Skip to main content
OnPoint
← Back to onpointtech.co

Legal

Privacy Policy

Effective May 9, 2026

OnPoint Technologies (“OnPoint”, “we”, “us”) provides a passport OCR API used by businesses to extract structured data from passport images. This Privacy Policy explains what we collect, what we do with it, and what we don’t do with it.

1. The data you send us

When you call our extraction API or use the in-browser demo, you send us a passport image (JPG, PNG, or PDF). We treat that image, the machine-readable zone (MRZ) we decode from it, and the structured fields we return as customer data.

  • In-memory only. Customer data is processed entirely in memory inside an isolated worker. It is not written to any database, object store, or backup.
  • Discarded on response. The image and any derived data are released the moment the HTTP response is returned to your server. This is enforced at the application layer, not as a retention policy.
  • No human review. Customer data is never used to train models, never shown to OnPoint employees, and never shared with any third party.

2. The data we keep about your account

To run the service we do retain a small amount of operational data about you and your team:

  • Account. Email, name, password hash (bcrypt), email verification status, and timestamps.
  • API keys. A salted hash of each key (the plaintext is shown to you exactly once), label, last-used timestamp.
  • Usage metadata. For each extraction we keep a row containing: timestamp, success/failure, latency, the API key used, and a per-field confidence score. We do not store the underlying image or extracted values.
  • Billing. Stripe customer ID, payment status, credit ledger transactions. Card numbers are handled by Stripe directly and never reach our servers.

3. Where data lives

Account, billing, and usage metadata are stored in a managed Postgres database in the European Union. Backups are encrypted at rest and retained for 14 days. We use Stripe (US) for payments and Resend (US) for transactional email; both are subject to their own privacy policies.

4. How we use it

  • To run the extraction API and bill you for credits used.
  • To enforce rate limits, detect abuse, and respond to security incidents.
  • To send transactional email (verification, receipts, security).
  • To compute aggregate, anonymized service metrics.

We do not sell personal data. We do not share personal data with advertisers, brokers, or analytics partners.

5. GDPR / your rights

OnPoint acts as a processor of customer data (passport content) and a controller of account data. If you are based in the EU/UK you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and all associated data (also available self-service from the dashboard).
  • Export your data in a portable format.
  • Object to processing or restrict it.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email onpoint.tech@outlook.com. We respond within 30 days.

6. Sub-processors

The current sub-processors that touch operational data:

  • Railway (US/EU) — application hosting.
  • Stripe (US/IE) — payments and invoicing.
  • Resend (US) — transactional email delivery.
  • Cloudflare (US/EU) — DDoS protection and edge.

7. Security

Transport is TLS 1.2+ with HSTS preloaded. Data at rest is encrypted using AES-256. Access to production systems is gated by SSO with hardware-backed keys and is audit-logged. Suspected security incidents can be reported to onpoint.tech@outlook.com.

8. Children

OnPoint is not intended for use by individuals under 16. We do not knowingly collect data from children.

9. Changes

Material changes to this policy are notified by email at least 30 days before they take effect. The effective date at the top of this page always reflects the current version.

10. Contact

OnPoint Technologies — Data protection inquiries: onpoint.tech@outlook.com.