How do OnlyFans' ID verification vendors store, process, and retain biometric data?
Executive summary
OnlyFans delegates collection and biometric processing to third‑party verification vendors and identifies the specific biometric category as Face Recognition Data used for age and identity verification [1]. Public materials from OnlyFans, vendor case studies, academic analysis and litigation suggest vendors perform facial scans, create biometric templates for matching, and retain data under varying policies that raise legal and security questions [2] [3] [4].
1. What biometric data OnlyFans says it collects
OnlyFans’ privacy policy explicitly states that biometric information it handles is limited to “Face Recognition Data,” and that this data is collected and processed by third‑party providers for age and identity verification purposes [1]. Multiple practical guides and platform overviews reiterate that creators must submit government ID and facial images as part of verification, implying vendors receive both document images and live face scans during onboarding [5] [6].
2. How vendors process biometrics during verification
Vendor materials and reporting indicate the typical workflow is automated: a user uploads a government ID and a selfie or live video, the vendor’s system extracts features, generates a biometric profile or 3D facial model, and matches that profile against the ID image to confirm identity and age [2] [3]. Academic critique warns these AI‑driven facial recognition approaches estimate age and create biometric templates that are high‑value targets and subject to algorithmic bias and false positives, but specifics—such as exact template formats or matching thresholds—depend on the vendor and are not publicly standardized [3].
3. How vendors store and retain biometric data
OnlyFans’ policy says users may withdraw consent to retention of Face Recognition Data and request deletion by contacting OnlyFans, while noting deletion requests may be constrained by legal reasons and retention rules set out elsewhere [1]. Vendor claims, such as Ondato’s case study, assert GDPR compliance and “secure” onboarding, which suggests retention and deletion workflows exist, but those vendor statements do not disclose granular retention periods, whether raw images or only hashed/encoded templates are kept, or the conditions triggering longer retention [2] [1].
4. Legal frameworks, compliance claims, and limits
Biometric retention is governed differently across jurisdictions: academic reporting and trade outlets point out that some laws (for example, Illinois’ BIPA) impose written‑policy and disclosure requirements for biometric collection and retention—requirements that have been the basis of litigation against OnlyFans [3] [7] [4]. The class action alleges OnlyFans failed to publish a BIPA‑compliant retention and deletion policy and improperly stored facial scans, while OnlyFans and its vendors have publicly emphasized GDPR and other compliance in marketing materials without resolving every statutory question raised in suits [4] [2].
5. Known controversies, security risks, and vendor accountability
Litigation filed against OnlyFans claims large‑scale re‑verification forced creators to submit facial scans and alleges inadequate disclosure, retention policy transparency, and internal access controls that could expose biometric data to ex‑employees—claims that frame biometric templates as both privacy and security liabilities [4]. Scholarly analysis warns that biometric data is a high‑value target, that vendor marketing can outpace independent validation, and that inconsistent retention policies across vendors create risk of long‑term exposure [3].
6. What users can do and what the sources don’t reveal
OnlyFans’ privacy page provides a mechanism to request withdrawal of consent and deletion of Face Recognition Data, but it also cautions that deletion requests may not always be possible for legal reasons and that re‑verification could be required if consent is withdrawn [1]. Public vendor case studies and reporting do not disclose exact retention periods, whether raw images or only biometric templates are retained, the cryptographic protections applied to templates, nor the vendor‑side access controls in operational detail; therefore precise technical assurances about storage formats and lifecycle cannot be asserted from the available sources [2] [3].
7. Bottom line
OnlyFans relies on third‑party vendors to collect facial biometrics, vendors create biometric profiles to match selfies to government IDs, and both OnlyFans’ policy and vendor materials claim deletion and regulatory compliance pathways—but public materials, litigation and academic scrutiny reveal gaps in transparency about exact storage formats, retention durations and internal safeguards, leaving unresolved questions about long‑term risk and vendor accountability [1] [2] [4] [3].