Summary of Age Assurance written record

Last Modified: June 25, 2025
Note: This information is for UK Users only.

Introduction

This document summarises the written compliance record required by the UK Online Safety Act (“OSA”) and details how the age assurance methodologies are used through All Pass Trust (“APT”). It describes the different kinds of age assurance and how they are used for the purpose of ensuring that children are not normally able to encounter pornographic content.

Types of age verification method

    1. Credit Card with 3D Secure Authentication

    Provider: Internal billing system, Probiller

    User process:

    • User selects “Verify by credit card” (3DS) as the verification method.
    • Redirected to Probiller billing UI.
    • Inputs required:
      • Credit card number
      • CVV
      • Expiry date
      • Name and billing address
    • User clicks “Verify Now” to trigger a £0 authorization.
    • Probiller initiates a 3DS challenge with the card issuer.
    • User completes the challenge, e.g. via one-time password (OTP) or via app.
    • If result indicates 18+, APT flags user as verified.

    Reasoning:

    • Per Ofcom’s guidance on highly effective age assurance measures, individuals in the UK must be over 18 to obtain a credit card; credit card issuers are therefore obliged to verify the age of applicants before providing them with a credit card.
    • 3D Secure (3DS) provides strong customer authentication, adding an extra level of security by confirming ownership of the card.

    2. Email-Based Digital Footprint Age Estimation

    Provider: VerifyMyAge Ltd. (VMA)

    User process:

    • User selects “Verify by email” in APT.
    • User manually enters their email address.
    • VMA sends a time-limited OTP link to the email.
    • User clicks the link to verify ownership.
    • VMA analyses the email’s digital footprint using:
      • Financial institutions
      • Utility providers
      • Public records
    • VMA estimates the user’s age.
    • If result indicates 18+, APT flags user as verified

    Reasoning:

    • Per Ofcom’s guidance on highly effective age assurance measures, email-based age estimation is listed as capable of being highly effective.
    • The user must validate ownership of their email address via a link sent to their inbox.
    • VMA estimates the user’s age using email-linked data sources (e.g. financial, government, utility provider verification footprints).

    3. Mobile-network operator (MNO)

    Provider: OneID Ltd

    User process:

    • User selects “Verify by mobile” in APT.
    • Enters mobile number.
    • Receives and enters OTP.
    • Grants consent to allow data to be used to prove age
    • OneID queries MNO for verified status
    • If result indicates 18+, APT flags user as verified

    Reasoning:

    • Per Ofcom’s guidance on highly effective age assurance measures, “Mobile-network operator (MNO) age checks” are listed as capable of being highly effective.
    • The guidance states that each of the UK’s MNOs has agreed to a code of practice whereby they apply a content restriction filter to prevent minors’ access to age-restricted websites, which can only be removed by proving they are an adult.
    • The user must enter their mobile phone number and is then sent an SMS text message using a one-time password (OTP) to prove their possession of the device associated with the mobile number.
    • OneID uses SIM registration and carrier account metadata to confirm that mobile SIMs are assigned to adult users
    • If result indicates 18+, APT flags user as verified

    4. Open Banking

    Provider: OneID Ltd

    User process:

    • User selects “Verify by online banking” in APT.
    • User selects the name of their bank
    • Redirected to bank login.
    • Logs in and consents to data sharing.
    • OneID retrieves verified status from the bank.
    • If result indicates 18+, APT flags user as verified

    Reasoning:

    • Open banking is listed as being capable of highly effective age assurance in Ofcom’s guidance.
    • Financial institutions reliably verify age during account setup.
    • OneID confirms user’s adult status directly via bank-verified data with explicit user permission.

Privacy and security

APT does not collect, access, or process any of the personal data submitted during the age verification itself. APT collects data that is evaluated as strictly necessary to meet regulatory obligations and serve the APT purposes. All verification activities are conducted independently by trusted third-party providers, who return only a binary outcome, pass or fail, to APT. This ensures that identity or age-related data is never shared with or retained by APT or other Aylo products.

The only case in which data is collected and processed by an Aylo product is the Probiller verification via credit card. Nonetheless, this information is not transferred to the APT platform.

In particular, the data processed by APT across all the above processes is limited to:

  • APT account credentials
    • email address (in hashed format, in order to protect the data)
    • password (in hashed format, in order to protect the data)
  • The age verification outcome (pass/fail)
  • Jurisdictional information - Country (in order to apply the correct age-gating based on country requirements)
  • Technical data e.g., IP address, browser type for the delivery of the service (webpage)

To find out more about our privacy practices, please visit:
APT: Privacy Notice

Contesting an incorrect age assurance status

Our data-minimal approach to age assurance means that we cannot know why the data checked by our vendors has resulted in an incorrect status. To allow for this outcome, we permit users to try multiple age assurance methods before concluding a result. The breadth of age assurance measures offered ensures that an adult has multiple opportunities to prove their age. If, after exhausting all options, a user still believes that their age assurance status has been determined incorrectly, they may contact the customer care team from the site where age assurance was initiated through APT.