Scope

This Privacy Notice outlines how we process personal data, commit to protecting your information, and provide the framework through which effective management of data protection matters can be achieved while providing our Services. This Privacy Notice does not cover how The KYB Clients may treat Users' personal data. Clients provide this information in their privacy statements, which are not subject to The KYB's control.

If you are a California resident, you may find information about the CCPA application in Provision 16 of this Notice.

If you are a resident of Illinois, Washington, or Texas, it is necessary to refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 17 of this Privacy Notice). In case of any conflict or ambiguity between the Special Notice and the other provisions of this Privacy Notice, the former will prevail.

Definitions

Agreement

the Service Provider Agreement concluded with each Client, its annexes and appendices;

Client

the legal entity to which The KYB provides Services under the Agreement;

Service(s)

the personal identity verification service and connected services provided by THE KYB;

Data Controller, or Controller

the Client where it, alone or jointly with others, determines the purposes and means of the processing of personal data by written instruction for processing activities given to The KYB;

Data Processor, or Processor

The KYB where it processes personal data on behalf of a Data Controller;

Third-Party Processors

processors authorised to exercise certain processing activities under the direct authority of The KYB;

Data Providers

third-party service providers or public authorities used to collect additional information necessary for the provision of the Services;

Data Subject

any individual (hereafter - User) whose personal data The KYB may process on behalf of the Controller (the Client’s customers);

Personal data

any information relating to an identified or identifiable Data Subject;

Special categories of personal data

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health or data concerning a natural person's sex life or sexual orientation;

Data concerning health

personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Filing system

any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis used for service provision;

User

any individual in respect of whom the identity verification procedure (or any of its elements) is performed as part of the Services provided to a Client (may be referred to as ‘you’ in this Notice);

Website

thekyb.com;

Processing

any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Personal data breach

a breach of data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;

Consent

any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;

Livechat

a system that allows Users to have a real-time interaction with The KYB’s support team in a chatbox on the Website page in the browser;

Customer due diligence procedure

the process and rules established by the Client in line with applicable regulations, including the requirements for identifying its customers, related risks and checking they are who they say they are (may be referred to as ‘KYC’ in this Notice);

Standard Contractual Clauses

standard sets of contractual terms and conditions adopted by the European Commission (or UK-designated authorities) and ensuring appropriate safeguards for data transfers from the EEA and the UK to third countries, which the Controller and the Processor both sign up to, where necessary;

EEA

European Economic Area (the European Union Member States, Norway, Iceland, and Liechtenstein);

AML/CFT

Anti-Money Laundering / Combating the Financing of Terrorism legal rules and standards as envisaged in FATF recommendations, EU regulations, and national legislation;

Politically Exposed Persons (PEPs)

individuals who are or have been entrusted with prominent public functions (e.g., heads of state or government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials), as well as their relatives and close associates;

CCPA

the California Consumer Privacy Act of 2018, Civil Code sections 1798.100.

Principles of personal data processing that The KYB adheres to

The KYB adheres to the principles of personal data protection as envisaged in the EU GDPR and the UK GDPR. In accordance with these principles, The KYB assists the Controller in ensuring that the User’s personal data is:

1. Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;

2. Processed for specified, explicit, and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;

3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;

4. Kept accurate and up to date;

5. Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;

6. Processed in a manner that ensures their appropriate security;

7. Not transferred outside the European Economic Area (EEA) or the UK without adequate protection.

Purposes of personal data processing

Performance of the Agreement

While serving Clients, The KYB mainly processes your data as a Processor for the Client's benefit. The KYB processes personal data for the performance of the Agreements, including indicated services, obligations arising from the Agreement, and related rights, as well as for the execution of rights and fulfilment of obligations deriving from legal acts and processing Users' requests.

The KYB collects and further processes Users' data for the Client, which may include matters of compliance with applicable AML/CFT and/or other laws and regulations and/or the Client's internal customer due diligence procedures. Once personal data is no longer necessary for the relevant purpose, The KYB erases it from its servers upon the Client's written instruction without leaving any backup copies after transferring it to the Client.

Other purposes

We may process your data for purposes that serve The KYB's legitimate interests, which include the following purposes:

Where it’s not prohibited by applicable laws and provided we have permission from our Clients, we may process some personal data, including biometrics, to develop and improve identity verification services to prevent and detect fraud and other illicit activity as part of substantial public interest via machine learning;

Given the nature of our Services, we are to detect and prevent criminal activity, fraud, and money laundering by checking the provided User data against records of confirmed or suspected illegal activity, fraud or money laundering. If any sign of this appears, we will inform our Clients of this;

In connection with the purpose above, we may also conduct profiling, statistical analysis, and analytics in AML/CFT tendency, fraud detection, and prevention. The System may aggregate the User's data with other Users' data to generate reports and charts our Clients may use when assuming the risk likelihood associated with specific characteristics;

We sometimes may be obliged to process or retain all or part of personal data for the establishment, exercise, or defence of legal claims;

We process some personal data while adhering to the principles of personal data handling, namely lawfulness and accountability, by obtaining the legal basis for processing specific personal data concerning certain Users, as required under laws applicable to such Users. Obtaining and maintaining records that we have obtained on such a legal basis is essential to prove that we comply and adhere to our legal obligations outside and in the European Union and the United Kingdom.

Data processing activities

The KYB provides multiple types of automated processing, including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination (if so legally binding), or otherwise making available, alignment or combination, restriction, erasure or destruction.

Document check

For fraud detection, The KYB subjects personal data from photos and scanned copies of documents to automated reading and verification of authenticity by conducting different checks, such as completeness of records, screenshots detection, or cross-checking of all data from all submitted documents (e.g., name, date, and signature). We also check the document's security features, including the embedded security chip, machine-readable zone (MRZ), barcodes, QR codes and other security components used for genuine data validation. The KYB system analyses the results of the above to make an inference regarding the document’s trustworthiness.

Data validation

These data validation checks enable Clients to verify data against databases of third-party data providers and detect whether the User is involved in illicit activities, money laundering or terrorism financing. To do this, we will check the data extracted from the uploaded documents or provided by the User against a database of third-party data providers. The data providers we may use depend on the Client’s needs and the User’s location and may include ID registers, proof of address checks, the Social Security Administration and other government or commercial sources and databases, consumer credit agencies, PEP lists, global and country-specific sanctions lists, and adverse media sources.

Throughout the course of the Client’s relationship with the User, we may assist the Client in periodically screening the User’s data against databases to help prevent, detect, and investigate fraud and money laundering.

Know Your Business or KYB check

If the Client subscribes to the KYB check, it requires us to verify the existence, details, ownership, and control structure (e.g., ultimate beneficial owner(s)) of a legal entity through analysis of corporate documents and review of corporate registries, where available.

Fraud detection

The KYB implements a fraud detection and control network based on the anti-fraud checks required by our Clients and those included in our Services by default (e.g., Photoshop use or risk triggers calculation). Such checks require collecting, analysing, and re-using recorded User data.

Generally, The KYB verifies whether the User’s attributes—geolocation (IP address), device signature (operating system and camera name), email address, or mobile phone—have previously been involved in or related to any fraudulent activity or may currently signal suspicious behaviour patterns and otherwise point out that the User is fake. At the Client’s order, we may check information with our Data Providers on AML/CFT regulations requirements, such as screening through adverse media mentions match or checking for residency in high-risk countries. Besides, we check whether the User creates multiple identities by inspecting whether we have previously verified a User on behalf of a particular Client using biometric data comparison techniques.

All these checks are designed to help us and Clients assess the likelihood of customer trustworthiness, flag potentially fraudulent activities and assign a relevant risk score when the Client needs to acknowledge cases when Users generate multiple identities, compromise their data, or manipulate device or network information. The Client may consult with the fraud detection and control network on the fraud-related level of risk of the User under the onboarding process without accessing any personal data.

Types of personal data processed by The KYB

We may collect and further process the following personal data of Users depending on the particular Service being provided to the Client:

Categories of personal data

Examples

General personal data
Full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, and postcode).

Identity document data
Document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features.

Banking details
Cardholder name, expiry date, first 6 and last 4 digits of the card number.

Contact details
Address, e-mail address, and phone number.

Technical data
Information regarding the date, time, and activity in the Services; IP address and domain name; software and hardware attributes (e.g., camera name and type); general geographic location (e.g., city, country) from User’s device.

Geolocation data
IP address

Unique identifier
Applicant ID created only for identifying the User in The KYB system

Relevant publicly available data
Information regarding a person’s status as a Politically Exposed Person (PEP) or presence on sanctions lists.

Additional information
Data provided by the User during communication with The KYB (e.g., requests, reports).

Processing children’s personal data

The KYB may process the personal data of children, understood as individuals under the age of majority under the national laws of the Client’s country of incorporation, only when the Client ensures that the person with parental responsibility for the child has consented to such processing. Otherwise, if a child’s personal data is accidentally submitted to The KYB, it will be deleted without undue delay.

The lawfulness of personal data processing

When The KYB is engaged by its Clients to perform identity verification procedures in respect of their Users, the processing of personal data by The KYB is covered by those legal grounds that are relied on by certain Clients The KYB has the Agreement with. In line with Article 6 of the EU and UK GDPR, Controllers should rely on an appropriate legal ground when processing personal data. Most of our Clients rely on the following grounds for processing personal data:

Article 6(1)(c) of the GDPR: “[personal data] processing is necessary for compliance with a legal obligation to which the controller is subject”;

Article 6(1)(e) of the GDPR: “[personal data] processing is necessary for the performance of a task carried out in the public interest”;

Article 6 (1)(a) of the GDPR: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.

We may process your sensitive data if the Client has a reasonable legal ground for such processing.

Where The KYB pursues its purposes, The KYB relies on Article 6(1)(f) of the GDPR – legitimate interest. Our legitimate interest arises from the strict necessity of internal analysis and ongoing development and improvement of The KYB's services that our Clients use to detect fraud and illicit activities to prevent money laundering, terrorist financing, fraud, and other activities, which are considered a matter of substantial public interest. In this case, we use legitimate interest if the Client grants us permission to process data provided that The KYB's purposes are compatible with those initial purposes for which the personal data has been collected. Such purposes are compatible due to the obligations or interests of our Client regarding the combat of fraud and detection of any illegal actions.

The KYB may be under a 'litigation holds' requirement, such as an existing legal claim, juridical procedure, or other legal obligation. In this case, The KYB applies the legal ground specified in Article 6(1)(c) of the GDPR, which states that processing personal data is necessary to comply with a legal obligation to which The KYB is subject.

Personal data retention period

The retention period depends entirely on the processing purpose. Our Clients define how long personal data should be stored and when to delete it. Generally, in line with AML / CFT regulations, regulated financial companies are obliged to store the User's data for five years after the termination of the Client’s relationship with the User or the date of the occasional transaction. In some jurisdictions, there may be a longer mandatory data retention period.

Please note that if you, as a User, would like to make a request to delete the personal data that you have provided for the purpose of a particular Client, please make that request directly to the Client that controls your verification process.

In general, personal data, including biometric data, will be retained and stored by The KYB and will be permanently destroyed when the Client’s initial purpose and/or retention period prescribed by applicable law expires or The KYB compatible purposes for collecting the biometric data have been satisfied or after five (5) years from the individual's last interaction with The KYB, whichever occurs first, or three (3) if there is a local specific legislative requirement.

Data Subjects’ rights

Upon written request from the Client, The KYB assists the Client in exercising the Data Subject’s rights. According to privacy laws, you have the right:

to obtain confirmation as to whether or not your personal data are being processed;

to rectify personal data, or, in other words, to correct the wrong information or complete it;

to erase personal data, or “right to be forgotten”. Please note that this right is not absolute and applies only if (i) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) you object to the processing, and there are no overriding legitimate grounds for the processing of Client; (iii) the personal data have been unlawfully processed;

to restrict personal data processing where (i) the accuracy of the personal data is contested (during the period when the Client is able to verify its accuracy); (ii) the processing is unlawful, and you object to the erasure of the personal data and request to restrict their use instead; (iii) the Client no longer needs the personal data for the purposes of the processing, but they are required by you to establish, exercise or defend legal claims; (iv) you have objected to processing pending the verification whether Client’s legitimate grounds override those of yours;

to be informed as to rectification or erasure of personal data or restriction of their processing;

to data portability, or, in other words, to receive your personal data in an appropriate format to be able to provide it to another party or transfer your personal data from one controller to another;

to object to personal data processing if the processing is justified by the ‘public interest’ or ‘legitimate interest’ legal grounds as set out in points (e) and (f) of Article 6(1) of the GDPR;

not to be subject to a decision based solely on automated processing unless (i) such decision is necessary for entering into, or performance of, a contract between you and the data controller; (ii) such decision is authorised by the law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or (iii) such decision is based on your explicit consent;

to lodge a complaint with the supervisory authority. When it is related to the processing activities of our Clients (the service you were verified for), please refer to the methods specified in their privacy policies.

To ask The KYB to execute the rights mentioned above or redirect the request to the Client, you should send a free-form email to [email protected] or use this form. The information on actions taken in response to any request is provided to you within one month. That period may be extended by two further months where necessary, considering the complexity and number of the requests. In this case, we will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

Please be kindly aware that when you ask us for the execution of the rights as stated above, we may have to take steps to verify that you are the legitimate data owner and/or authorised to make the request due to the Client's request or our own legal obligation.

The KYB guarantees that making a request for receiving personal data is free unless a reasonable cost is to be charged where requests are unfounded or excessive, or repetitive in character.

Withdrawing consent and objection to legitimate interest mechanism

The KYB assists the Controllers (Clients) with the obligation of providing the mechanism for withdrawal of consent (Article 7 (3) EU GDPR and UK GDPR) and objection to processing based on legitimate interests (Article 21 (1) EU GDPR and UK GDPR).

Depending on the legal basis of processing that the Client relies on (consent or legitimate interest), the right to withdraw consent or the right to object to processing can be exercised.

The KYB does not make decisions regarding such requests on its own, as The KYB acts in accordance with the written instructions of the Client, who exercises control over personal data. The KYB can only redirect the User’s request to the Client for whom the User was verified.

Please note that to request a restriction or objection to processing, there should be overriding grounds to those we have under the legitimate interest. We underline that due to the importance of identity verification and fraud prevention to the world's financial system - so-called public interest - for which the personal data checks are carried out, it will be rare that we have no compelling, overriding grounds to continue using the personal data following a restriction or objection. Generally, under the given circumstances, there are better options than to terminate the processing of personal data under the restriction or objection request. For example, it would be unfair to hide the result of previous fraudulent patterns that could allow a person to steal money from the account by pretending to be another person.

Responsibilities

[a] The KYB’s responsibilities, and the DPO

The KYB is responsible for establishing policies and procedures in order to comply with the EU GDPR and the UK GDPR. Our Data Protection Officer can be contacted via the following e-mail address: [email protected].

[b] The KYB DPO’s responsibilities

The KYB’s Data Protection Officer holds responsibility for:

drawing up guidance and promoting compliance with this Privacy Notice;

appropriate compliance with the EU GDPR, UK GDPR and Data Protection Act 2018;

ensuring that any personal data breaches are resolved, catalogued and reported appropriately in a swift manner;

investigating and responding to complaints regarding data protection, including Data Subject’s requests.

[c] The KYB’s personnel responsibilities

The KYB personnel involved in personal data processing comply with the requirements of this Privacy Notice and other internal rules. These personnel ensure that:

all personal data is kept securely;

no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;

any queries, requests and complaints regarding data protection are promptly directed to the Data Protection Officer;

any data protection breaches are swiftly brought to the attention of the Management and the Data Protection Officer;

where there is uncertainty regarding a data protection matter, advice is sought from the Data Protection Officer.

[d] Third-Party Processors acting on behalf of The KYB

Where third-party companies are engaged to process personal data on behalf of The KYB, responsibility for the security and appropriate use of the data remains with The KYB.

Before engaging a Third-Party Processor, The KYB ensures that it provides sufficient guarantees as regards personal data security. In particular, a written contract establishing the types of personal data to be processed and the purposes of such processing, as well as containing provisions on personal data protection, is concluded between The KYB and the Third-Party Processor.

Personal data breaches

Where a personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or the Director and, where applicable, to the data protection authority, the respective Client and, if applicable, to the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and sets out the planned measures intended to eliminate the breach.

The report is provided directly to the concerned Client, and further breach mitigation is supported.

Data disclosure

[a] Third Parties

If the Client agrees, The KYB may have to engage third parties for data processing activities, which include the following categories:

Third-party processors as reasonably necessary for the provision of a service under the Agreement with a respective Client;

Data providers when it is supposed to be used for the provision of Service under the Agreement with a respective Client; and

The KYB Group of companies for assistance in service delivery and The KYB EU representative for granting the opportunity to Data Subjects and Supervisory authority to address The KYB within EU borders for the purposes of Article 27 of the EU GDPR.

The KYB requires the Third Parties to respect the security of personal data and treat it according to the applicable law. In addition, Third Parties are mostly limited to only accessing or using personal data to provide services to The KYB and must provide reasonable assurances they will appropriately safeguard the data.

[b] Recipients

Where it is required by law, The KYB may have to provide personal data to the Recipients, which includes the following categories:

Governmental bodies and regulatory authorities, judicial bodies, investigation bodies, sworn bailiffs, and notaries based on written and concrete requests or the duties binding upon The KYB or its Clients stipulated by the legal enactments. Such sharing is conducted in line with strict compliance with derogations of the EU GDPR and the UK GDPR; and

Any other Clients provided that there is a legitimate interest or any other legal reason for doing so, obtained consent or where The KYB has been instructed to share the information on behalf of our Clients as specified above.

The KYB group of companies and the EU Representative

The KYB is a group of companies established as a network of the following legal entities operating worldwide. The KYB services are provided by the operating company, The KYB, which acts for and on behalf of itself and the other members of The KYB group of companies.

International data transfers

The KYB confirms that all personal data is submitted by Data Subjects to The KYB’s servers located in the EU and/or subject to any national localisation requirements in the respective countries where such requirements exist. The Client may choose the location of personal data processing (including storage) to comply with the applicable laws.

Where it is necessary for service provision or to ensure convenient and reliable communication with the Data Subjects, The KYB transfers personal data outside of the EU/EEA, or the UK to the Third-Parties and Recipients.

Whenever a transfer of personal data outside the EU or the EEA is carried out, The KYB implements appropriate safeguards as set out in Chapter V of the EU GDPR by transferring on the basis of the EU Adequacy Decision (or UK Adequacy Regulations) and by concluding Standard Contractual Clauses with the Controller. Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules, Standard Contractual Clauses, etc. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.

Sale of personal data and CCPA reference

It should be underlined that The KYB does not sell personal data and strictly complies with restrictions and prohibitions under CCPA and the EU or the UK GDPR.

Special notice to residents of the states of Illinois, Washington, or Texas (USA)

Personal data processed by The KYB may include certain ‘biometric identifiers’ (such as scans of facial geometry or voiceprints) and ‘biometric information’ (data extracted from and based on biometric identifiers), which are used to verify the identity of the User.

Whenever such biometric identifiers and/or biometric information (collectively ‘biometric data’) are used as part of the services rendered by The KYB to any Client, such data shall be processed by The KYB on behalf of such Client and permanently deleted. In the latter case, The KYB shall not perform any operations regarding such data other than its storage for the period required by the applicable law.

In any event, biometric data shall only be collected and further processed by The KYB after having obtained written informed consent of the respective Data Subject to such collection and further processing.

In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of the states of Illinois, Washington, or Texas (USA) are applicable to the legal relationship between The KYB and any Data Subject.

Changes to this Notice

This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the relevant data protection laws.

The KYB reserves the right to make amendments to this Notice at any time and for any reason. Any amendments will be effective immediately upon us posting the updated Privacy Notice on our website. Users of our website waive the right to receive specific notice about such amendments. You are invited to review this Privacy Notice at any time to stay informed about updates.

If you want to observe the previous version of this Privacy Notice, please contact us at [email protected]. Our technical and legal support teams work 24/7 and will answer you shortly.