Privacy Policy

1. Extent of policy

2. Terms and Meanings

Agreement - a commercial contract that regulates the Section of Kycaid’s provided to a Client, established between a Kycaid entity and that Client (or an entity representing that Client, or an entity otherwise authorized to distribute the Services to that Client);

AML/CFT - refers to the legal regulations and standards for Anti-Money Laundering / Combating the Financing of Terrorism legal, as outlined in the recommendations of the FATF, EU regulations, and national legislation;

BIPA – mean the Biometric Information Privacy Act of 2008 in Illinois, US;

CCPA – mean the California Consumer Privacy Act of 2018, Civil Code sections 1798.100;

Client - a legal entity or individual that uses, or is entitled to use, Kycaid’s Services in accordance with the respective Agreement and as authorized by the respective Kycaid entity. The Clients provide their personal data to Kycaid on behalf of the respective Client using that Client's websites/platforms;

Consent - refers to any voluntary, specific, informed and unequivocal expression of the Data Subject’s preferences, through which they indicate their agreement to the processing of their personal data, either by means of a statement or through a clear affirmative action;

Customer due diligence procedure - the process and regulations set forth by the Client in accordance with relevant laws, which include the obligations for identifying its customers, associated risks and verifying their identities (may be referred to as ‘KYC’ in this Notice);

Data Controller, or Controller - refers to a natural or legal entity, public authority, agency or any other organization that, either independently or in collaboration with others,establishes the objectives and methods for processing Personal data; for instance, Client or Kycaid when it pursues its own objectives - as defined in this Notice;

Data Processor, or Processor - a natural or legal entity, public authority, agency or other organization that handles personal data on behalf of the controller; for instance, Kycaid when it manages data for its Clients;

Data Providers - third-party service providers or governmental entities utilized to gather supplementary information required for the Section of the Services;

Data Subject - any individual whose personal data may be processed by Kycaid on behalf of the Controller (such as the Client’s customers);

eIDAS framework - a collection of regulations that encompasses the following legal scope:

• Regulation No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;
• ETSI EN 319 401: Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers;
• ETSI EN 319 411-1: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements;
• ETSI EN 319 411-2: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates;
• ETSI TS 119 461: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects;

EEA - European Economic Area (the European Union Member States, Norway, Iceland and, Liechtenstein);

EU GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Filing system – any structured collection of Personal data that can be retrieved based on defined criteria, regardless of whether it is centralised, decentralised, or distributed either functionally or geographically, used for the relevant Service Section;

Kycaid ID - a collection of technical features and associated services offered by Kycaid to Applicants, designed to help simplify identity verification and, upon request, facilitate the sharing of Personal data with Kycaid’s Clients. The commercial name of product may vary within Clients frameworks;

Livechat - a system that enables Users to engage in real-time communication with Kycaid’s support team through a chatbox on the Website page within the browser.

Personal data - refers to any information that pertains to an identified or identifiable Data Subject;

Personal data breach - a breach of data security resulting in the unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data that is transmitted, stored, or otherwise processed;

Politically Exposed Persons (PEPs) - individuals who currently hold or have previously held prominent public positions PEPs can include government officials, military officers, judges, senior sporting officials, and high-ranking executives of state-owned enterprises, as well as their relatives and close associates;

Privacy Policy or Notice - this Privacy Policy available at https://kycaid.com/privacy-policy/;

Processing - any operation or series of operations carried out on personal data or collections of personal data, regardless of whether these actions are performed through automated methods. This includes activities such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Service(s) - the personal identity verification service along with associated services offered by Kycaid;

Special categories of personal data - personal data disclosing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic or biometric data used to uniquely identify a natural person, or other comparable sensitive information;

Standard Contractual Clauses - standard contractual terms and conditions adopted by the European Commission (or relevant UK authorities) that provide appropriate safeguards for data transfers from the EEA and the UK to third countries, which are signed by both the Controller and the Processor, where applicable;

Subject - the legal entity identified as the certified holder in a QWAS certificate. A Subject may also qualify as a Data Subject within the meaning of the EU/UK GDPR;

Third-Party Processors - processors authorised to perform specific processing activities under the direct instruction or authority of Kycaid;

UK GDPR - EU GDPR as incorporated into the United Kingdom’s domestic legal frameworks;

User or Applicant - any individual or whom the identity verification process (or any of its components) is conducted as part of the Services offered to a Client (may be referred to as 'you' in this Notice);

Website – www.kycaid.com.

3. Objectives of processing personal data

4. Kycaid’s Data Processing Principles

Kycaid complies with the Personal data protection principles set out in the EU GDPR and the UK GDPR along with other relevant laws. Under these principles, Kycaid assists Controllers in ensuring that Users’ Personal data is:

• Processed only for clearly defined and lawful purposes, without any further use that would conflict with them;
• Treated in a lawful, equitable, and open way in relation to the Data Subject;
• Kept precise and up-to-date;
• Adequate, relevant, and limited to what is necessary for the purposes of processing;
• Handled in a way that guarantees their proper security;
• Kept in a form that enables identification of Data Subjects, only for the duration required by the processing purposes;
• Not transmitted beyond the European Economic Area (EEA) or the UK without proper protection measures.

5. Data processing activities

Kycaid performs various types of automated processing, which include, but are not limited to: collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure via transmission, dissemination or other means of making data available, alignment or combination, restriction, and erasure or destruction.

6. Personal Data Processed by Kycaid

Depending on the specific Service provided to Clients, we may collect and process the following types of Personal data from Users:

Types of personal data	Sample Data
General data	Full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, and postcode).
Identification Document Information	Document type, issuing country, number, expiry date, MRZ, embedded barcode information (depending on the document), and security features.
Biometrical data	Facial characteristics.
Facial image data	Photos of the user’s face (including selfies), images or scans of the face on identification documents, videos, and audio recordings.
Contact details	Phone number, address and e-mail address
Banking details	Cardholder’s name, expiration date, first six and last four digits of the card number. If the Client uses Enable Banking: account details, balances, credit limits, and transaction history.
Credit Data	If the Client uses TransUnion of Canada Inc.: credit information records
Technical data	Information about dates, times, and activities within the Services; IP address and domain name; hardware and software characteristics (e.g., camera type and name); and general geographic location (e.g., city, country) of the User’s device.
Transaction data	Full names of both sender and recipient, their addresses, and the unique identifiers of the counterparties as provided by Kycaid and the respective Client.
Crypto transaction data (Crypto Travel Rule Solution and Wallet Address)	Full names of sender and recipient, sender’s physical (geographical) address, national ID or customer identification number (not the transaction number) uniquely identifying the originator to the ordering institution, date and place of birth, recipient account number (e.g., wallet address), wallet address hash, asset type, blockchain, creation and update dates, VASP ID owner, source type, source provider, and client ID.
Geolocation data	IP address.
Unique identifier	ID assigned to the Applicant solely for the purpose of identifying the User within the Kycaid system.
Publicly Available Information	Information about a person’s status as a Politically Exposed Person (PEP) or inclusion on sanctions lists.
Device Behavior Information	User ID, device fingerprint (screen size, user agent, browser, incognito mode, device type, operating system, geolocation), screen resolution, session language settings, operating system verification, window focus/blur activity, and time of day.
Supplementary information	Data submitted by the User during interactions with Kycaid (e.g., requests, reports).

7. Legal Basis for Personal Data Processing

When our Company is tasked by its Clients to carry out identity verification procedures for their Users, the processing of Personal data by Kycaid is based on the legal grounds relied upon by those Clients under their Agreements. In accordance with Article 6 of the EU and UK GDPR, Controllers must have a valid legal basis for processing Personal data. The majority of our Clients rely on the following legal grounds for such processing:

• 1.

  Article 6 (1)(a) of the GDPR: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”;

• 2.

  Article 6(1)(c) of the GDPR: “[personal data] processing is necessary for compliance with a legal obligation to which the controller is subject”;

• 3.

  Article 6(1)(e) of the GDPR: “[personal data] processing is necessary for the performance of a task carried out in the public interest”;

We may handle your Special Categories of Personal data when a Client has a valid legal basis for such processing. Clients processing biometric data to uniquely identify a User typically rely on the following legal grounds:

• 1.

  Article 9(2)(a) of the GDPR: “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject”;

• 2.

  Article 9(2)(g) of the GDPR: “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”;

For the exact legal basis of processing Special categories of personal data, please refer to the privacy policy of the Client whose services you want to use.

When Kycaid pursues its objectives, as outlined in Section 3 of this Notice, it relies on Article 6(1)(f) of the GDPR – legitimate interest. This legitimate interest stems from the essential need to conduct internal analysis and continuously develop and enhance Kycaid’s Services, which Clients use to detect fraud and unlawful activities, prevent money laundering, terrorist financing, and other actions considered of significant public interest in some jurisdictions. In such cases, Kycaid relies on its legitimate interests only if the Client has granted permission to process data for Kycaid’s purposes.

When Kycaid acts as a data controller to provide Applicants with Kycaid ID, the processing of standard Personal data is based on the necessity to perform a contract with the Applicant (Article 6(1)(b) of the GDPR). Biometric data processing within the Kycaid ID Section is carried out on the basis of the Applicant’s explicit consent (Article 9(2)(a) of the GDPR).

Kycaid may be subject to a “litigation hold” requirement, including an ongoing legal claim, judicial procedure, or other legal obligation. In such cases, Kycaid relies on the legal basis under Article 6(1)(c) of the GDPR, which provides that processing Personal data is necessary to fulfill a legal obligation to which Kycaid is bound.

8. Processing personal Data of Children

Kycaid may handle Personal data of children, defined as individuals below the age of majority according to the national laws of the Client’s country of incorporation, provided that the person with parental responsibility has given consent, or in cases where the child is legally able to consent to processing themselves under applicable national laws. As the data controller, the Client is responsible for determining when parental consent is necessary, considering the type of Personal data collected, and for ensuring compliance with regulatory requirements and age limits regarding data processing without parental consent in the jurisdictions where the Client operates and collects data. If Kycaid becomes aware that a child’s Personal data has been submitted without the required parental consent (for example, during an internal audit), such data may be removed without undue delay.

9. eID-Based Identity Verification

This part of the Privacy Policy describes how data is processed within the services related to issuing a qualified electronic signature or seal, enabling an entity to establish a business relationship through the eIDAS repository framework.

This section is applicable once the procedures and relevant documentation for the eIDAS framework are made publicly available in Kycaid’s repository.

10. Duration of Personal Data Storage

The duration of data retention is determined by the specific purpose of processing. Clients decide how long Personal data should be kept and when it should be deleted. Typically, in accordance with AML/CFT requirements, regulated financial institutions must retain User data for five years following the end of the Client–User relationship or the date of a one-off transaction. In certain jurisdictions, the mandatory retention period may be longer.

Please note that if you, as a User, wish to request the deletion of Personal data you provided for a specific Client, such requests should be submitted directly to the Client responsible for your verification process. For further guidance, refer to Section 11.

Generally, Personal data, including biometric information, is retained and stored by Kycaid and will be permanently deleted according to the Client’s instructions once the Client’s initial purpose or the retention period required by applicable law has expired, but not exceeding the duration of the contractual relationship with the Client.

When Kycaid determines compatible purposes independently or is subject to a legal requirement, Personal data, including biometric data, will be deleted once Kycaid’s purposes for collecting such data have been fulfilled. For residents of Texas, this occurs one (1) year after the purpose’s expiration, or five (5) years from the date the data was submitted to the Kycaid system, whichever comes first. For residents of Illinois, the retention period for Personal data, including biometric information, is three (3) years from the date the data was submitted to the Kycaid system.

11. Your Rights as a Data Subject

Upon receiving a written request from a Client, Kycaid provides assistance in enabling the Client to facilitate the exercise of Data Subjects’ rights. In accordance with applicable privacy legislation, you are entitled to the following rights:

• to receive confirmation regarding whether your personal data are being processed;
• to have your personal data rectified, meaning to correct inaccurate information or complete incomplete data;
• to request the erasure of your personal data (the “right to be forgotten”). Please note that this right is not absolute and applies only if:
  • your personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you object to the processing and there are no overriding legitimate grounds for the Client’s processing;
  • your personal data have been processed unlawfully.
• to restrict the processing of your personal data where:
  • the accuracy of the personal data is contested (for the period during which the Client can verify its accuracy);
  • the processing is unlawful, and you object to the erasure of the personal data and request the restriction of their use instead;
  • the Client no longer needs the personal data for the purposes of processing, but it is required by you to establish, exercise, or defend legal claims;
  • you have objected to the processing pending verification of whether the Client’s legitimate grounds override yours.
• to be informed about the rectification or erasure of your personal data, or the restriction of their processing;
• to data portability, meaning the right to receive your personal data in a suitable format so that you can provide it to another party or request the transfer of your personal data from one controller to another;
• to object to the processing of your personal data when such processing is based on the legal grounds of public interest or legitimate interest, as specified in points (e) and (f) of Article 6(1) of the GDPR;
• not to be subject to a decision based exclusively on automated processing, unless one of the following applies:
  • the decision is necessary for entering into or performing a contract between you and the Data Controller;
  • the decision is permitted by the law applicable to the Data Controller and such law also provides appropriate safeguards for your rights, freedoms and legitimate interests;
  • the decision is based on your explicit consent;
• to lodge a complaint with a supervisory authority. If you wish to raise a complaint regarding the processing conducted by one of our Clients (i.e., the service for which you underwent verification), please use the channels indicated in that Client’s privacy policy. If your concern relates to Kycaid’s own processing activities (you can verify this it here), you may submit a complaint using the following link.

To exercise any of the rights above, or to request that Kycaid forward your inquiry to the relevant Client, please send an email to [email protected]. We will respond with details on the measures taken within one month of receiving your request. If necessary, and depending on the complexity or volume of requests, this period may be extended by up to two additional months. In such cases, we will notify you of the extension and provide the reasons within one month of receiving your request.

Please note that when you request the exercise of any of the rights described above, we may need to verify that you are the legitimate owner of the data or otherwise authorized to make the request, either due to a Client’s instructions or our own legal obligations.

Kycaid ensures that submitting a request to access your Personal data is free of charge, except in cases where requests are manifestly unfounded, excessive, or repetitive, in which case a reasonable fee may apply.

12. Revoking consent and raising an objection to the legitimate interest mechanism

Kycaid assists Controllers (Clients) with providing mechanisms for withdrawal of consent (Article 7(3) EU GDPR and UK GDPR) and objection to processing based on legitimate interests (Article 21(1) EU GDPR and UK GDPR).
Depending on the legal grounds a Client relies on for processing (e.g., consent or legitimate interest), the right to withdraw consent or to object to processing may be exercised.

Kycaid does not independently decide on such requests, as it acts solely in accordance with the written instructions of Clients, who remain the controllers of the Personal data. Kycaid’s role is limited to forwarding a User’s request to the relevant Client for whom the verification was performed.

To withdraw your consent or object to processing by Kycaid, you can submit your request by sending an email to: [email protected]. Please note that to object to processing based on legitimate interest, your grounds must outweigh ours. Due to the critical role of identity verification and fraud prevention in the global financial system—considered a matter of public interest—it is uncommon that we will have no compelling reason to continue processing Personal data despite an objection.

In most cases, there are more appropriate alternatives than fully stopping the processing. For instance, it would be unsafe to hide records of prior fraudulent activity, as this could allow someone to impersonate another person and misappropriate funds.

13. Duties

14. Particular actions to guarantee data security

Kycaid implements concrete measures to protect Personal Data, including, but not limited to, the following:

• Kycaid’s specially designed API interface (iFrame) allows Data Subjects to submit their Personal Data directly to Kycaid’s secure servers;
• Whenever applicable, the processing of Personal Data is carried out in accordance with relevant Agreements, Non-Disclosure Agreements, and Data Processing Agreements that comply with the EU GDPR and the UK GDPR;
• All Personal Data is stored securely on Google Cloud servers located in secure European data centres, including those in Belgium, meeting high-level security standards;
• Staff involved in Personal Data processing are officially authorised, undergo mandatory background checks where required, and participate in regular training.
• Personal Data is encrypted at all times;
• For certain types of Personal Data (e.g., children’s Personal Data or sensitive data under applicable laws) that may be unlawfully processed, Kycaid takes all necessary steps to promptly identify and either delete or, where appropriate, encrypt such data upon submission;
• Kycaid conducts regular internal and external audits of data protection and information security, along with vulnerability assessments. Compliance with the EU GDPR, the UK GDPR, ISO/IEC 27001, SOC 2 Type 2, and PCI DSS standards is continuously verified;
• Physical, software, and network security measures, as described below, are implemented to ensure comprehensive protection.

15. Disclosure of Personal Data

• Third-party processors, as reasonably required, to carry out a section of the Service under an Agreement with the respective Client that engages them to process certain data;
• Data providers, when their services are necessary for the provision of a section of the Service under an Agreement with the respective Client.

Kycaid requires that third parties respect the security of Personal Data and handle it in accordance with applicable law. Furthermore, third parties are generally restricted to accessing or using Personal Data solely for the purpose of providing services to Kycaid and must give reasonable assurances that they will safeguard the data appropriately, in line with Section 13.4 of this Notice.

In some cases, certain third-party subprocessors may engage specific data providers who are permitted to maintain and use the data for their own legitimate purposes.

16. Managing Personal data breaches

In the event of a Personal Data breach, or if a breach is suspected, it must be reported immediately to the Data Protection Officer (DPO) or a company director. Where applicable, the breach is also reported to the relevant data protection authority, the respective Client, and, if necessary, the individual affected.

The report provides complete and accurate information about the incident, including its causes and scope, and outlines the corrective measures planned to address and mitigate the breach.

17. Cross-Border data transfers

Kycaid confirms that all Personal Data is stored on its servers located within the EU and/or in accordance with any national data localisation requirements applicable in specific jurisdictions. Clients have the option to select the location for Personal Data processing (including storage) to ensure compliance with the relevant legal provisions.

Where it is necessary for the provision of the Service or to enable convenient and reliable communication with Data Subjects, Kycaid may transfer Personal Data outside the EU/EEA, the UK, or other relevant jurisdictions (if applicable), to the third parties and recipients listed in Section 15 of this Notice.

Whenever Personal Data is transferred outside the EEA or the UK, Kycaid applies appropriate safeguards in accordance with Chapter V of the EU GDPR or the UK GDPR. Such transfers are conducted on the basis of an EU Adequacy Decision (or UK Adequacy Regulations) or through the use of Standard Contractual Clauses. Third-party processors also rely on suitable safeguards, including binding corporate rules, Standard Contractual Clauses, or other lawful mechanisms.

Cross-border transfers of Personal Data from the UK to EU/EEA countries are permitted by the UK Government. For international data transfers from other jurisdictions (when services are provided on behalf of companies outside Europe), Personal Data is transferred either to countries with an adequate level of protection or using data transfer mechanisms permitted under applicable laws, such as appropriate contractual measures.

To maintain transparency and comply with applicable data protection legislation, Kycaid outlines below the non-EU countries to which Personal Data may be transferred, along with the relevant safeguards applied.

18. Special Provisions for residents of the states of Illinois, Washington, or Texas (USA)

Kycaid may process certain types of Personal Data classified as biometric identifiers (including facial geometry scans and voiceprints) and biometric information (data generated from such identifiers) for the purpose of verifying the identity of Users.

Whenever such biometric identifiers and/or biometric information (together referred to as “biometric data”) are used as part of the Services provided by Kycaid to any Client, this data is processed by Kycaid on the Client’s behalf and permanently deleted in accordance with Section 10 of this Notice. In such cases, Kycaid does not carry out any actions involving this data other than storing it for the period required under the applicable law.
In all cases, Kycaid collects and processes biometric data only after obtaining the written informed consent of the relevant Data Subject. If there is any conflict or inconsistency between other Sections of this Privacy Policy and the provisions of this special notice, the latter shall prevail whenever the laws of the states of Illinois, Washington, or Texas (USA) govern the legal relationship between Kycaid and a Data Subject.

Clients are independently responsible for complying with the privacy regulations, including BIPA, providing all necessary disclosures and obtaining all required consents.

19. Sale of personal data and CCPA Compliance

Kycaid does not sell Personal data and strictly complies with restrictions and prohibitions under CCPA and the EU or the UK GDPR.

Kycaid is committed to complying with the California Consumer Privacy Act (CCPA) and other applicable California privacy laws. This section supplements our main Privacy Policy and applies to California residents who provide personal information to Kycaid.

The following categories of personal information may be collected, processed, and stored by Kycaid in the course of providing services to California residents:

Identifiers	Full name, postal address, email address, Internet Protocol (IP) address, Social Security number, driver’s license number, identity document details (such as type of document, issuing country, number, expiry date, MRZ, data encoded in document barcodes, which may vary depending on the document, and security features), or other similar identifiers.
Categories of Personal Information as defined in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Full name, signature, Social Security number, postal address, email address, telephone number, identity document details (including document type, issuing country, number, expiry date, MRZ, data encoded in document barcodes, which may vary depending on the document, and security features), driver’s license or state ID card number, bank account information, credit or debit card information (including cardholder name, expiry date, and the first six and last four digits of the card number), or any other financial information, such as documents provided to verify the source of funds or wealth.
Protected characteristics or classifications as recognized under California or federal law	Age (applicable to Users over 40) and citizenship.
Commercial information	Records of personal assets
Biometric information	Facial features.
Internet or comparable network activity	History of access and details of your interactions with our services
Audio, electronic, visual, thermal, olfactory, or other related information	Photographs of the face (including selfies), images or scans of the face on identification documents, videos, and audio recordings.
Professional or job-related information	Occupation, employment details.
Confidential personal data	Information related to health, including vaccination certificate data, test certificate data (NAAT/RT-PCR or rapid antigen tests), and certificates for individuals who have recovered from COVID-19.

Kycaid collects the personal information described above from the following sources: directly from clients or their agents, directly from users, and indirectly through interactions with our services and platforms.

Kycaid may share personal information with third parties when necessary to provide services, operate our platforms, or comply with legal obligations. Any third parties are limited to using personal information only for the specified purposes and are contractually obligated to safeguard it appropriately.

The categories of personal information that may be shared correspond to those listed in the table above. Kycaid does not sell personal information and only discloses it when required for legal, regulatory, or legitimate business purposes.

California residents have specific rights regarding their personal information under CCPA. Kycaid respects and guarantees these rights, which include:

• Right to know: You may request information about the categories of personal information collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions. Deletion requests may be denied if retaining the information is necessary to ensure security, exercise legal obligations or human rights, comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.), comply with other applicable laws, or for legitimate business purposes.

Kycaid provides accessible mechanisms to exercise these rights and responds to requests in accordance with CCPA requirements.

California residents may exercise their CCPA rights by submitting a valid request to Kycaid via email at [email protected].Only you or an authorized representative registered with the California Secretary of State may make a request.

Requests must provide sufficient detail to identify the personal information and allow verification of your identity or authority. If identity or authority cannot be verified, Kycaid cannot respond to the request.

As a Service Provider, Kycaid assists businesses in responding to CCPA requests in accordance with the business’s written instructions.

Kycaid endeavors to respond to valid CCPA requests within one month, and no later than two months when additional time is required. Requests are handled in accordance with the procedures outlined in the relevant section 11 of this Privacy Policy, including the method of response, applicable fees, and timeframes.

Kycaid does not discriminate against individuals for exercising their CCPA rights. Unless permitted by law, we will not:

• Deny access to our websites or services;
• Provide a different level or quality of services.

20. Details of the Kycaid company

Kycaid is incorporated in the United Kingdom as a legal entity under the name Compligate Ltd (registration number 15376538) and operates globally.

21. Modifications to this Notice

This Privacy Policy is regularly reviewed and updated to ensure compliance with applicable data protection laws.

Kycaid reserves the right to modify this Notice at any time and for any reason. Any changes will take effect immediately upon posting the updated Privacy Policy on our Website. Users of our Website acknowledge and agree that they are not entitled to receive specific notice of such updates. You are encouraged to review this Privacy Policy periodically to stay informed of any changes.

If you wish to review a previous version of this Privacy Policy, please contact us at [email protected]. Our technical and legal support teams are available 24/7 and will respond to your request promptly.