Data Privacy Statement of Identomat Inc. v2.0

Last updated: October 30, 2024

1. Introduction
Identomat Inc. ("Identomat," "we," "us," or "our") is committed to protecting the privacy and security of the personal data we process. This Data Privacy Policy outlines how we collect, use, disclose, and safeguard personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable laws.

2. Data Controller and Data Processor Roles
Under GDPR, Identomat operates as a Data Processor when processing personal data on behalf of our clients (the Data Controllers) who engage us for identity verification and related services. We adhere to documented instructions from our clients regarding the handling of personal data.

3. Personal Data We Collect and Process
Identomat processes the following categories of personal data as required to provide identity verification and related services:
  • Identification Data: Name, nationality, personal identity code, gender, date of birth, and address.
  • Document Data: Copy of identification documents such as passport or ID card, issuing authority details, expiry date, etc.
  • Biometric Data: Facial recognition data collected to verify identity, processed but not stored.
  • Digital Interaction Data: Images, video, and audio collected as part of liveness and identity verification.

4. Purpose and Legal Basis of Processing
The processing activities undertaken by Identomat are necessary to:
  • Perform identity verification services as per contractual obligations (GDPR Art. 6(1)(b)).
  • Comply with anti-money laundering and other legal requirements (GDPR Art. 6(1)(c)).
  • Ensure legitimate interests in fraud prevention and secure client identity management (GDPR Art. 6(1)(f)).

5. Security of Personal Data
We implement industry-standard technical and organizational measures to ensure the security and confidentiality of personal data, as outlined below:
  • Data Encryption: Data is encrypted during transmission (TLS/SSL) and storage (256-bit encryption).
  • Access Control: Access to data is limited to authorized personnel only, with strict authentication protocols.
  • Pseudonymization and Anonymization: Personal identifiers are replaced with pseudonyms when feasible.
  • Regular Audits: Periodic assessments of security measures are conducted to ensure ongoing protection.

6. Data Sharing and Transfers
Identomat does not share personal data with third parties except:
  • As required by law or to protect our legal rights.
  • For the performance of our services, with authorized sub-processors such as Amazon Web Services (AWS) and Google Cloud, located in compliance with GDPR requirements and bound by Standard Contractual Clauses (SCCs).

7. Data Retention
Personal data processed for identity verification is retained only for the duration necessary to fulfill contractual obligations with our clients. Biometric data used for identity verification is processed in real-time and not stored beyond the verification session. Personal data is securely deleted or anonymized upon the end of the contract or upon client instruction.

8. Data Subject Rights
Identomat supports data subjects' rights under GDPR, including:
  • Access and Rectification: Data subjects may request access to their personal data or correction of inaccurate data.
  • Erasure (Right to be Forgotten): Data subjects can request the deletion of their data in accordance with GDPR Art. 17.
  • Restriction and Objection: Data subjects may request restriction of processing or object to processing under certain conditions.
  • Data Portability: Data subjects have the right to receive their data in a structured, commonly used format.
Requests may be submitted to Identomat’s Data Protection Officer (DPO) as outlined in Section 12.

9. Sub-Processing and Onward Transfers
Identomat uses select sub-processors for cloud storage and system operations, listed in our Data Processing Agreement. We ensure these providers meet GDPR standards, including SCCs for any data transfers outside the EEA.

10. Incident Notification
In the event of a personal data breach, Identomat will notify affected clients and, as required, the relevant supervisory authorities without undue delay, and no later than 24 hours after becoming aware of the breach, per GDPR requirements.

11. Updates to this Privacy Policy
Identomat may update this policy to reflect operational, legal, or regulatory changes. Updates will be communicated to clients, and the latest version will always be available on our website.

12. Contact Information
For privacy-related inquiries, requests, or concerns, please contact our Data Protection Officer:

Data Protection Officer
Identomat Inc.
Email: legal@identomat.com
Address: 60 Hazelwood Dr, Champaign, IL 61820, USA