Privacy Policy

Last updated: 13 April 2026

1. Who We Are

Five ID Limited ("Five ID", "we", "us", "our") is the Data Controller for the personal data we process. We are registered in England and Wales under company number 15793519, with our registered office at 1 St. Katharine's Way, Office 05B147, London, E1W 1UN. Five ID is a wholly owned subsidiary of Palm Check Inc., a company incorporated in the State of Delaware, USA.

For UK users: We process your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For EEA users (including Ireland): We process your data in accordance with the EU General Data Protection Regulation (EU GDPR). Our EU GDPR representative is Rickert Rechtsanwaltsgesellschaft m.b.H., Colmantstraße 15, 53115 Bonn, Germany (info@rickert.law).

If you have any questions about this Policy or wish to exercise your data protection rights, please contact our Data Protection Officer at dpo@five.id.

2. What Data We Collect and Why

2.1 Palm Biometric Authentication

Purpose: To verify your identity and prevent fraud at Five ID-enabled terminals.

  • Palm biometric template: A mathematical representation of your palm, created from a scan taken during onboarding or at a terminal.

  • Authentication event logs: A record of the time, terminal, and outcome of each authentication attempt.

2.2 Payment Processing

Purpose: To set up and administer your Five ID account, authenticate payment transactions, communicate with you about your account and payments, provide customer support, and enable our payment processing partners to process payments on your behalf using your linked payment method.

  • Authentication event data: A record of the time, terminal, and outcome of each payment authentication, used by Five ID to communicate transaction instructions to our payment processing partners.

  • Name and contact details: Your full name and mobile phone number, used to identify you, administer your account, provide customer support, and communicate with you about your account and payments.

  • Payment method details: Details of your linked payment method — for example, bank account details for direct debit, card details for card payments, or wallet identifiers for other supported payment methods — collected and held by our payment processing partners directly to set up and administer payments.

  • Transaction history: Records of amounts, dates, merchants, and outcomes of payment transactions, used to manage your account, assess spending limits, and resolve disputes.

Our payment processing partners act as independent data controllers in respect of the payment credential data they hold about you under your direct relationship with them through the Five ID platform. Their privacy policies govern their processing of that data.

2.3 Access Control

Purpose: To authenticate your entry to premises or facilities at participating locations.

  • Authentication event logs: Time, terminal, and outcome of access authentication attempts at participating locations.

  • Location pass data: A reference identifier linking your Five ID account to your access pass at a participating location (e.g. a gym membership number).

  • Membership system data: When you scan your palm, Five ID calls the membership management system operated by or on behalf of the venue to verify your access rights. That system may be operated by a third-party provider contracted by the venue. Five ID receives only an access confirmation or denial, and where provided by the membership system, limited account status information such as membership tier or expiry date.

2.4 Loyalty Programme — Palm-Linked

Purpose: To credit your loyalty account when you authenticate via palm scan at participating locations.

  • Loyalty account identifier: The reference number linking your Five ID account to your loyalty programme account, to enable us to instruct the loyalty operator to credit your account.

  • Transaction-linked events: A record of the time and location of loyalty credits instructed by us on your behalf.

2.5 Loyalty Programme — Card Fingerprint Service

Purpose: To credit your loyalty account automatically each time you pay at a participating terminal using a payment card you have linked to that loyalty programme.

This service is available to any person who pays at a participating Five ID terminal — you do not need a Five ID account to use it.

  • Card fingerprint: A pseudonymous identifier generated by our payment processing partner that is specific to the Five ID platform. This identifier represents your payment card within our systems but cannot be used to identify your card number or access your payment account. We do not store your card number.

  • Loyalty account identifier: The reference number linking your card fingerprint to your loyalty programme account at the participating operator, enabling us to instruct that operator to credit your account when a matching card fingerprint is detected.

  • Transaction-linked events: A record of the time, terminal, and outcome of loyalty credits instructed on the basis of card fingerprint matching.

This service requires a separate, per-operator consent given by pressing the consent button displayed on the terminal screen at the time of a qualifying payment. See Section 3.5 for our lawful basis and Section 10 for your right to withdraw consent.

3. Our Lawful Basis for Processing

The subsections below set out, for each processing activity, the lawful basis under UK/EU GDPR Article 6 and — where we process biometric data (special category data) — the separate condition under Article 9(2).

3.1 Palm Biometric Authentication

  • Personal Data Involved: Palm biometric template; authentication logs.

  • Article 6 Lawful Basis: Art. 6(1)(b) — necessary for performance of our contract with you.

  • Article 9(2) Condition (biometric data): Art. 9(2)(a) — your explicit consent, obtained separately at onboarding.

3.2 Payment Processing

  • Personal Data Involved: Authentication event data (Five ID); name, contact details, transaction history (Five ID); payment method credentials (payment processing partners — independent controllers).

  • Article 6 Lawful Basis: Art. 6(1)(b) — performance of contract (Five ID processing of authentication and transaction data only); Art. 6(1)(c) — compliance with legal obligations. Payment processing partners' processing of payment credential data is governed by their own lawful basis.

  • Article 9(2) Condition (biometric data): Not applicable.

3.3 Access Control

  • Personal Data Involved: Authentication event logs; location pass identifier.

  • Article 6 Lawful Basis: Art. 6(1)(b) — necessary for performance of our contract with you.

  • Article 9(2) Condition (biometric data): Art. 9(2)(a) — your explicit consent, obtained separately at access control enrolment.

3.4 Palm-Linked Loyalty

  • Personal Data Involved: Loyalty account identifier; loyalty event records.

  • Article 6 Lawful Basis: Art. 6(1)(b) — performance of contract; Art. 6(1)(a) — your consent to link your loyalty account.

  • Article 9(2) Condition (biometric data): Art. 9(2)(a) — your explicit consent to biometric data being used for loyalty crediting.

3.5 Card Fingerprint Loyalty

  • Personal Data Involved: Card fingerprint (pseudonymous identifier) generated by our payment processing partners; loyalty account identifier; transaction-linked events.

  • Article 6 Lawful Basis: Art. 6(1)(a) — freely given, specific, informed, and unambiguous consent, given by pressing the terminal consent button at the time of payment. Consent is per loyalty operator and may be withdrawn at any time.

  • Article 9(2) Condition (biometric data): Not applicable — card fingerprints are pseudonymous payment references, not biometric data derived from physical characteristics. Article 9 does not apply.

The consent prompt displayed at the terminal identifies Five ID as the data controller, describes what will be linked, names the loyalty operator at that location, and provides information about your rights. You are not required to consent in order to complete your payment. Each loyalty operator requires a separate consent — consenting at one operator's terminal does not link your card to any other operator's programme.

You may withdraw your consent for any or all loyalty links at any time by contacting support@five.id. On withdrawal, we will delete the link between your card fingerprint and the relevant loyalty identifier within 30 days. Loyalty credits already applied before withdrawal are not affected.

3.6 Fraud Prevention

  • Personal Data Involved: All categories above.

  • Article 6 Lawful Basis: Art. 6(1)(f) — legitimate interest in preventing fraud, balanced against your rights; Art. 6(1)(c) — compliance with applicable law (including AML obligations).

  • Article 9(2) Condition (biometric data): Art. 9(2)(a) — explicit consent; Art. 9(2)(g) — substantial public interest. Applicable DPA 2018 Schedule 1 condition: Part 2, paragraph 10 (preventing or detecting unlawful acts). This condition requires that processing is necessary for the purpose and that seeking consent would prejudice that purpose.

Note on consent: Your consent to biometric data processing is a standalone, specific consent obtained at onboarding — it is not bundled with your acceptance of our Terms and Conditions. You may withdraw this consent at any time by contacting dpo@five.id. Withdrawal will not affect the lawfulness of processing that occurred before your withdrawal.

4. Biometric Data — Additional Information

4.1 How we collect it

During onboarding: We collect your palm biometric data when you create a Five ID account. You will be asked to provide explicit, standalone consent for this data collection before your palm signature is created.

During authentication: When you hold your palm over a Five ID terminal, we capture a palm scan and compare it against our database. We can only confirm whether you are a Five ID customer after the scan has been taken and processed. Terminal signage and this Privacy Policy explain this process in advance.

4.2 Consent at terminals

By holding your palm over a Five ID terminal, you consent to the collection and processing of your biometric data for the purpose of identity authentication and fraud prevention for that transaction. We maintain clear signage on each Five ID terminal's screen, which must prominently state: (a) that biometric data is collected; (b) that Five ID Limited is the Data Controller; (c) how to exercise your data protection rights; and (d) where to find this Privacy Policy.

5. Sources of Personal Data

  • Directly from you: during account creation, authentication events, or payment enrolment.

  • From your payment method provider or bank: Our payment processing partners may collect payment credential data directly from your payment method provider or bank, with your authorisation, to set up and process payments using your linked payment method. Five ID is not the controller of this credential data and does not receive or store it.

  • From participating locations: access pass identifiers or loyalty account references, to enable the relevant Ancillary Service.

6. How Long We Keep Your Data

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected and to meet our legal obligations.

6.1 Palm biometric template

  • Retention Period: Deleted within 30 days of account closure or consent withdrawal.

  • Deletion Trigger: Account closure or biometric consent withdrawal.

  • Legal Basis for Retention: Retention beyond this point has no lawful basis — deletion is mandatory.

6.2 Authentication event logs

  • Retention Period: 12 months from the date of the event.

  • Deletion Trigger: Rolling deletion; earlier on account closure.

  • Legal Basis for Retention: Legitimate interest in fraud investigation and dispute resolution.

6.3 Transaction records (payment)

  • Retention Period: 6 years from end of the tax year in which the transaction occurred.

  • Deletion Trigger: Expiry of legal retention period.

  • Legal Basis for Retention: Companies Act 2006; tax record-keeping obligations; AML Regulations 2017.

6.4 Payment method credentials

  • Retention Period: Not stored by Five ID — held by payment processing partners under their own retention policies.

  • Deletion Trigger: N/A.

  • Legal Basis for Retention: N/A — Five ID is not the controller of this data.

6.5 Name and contact details

  • Retention Period: Duration of active Five ID account + 2 years post-closure.

  • Deletion Trigger: Account closure + 2-year limitation backstop.

  • Legal Basis for Retention: Limitation Act 1980 (contractual claims); legitimate interest.

6.6 Access control event logs

  • Retention Period: 12 months from the date of the event.

  • Deletion Trigger: Rolling deletion; earlier on account closure.

  • Legal Basis for Retention: Legitimate interest in security and access dispute resolution.

6.7 Loyalty event records

  • Retention Period: Duration of active loyalty programme link + 6 months.

  • Deletion Trigger: Programme deactivation.

  • Legal Basis for Retention: Legitimate interest in resolving loyalty credit disputes.

6.8 Card fingerprint — loyalty link

  • Retention Period: Until consent is withdrawn or loyalty programme link is deactivated, then deleted within 30 days.

  • Deletion Trigger: Consent withdrawal or programme deactivation.

  • Legal Basis for Retention: Art. 6(1)(a) — consent. No lawful basis for retention once consent is withdrawn. Deletion is mandatory.

For queries about specific retention periods not listed above, please contact our DPO at dpo@five.id.

7. Who We Share Your Data With

  • Payment processing partners: We share authentication signals and transaction references with our payment processing partners to enable payment processing across all supported payment methods. Our payment processing partners act as independent data controllers in respect of the payment credential data they hold about you directly. They are authorised payment institutions regulated by the FCA (UK) and, where applicable, the Central Bank of Ireland.

  • Palm Check Inc. (parent company): As our parent company incorporated in Delaware, USA, Palm Check Inc. may access certain operational and account data for group governance, fraud prevention, and IT infrastructure purposes. Any such transfer to the USA is subject to appropriate safeguards — see Section 8 below.

  • Loyalty programme operators: When a matching card fingerprint is detected, Five ID sends an automated credit instruction to the relevant loyalty operator's API. This instruction contains only your loyalty account identifier and the transaction amount — your card fingerprint is never shared. Each loyalty operator is an independent data controller in respect of your loyalty account and programme membership.

  • Access control operators: We share authentication signals with participating venues' access management systems. Five ID is responsible for the biometric processing and template security; the venue operator is an independent controller in respect of its own membership data and access policy.

  • Fraud prevention agencies: We may share data with fraud prevention agencies and law enforcement where required or permitted by law.

  • Debt recovery: If a payment remains unpaid, we may share limited data with a third-party debt recovery service, as set out in our Payment Processing Terms.

  • Legal obligation: We may disclose data to courts, regulators, or law enforcement agencies where we are legally required to do so.

  • Third-party service providers: We use third-party providers for cloud infrastructure, security monitoring, and analytics. All providers are bound by confidentiality and data processing obligations that meet UK/EU GDPR requirements.

We do not sell your personal data.

8. International Data Transfers

Cloud infrastructure. Your personal data is stored on servers operated by Amazon Web Services (AWS) in Frankfurt, Germany. Frankfurt is located within the European Economic Area (EEA). For UK users, transfers to EEA countries are permitted under the UK GDPR Adequacy Regulations 2021, which recognise the EEA as providing an adequate level of data protection. For EEA users (including Irish users), no transfer outside the EEA takes place in respect of cloud infrastructure storage.

Payment processing partners. Where personal data is transferred to our payment processing partners in connection with payment processing, those partners act as independent data controllers and their own international transfer frameworks govern that data. Please refer to your payment processing partner's privacy policy for details.

Palm Check Inc. (parent company). Five ID is a wholly owned subsidiary of Palm Check Inc., a company incorporated in the State of Delaware, USA. Palm Check Inc. may access certain operational and account data for group governance, fraud prevention, and IT infrastructure purposes. Any transfer of personal data to Palm Check Inc. is subject to the EU Standard Contractual Clauses approved by the European Commission, supplemented by the UK ICO's International Data Transfer Addendum. Both instruments are executed between Five ID and Palm Check Inc. These safeguards apply to transfers in respect of both UK users (under UK GDPR) and EEA users (under EU GDPR). A copy of the relevant safeguards is available on request from dpo@five.id.

For further information about any of the safeguards described in this section, please contact our DPO at dpo@five.id.

9. Automated Decision-Making

Five ID uses automated processing to authenticate your identity. This section explains how that works and what it means for you, as required by UK GDPR Article 22(2)(b) and EU GDPR Article 22(2)(b).

9.1 What we do

When you hold your palm over a Five ID terminal, we: (a) capture a palm scan and convert it into biometric measurements; (b) compare those measurements against your stored palm signature; (c) generate a confidence score indicating the likelihood that you are the registered account holder; and (d) authenticate you if the confidence score meets or exceeds our matching threshold, or decline authentication if it does not.

9.2 The significance of this decision

The outcome of this automated process has a significant effect on you: a successful match will enable a payment, unlock access, or credit a loyalty account; a failed match will decline the transaction or deny access. No human review takes place during the automated matching process.

9.3 How accurate is it?

Our biometric matching algorithm is designed to minimise two types of error: incorrectly authenticating the wrong person (a false match), and failing to authenticate a genuine registered customer (a false non-match).

In a small number of cases, a genuine customer may not be recognised — particularly if the palm scan quality is affected by factors such as lighting conditions, skin condition, injury, or an unusual scanning angle. If this happens, you will be prompted to try again. If the terminal continues to decline authentication, you can pay by another method or contact the venue directly for access queries.

We keep our error rates under continuous review. If you would like information about our current technical performance, please contact our DPO at dpo@five.id.

9.4 What happens if you are declined

If a Five ID terminal declines to authenticate you: (a) you will receive a notification at the terminal; (b) for payment transactions, you will need to pay by another means (e.g. card or cash, where accepted by the merchant); and (c) for access control, you should contact the venue directly.

9.5 Your right to request human review

You have the right to: (a) request that a decision which produces a significant effect on you is reviewed by a human being; (b) express your view about the automated decision; and (c) contest any decision made about you on an automated basis. To exercise this right, contact us at dpo@five.id describing the decision you wish to contest. We will respond within one calendar month.

10. Your Data Protection Rights

Under data protection law, you have the following rights. You do not normally need to pay a fee to exercise them. We will respond to all requests within one calendar month of receipt. We may require proof of identity before responding.

  • Right of access: You may ask us for a copy of the personal data we hold about you. Contact us at dpo@five.id.

  • Right to rectification: You may ask us to correct any inaccurate data or complete any incomplete data we hold about you.

  • Right to erasure: You may ask us to delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected.

  • Right to restriction of processing: You may ask us to limit how we use your personal data in certain situations.

  • Right to object: You may object to our processing of your personal data where we rely on legitimate interests as our lawful basis.

  • Right to data portability: You may ask us to provide your personal data to you or to another organisation in a structured, commonly used format, where our processing is based on consent or contract and is carried out by automated means.

  • Right to withdraw consent: Where we rely on consent as our lawful basis, you may withdraw that consent at any time by contacting dpo@five.id. Withdrawal will not affect the lawfulness of processing before your withdrawal.

11. How to Complain

If you have concerns about our use of your personal data, please contact our DPO in the first instance at dpo@five.id.

11.1 UK users

If you remain unhappy after contacting us, you have the right to make a complaint to the Information Commissioner's Office (ICO):

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113. Website: www.ico.org.uk.

11.2 EEA users (including Irish users)

If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority. Irish users may contact the Data Protection Commission (DPC):

Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28. Tel: +353 1 765 0100. Website: www.dataprotection.ie.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or prominent notice within the Service before the changes take effect. The date of the latest update is shown at the top of this Policy. We encourage you to review it periodically.


6. How Long We Keep Your Data

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected and to meet our legal obligations.

6.1 Palm biometric template

  • Retention Period: Deleted within 30 days of account closure or consent withdrawal.

  • Deletion Trigger: Account closure or biometric consent withdrawal.

  • Legal Basis for Retention: Retention beyond this point has no lawful basis — deletion is mandatory.

6.2 Authentication event logs

  • Retention Period: 12 months from the date of the event.

  • Deletion Trigger: Rolling deletion; earlier on account closure.

  • Legal Basis for Retention: Legitimate interest in fraud investigation and dispute resolution.

6.3 Transaction records (payment)

  • Retention Period: 6 years from the end of the tax year in which the transaction occurred.

  • Deletion Trigger: Expiry of legal retention period.

  • Legal Basis for Retention: Companies Act 2006; tax record-keeping obligations; AML Regulations 2017.

6.4 Payment method credentials

  • Retention Period: Not stored by Five ID — held by payment processing partners under their own retention policies.

  • Deletion Trigger: N/A.

  • Legal Basis for Retention: N/A — Five ID is not the controller of this data.

6.5 Name and contact details

  • Retention Period: Duration of active Five ID account + 2 years post-closure.

  • Deletion Trigger: Account closure + 2-year limitation backstop.

  • Legal Basis for Retention: Limitation Act 1980 (contractual claims); legitimate interest.

6.6 Access control event logs

  • Retention Period: 12 months from the date of the event.

  • Deletion Trigger: Rolling deletion; earlier on account closure.

  • Legal Basis for Retention: Legitimate interest in security and access dispute resolution.

6.7 Loyalty event records

  • Retention Period: Duration of active loyalty programme link + 6 months.

  • Deletion Trigger: Programme deactivation.

  • Legal Basis for Retention: Legitimate interest in resolving loyalty credit disputes.

6.8 Card fingerprint — loyalty link

  • Retention Period: Until consent is withdrawn or the loyalty programme link is deactivated, then deleted within 30 days.

  • Deletion Trigger: Consent withdrawal or programme deactivation.

  • Legal Basis for Retention: Art. 6(1)(a) — consent. No lawful basis for retention once consent is withdrawn. Deletion is mandatory.

For queries about specific retention periods not listed above, please contact our DPO at dpo@five.id.

7. Who We Share Your Data With

  • Payment processing partners: We share authentication signals and transaction references with our payment processing partners to enable payment processing across all supported payment methods. Our payment processing partners act as independent data controllers in respect of the payment credential data they hold about you directly. They are authorised payment institutions regulated by the FCA (UK) and, where applicable, the Central Bank of Ireland.

  • Palm Check Inc. (parent company): As our parent company incorporated in Delaware, USA, Palm Check Inc. may access certain operational and account data for group governance, fraud prevention, and IT infrastructure purposes. Any such transfer to the USA is subject to appropriate safeguards — see Section 8 below.

  • Loyalty programme operators: When a matching card fingerprint is detected, Five ID sends an automated credit instruction to the relevant loyalty operator's API. This instruction contains only your loyalty account identifier and the transaction amount — your card fingerprint is never shared. Each loyalty operator is an independent data controller in respect of your loyalty account and programme membership.

  • Access control operators: We share authentication signals with participating venues' access management systems. Five ID is responsible for the biometric processing and template security; the venue operator is an independent controller in respect of its own membership data and access policy.

  • Fraud prevention agencies: We may share data with fraud prevention agencies and law enforcement where required or permitted by law.

  • Debt recovery: If a payment remains unpaid, we may share limited data with a third-party debt recovery service, as set out in our Payment Processing Terms.

  • Legal obligation: We may disclose data to courts, regulators, or law enforcement agencies where we are legally required to do so.

  • Third-party service providers: We use third-party providers for cloud infrastructure, security monitoring, and analytics. All providers are bound by confidentiality and data processing obligations that meet UK/EU GDPR requirements.

We do not sell your personal data.

8. International Data Transfers

Cloud infrastructure. Your personal data is stored on servers operated by Amazon Web Services (AWS) in Frankfurt, Germany. Frankfurt is located within the European Economic Area (EEA). For UK users, transfers to EEA countries are permitted under the UK GDPR Adequacy Regulations 2021, which recognise the EEA as providing an adequate level of data protection. For EEA users (including Irish users), no transfer outside the EEA takes place in respect of cloud infrastructure storage.

Payment processing partners. Where personal data is transferred to our payment processing partners in connection with payment processing, those partners act as independent data controllers and their own international transfer frameworks govern that data. Please refer to your payment processing partner's privacy policy for details.

Palm Check Inc. (parent company). Five ID is a wholly owned subsidiary of Palm Check Inc., a company incorporated in the State of Delaware, USA. Palm Check Inc. may access certain operational and account data for group governance, fraud prevention, and IT infrastructure purposes. Any transfer of personal data to Palm Check Inc. is subject to the EU Standard Contractual Clauses approved by the European Commission, supplemented by the UK ICO's International Data Transfer Addendum. Both instruments are executed between Five ID and Palm Check Inc. These safeguards apply to transfers in respect of both UK users (under UK GDPR) and EEA users (under EU GDPR). A copy of the relevant safeguards is available on request from dpo@five.id.

For further information about any of the safeguards described in this section, please contact our DPO at dpo@five.id.

9. Automated Decision-Making

Five ID uses automated processing to authenticate your identity. This section explains how that works and what it means for you, as required by UK GDPR Article 22(2)(b) and EU GDPR Article 22(2)(b).

9.1 What we do

When you hold your palm over a Five ID terminal, we: (a) capture a palm scan and convert it into biometric measurements; (b) compare those measurements against your stored palm signature; (c) generate a confidence score indicating the likelihood that you are the registered account holder; and (d) authenticate you if the confidence score meets or exceeds our matching threshold, or decline authentication if it does not.

9.2 The significance of this decision

The outcome of this automated process has a significant effect on you: a successful match will enable a payment, unlock access, or credit a loyalty account; a failed match will decline the transaction or deny access. No human review takes place during the automated matching process.

9.3 How accurate is it?

Our biometric matching algorithm is designed to minimise two types of error: incorrectly authenticating the wrong person (a false match), and failing to authenticate a genuine registered customer (a false non-match).

In a small number of cases, a genuine customer may not be recognised — particularly if the palm scan quality is affected by factors such as lighting conditions, skin condition, injury, or an unusual scanning angle. If this happens, you will be prompted to try again. If the terminal continues to decline authentication, you can pay by another method or contact the venue directly for access queries.

We keep our error rates under continuous review. If you would like information about our current technical performance, please contact our DPO at dpo@five.id.

9.4 What happens if you are declined

If a Five ID terminal declines to authenticate you: (a) you will receive a notification at the terminal; (b) for payment transactions, you will need to pay by another means (e.g. card or cash, where accepted by the merchant); and (c) for access control, you should contact the venue directly.

9.5 Your right to request human review

You have the right to: (a) request that a decision which produces a significant effect on you is reviewed by a human being; (b) express your view about the automated decision; and (c) contest any decision made about you on an automated basis. To exercise this right, contact us at dpo@five.id describing the decision you wish to contest. We will respond within one calendar month.

10. Your Data Protection Rights

Under data protection law, you have the following rights. You do not normally need to pay a fee to exercise them. We will respond to all requests within one calendar month of receipt. We may require proof of identity before responding.

  • Right of access: You may ask us for a copy of the personal data we hold about you. Contact us at dpo@five.id.

  • Right to rectification: You may ask us to correct any inaccurate data or complete any incomplete data we hold about you.

  • Right to erasure: You may ask us to delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected.

  • Right to restriction of processing: You may ask us to limit how we use your personal data in certain situations.

  • Right to object: You may object to our processing of your personal data where we rely on legitimate interests as our lawful basis.

  • Right to data portability: You may ask us to provide your personal data to you or to another organisation in a structured, commonly used format, where our processing is based on consent or contract and is carried out by automated means.

  • Right to withdraw consent: Where we rely on consent as our lawful basis, you may withdraw that consent at any time by contacting dpo@five.id. Withdrawal will not affect the lawfulness of processing before your withdrawal.

11. How to Complain

If you have concerns about our use of your personal data, please contact our DPO in the first instance at dpo@five.id.

11.1 UK users

If you remain unhappy after contacting us, you have the right to make a complaint to the Information Commissioner's Office (ICO):

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113. Website: www.ico.org.uk.

11.2 EEA users (including Irish users)

If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority. Irish users may contact the Data Protection Commission (DPC):

Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28. Tel: +353 1 765 0100. Website: www.dataprotection.ie.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or prominent notice within the Service before the changes take effect. The date of the latest update is shown at the top of this Policy. We encourage you to review it periodically.