CAIRL Trust Center
Verified. Not exposed.
CAIRL is built to prove who you are — without exposing your personal data. Security, privacy, and control are not features. They are the foundation of the platform.
Privacy First by Design
CAIRL is designed to minimize data exposure at every layer:
- Claims, not documents — Connected services receive verification results (e.g., “age verified”), not your ID, selfie, or biometric data. Claims are scoped to the requesting service and do not provide a universal identity profile across services.
- Consent required — Every data share requires explicit user authorization. Verification claims are generated per request and are not reused or shared across services without user consent.
- Revocable access — You can revoke access to any connected service at any time
- Private by default — No data is shared with connected services unless you choose to share it
- Data minimization — CAIRL is designed to collect only the data necessary to perform verification and deliver the services you use
Biometric Protection
Biometric data is handled with strict controls:
- Explicit consent required before any biometric collection — obtained through a dedicated consent screen in the verification interface, separate from Terms of Service acceptance
- Session-based processing — session-specific biometric data is processed in real time and is not retained beyond what is required to complete the verification session
- A biometric reference (facial embedding) may be retained solely for uniqueness enforcement (one human = one account) and fraud prevention
- Deletion within 30 days of account closure, deletion request, or withdrawal of consent
- AWS Rekognition processes biometric data solely on CAIRL's behalf and under its instructions. CAIRL does not permit the use of this data for model training
We do not sell, lease, or otherwise monetize biometric data.
No Tracking. No Profiling.
CAIRL does not use your data for advertising, cross-service tracking, or behavioral profiling. We do not use your personal information, biometric data, or verification records to train machine learning models. Your data is used only for verification, security, and fraud prevention.
Security Architecture
CAIRL uses industry-standard and modern security practices:
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.3
- Key management: Dedicated key management systems with strict access controls and automatic rotation
- Infrastructure: AWS + Vercel under a shared responsibility model
- Bot protection: Cloudflare Turnstile
- Phone verification: Twilio (OTP delivery)
- Access controls: Role-based, least privilege, MFA required for all staff
- Authentication: Passkey-first (WebAuthn) with passwords as fallback
- Audit logging: All access to user data by CAIRL personnel is logged and subject to periodic audit
We operate with a defense-in-depth model across infrastructure, application, and data layers.
For full details, see our Security Overview.
Identity Infrastructure — Not a Data Broker
CAIRL is not a data broker, not an advertising platform, and not a surveillance system.
We do not monetize your data. We provide verification infrastructure — not identity resale. CAIRL provides verification signals and claims based on submitted information. CAIRL is not a government authority, certification body, or regulated KYC provider unless explicitly stated in a separate written agreement.
Compliance Approach
We design our systems to support major regulatory frameworks:
- BIPA / State biometric laws — Explicit consent, published retention and destruction schedule, deletion on request
- GDPR — Data minimization, consent and legitimate interest legal bases, data controller/processor model, Standard Contractual Clauses for international transfers
- CCPA — No sale of personal information, authorized agent support, non-discrimination
- COPPA — Guardian-managed participation for minors through circles with verifiable parental consent
We are actively preparing for a SOC 2 Type II audit. We do not claim certification until audits are complete and the auditor's report is received.
CAIRL is not a HIPAA covered entity or business associate unless explicitly contracted under a Business Associate Agreement.
Payments and Financial Data
- Payments are processed by Stripe — CAIRL does not store full card numbers
- CAIRL does not act as a financial intermediary, payment processor, or custodian of funds
- Business User prepaid wallets are service balances only — not deposit accounts, stored value instruments, or financial products
Transparency and Control
At any time, you can:
- Access your data — Request a copy of all personal information we hold
- Delete your data — Including biometric references, subject to applicable legal, security, and fraud prevention requirements
- Export your data — Receive your data in a portable format
- Revoke connections — Remove access for any connected service
- Manage cookie preferences — Through our Cookie Preference Center
Report a Security Issue
If you discover a vulnerability, contact: security@cairl.app
We respond to all reports and follow responsible disclosure practices. We ask that you not access other users' data and not publicly disclose vulnerabilities until we have addressed them.
Learn More
- Privacy Policy
- Terms of Service
- Security Overview
- Cookie Policy
- Data Processing Agreement
- Acceptable Use Policy
Address: reAPPlicate Incorporated, 3200 NW 62nd Avenue #22, Margate, FL 33063