A verification company has to earn this page.
KeyProof asks renters to prove who they are. That only works if the proof itself is handled carefully. This page explains how we design for that, what protects the site today, and what we will not do with the data. Plain English, and honest about what is live versus still being built.
The design principle: hold less
The safest data is data we never store. KeyProof is designed around outcomes, not documents:
- Results, not ID documents. Verification checks are designed to be performed by specialist regulated providers. KeyProof records the outcome (verified or not, licence valid or not), not a copy of the passport or licence for the operator to keep.
- The operator sees a result, not a file of IDs.At handover the operator confirms the person collecting the car against the verified selfie, view-only, scoped to their own bookings, and automatically deleted. No downloadable pile of identity documents sitting in a portal.
- Retention is a promise with code behind it. Our privacy notice sets out how long each kind of data is kept, and deletion runs automatically rather than relying on someone remembering.
What protects the site today
While KeyProof is pre-launch, the personal data we handle is what you send through our forms. That is protected by:
- Encryption in transit. The whole site is HTTPS only, and the non-www and www addresses resolve to one canonical origin.
- A UK/EU database region for enquiry and signup data, with access limited to the two founders.
- Rate limiting and abuse controls on every public form, so they cannot be scripted or scraped.
- Separate authenticated access for the operator cockpit, which holds no renter verification data.
- A short list of vetted providers. Every third-party service we use, what it handles and where, is published on our sub-processors page. Nothing is added there before it is actually in use.
Before the product goes live
The renter verification flows (identity, licence, e-signature, deposit) are still in development and are not processing anyone's data yet. Before they do, each flow gets a data protection impact assessment, a data-processing agreement with the provider that performs it, and an update to the privacy notice and sub-processor list. That order is deliberate: the paperwork exists before the data does, not after.
Who is accountable
KeyProof is operated by KeyProof Ltd, registered in England & Wales, the data controller for the site. The full detail, including your rights and how to exercise them, is in the privacy notice. Data-protection enquiries go to privacy@keyproof.co.uk.
Found a security problem?
If you believe you have found a vulnerability in keyproof.co.uk, email security@keyproof.co.uk with enough detail to reproduce it. We read every report, we will not take legal action against good-faith research, and we ask that you give us a reasonable window to fix the issue before publishing anything.