Discord has a new company handling your face and your government ID, and it is making the same privacy promises that came right before tens of thousands of those documents leaked last fall.
The platform began testing Incode, an AI-powered identity verification firm, earlier this month for both ID scans and selfie-based age estimation. That trial runs through July 2026, next to parallel tests of Google Wallet and credit card checks.
Discord describes all of it as giving people more ways to prove they are old enough for age-restricted servers, channels, and sensitive content. What it does in real terms is widen the roster of outside companies you have to trust with your most sensitive documents to keep using a service that once asked for nothing more than a username.
The ID scan sends your government ID and a selfie straight to Incode, where Discord says “the entire process is fully automated so no human ever sees your ID,” that “everything is permanently deleted once your age is confirmed,” and that “your ID is never linked to your Discord account.”
The other option, selfie verification, runs on facial age estimation that Discord says “meets our strict requirements for on-device facial age estimation so your biometric data never leaves your phone.”
Discord CTO and co-founder Stanislav Vishnevskiy described Incode as an additional provider for countries that legally require age verification, pointing to a UK law that took effect in July 2025.
That law, the Online Safety Act, is the regulatory pressure that has pushed Discord through a rotating cast of verification vendors over the past year, from Persona to k-ID and now Incode.
Discord has reached for nearly identical wording before, and it did not prevent anything.
Back in April 2025, a company spokesperson said, “The information shared to power the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor. For Face Scan, the solution our vendor uses operates on-device, which means there is no collection of any biometric information when you scan your face. For ID verification, the scan of your ID is deleted upon verification.”
A July 2025 blog post offered the same reassurance, stating that “the video selfie used for facial age estimation never leaves their device.”
Then a third-party vendor got breached in October 2025, and more than 70,000 government IDs spilled out along with names, emails, and other personal data. Those exposed IDs came from age verification appeals.
Incode brings its own record to the arrangement. The company settled a class action under Illinois’ Biometric Information Privacy Act in November 2024 for $4 million. The plaintiffs alleged that Incode gathered biometric data, selfies and photo IDs, without the notice or consent the law requires.
The settlement covered people in Illinois who uploaded a selfie and photo ID to any application, software, or website an Incode customer operated between November 2018 and August 2024 without first receiving the disclosure BIPA mandates before biometric data can be taken.
Discord’s pledge that “everything is permanently deleted once your age is confirmed” also runs straight into Incode’s own published policies. Incode’s privacy policy and biometric data notice say the firm may hold biometric data for up to three years and keep other personal data “as long as necessary for the purpose(s) for which it has been collected and in accordance with applicable laws and regulations,” which is a polite way of saying indefinitely.
Incode’s policy also reserves the right to share personal data with service providers, analytics partners, business partners, and legal authorities, so the documents you hand over to clear an age gate can travel well beyond the company you handed them to.
