1. Our approach to compliance
InkID's products operate at the intersection of creative work and evidence — two domains that, when combined, draw the attention of multiple regulatory regimes at once: biometric-privacy law, data-protection law, AI law, copyright and trademark law, consumer-protection law, and federal communications law. Most companies in our category respond to that overlap with hedging language ("InkID's behavioral data may constitute biometric information…"). We have taken the opposite approach: where the law makes a sharper architecture safer, we build the sharper architecture instead of hedging.
What follows is a public statement of the positions we take, the architectural choices that support them, and the limits of those positions. Where a regulatory framework is still settling — most notably the EU AI Act — we say where we land and why, and we commit to updating this page when our position changes.
2. The architecture of the posture
Several of the positions below depend on architectural facts about the InkID protocol. We restate them here because they are the structural basis of compliance:
- Counter-based, not timing-based. The behavioral evidence InkID captures consists of integer counters (keystrokes, deletions, paste events, session duration). InkID does not capture inter-key timing, typing rhythm, dwell time, flight time, or any keystroke-dynamics signal. The keystroke-timing signal that biometric and health research literature has linked to neurological and identity inference is simply not recorded by InkID at any layer.
- Non-possession of raw behavioral data. Raw per-event behavioral data is processed on the user's device into aggregated session summaries; the per-event integers are folded into the summary and discarded. InkID's servers never receive per-event behavioral data. Only the derived per-dimension verification score reaches our infrastructure.
- Independent anchoring. The cryptographic anchor for every InkID record is provided by an independent RFC 3161 Time-Stamp Authority operating outside InkID's control. If InkID disappears tomorrow, every record made under it remains independently verifiable.
- Cryptographic erasure. Revocation is cryptographic. When a user revokes their record, the underlying evidence is destroyed in a way the protocol can attest to; the anchor token remains as a verifiable receipt of what was once there.
- Process language, not verdict language. InkID reports corroboration states ("consistent," "limited," "inconclusive," "the editorial record differs from the declaration") — never verdicts ("authentic," "fake"). The protocol describes process; it does not render judgement about people.
These are properties of the architecture, not toggles in a configuration file. They cannot be silently disabled by an update.
3. Biometric privacy (BIPA, CUBI, WMHMDA)
Our position: InkID's counter-based editorial metrics fall outside the enumerated categories of the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq., "BIPA"), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Ch. 503, "CUBI"), and the Washington biometric statute (RCW 19.375). We do not adopt the common industry hedge that our data "may constitute biometric information." It does not, and the architecture is built to make that statement true.
BIPA, CUBI, and the Washington statute define biometric identifiers narrowly: retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Aggregated behavioral counters — keystrokes typed, deletions made, pause events counted — are not within those enumerated categories. The keystroke timing signals that some courts and commentators have argued might fall within a broader biometric reading are not captured by InkID at any layer: not on the user's device, not on our servers, not anywhere.
As defense-in-depth, we apply the protections BIPA and similar statutes would require regardless of whether the threshold is met: explicit written consent before any behavioral data collection, a published purpose limitation, a 3-year retention cap, prohibition on sale, and destruction obligations on user revocation. The Washington My Health My Data Act (RCW 19.373) regulates "consumer health data"; InkID does not analyze, infer, or store information about consumers' physical or mental health, and the keystroke-dynamics signals research has linked to neurological conditions are not captured.
4. Data privacy (GDPR, UK GDPR, state privacy laws)
Our position: InkID is built to a privacy-by-design standard that meets or exceeds GDPR Article 25. Initial product launches are United States only; European Union and United Kingdom launches are gated on a completed GDPR / UK GDPR compliance review, with localized notices and a Data Protection Officer engagement at that time.
The architectural choices described in §2 align with several GDPR principles natively: data minimization (Article 5(1)(c)) — the smallest evidence sufficient for verification; storage limitation (Article 5(1)(e)) — three-year retention cap on aggregated summaries, immediate discard of per-event data; integrity and confidentiality (Article 5(1)(f)) — encryption in transit and at rest, on-device processing of the most sensitive data category. Where a user exercises GDPR rights — access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21) — InkID responds within the applicable timeframes set out in each product's privacy policy.
State privacy laws — Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and others — apply where their thresholds and residency criteria are met. InkID's product privacy policies enumerate the specific rights available in each state. We do not engage in cross-context behavioral advertising or in any practice that would constitute "sale" of personal information under those statutes.
5. CCPA & CPRA
Our position: InkID does not sell or share personal information as those terms are defined under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). We have not done so in the preceding twelve months and have no plans to do so. When InkID acts as a service provider to a business Customer (e.g., a publisher using InkTrust), we contract as a CCPA "service provider" with the corresponding restrictions on use of the data we Process on the Customer's behalf.
California residents have the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, the right to limit use of sensitive personal information, and the right to non-discrimination. The mechanisms for exercising those rights are described in each InkID product's privacy policy, and InkID will not retaliate against any user for exercising them.
6. The EU AI Act
Our position: InkID's core scoring is rule-based statistical aggregation and threshold logic; it is not an "AI system" within the meaning of the EU AI Act's primary definition. Where InkID products offer analytical AI features (for example, analytical craft feedback in InkWave's Inkwell), those features are clearly demarcated, opt-in, and never used to determine the verification outcome.
InkID has taken several positions on EU AI Act exposure: (a) the protocol does not perform employment screening, credit scoring, biometric identification, educational assessment, or any other Annex III high-risk use; (b) where any future feature would do so, the feature will not be shipped without an EU AI Act Article 9 conformity assessment first; (c) InkID does not market itself as an "AI detector" and explicitly disclaims that use case — we record human evidence at the source, we do not classify AI output after the fact; (d) the AI Training Rights Declaration format published at inkid.io/spec/ai-training-rights/v1 is a writer-facing directive, not an AI system. We commit to updating this position as the AI Act's implementing acts, codes of practice, and guidance from the AI Office land.
7. Children's privacy & COPPA
Our position: InkID products enforce a 16+ age gate — above the federal Children's Online Privacy Protection Act (COPPA) threshold of 13. The 16+ floor is uniform across all jurisdictions and is not configurable by region.
The 16+ threshold is set higher than COPPA's 13 because (a) GDPR Article 8 sets the child-consent threshold at 16 in several EU member states, and we operate at the more protective bound; (b) the heightened consent regimes that apply to behavioral data Processing (Illinois BIPA, Texas CUBI) carry obligations that we hold ourselves to at 16+; and (c) the practical target audience for InkID products is professional and aspiring adult creators. Inkid.io itself does not knowingly collect personal information from visitors under 16.
8. Federal Wiretap Act & two-party-consent states
Our position: InkID products do not operate on email or real-time messaging platforms. The protocol's first-party adapters and generic capture modes hardcode a deny-list of communication-platform domains. Any proposal to support a communication-platform surface requires written counsel sign-off on federal Wiretap Act (18 U.S.C. § 2511) and state two-party-consent analysis before any code is written.
Measuring how a communication is composed in a communication context — even in aggregate — is likely interception within the meaning of the federal Wiretap Act. California, Florida, Illinois, Massachusetts, Maryland, Montana, Nevada, New Hampshire, Pennsylvania, and Washington additionally require all-party consent for the recording of a communication. InkID products obtain only the sender's consent, which is insufficient under those state regimes for recording the recipient side of a conversation. The architecture removes the risk by refusing to operate on those surfaces at all.
9. Open standards & interoperability
Our position: InkID is interoperable by design. Every InkID record is a signed C2PA-compatible content credential; the AI Training Rights Declaration format is published as an open, royalty-free standard. We do not seek to lock customers in to InkID-specific tooling.
Specific commitments: (a) the verification record emitted by every InkID-bound work is structured for the Coalition for Content Provenance and Authenticity (C2PA) open standard, so any provenance tool that reads C2PA manifests can parse the credential without InkID-specific code; (b) the AI Training Rights Declaration format is published under a Creative Commons Attribution 4.0 license at inkid.io/spec/ai-training-rights/v1; any third party may implement it; (c) the InkID protocol specification (INKID-PROTO/v0.9) is published openly and includes the dimension definitions, activation rules, timestamp procedure, and signature scheme — per-author weighting is private (Kerckhoffs's principle, applied to authorship); (d) cryptographic anchors are RFC 3161, an IETF Internet Standard, with FreeTSA — an independent service operated outside InkID — as the launch Time-Stamp Authority; redundant anchors across multiple independent TSAs are on the roadmap.
10. Methodology transparency & Daubert-readiness
Our position: InkID is built to be peer-reviewable and Daubert-ready. The methodology is public; error-rate disclosure, structured peer-review publication, and Daubert-frame review are on the roadmap as part of the protocol's progression toward use in legal proceedings.
The Daubert standard (Fed. R. Evid. 702, Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993)) governs admissibility of expert testimony in federal court and is followed in most state courts. The factors — testability, peer review, known error rates, standards controlling the technique's operation, and general acceptance in the relevant scientific community — are addressable directly by an open, peer-reviewed protocol with transparent error-rate reporting. We have published the protocol specification openly to enable testability and peer review; structured Daubert-readiness review (including adversarial test corpora, false-acceptance and false-rejection-rate measurement, and academic publication) is in progress and will be added to this page as it lands.
11. Incident response
Our position: InkID maintains a documented incident-response procedure aligned with GDPR Article 33 timing. Personal-data-breach notifications to affected individuals and supervisory authorities are made without undue delay, and within seventy-two (72) hours where Article 33 applies.
The procedure includes triage, containment, notification, and a structured post-incident review. The architectural minimization described in §2 means that several categories of incident that affect peer services cannot affect InkID by construction: a server breach cannot expose per-event behavioral data because none is stored on InkID infrastructure; keystroke-timing patterns cannot be reconstructed from anything we hold because timing is not captured.
12. The Truth Pledge
Our position: Every claim on this site is substantiated. Where evidence is in development, we say so. Where the protocol does not yet do something, we do not imply that it does. Authorship is too important to overstate.
The Truth Pledge is a public commitment that operates as a constraint on InkID's marketing, investor, and external claims. Specific commitments under the Pledge include: (a) no fabricated accuracy percentages — only numbers that are substantiated by published methodology and an accuracy study available on request; (b) no "industry-leading," "best-in-class," "forensic-grade," "proven," "guaranteed," or other capability superlatives that are not substantiated; (c) no verdict vocabulary in user interfaces — InkID reports process, not authenticity verdicts; (d) no green/red classification color pairs; (e) public claim language must match the number actually live on the surface the claim describes. The Pledge is enforced internally by a compliance-integrity check at commit time and is reviewed quarterly.
13. Contact & reporting
To report a concern about InkID's compliance with any of the regimes described on this page, to request supporting documentation referenced here, or to follow up on any specific position:
InkID, Inc.
Compliance & legal: legal@inkid.io
Privacy: privacy@inkid.io
A note on this page: This Compliance Posture is a statement of position, not a contract. It does not modify or supersede the obligations set out in each product's privacy policy, the InkID Terms of Service, or the InkID Data Processing Agreement. Where the wording of those documents differs from anything here, those documents control. This page will be updated as positions evolve or as new regimes come into effect; the Effective date at the top will move with each revision.