looking into the providers for verification like this is really revealing. they pass the puck of data storage and security at least a couple of companies deep, for one. notably, looking a k-ID's privacy policy, there's also data handling policies specific to each contract, so you have to ask Tumblr (in this case) specifically.
"Documents are deleted after confirmation" is also, uh, not true (or at the very least deeply misleading as it implies instantaneous deletion and no data transfer).
k-ID and Tumblr hold the "is an adult" information only, seemingly, but k-ID outsources its verification to a plethora of third parties dependent on your location. I'm looking into one for the UK right now (VerifyMy Ltd) even though ive got no intention of ever giving my biometrics to use social media, and they pretty openly state in their short-form privacy policy overview that they will store your data "for a limited time in line with their policies" (though for verification methods like card they don't personally (haven't the spoons to check their third party payment processer's policy as well), and in certain US states they have to legally delete everything Immediately apparently). The storage window is 28 days for verified adults - which doesn't seem that long, except to anyone who's data was being help in that 28 day period when a breach inevitably happens.
They also. Share your data with third parties. To "improve the accuracy of their service" - which is pretty blatantly going to be training their AIs.
Also, from what I could find, k-ID haven't ended their partnership with ZenDesk - who's support system (specifically their third-party partners, because it's always the companies they outsource the outsourcing to), you might be aware, had an ENORMOUS data-breach associated with their work with Discord earlier this year. This information was being stored despite, on the front end, there being assurances that data was being immediately deleted and would only be on your device (which is true in the Genie Wording way - technically discord and k-ID didn't have that data - but not true at all in the spirit of the promise).
Anyway fuck this noise right to hell. I'm going to call this statement from Tumblr outright misleading - if they're going to make promises regarding the private policies of the nesting-doll of third party data processors k-ID sits upon, they should bloody well be held partly liable. Cos you are certainly never given transparent information about the layers of data handling, storage and third party processing within these systems.
TL;DR: Do not ever give these companies your face or ID. I can't even call the card verification a good option, frankly, but if you ever have to verify your age see if you can get a perpetual age pass without sharing something that you don't already risk if you ever shop online.
