Data & privacy

Passkeys, biometrics and your privacy — what Credicorp sees

If you use a passkey to sign in to your Credicorp account, the sign-in may involve a biometric check on your device — fingerprint, face ID, or a device PIN. This page explains what happens to that data and what Credicorp receives.

What Credicorp does not receive

When you authenticate using biometrics (fingerprint, Face ID, Windows Hello), the biometric check happens entirely on your device, inside the secure hardware of the phone, laptop, or security key. Your fingerprint image, face geometry, or PIN is:

  • Never transmitted over the internet.
  • Never sent to Credicorp's servers.
  • Never stored by us.

This is by design under the WebAuthn / FIDO2 standard. Your device uses the biometric to unlock the private key stored in its secure element, then sends only a cryptographic signature to us — never the biometric data itself.

What Credicorp does receive

When you sign in with a passkey, we receive:

  • A cryptographic signature from your passkey that proves you are in possession of the device where the passkey was created.
  • The public key associated with your passkey credential (this was stored when you first registered the passkey).
  • A confirmation that the authentication was completed — pass or fail.

We store the public key on our servers so that we can verify your future sign-ins. The public key cannot be used to impersonate you — it is designed to be shared. Only the private key (which never leaves your device) can produce a valid signature.

Is biometric data "special category data" under UK GDPR?

Under UK GDPR, biometric data used for the purpose of uniquely identifying a natural person is special category data, requiring a higher standard of protection. Because Credicorp never receives or processes your biometric data — only a cryptographic signature derived from it — we do not process special category data in connection with passkeys.

What if I use a hardware security key instead?

Hardware keys (such as a YubiKey) require you to physically touch the key, not a biometric. The touch is a "user presence" confirmation, not biometric identification. No biometric data of any kind is involved.

See also: How passkeys work on Credicorp sign-in, What personal data do you collect about directors?, What are my rights under UK GDPR?.

Already a customer? Sign in to your account Sign in

Ready to apply?

Apply online in minutes. We lend to UK limited companies and LLPs — no personal guarantee required.

Apply for a Credicorp loan →
Back to Help Centre