PRIVACY POLICY OF THE IDENTT APPLICATION - Weryfikacja tożsamości KYC - IDENTT : Weryfikacja tożsamości KYC

PRIVACY POLICY OF THE “IDENTT” APPLICATION

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – „GDPR”), we inform you that:

The controller of personal data in connection with the use of the Application is Identt sp. z o.o., with its registered office in Wrocław (50-416), ul. Gen. Romualda Traugutta 45, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register under KRS number 0000586371, NIP (Tax ID) 8982215099, REGON 363017634, with a share capital of PLN 100,000.00 (hereinafter referred to as “we”, “our”, or “IDENTT”).

IDENTT cooperates with various organizations, such as banks, telecommunications operators, loan companies, financial institutions, etc. — in this Policy, each of these organizations is referred to as an “IDENTT Partner” or “Partner”.
Depending on the situation, your data collected during the verification process may be transferred by IDENTT to a specific IDENTT Partner (e.g. a bank, telecommunications operator, financial institution), but only to the Partner who directed you to the Application.

The identity and contact details of the specific IDENTT Partner correspond to the Partner from whom you received the link to the Application and will be included in that Partner’s privacy policy made available to you before starting the identity verification support process.

CONTACT DETAILS OF THE DATA CONTROLLER

You can contact IDENTT regarding the use of the Application:

By post: Identt sp. z o.o., ul. Gen. Romualda Traugutta 45, 50-416 Wrocław, Poland
By email: contact@identt.pl
By phone: +48 572 651 741.

You can contact the IDENTT Partner that processes your data and from whom you received the link to the Application using the methods and channels provided in that Partner’s privacy policy.

CONTACT DETAILS OF THE DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (DPO). You may contact the DPO regarding all matters related to the processing of personal data and the exercise of your rights under data protection laws in connection with the use of the Application.

By post: Identt sp. z o.o., ul. Gen. Romualda Traugutta 45, 50-416 Wrocław, Poland
By email: iod@identt.pl
By phone: +48 572 651 741.

You can contact the Data Protection Officer of the IDENTT Partner who processes your data (and from whom you received the link to the Application) using the methods and channels provided in that Partner’s privacy policy.
USE OF THE APPLICATION
Using the Application is possible in two variants:

Variant 1 – Identity Verification Process Initiated by an IDENTT Partner
You were redirected to the Application via a dedicated link received from an IDENTT Partner during the identity verification process.
In the Application, you will read data from the electronic layer of your ID card or passport compliant with ICAO 9309 standards.
The data read in the Application are then processed by IDENTT outside the Application on behalf of the Partner, where IDENTT supports the identity verification process and prepares the verification result, which is then transferred to the IDENTT Partner who directed you to the Application. The Partner makes the final decision regarding the outcome of your identity verification.

In this variant, your data are processed by two independent data controllers:

IDENTT – for providing the Application’s functionality and reading/processing data from the identity document directly within the Application.

IDENTT Partner – for commissioning IDENTT to support the identity verification process and for receiving, analyzing, and using the verification result in its own processes (e.g. contract conclusion, identity verification, fraud prevention, etc.).

Detailed data of the IDENTT Partner (name, address, contact, privacy policy link) will be provided by the Partner before directing you to the Application.

Variant 2 – Local Data Preview on the Device
You downloaded the Application independently from the app store (Google Play or App Store). You can read data from the electronic layer of an ID document (ID card or passport) and view them in the Application. These data are not transmitted anywhere; only a local preview is possible. The data remain solely on your device and are automatically deleted from the Application after the preview ends.

SCOPE OF DATA PROCESSING

The scope of processed data depends on the variant:

Variant 1 – Identity Verification Process
We process the following personal data:

Data read from the electronic layer of your identity document (e.g. first name, last name, PESEL or other ID number, document series and number, issue and expiry dates, nationality, photo from the document, and other fields as contained in the document);

Metadata – Application activity logs, error logs, IP address (to the extent necessary), device type, operating system, application version, and analytical data (e.g. Firebase) to ensure security and proper functioning of the Application.

Variant 2 – Local Data Preview
The data read from the electronic layer of your document remain locally on your device and are not transmitted to IDENTT or any IDENTT Partner.
After the preview ends, the data are immediately deleted from the Application’s memory.
ROLES AND STAGES OF DATA PROCESSING
Since the Application is part of IDENTT’s support for the Partner’s identity verification process, IDENTT’s role changes depending on the processing stage:

Data collection stage (within the Application): IDENTT acts as an independent controller — IDENTT initiates the process, designs the Application, and reads data from the identity document.
Data comparison stage (outside the Application): IDENTT acts as a processor of the Partner and processes data solely on the Partner’s instructions under a data processing agreement.
Decision stage: The IDENTT Partner, as an independent controller, receives the verification result and makes the final decision in accordance with its own privacy policy.

PURPOSES AND LEGAL BASIS OF PROCESSING

Your personal data obtained:

1. in connection with the use of the Application is processed by IDENTT as the data controller for the following purposes:

to enable the reading of data from the electronic layer of an identity document for verification in order to provide you with a service through the Application – the legal basis is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);

to provide the functionalities of the Application and ensure its proper operation and security – the legal basis is the pursuit of our legitimate interest (Article 6(1)(f) of the GDPR, where our legitimate interest is to display the content you request and to ensure the correct functioning of the Application);

for the marketing of IDENTT’s own products and services – the legal basis is the pursuit of our legitimate interest (Article 6(1)(f) of the GDPR, where our legitimate interest is direct marketing), provided that sending commercial information via electronic communication means as well as using telecommunications terminal equipment and automated calling systems for marketing purposes by us is only possible with your consent.

2. In each of the above cases, your personal data may also be processed by IDENTT as the data controller for the following purposes:

to perform our obligations arising from legal provisions – the legal basis is the necessity to comply with legal obligations (Article 6(1)(c) of the GDPR);

to establish, pursue or defend against claims – the legal basis is the necessity of processing for the performance of a contract or the pursuit of our legitimate interest (Article 6(1)(b) or Article 6(1)(f) of the GDPR, where IDENTT’s legitimate interest is the exercise of our rights);

for other purposes to which you have given your consent, if we ask for your consent to the processing of personal data and you grant such consent – the legal basis for processing personal data is consent (Article 6(1)(a) of the GDPR). Giving consent in such cases is voluntary, although it may be necessary to achieve the purpose of the processing.

3. in connection with the support provided to an IDENTT Partner in the identity verification process, your personal data is processed by IDENTT as a data processor on the basis of a data processing agreement concluded with the IDENTT Partner, for the purpose of supporting the identity verification process and transferring the verification result to the IDENTT Partner.

RECIPIENTS OF DATA

As part of your use of the Application, we may share your personal data obtained through the Application with an IDENTT Partner for the purpose of carrying out the identity verification process by that Partner. Your data will be transferred only to the IDENTT Partner that redirected you to the Application, which means your data will not be shared with any other IDENTT Partners than the one from whom you received the redirection to the Application for the purpose of verifying your identity.

Your personal data may also be transferred to entities processing personal data on our behalf, such as hosting service providers or partners providing technical services for IT systems and online platforms.

Your personal data may also be transferred to entities authorized to request such data under applicable laws (for example: courts, supervisory authorities).

RECIPIENTS OF DATA OUTSIDE THE EUROPEAN UNION

Your personal data may be transferred to recipients outside the territory of the EU or the EEA. In the case of cross-border transfers of data originating from the European Economic Area (EEA) to a country outside the EEA, such transfer of your personal data may take place if the European Commission has recognized the non-EEA country as providing an adequate level of data protection. Where data is transferred to countries outside the EEA that have not been recognized by the European Commission as ensuring an adequate level of protection, we will implement the Standard Contractual Clauses approved by the European Commission to ensure the protection of your personal data.

TYPE AND SOURCE OF PERSONAL DATA

In connection with the provision of identity verification support services, we process not only the data you provide to us, but also data obtained from our partners, including IDENTT Partners. This data may include information that is considered personal data, including identification data.

DATA RETENTION PERIOD

Your data will be stored for a period depending on the purpose of processing, specifically:

to enable the reading of data – for the time necessary to perform the reading and transfer the data for the identity verification support process, after which it is immediately deleted;
to enable the preview of data from the identity document – for the duration of the connection, and once it ends, the data is immediately deleted;
to provide you with the functionalities of the Application and ensure its proper operation and security – for the duration of the connection;
to perform our obligations arising from legal provisions – we may also process your data for the period necessary to fulfil those obligations;
to establish, pursue or defend against claims – for the period of the statute of limitations for potential claims, extended by three months;
for the marketing of our own products and services – until consent is withdrawn or until the processing purpose is fully achieved (where possible).
If you have given consent to the processing of your data, we will process it until you withdraw your consent or until the processing purpose is fully achieved (where possible).

DATA SUBJECT RIGHTS

For the data for which IDENTT is the data controller:

You have the right to access your data and the right to request its rectification if it is inaccurate, its deletion, or the restriction of its processing, as well as the right to data portability.
If we process your personal data based on consent, you have the right to withdraw that consent at any time. You may withdraw your consent by sending us an email at iod@identt.pl. Withdrawal of consent does not affect the lawfulness of the processing carried out before the withdrawal, nor does it affect the processing of your personal data carried out on a different legal basis (e.g. to perform our obligations arising from legal provisions).
Additionally, you have the right to object at any time—on grounds relating to your particular situation—to the processing of your personal data where the basis for processing is the so-called legitimate interest clause (Article 6(1)(f) of the GDPR) or public interest (Article 6(1)(e) of the GDPR), including profiling based on those provisions. In such a case, we will no longer process the personal data covered by the objection on that basis. The law grants us the right to refuse such a request if we demonstrate compelling legitimate grounds for further processing which override your interests, rights and freedoms, or if the data is necessary for the establishment, exercise or defence of legal claims. If personal data is processed for direct marketing purposes, you may object to the processing of your data for such purposes at any time. Once such a request is submitted, we will no longer process your data for direct marketing purposes.
For the data for which IDENTT is the data processor and an IDENTT Partner is the data controller, your rights are granted in accordance with the privacy policy of the respective IDENTT Partner.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

You also have the right to lodge a complaint with a supervisory authority responsible for the protection of personal data in the Member State of your habitual residence, place of work, or the place of the alleged infringement. In the case of Poland, this authority is:

President of the Personal Data Protection Office (PUODO)
Address: ul. Stanisława Moniuszki 1A, 00-014 Warsaw
Telephone: +48 606 950 000

INFORMATION ON THE VOLUNTARY OR OBLIGATORY NATURE OF PROVIDING DATA

Providing personal data is voluntary; however, in the case of the data we request in connection with your use of the Application, its processing is a condition for the provision of the service.

INFORMATION ON AUTOMATED DECISION-MAKING, INCLUDING PROFILING

Data may be processed in an automated manner, e.g. for the automatic assessment of the authenticity of a document or when comparing a photograph from an identity document. However, this does not result in decisions producing legal effects based solely on automated processing. The final decision regarding the verification result is always made by a human, i.e. an employee of the IDENTT Partner.

EXPLANATION OF TERMS

You – any natural person whose personal data is processed by IDENTT within the Application.

Application – the “IDENTT” mobile application available in the Google Play and App Store, which enables the local OCR reading of data from an identity document and the reading of data from an identity document for the purpose of supporting the identity verification process.