Which third-party vendors does OnlyFans use for identity verification and what are their data handling policies?

1. Who OnlyFans says does the verification work — Ondato in plain sight

OnlyFans has publicly partnered with Ondato for age and identity checks: Ondato’s site and case study state that their technology is a “key element of OnlyFans’ safety controls,” they provide NFC and document reading, and claim sub‑30‑second flows with very high accuracy — details OnlyFans highlights in its transparency and Ondato amplifies in marketing materials ^{[1] [2]}.

2. What the verification process actually collects and how it’s used

OnlyFans’ Privacy Policy describes the verification interaction: the third‑party collects a short .gif (from a selfie) and a government ID image, then uses “Face Recognition Data” to match the two images to verify age and identity; OnlyFans links this step to enabling creator payouts and anti‑fraud checks, and says financial data is also collected for those purposes ^[3].

3. Claimed compliance and vendor marketing vs. independent scrutiny

Ondato markets its service as compliant with AML, GDPR, FATF, NIST and eIDAS standards and emphasizes security features like NFC reading of passports and chip data ^[1]. Ondato’s case study for OnlyFans repeats the partnership and performance metrics and cites regulator Ofcom’s positive references in the same context ^[2]. Independent or critical perspectives about vendor practices are not present in the provided documents; available sources do not mention independent audits of ondato’s handling specific to OnlyFans beyond marketing and OnlyFans’ own statements (not found in current reporting).

4. Which other vendors are reported or rumored — mixed signals in secondary reporting

Several non‑OnlyFans websites and privacy guides mention other identity vendors such as Jumio and Veriff in generalized discussions of industry practices and age‑verification ecosystems, and some articles state OnlyFans systems are “GDPR‑ and CCPA‑compliant” and that vendors like Jumio and Veriff are compliant with global privacy laws ^[4]. However, those sources are not primary confirmations from OnlyFans; OnlyFans’ own published materials in this set explicitly describe a third‑party provider without naming multiple vendors ^{[3] [5]}. In short: Ondato is explicitly named in marketing and case materials, while mentions of Jumio, Veriff or others appear in secondary reporting and guides, not in OnlyFans’ privacy text provided here ^{[1] [4] [3]}.

5. Data retention, deletion and privacy claims — what’s said and what’s missing

A third‑party claim repeated in guides and Ondato marketing says identity records are deleted after the one‑time verification check — for example, some guides state “Ondato deletes all identity records after performing the one‑time verification check” and Ondato’s promotional material emphasizes streamlined, privacy‑minded flows ^{[6] [1]}. OnlyFans’ privacy page documents the data collected and the use of face recognition but in the provided snippets does not include a clear, detailed public timeline of how long vendors retain raw ID images or biometric templates; therefore, specific retention timelines and deletion mechanics are not found in current reporting ^{[3] [6]}.

6. Financial data and other third parties — payment processors and background checks

OnlyFans connects verification to payouts and anti‑fraud and says financial data is collected as part of verification ^[3]. Separate reporting documents OnlyFans’ partnerships around background checks (e.g., Checkr for criminal‑record screening) and notes controversy among creators about scope of those checks, but those pieces are about background‑check policy rather than the selfie/ID vendor workflow ^[7]. Payment processors (Stripe, PayPal and others) are repeatedly named in general reporting on how OnlyFans handles payments, but that is distinct from identity‑verification vendors ^{[8] [9]}.

7. Practical takeaways and limits of the public record

Documented facts in these sources: OnlyFans uses a third‑party identity/age verifier that collects ID photos and a selfie GIF and runs face recognition (OnlyFans privacy page), and Ondato is publicly presented as a key vendor and partner with detailed product claims ^{[3] [1] [2]}. What’s not fully documented in the provided materials: a complete roster of every vendor OnlyFans ever uses globally, precise data‑retention policies and deletion schedules applied to raw images or biometric templates, and independent audits confirming vendor claims — those details are not found in current reporting ^{[3] [1] [2]}.

If you want, I can (a) extract the exact verification wording from OnlyFans’ privacy/verification pages, (b) assemble the vendor claims side‑by‑side (Ondato vs. other industry vendors cited in guides), or (c) draft questions you could send OnlyFans or Ondato to get firm answers about retention, deletion, and third‑party subcontractors. Which would you prefer?