMyAge platform using secure tokens. The User completes the verification process on the TrustMyAge website. Once it is finished, TrustMyAge informs the Integrator only of the result (adult or minor) and, where applicable, provides a reusable age token that allows future checks without repeating the process, all without disclosing the email address or other personal data to the Integrator.

6. Use of tokens and security

Communication between the Integrator and TrustMyAge is carried out using unique, single-use tokens and reusable age tokens linked to the email hash. The Integrator is responsible for keeping its API credentials confidential and for using the tokens solely in accordance with the TrustMyAge documentation. Any misuse will be the sole responsibility of the Integrator.

7. Use of the API by integrators

Integrators can connect to TrustMyAge through its API. By doing so, they accept that the verification result issued by TrustMyAge will be binding to determine whether a user is an adult or a minor for the purpose of accessing their site or service. The Integrator undertakes to comply with the laws applicable in its jurisdiction, to inform its users that the verification process will be handled by TrustMyAge, and to use the information provided solely for age-control purposes.

8. Acceptable use of the service

• It is forbidden to use TrustMyAge for unlawful purposes or to infringe the rights of third parties.
• It is forbidden to tamper with, attempt to decompile, interfere with or bypass the security measures of the service.
• It is forbidden to collect or process data obtained through the service in a way that breaches data protection regulations.
• The Integrator must clearly and accurately inform its users that TrustMyAge is being used as an age-verification solution.
• The Integrator may not sublicense or resell access to the service without TrustMyAge’s prior express written consent.

9. Availability and maintenance

TrustMyAge works to provide a continuous and stable service, although interruptions may occur due to maintenance, technical improvements or causes beyond our reasonable control. Such interruptions do not in themselves constitute a breach of contract.

10. Pricing and billing

Integrators who use the service via API agree to pay the price per verification or the applicable plan. The fee is charged for each verification token request, regardless of whether the result is positive or negative. Prices and commercial terms may be updated by TrustMyAge with reasonable prior notice to Integrators.

11. Intellectual property

The software, design, brand, logos, documentation, API, integration models and all other elements of the service are the exclusive property of TrustMyAge or its licensors. No usage rights are granted other than those strictly necessary to access and integrate the service in accordance with these terms.

12. Confidentiality

Each party undertakes to keep confidential the technical, commercial or strategic information received from the other party, not to disclose it to third parties without prior consent and to use it only to fulfil what is set out in these terms, applying appropriate security measures.

13. Provision of the service and warranties

• TrustMyAge provides the service with the required level of professional diligence and in line with industry best practices.
• TrustMyAge does not guarantee the complete absence of errors, interruptions or fraud that cannot be detected with reasonable means, although it actively works to minimise them.

14. Limitation of liability

TrustMyAge will not be liable for any damage or loss arising from misuse of the service by Integrators or Users, from the Integrator’s failure to fulfil its legal or contractual obligations, from technical failures beyond its reasonable control, from the use of falsified documents that cannot be detected with reasonable means, or from business decisions taken by the Integrator on the basis of the verification result.

15. Sub-processors and third parties

TrustMyAge may use external providers for technical tasks such as sending emails, hosting servers or image recognition services (for example, Amazon Web Services). All of them operate under contractual agreements that guarantee compliance with data protection and security rules, acting as processors or sub-processors.

16. Term, suspension and termination

• This agreement remains in force while the Integrator uses the service.
• TrustMyAge may suspend or limit access to the service if it detects security risks, misuse, non-payment or breaches of these terms.
• The Integrator may stop using the service at any time. The obligations relating to confidentiality, intellectual property and limitation of liability will remain in force after termination of the agreement.

17. Changes

TrustMyAge may update these terms for legal, technical or service-improvement reasons. Updated versions will be published on this page and will indicate the effective date. Continued use of the service after publication implies acceptance of the changes.

18. Notices

Notices to Integrators will be sent by email to the address provided at registration. Notices to TrustMyAge must be submitted through the contact page indicated on the website.

19. Governing law and jurisdiction

This agreement is governed by Spanish law and, with regard to data protection, by Regulation (EU) 2016/679 (GDPR) and the national rules implementing it. The parties will seek to resolve any dispute amicably. If no agreement is reached, they submit to the Courts and Tribunals of Pamplona (Navarra), Spain, unless otherwise required by law.

Privacy Policy

At TrustMyAge we take the privacy of Users and Integrators very seriously. This document explains which data we process, for what purposes, how we protect them and what your rights are.

1. Data controller

TrustMyAge is a service operated by Bearsoft S.L.U., with registered office at Calle José María Jimeno Jurío 19, bajo, 31013 Ansoáin, Navarra, Spain. You can contact us through the contact page.

2. Data processed by the service

• 📧 User email address, used solely to send the verification OTP code. We do not store the email in plain text: we only generate and keep an irreversible hash with pepper to recognise whether a user has been verified before.
• 🔐 Email hash and reusable age token, which allow age-of-majority checks to be repeated without running the process again, without the Integrator knowing the email or other identifying data.
• 🖼️ Temporary facial images (selfie / liveness) for automatic verification using AI.
• 📄 Images of the identity document and additional selfie in cases where human review is required. These images are used solely to confirm whether the person is of legal age.
• 📈 Minimal technical data (IP address, user agent, date/time, technical identifiers) needed for security, fraud prevention and logging.
• 📊 Contract and billing data of the Integrator (trade name, contact details, payment information) where applicable.

3. Purposes of processing

• ✔️ To reliably verify whether the User meets the required minimum age, through automatic analysis and, where applicable, human review of the document.
• ✔️ To enable the Integrator to comply with its legal obligations regarding age checks and to block access for under-age users.
• ✔️ To avoid the User having to repeat the verification in the future by using the email hash and reusable age token.
• ✔️ To ensure service security, detect fraudulent use, generate technical audit logs and comply with legal or regulatory obligations.

4. Legal basis for processing

Processing of User data is mainly based on the User’s explicit consent (Art. 6.1(a) and, in the case of biometric data, Art. 9.2(a) GDPR) and on compliance with legal obligations relating to age verification where applicable (Art. 6.1(c)). Processing of Integrator data is based on the performance of the service contract (Art. 6.1(b) GDPR).

5. Bank verification (if used)

If verification methods using a payment card are enabled, a small temporary charge may be made and refunded after validation. The transaction is processed through secure payment providers under contract with TrustMyAge. We do not store the User’s card details.

6. Images, documents and biometrics

Facial images and, where applicable, identity document images are used solely to determine whether the person is of legal age. Automatic analysis is performed using AI and, if necessary, a human review is carried out by authorised staff bound by strict confidentiality agreements. Once verification has been completed, all images and documents are irreversibly deleted within a short and reasonable period, and only the email hash and verification result are retained.

7. Data sharing and third parties

TrustMyAge does not disclose Users’ personal data in plain text to Integrators. The Integrator only receives the verification result (adult or minor) and, where applicable, a reusable age token. We may share data with providers acting as processors or sub-processors (for example, hosting, email or image-recognition services) under contracts that ensure compliance with the GDPR.

8. Location of processing

All data processing carried out by TrustMyAge takes place exclusively on servers located within the European Union, so data never leave the European Economic Area. No international data transfers are carried out.

For automatic age verification and liveness detection we use the Amazon Rekognition service, operated by Amazon Web Services, Inc. This provider acts as a data processor under contract, complying with GDPR requirements, including the AWS Data Processing Addendum (DPA) and, where needed, Standard Contractual Clauses (SCCs). Amazon Rekognition processes images on a temporary basis and solely for the purpose of age verification, without training its own models or retaining biometric data. We use servers located in the European region (eu-west-1).

9. Security measures

• 🔐 Encryption of communications between the User’s browser, the Integrator and the TrustMyAge servers.
• 🔒 Restricted access to data, limited to staff and systems that need it for verification.
• 🛡️ Liveness checks, abuse detection and audit logs to prevent fraudulent use.
• 🗑️ Automatic deletion of images and documents once verification has been completed, keeping only the email hash and the essential technical logs.

10. Data retention

• 🕐 The email hash and age token are retained for as long as necessary to allow future verifications and to demonstrate that the service is operating correctly.
• 📄 Facial images and identity documents are retained only for the time strictly necessary to carry out the automatic verification and, where applicable, the human review; they are then irreversibly deleted.
• 📈 Minimal technical data and log records are retained for the periods required to comply with legal, security and audit obligations.

11. Data subject rights

The User and the Integrator can exercise their rights of access, rectification, erasure, objection, restriction of processing and data portability by sending a request through the contact page. They can also withdraw their consent at any time, with no retroactive effect, and lodge a complaint with the competent supervisory authority (for example, the Spanish Data Protection Agency).

12. Minors

TrustMyAge is designed solely to verify that users are adults. We do not intentionally process minors’ data, except to the strictly necessary extent to determine that they do not meet the required age and to block their access. If we detect that we are holding unnecessary data relating to a minor, we will securely delete it.

13. Data protection officer or contact point

For any questions regarding privacy or the processing of personal data, you can contact us through the TrustMyAge contact page. We will handle requests within the maximum period established by law.

Cookie Policy

TrustMyAge only uses strictly necessary technical cookies required for the safe and correct operation of the service. We do not use advertising or tracking cookies.

• A session cookie to maintain your progress during the verification process and to temporarily link your age token.
• An anti-fraud cookie that protects against CSRF attacks and abusive use of forms.

You can configure your browser to block or delete cookies, but the service may not work properly without them.

Contact

• 📧 General support and technical enquiries via our help page.
• 🔒 Privacy and data-protection enquiries via the specific contact form provided on the website.
• 🏢 Postal address: Bearsoft S.L.U., Calle José María Jimeno Jurío 19, bajo, 31013 Ansoáin, Navarra, Spain

We will respond to all privacy-related requests and rights exercises within the maximum period set by law.

Back to home