Privacy Policy
VOVE ID Global Privacy Policy
Last Updated: March 26, 2025
Thank you for reading the VOVE ID Privacy Policy. This comprehensive policy explains how VOVE ID (“we”, “us”, “our”) collects, uses, and protects personal data across all our services and platforms. It covers the privacy practices for:
End-Users – individuals undergoing identity verification via our SDK or API at the request of one of our business clients (our “Customers”).
Website Visitors – individuals visiting our website or using our online resources (including cookie tracking and analytics).
Business Clients – representatives and users of our business Customers who access the VOVE ID dashboard and services (B2B users).
We are committed to protecting your data in compliance with the EU General Data Protection Regulation (GDPR) and applicable global privacy laws. This policy is designed to be easy to navigate with clear sections for each user category, and written in accessible, professional English.
Controller vs. Processor – Understanding Our Role: In providing identity verification services to our Customers, VOVE ID acts as a data processor handling End-Users’ personal data on behalf of the Customer (who is the data controller deciding the purposes and means of processing). In other words, if you are verifying your identity through VOVE ID, the company that directed you to our service (our Customer) determines why your data is processed, and we process it according to their instructions. This also means the Customer must have a valid legal basis for asking us to verify your identity and must inform you how both they and VOVE ID handle your data. For other data interactions – such as when you visit our own website or when we manage a Customer account – VOVE ID is the data controller of that information.
Please Note: If you are an End-User undergoing verification, be sure to review the privacy notice of the company that requested the verification (our Customer) in addition to this policy.
That company’s privacy notice will explain their purposes and legal bases for verifying your identity and how to exercise your rights with them. This VOVE ID policy explains how we process your data as part of providing our services to them. Sections of this policy also include placeholders or notes that may be tailored for specific client integrations or requirements. We are happy to address any client-specific questions as needed.
Below you will find a table of contents for easy navigation:
1. Key Definitions
2. Personal Data We Collect
2.1 End-Users (Identity Verification Data)
2.2 Business Clients (B2B User Data)
2.3 Website Visitors (Online Data)
3. Purposes and Legal Bases for Processing
3.1 For End-Users (Identity Verification)
3.2 For Business Clients (Service Delivery)
3.3 For Website Visitors (Site Functionality & Analytics)
4. Data Sharing and Disclosure
5. Data Storage and International Transfers
6. Security Measures
6.1 Technical Safeguards
6.2 Organizational Measures
7. Data Breach Response
8. Data Retention
9. Your Rights as a Data Subject
9.1 Exercising Your Rights
10. Automated Decision-Making and Profiling
11. Updates to this Privacy Policy
12. Contact Us
1. Key Definitions
For clarity, here are some key terms used in this policy:
Personal Data – any information relating to an identified or identifiable natural person (a “Data Subject”). This includes information like name, identification numbers, location data, online identifiers, and factors specific to physical, genetic, mental, economic, or social identity. In our context, even a photo or ID document you provide is personal data.
Processing – any operation performed on personal data, such as collection, use, storage, or deletion.
Data Subject – the individual whom the personal data is about (here, End-Users, website visitors, or client representatives – you).
Data Controller – the entity that determines the purposes and means of processing personal data. For identity verification services, our Customer (the business that requested your verification) is the controller of End-Users’ data. For data collected from our own website or in managing client relationships, VOVE ID is the controller.
Data Processor – the entity that processes personal data on behalf of a controller. VOVE ID acts as a processor when handling End-Users’ data for identity verification at our Customers’ direction.
Customer (Client) – a business or organization that uses VOVE ID services to verify the identities of End-Users. For example, a bank or fintech company that integrates our SDK to confirm their users’ identities.
End-User – an individual who is being verified through VOVE ID’s service at the request of a Customer. For example, if you are a customer of a bank that uses VOVE ID for KYC, you are the End-User in this context.
Website Visitor – anyone who visits our websites (e.g., voveid.com) or interacts with our online content.
B2B User – an individual acting on behalf of a business Customer, such as an employee or administrator who accesses the VOVE ID dashboard or API.
Services – VOVE ID’s identity verification solutions and related services (including our SDKs, APIs, dashboard, and website).
SDK – Software Development Kit; our SDK is integrated into our Customer’s mobile or web application to capture ID documents, selfies, etc., for verification.
These definitions align with GDPR terminology (see GDPR Article 4 for formal definitions of personal data, controller, processor, etc.). Understanding these roles is important because our obligations to you can differ depending on whether we are acting as a controller or processor of your data.
2. Personal Data We Collect
We collect different types of personal data depending on how you interact with VOVE ID. This section describes the categories of data we handle for End-Users, Business Clients, and Website Visitors.
2.1 End-Users (Identity Verification Data)
If you are an End-User undergoing identity verification through our SDK or platform, we may collect the following types of personal data about you:
Identity Information: Details that help identify you, such as your full name, date of birth, place of birth, address, nationality, and other information you or our Customer provide in the verification flow. This often comes from the identity document you submit (e.g., the name and birthdate on your ID or passport).
Document Details: Information extracted from your ID documents, including document type (passport, ID card, driver’s license, etc.), document number, expiration date, issuance country, and security features. We may collect images or scans of your ID document (front and back) as part of this process.
Biometric Data (Photo/Video): Your photograph, selfie, or live video captured during the verification, and derived biometric identifiers. For example, we might capture a live selfie video to perform a 3D “liveness check” and face recognition against your ID photo. This can generate biometric data used to uniquely identify you (e.g. facial measurements or templates). Sensitive Data Notice: Biometric data for identification is considered a special category of personal data under GDPR. We only process this data to the extent necessary for fraud prevention and identity verification, and in compliance with applicable laws (for instance, obtaining your explicit consent for biometric processing if required by law).
Contact Information (if provided): In some cases, we might collect contact details like your email address or phone number. This could happen if our Customer asks us to contact you with a verification link or code, or if such information is included on your ID document. We use this information solely for assisting with the verification process (e.g., sending a one-time passcode) unless otherwise specified.
Technical and Device Data: Information about the device and network you use to perform the verification. This includes IP address (and approximate geolocation derived from it), device type (e.g., model, OS, browser), unique device identifiers, language settings, and telemetry data (such as sensor data from the camera during liveness checks). We collect this to ensure security (for example, detecting suspicious devices or multiple attempts) and to enhance the user experience (like optimizing video quality for your device).
Verification Metadata: Data generated during the verification session, such as timestamps of when steps are completed, transaction or session IDs, logs of any errors, and the final verification result (e.g., “verified” or specific flags for issues like a document being expired or a face mismatch). We may also record the reason if a verification fails (e.g., “document photo not clear” or third-party watchlist check result).
Fraud Prevention Data: Any additional information we derive to prevent fraud. For example, we might analyze patterns (like whether the same device or ID was used in prior fraud attempts) or use third-party checks (like verifying the authenticity of the ID document or checking your name against sanction lists or politically exposed persons (PEP) lists if our Customer requires AML screening). This can include risk scores or flags that help our Customer decide whether to approve or reject a transaction.
Note: The exact data collected about you as an End-User can vary depending on the integration and our Customer’s needs. We aim to collect only the data that is necessary for your verification. You will typically see on the verification interface what data is being requested (e.g., which type of ID, whether a selfie is needed, etc.). If new types of data need to be collected, we or our Customer will inform you at that time. If you have any questions about specific data being collected for your verification, please refer to the Customer who is verifying you or contact us using the information below.
2.2 Business Clients (B2B User Data)
If you are a business client or an authorized user of our services (for example, you work for a company that has a VOVE ID account, and you log into our dashboard or use our API), we collect personal data to manage our relationship and enable your use of VOVE ID. This may include:
Contact Details: Your name, work email address, phone number, job title/role, and the company you represent. We collect this when you or your employer signs up for VOVE ID services, when you correspond with us, or through a contract. We use this to identify you, communicate with you, and authenticate your access to the dashboard.
Account Credentials: If you have a login to our dashboard or platform, we will process your username, password (stored in hashed form), and any account identifiers. For API usage, we issue API keys or tokens linked to your account. It is your responsibility to keep login credentials confidential; we will never ask for your password via email or phone.
Account Usage Data: Information on how and when you use our B2B services. For example, we may log when you last logged in, actions taken in the dashboard (such as initiating a verification or viewing results), settings you configure, audit logs of data access, and usage statistics. This is to provide the service (and show you your activity), as well as for security (audit trails) and improving our platform.
Business Information: Details about the organization you represent, which might include billing address, tax ID/VAT number, subscription plan, and transaction history. While this is often not personal data (if it’s about a company), some elements like a business contact person’s name or business email could be personal data. We process this to fulfill our contract and legal obligations (invoicing, accounting).
Communications: Copies of communications with you or your colleagues. For instance, if you email our support or sales team, join a demo or call, or use a chat feature, we may keep records of that correspondence and any information you provide. This helps us follow up on your requests and train our team to better serve you.
Preferences and Feedback: We may also store information you provide about your preferences (e.g., product settings, notification preferences) and any feedback or survey responses you give. This personal data is used to customize your experience and improve our services.
Verification of Client Identity: In some cases, especially for compliance, we might need to verify the identities of our business clients or their representatives (for example, if required by anti-money laundering regulations when we onboard a fintech client). This could involve collecting a copy of an ID or proof of authority from you as a client representative. We will only ask for such information when legally required and will treat it with the same care as End-User verification data.
Note: Business client data is typically business-related (professional contact information), and we expect that it is provided by you in your capacity as a representative of a company. We do not require any sensitive personal data from our B2B users unrelated to the service. Please ensure that any personal data of others you provide to us (e.g., adding a team member to the account) is shared in compliance with privacy laws and with their consent if necessary.
2.3 Website Visitors (Online Data)
When you visit our website, use our online services, or interact with us online (for example, reading our documentation or blogs, or contacting us through a web form), we collect some data about you and your device. This includes:
Usage Data: Information on how you use our website – e.g., the pages or documentation you view, the links you click, the date and time of access, the duration of visits, and the referring page (the webpage that led you to ours). This helps us understand what content is useful to visitors and improve our site’s design and content.
Device and Browser Information: Technical details such as your IP address (which can indicate your general location), browser type and version, device type (e.g. mobile or desktop, operating system), screen resolution, and language settings. We collect this through server logs and analytics tools to ensure the website displays correctly and to perform debugging and security monitoring.
Cookies and Tracking Identifiers: We use cookies and similar technologies (like web beacons or local storage) to enhance your experience on our site. Cookies are small text files that our site saves on your browser. Some cookies are essential for site functionality (e.g., to remember your language preference or keep you logged in if the site has a login); others are for analytics or advertising. For example, we might use Google Analytics or a similar tool which sets cookies to collect aggregated usage statistics (like number of visitors, popular pages). We may also use cookies for marketing purposes, such as Google or LinkedIn pixels, to track conversions and retarget visitors with our ads (with your consent). Our Cookie Notice provides details on each cookie, its purpose, and how to manage your preferences.
Form Inputs and Communications: If you fill out a form on our website (such as a “Contact Us”, signup or demo request form, or comment field), we will collect the information you provide. Typically this includes your name, email, phone, company, and the content of your message. We use this to respond to your inquiry or process your request (for example, creating a trial account or registering you for a newsletter). We may also keep a copy of our correspondence for record-keeping.
Newsletter/Marketing Signup: If you subscribe to our newsletter or opt-in to marketing communications, we will collect your contact details (email, and possibly name) and your communication preferences. We will send you updates and information in line with what you signed up for, and you can opt out at any time.
Social Media and Third-Party Links: If you arrive at our site via social media or interact with our social media widgets (like a “Share” or “Like” button), those platforms may collect certain information through their own cookies. We do not control those interactions – please refer to the privacy policies of the respective platforms. We may receive aggregate data from social platforms (for example, how many people clicked on our post). Similarly, if our site has third-party embedded content (like a video player or code sandbox), those third parties might collect usage data subject to their own policies.
Cookies & Consent: When you first visit our site, you will see a cookie banner or notice. Except for strictly necessary cookies, we will not set cookies (especially analytics or advertising cookies) unless you consent. You can manage your cookie preferences at any time via our cookie settings tool on the website. For more details, read our Cookie Notice (linked above), which is incorporated into this Privacy Policy. (If you are reading this policy on a client’s platform where our SDK is embedded, note that cookie usage may differ – the above mainly applies to the VOVE ID website itself.)
3. Purposes and Legal Bases for Processing
We only process personal data when we have a specific purpose and a lawful basis under GDPR for doing so. This section explains why we use personal data for each category of individuals, and the legal grounds that make the processing lawful. Given the global reach of our service, we primarily rely on GDPR bases, but we also adhere to other applicable laws in the jurisdictions where we operate (we can provide additional details for specific regions upon request).
3.1 For End-Users (Identity Verification)
When processing End-Users’ data for identity verification services, VOVE ID is acting on behalf of our Customer (the data controller). The purposes and legal bases typically include:
Identity Verification & Fraud Prevention: The core purpose is to verify your identity documents and biometrics to confirm you are who you claim to be, and to detect and prevent fraud. This involves checking the authenticity of IDs, comparing your live image to your ID photo, and running any required security checks (like AML watchlists if applicable). The lawful basis for this processing is usually legitimate interests – specifically, the legitimate interest of our Customer in preventing identity fraud and ensuring the person is correctly identified. Preventing fraud is recognized as a legitimate interest under GDPR. In many cases, there is also a legal obligation: for example, our Customer might be required by law to verify identities (know-your-customer regulations, age verification laws, etc.), which would provide a lawful basis (compliance with a legal obligation) for processing your data. Additionally, the verification may be necessary for the performance of a contract between you (the End-User) and our Customer – for instance, if you are registering for a service, you must verify your identity as a condition to complete the signup (making it necessary to fulfill the service you requested). We rely on our Customer to determine the appropriate lawful basis in their context, but we ensure our processing is in line with those purposes.
Consent for Specific Uses: In certain jurisdictions or for certain types of data, our Customer might seek your consent before processing. For example, biometric data (like a facial scan) may require your explicit consent under GDPR Article 9, unless another exception applies. If you are asked to agree (e.g., by ticking a box or proceeding after seeing a notice) before we capture your selfie or ID, that consent will serve as an additional legal basis for us and our Customer to process that data. We will only use biometric data to the extent necessary for verification, and in compliance with any consent obtained. You have the right to withdraw consent at any time, but note that this might prevent completion of the verification or the related service.
Service Delivery on behalf of Customer: We process and transfer the verification results back to the Customer to enable them to deliver their service to you (e.g., opening your account or approving your transaction). The lawful basis here can be framed as legitimate interests of both the Customer and you as the End-User – you have an interest in accessing the service securely, and the Customer has an interest in confirming your identity to provide that service safely. In cases where you directly interact with our verification service as part of signing up for the Customer’s service, it may also be considered as processing necessary for performance of a contract with you (the contract being your agreement to undergo KYC to use the Customer’s platform).
Quality Improvement & Training (Limited, with Safeguards): We continually work to improve our identity verification technology (for example, refining our document recognition algorithms or reducing bias in face matching). To do this, we may use anonymized or aggregated data from past verifications. Wherever possible, we transform data so that it can no longer be linked to a specific individual (thus no longer personal data). If we ever need to use any identifiable data for internal development (we strive not to), we will ensure a lawful basis such as legitimate interests (our interest in improving our services) with robust safeguards, or we will seek additional consent. Important: Any such use for improvement is separate from the verification we perform for our Customer and is done under VOVE ID’s role as a controller. We do not use your data for general product development in a way that would impact your privacy without ensuring it’s either anonymized or done with high security and legal compliance. Our primary focus is to use real data only to the extent necessary and to rely on synthetic or anonymized data for training whenever feasible.
Compliance and Legal Claims: We may process End-User data if necessary to comply with laws or respond to legal processes. For instance, under certain regulations we might need to retain verification logs for a certain period, or to provide information to law enforcement or regulators upon valid request (see Data Sharing below). The lawful basis could be compliance with a legal obligation. Similarly, if we need to process data to establish, exercise, or defend legal claims (for example, to demonstrate that a verification was performed correctly in case of a dispute), we would rely on legitimate interests (our interest in defending our business or our Customer’s interest in fraud prosecution).
Customization Note: The exact lawful basis can vary by Customer and jurisdiction. For example, a financial institution in the EU might cite GDPR Article 6(1)(c) (legal obligation) for KYC processing, whereas a sharing-economy platform might use Article 6(1)(f) (legitimate interests). In all cases, VOVE ID’s processing of End-User data is limited to the purposes of identity verification, fraud prevention, and compliance, as instructed by the Customer and allowed by law. We do not process End-User personal data for any new or incompatible purpose. If a Customer requests any processing outside the scope of our service, they are responsible for ensuring it’s lawful and properly communicated to you.
3.2 For Business Clients (Service Delivery)
For our business clients and their users, VOVE ID acts as a data controller when processing your personal data in the context of providing identity verification services to your organization. Our purposes and lawful bases include:
Providing the Service & Fulfilling Our Contract: We use client contact and account data to set up and administer your organization’s account, authenticate you, and provide our identity verification services to your company. This includes maintaining your dashboard, enabling you to run verifications, and providing support. The lawful basis is performance of a contract – when your company signed up, an agreement was put in place, and we need to process your (the user’s) data to fulfill our obligations under that contract (e.g., to ensure only authorized users access the account, to deliver usage reports, etc.). If you personally didn’t sign the contract but are an authorized user, our lawful basis is our legitimate interest in providing the service to your employer and ensuring authorized access.
Communication and Support: We process your contact information to communicate with you about the service. This includes sending service-related announcements (e.g. updates about platform availability, security or privacy updates to this policy), responding to support requests, and notifying you of new features or improvements. The lawful basis here is legitimate interests – it’s in our interest (and usually yours) to keep you informed about the service you are using. For example, if we are performing maintenance, we have a legitimate interest in emailing users about downtime. When you reach out with a question, it’s our legitimate interest to use your info to respond. In some cases, communications may be necessary for contract performance (for instance, sending you an onboarding email to activate your account might be considered part of delivering the service). We ensure that any marketing-oriented communications are only sent in compliance with applicable laws (see the next point).
Marketing and Insights: If you are a business contact who has shown interest in VOVE ID (e.g., by signing up for a trial or downloading a whitepaper), we may send you relevant marketing communications such as product updates, newsletters, or event invites. We will do this either with your consent (for example, if you tick a box agreeing to updates) or under legitimate interests if you are an existing customer or have a context where such contact is expected (the GDPR and some laws allow B2B marketing to existing customers on the basis of legitimate interest, sometimes called a “soft opt-in,” as long as there’s an easy opt-out). In every case, you have the right to opt out of marketing emails by clicking “unsubscribe” in the message or contacting us. We do not spam and we do not share your contact info with third parties for their own marketing.
Billing and Administration: We process the necessary personal data for billing and account administration. For example, our finance system will contain the billing contact’s name and contact details, invoices issued, and payment status. The lawful bases are contract (we have to bill as part of the service agreement) and legal obligation (we must keep certain records for tax and accounting). If we use a payment processor or handle credit card information, that information is processed securely and in compliance with payment card industry standards; we typically only keep payment details via accredited payment processors, not in our own systems.
Security and Abuse Prevention: To protect our services and your account, we monitor and log certain activities in the client dashboard and API. For example, we may log failed login attempts, usage patterns that indicate potential misuse, or accesses that trigger security rules. The lawful basis is legitimate interests – both ours and yours – in maintaining a secure service. This helps prevent unauthorized access to sensitive verification data and ensures we meet our contractual promise of secure processing. If we detect an issue (like a compromised account API key), we will use your contact data to alert you and help resolve it.
Service Improvement and Analytics: We might use business clients’ usage data (aggregated and anonymized where possible) to understand how our services are performing, which features are used most, and what could be improved. For example, we could analyze the average time to complete a verification or which features clients use often. The lawful basis is legitimate interests – running an efficient and user-friendly service. These analyses are about our product usage and generally do not focus on individuals, but to the extent any personal data is involved (like an admin’s clicks), we anonymize or aggregate it. If we want to use any identifiable feedback or case study involving a person, we would ask for consent.
Compliance and Legal Requirements: We may process client data to comply with laws (e.g., know-your-business requirements, export restrictions, etc.). If, for instance, you are in a regulated sector, we might be required to do due diligence. This could include using your data to confirm we can lawfully offer you our services (like checking against sanctioned persons lists if required by law for our contracts). The lawful basis would be legal obligation or our legitimate interest in complying with law and preventing misuse of our services.
In summary, for B2B users we primarily use your data to run our business relationship with your company – providing the service, supporting you, improving the product, and meeting our legal duties. We do so in a way that respects your privacy, and we do not use your information for unrelated purposes such as third-party advertising.
3.3 For Website Visitors (Site Functionality & Analytics)
For visitors to our website (who may not be directly using our identity verification service), we process personal data mainly to operate our website and learn how to improve it. The purposes and legal bases include:
Operate and Secure the Website: When you load our website pages, our systems inevitably process your device and network data to deliver the content to you. This includes routing the content to your IP address and adapting the presentation to your device. The lawful basis for basic site operation is our legitimate interest in providing an informative and secure website (GDPR Recital 49 also recognizes ensuring network and information security as a legitimate interest). We also log events (like errors or unusual access patterns) to maintain security – again under legitimate interests (protecting our site and users from malicious activity). Without this processing, the website cannot function properly.
Analytics and Performance Tracking: We would like to understand how visitors engage with our site so we can improve layout, content, and performance. For this, we use analytics tools that collect Usage Data and set non-essential cookies. The lawful basis for analytics cookies is consent. When you first visit, we will only activate our analytics (e.g., Google Analytics) if you consent via the cookie banner. If you opt in, we process data like page views, clicks, and general geo-location to generate insights (e.g., which countries have the most visitors, which pages get the most attention). This helps us make decisions such as improving popular docs or optimizing load times. You can withdraw consent at any time by adjusting your cookie settings (this won’t affect the basic browsing of the site). We configure our analytics tools to respect privacy – for instance, we might mask part of your IP address and we don’t allow the analytics provider to use the data for their own purposes.
Personalizing Your Experience: We may use cookies to remember choices you make, such as your language preference or other settings, so that you have a consistent experience on return visits. The lawful basis for these preferences could be consent (if not strictly necessary) or legitimate interest if it’s strictly for enhancing user experience in a minimal way. For example, remembering a language preference could be seen as a legitimate interest because it’s expected and has minimal privacy impact. In any case, you have control via browser settings or our cookie banner to disable such cookies if you prefer.
Responding to Your Requests: If you submit a contact form, sign up for a newsletter, or ask for a demo, we will use the data you provide to fulfill that request. The lawful basis depends on context: it could be consent (if you clearly opted to provide your details), or it could be a pre-contractual step (if you’re inquiring about our services, we consider you a prospective customer and our follow-up as something you requested). In all cases, we will use your info only to respond appropriately – e.g., if you asked a question, to answer it; if you signed up for a newsletter, to send it. If you become a customer, your data will then be handled per the Business Clients section; if not, we may periodically reach out with your consent or legitimate interest as described in Marketing above, but you can opt out.
Advertising and Retargeting: We do not sell your data to advertisers. However, we may run our own online ads and use tools (like Google Ads or LinkedIn) to measure their effectiveness or to “retarget” visitors (show our ads to people who have visited our site). This may involve setting third-party cookies or pixels. The lawful basis for any such marketing cookies is consent. If you do not allow marketing cookies, you won’t receive retargeting from us. If you do consent, those third parties (like Google) may collect some of your Usage Data on our site to help us know, for example, whether someone who saw an ad ended up visiting our site, or to allow us to show an ad for our service to you on another website. We will provide details of any such cookies in our Cookie Notice and honor your choice.
Compliance and Protection: We might process website visitor data to comply with legal requirements or to protect our rights. For example, we may keep server logs (including IP addresses) for a certain period as a security measure and to investigate if our site is misused (like a hacking attempt or someone posting illegal content in a form). The lawful basis would be legitimate interests (maintaining security and legal compliance) or legal obligation if we are required to retain certain data. These logs are generally only accessed when necessary (e.g., debugging or security analysis) and are securely deleted after the retention period (see Data Retention below).
In summary, for website visitors, most non-essential processing (like analytics/ads) only occurs if you consent. Essential processing for functioning and security is based on our legitimate interests in running a reliable, safe website that you expect to interact with when you navigate to it. We aim to be transparent and give you control over any data that isn’t strictly necessary for the basic use of our web resources.
4. Data Sharing and Disclosure
We treat your personal data with care and confidentiality. We do not sell personal data to third parties. However, in order to operate our services, we sometimes need to share data with certain trusted parties. Here we outline who those parties are, and under what circumstances data is shared:
Our Customers (Business Clients): If you are an End-User being verified, we will share the results of your identity verification with the Customer that requested it. In fact, providing the verification result to them is the purpose of the service – for example, we may forward the verification report, your identity documents, and related data to the company that needs to vet your identity. That Customer will use the information according to their own privacy notice and applicable law. We only disclose your data to the specific Customer who authorized your verification; we do not broadcast it to anyone else. If multiple companies separately ask you to verify (e.g., you sign up at two different banks that both use VOVE ID), each company sees only their own requests’ data.
Service Providers (Sub-processors): We rely on reputable third-party service providers to help us deliver our services. These providers act as sub-processors, meaning they process personal data on our behalf (and under our instructions). Key sub-processors include:
Cloud Hosting and Infrastructure: We use Google Cloud Platform (GCP) in the European Union to host and store the majority of personal data. Your verification data, our databases, and servers are in secure data centers in the EU. Google acts as our sub-processor to store and transmit data, but it cannot use your data for any other purpose. We have a GDPR-compliant Data Processing Addendum with Google which includes Standard Contractual Clauses for any necessary transfers (see International Transfers section).
Identity Verification Tools: In some cases, we may use third-party software or services integrated into our verification process. For example, we might use a document authenticity checking service, biometric algorithm vendor, or AML database provider. These providers would receive the necessary data (e.g., an ID image or a name to check against a sanction list) and return results to us. They are bound by contracts to only use the data for the intended verification task.
Communication Services: We use certain tools to communicate with End-Users and Clients. For instance, an email delivery service (to send codes or receipts), or SMS gateway (to send text verifications), or a customer support platform (to manage inquiries). These processors may handle personal data like your email, phone, or name in the context of those communications. They are obligated to keep it secure and confidential.
Analytics and Marketing Partners: For our website, we may use analytics providers (like Google Analytics) or advertising platforms (like Google Ads, LinkedIn) as described earlier. These act as processors or independent controllers in their domain. We ensure any data sharing is minimized (for example, we might share a hashed identifier or use built-in privacy settings). They cannot identify you personally from the data we share for analytics, and any broader use (like by Google for ad personalization) is subject to your consent and their privacy policy.
Other Vendors: We may engage other vendors for specific services like data backups, content delivery networks (CDNs), or security monitoring. Any such vendor with access to personal data is vetted for security and privacy and bound by a strict contract. We maintain an up-to-date list of significant sub-processors which we can provide to our Customers or Data Protection Authorities upon request.
We choose sub-processors carefully, ensuring they have strong data protection practices. All our sub-processors are bound by Data Processing Agreements that impose GDPR-level protections (including confidentiality, security measures, and third-party audits). Before onboarding new sub-processors, we assess their security controls. We remain responsible for any processing they do on our behalf.
Within Our Corporate Group: If VOVE ID is part of a group of affiliated companies (for example, if we have subsidiaries or branch offices in other countries), we may share data within that corporate family as needed to operate the service. For instance, if our R&D team is in a different country, or if a subsidiary provides support services, they might access data. Any internal transfers will follow the same security standards and, if transferring outside of your region (e.g., EU), will be covered by intra-group agreements with Standard Contractual Clauses or equivalent safeguards. [Note: As of this policy date, VOVE ID primarily operates remotely from [Morocco and Estonia]; we will update this section if our corporate structure changes.]
Legal and Regulatory Disclosure: We may disclose personal data to third parties when required by law or necessary to protect rights. This includes:
Law Enforcement and Government Authorities: If we receive a legally binding request (such as a court order or subpoena) for information, we will evaluate it carefully. If required, we will provide the minimum necessary data to comply with the request. For example, if a law enforcement investigation asks for certain verification records and the request is valid under law, we may have to furnish those records. Where permitted, we will inform affected data subjects or Customers of such requests.
Regulators and Data Protection Authorities: As an organization under GDPR, we cooperate with data protection regulators. If a Data Protection Authority (DPA) conducts an inquiry or if we’re required to demonstrate compliance, we might share relevant records (which could include personal data) with that authority.
Protecting Rights and Safety: We reserve the right to disclose data if necessary to protect the rights, property, or safety of VOVE ID, our Customers, End-Users, or the public. For example, disclosing information to prevent harm or report illegal activities (like a fraud scheme). This would be based on our legitimate interests in security and safety. Any such disclosure will be done in line with applicable laws.
Business Transfers: If VOVE ID is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, personal data might be transferred to the successor or acquiring entity. We would ensure that any such entity is bound to respect this Privacy Policy (or you would be given notice and a chance to opt-out if laws provide for that). We would also require the receiving party to only use your data for the same purposes we collected it, unless you consent to new processing.
We emphasize that any third party that receives personal data from us will have to agree to protect it in accordance with applicable data protection laws. We do not allow any third-party recipients to use personal data for their own marketing or purposes not described in this policy.
Furthermore, we never share End-User verification data with other clients or any unauthorized parties – each Customer only has access to their data. Internally, access to personal data is strictly limited: our staff access your data on a “need-to-know” basis and with least privilege, meaning only the personnel who require it for their job (for example, a support engineer troubleshooting) view it. All employees and contractors are under confidentiality obligations.
5. Data Storage and International Transfers
We understand the importance of keeping personal data not only secure, but also in appropriate locations. Here we describe where we store data and how we handle international data transfers.
Primary Storage in the EU: All personal data collected through VOVE ID’s services is, by default, stored on secure servers located in the European Union. We utilize Google Cloud Platform data centers in the EU (for example, in Belgium and/or the Netherlands) for our databases, file storage, and servers. By keeping data in the EU, we ensure that your information is protected under the stringent data protection laws of the European Economic Area (EEA). Google Cloud has robust security certifications and complies with the EU Cloud Code of Conduct, and acts only on our instructions regarding your data. We do not store personal data in jurisdictions without adequate data protection unless necessary and with proper safeguards, as explained below.
Geographic Scope of Operations: VOVE ID’s main operations currently are based in Morocco and the EU. We may have personnel or partners outside the EU who assist with providing our services (for example, a support center or development team). However, even if our team is outside the EU, they will access data remotely on EU servers. We have strict controls and monitoring to ensure that all access is secure (e.g., via encrypted connections and VPN) and limited to authorized purposes.
Transfers Outside of the EU: Whenever we (or our sub-processors) transfer personal data from the EU to a country that is not deemed “adequate” by the European Commission (meaning the country’s privacy laws are not considered equivalent to EU standards), we rely on approved legal mechanisms to ensure your data remains protected. The primary mechanism we use is the European Commission’s Standard Contractual Clauses (SCCs). These are contractual commitments between us (or our partners) and the data importer that require the same level of data protection as in the EU. For example:
If our Customer is outside the EU and needs to receive End-User data (e.g., a bank in MENA or the US using our service), our contract with that Customer will include SCCs obligating them to protect the data.
If we use a sub-processor in the US or another country (for instance, an email service), we will have an SCC or an equivalent arrangement in place with them. Additionally, where appropriate, we implement additional safeguards on these transfers, such as encryption in transit and at rest, and policies to handle any government access requests for data (in line with the Schrems II ruling requirements).
Other Transfer Mechanisms: If SCCs are not applicable or sufficient in a scenario, we may rely on other GDPR-approved mechanisms: for instance, an adequacy decision (if the data is transferred to a country that the EU has deemed adequate, like Switzerland or likely the UK), or binding corporate rules (if we ever establish those for intra-group transfers), or your explicit consent in rare cases (with clear notice of risks). We will always choose the mechanism that best protects data and is feasible for the given transfer.
Data Localisation (if applicable): Some of our Customers or data subjects might be in countries with data localization laws (requiring data to stay within a country). If such laws apply, we will comply accordingly. For example, if a particular country in which we expand mandates that citizens’ data stays on servers in that country, we will set up the necessary infrastructure or partner with a local provider under equivalent protections. We will inform the affected users in our privacy communications if this becomes relevant.
Access from Other Regions: Even when data is stored in the EU, it might be accessed by you or by our Customer from wherever you/they are (since identity verification is online). For instance, if you are in MENA or Africa and verifying your identity, your data travels to our EU servers for processing, and the results are accessed by the company in your country. This is considered an international transfer from the EU perspective if the data goes to a non-EU company (the Customer). In such cases, as noted, we ensure our contracts with those Customers include EU model clauses and that they handle your data lawfully.
Retention of Data in Region of Origin: If required by our Customer or by law, we can ensure that a copy of the verification data is provided back to the Customer to store in their region. However, our own copy will reside in the EU (unless otherwise arranged contractually).
In summary, our approach is to minimize cross-border transfers and, when they are necessary, to safeguard them thoroughly. We want you to know that wherever your data goes, it remains under the protection of strong privacy commitments. If you have questions about our international data handling or want to obtain a copy of the relevant transfer safeguards (like SCCs), please contact us (see Contact Us section). We may redact certain contractual provisions for confidentiality, but we can explain the protections in place.
6. Security Measures
VOVE ID takes data security extremely seriously. We employ a multi-layered security program to protect personal data from unauthorized access, alteration, disclosure, or destruction. Our security measures follow industry best practices and are continually updated to address evolving threats. In this section, we outline key technical and organizational measures we have implemented to safeguard your information.
6.1 Technical Safeguards
Data Encryption: All personal data is encrypted both in transit and at rest. This means that when your data is being transmitted between your device and our servers (or between our servers and sub-processors), we use strong encryption protocols (such as HTTPS/TLS) to prevent eavesdropping. Similarly, stored data (databases, backups, etc.) is encrypted using state-of-the-art encryption algorithms. Encryption ensures that even if data were to fall into the wrong hands, it would be unreadable.
Access Control and Authentication: Access to our systems and data repositories is strictly controlled via role-based access control (RBAC). Only authorized personnel with a need-to-know can access personal data, and their access is limited to the minimum their role requires. We enforce strong authentication (including multi-factor authentication (MFA) for our employees and admins) to prevent unauthorized logins. Administrative access to sensitive systems is logged and regularly reviewed.
Network Security: Our servers are protected by firewalls and network segmentation. We isolate environments so that, for example, public-facing systems are separated from internal databases. We employ intrusion detection and prevention systems (IDS/IPS) and continuous network monitoring. Regular security scans and penetration tests are conducted to find and patch vulnerabilities. We also utilize secure VPNs and encrypted channels for any remote administration.
Secure Software Development: Our engineering team follows secure coding practices and frameworks. We conduct code reviews and use automated scanning tools to detect security weaknesses in our software. Before new features or updates are deployed, they undergo testing (including security testing). We also run a bug bounty or responsible disclosure program encouraging security researchers to report issues to us.
Data Minimization and Pseudonymization: Whenever feasible, we reduce the amount of identifiable data in our systems. For example, for machine learning training we use anonymized data. Within operational systems, we may pseudonymize data (replace direct identifiers with codes) so that full identification is only possible with a separate lookup (which is tightly controlled). This way, even if an internal database is accessed, the data is not immediately identified without the key.
Monitoring and Logging: We have extensive logging of access and actions in our systems. Critical systems generate alerts for unusual activities (e.g., multiple failed login attempts, large data exports, etc.). We employ 24/7 monitoring, so our security team is notified quickly of potential incidents or anomalies. Our logging also helps in forensic analysis if something does go wrong, so we can trace the issue.
Backups and Recovery: We perform regular backups of critical data to prevent loss. Backups are encrypted and stored securely (with the same data residency considerations – e.g., within the EU). We test our disaster recovery plans periodically to ensure that we can restore availability and access to data in a timely manner in case of a physical or technical incident. The default retention period for backups is limited (e.g., 90 days), after which they are securely deleted, in line with our retention policy.
6.2 Organizational Measures
Access Policies and Training: All VOVE ID employees and contractors undergo background checks as allowed by law and must sign confidentiality agreements. We provide regular training to all staff on privacy and data security practices, ensuring they understand their responsibilities to protect personal data and recognize social engineering or other risks. Our internal policies dictate how data is handled, reported, and disposed of. Only a small, vetted team has access to production personal data, and that too under strict circumstances.
Dedicated Security & Privacy Team: We have a dedicated team responsible for overseeing security and data protection compliance. This includes security engineers, compliance officers, and a Data Protection Officer (DPO) (if applicable by law or appointed by us voluntarily). This team conducts risk assessments and privacy impact processors. We also engage independent auditors or experts to assess our security controls regularly (including annual penetration testing and possibly SOC 2 or ISO 27001 audits as we grow).
Third-Party Risk Management: Before we onboard any sub-processor or vendor who might handle personal data, we perform a due diligence assessment of their security posture. We ensure there is a Data Processing Agreement in place. We require our sub-processors to have appropriate certifications or audits (like ISO 27001, SOC 2, or similar) or to otherwise demonstrate compliance with GDPR. We monitor their compliance and will terminate contracts if a vendor doesn’t meet our security requirements.
Least Privilege & Need-to-Know: As noted, internally we adhere to the principle of least privilege. Our support or verification agents can only see data relevant to the task (e.g., a support agent might see an End-User’s verification session details only when troubleshooting that session for the Customer, and even then, sensitive data like full ID images may be hidden or masked unless absolutely necessary). Access to production data is logged and requires managerial approval.
Physical Security: Although we rely heavily on cloud infrastructure, any office or data center environment we operate in is secured. Our offices have access controls (badges/biometrics) and visitor policies. For cloud data centers, we rely on provider physical security (which for Google Cloud includes 24/7 guard surveillance, biometric access, etc.). We do not store sensitive personal data on employee laptops or devices; everything is in secure cloud environments. Employee devices are encrypted and centrally managed to enforce security (with remote wipe, etc.).
Incident Response Plan: We have an incident response plan that outlines the steps for detecting, containing, investigating, and notifying appropriate parties of security incidents. Key staff are trained on emergency procedures. We simulate breach scenarios to ensure readiness. See the next section on Data Breach Response for details on how we handle any actual incidents.
Certifications and Compliance Programs: We continuously review our security controls against industry standards and emerging threats to keep our protections up to date.
Our goal is to maintain a “state-of-the-art” security posture in line with GDPR’s requirement for appropriate technical and organizational measures (Article 32). Data security isn’t a one-time effort – we treat it as an ongoing priority that is embedded in all aspects of our operations. If you have specific questions about our security measures, we can provide further information (subject to not exposing sensitive info that could itself be misused).
7. Data Breach Response
Despite best efforts, no system is 100% secure. In the unlikely event of a personal data breach (a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), VOVE ID has a clear plan to respond quickly and effectively in order to minimize any harm and comply with our legal obligations.
Identification and Containment: Our monitoring systems and staff are trained to detect potential security incidents. The moment we suspect a data breach, our incident response team swings into action. We gather details on what happened, what data is involved, and which individuals might be affected. We work to immediately contain the breach – for example, isolating impacted systems, revoking compromised credentials, or shutting down an attack in progress – to prevent further unauthorized access.
Assessment: We will assess the scope and severity of the breach. This means determining how much data and which individuals are impacted, the type of data (for instance, whether it included sensitive information like IDs or biometrics), and the potential consequences for users. We also determine whether the breach is likely to result in any risk to individuals’ rights and freedoms – GDPR makes a distinction between breaches that pose a risk and those that don’t, which influences notification requirements.
Internal Notification: Our internal escalation policy ensures that the right people are informed, including executive leadership, our Data Protection Officer (if one is appointed), and our security team. If the breach involves systems managed by a sub-processor, we also inform that sub-processor and coordinate response efforts.
Fixing the Issue: We will identify the root cause of the breach and take corrective actions to prevent a recurrence. This could involve patching software, changing configurations, enhancing monitoring, or even disciplining or re-training staff if human error was involved. We document everything we learn for accountability and improvement.
Notification to Affected Parties: We are committed to transparency about serious incidents. As a data processor for End-User data, we will notify the affected Customer (data controller) without undue delay after becoming aware of a breach. This allows our Customer to then fulfill their obligation to notify regulators or individuals as required. We will provide them with all relevant information about the breach, including the nature of the incident, the data affected, likely consequences, and measures taken to mitigate it. We will assist our Customer in communicating with their end-users if needed.
If VOVE ID is the data controller of the data involved (e.g., a breach of website visitor or client account data), we have legal duties to notify:
Supervisory Authority: If the breach is likely to result in a risk to individuals’ rights and freedoms (for example, risk of identity theft, fraud, reputational harm, or other significant effect), we will report the breach to the relevant Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Our report will include the nature of the breach, categories and approximate number of affected individuals and records, likely consequences, and measures taken or proposed to address it. If we can’t provide all details within 72 hours, we will provide initial info and supply more as soon as possible.
Affected Individuals: If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you (the impacted individuals). High risk means you could potentially suffer significant harm – for example, if your identity information or password was leaked and could be misused. Our communication will be in clear language, describing what happened and any steps you should take to protect yourself (like changing passwords or being vigilant against scams), as well as providing our contact information for more information. We may not contact individuals directly if the data was End-User data under a Customer’s control – in that case, typically the Customer will handle individual notices, often with our help. If we have made the data unintelligible (e.g., strong encryption) or taken measures that neutralize the risk, or if individual notification would involve disproportionate effort (in which case we’d do a public announcement), GDPR may not require an individual notification. But our default approach is to err on the side of caution and transparency.
Regulatory Compliance: We document all breaches and our responses, per GDPR’s accountability principle. If required, we will liaise with Data Protection Authorities to provide additional information. We view regulatory inquiries not as adversarial but as an opportunity to ensure we’ve properly addressed the issue. We will follow any guidance given by authorities regarding further actions.
Continuous Improvement: After resolving a breach, we conduct a post-mortem analysis to learn from it. We update our security measures and response plan based on any lessons learned. Our goal is to prevent future incidents and to strengthen our systems. Often, breaches (even minor ones) lead to implementing even tighter controls.
Rest assured, we treat any security incident with the utmost urgency and integrity. Protecting your data is our top priority, and in the rare event something goes wrong, we will do everything in our power to set it right and keep you informed every step of the way.
8. Data Retention
We only keep personal data for as long as it is necessary to fulfill the purposes outlined in this policy, or as required by law or our contractual obligations. Holding data for longer than needed can increase privacy risks, so we aim to minimize retention. Below we explain how long different types of data are retained and the criteria we use to determine retention periods.
End-User Verification Data: By default, VOVE ID will retain the personal data collected during an identity verification for a limited period, after which it is deleted or irreversibly anonymized. Our standard retention policy for verification records is no longer than 3 years from the date of verification. In many cases, we retain detailed data (e.g., images, video, documents) for a shorter period (for example, [90 days] in “active” storage accessible to our Customer) and then archive the data in a secure, access-restricted form for the remainder of the retention. Archived data is kept only for purposes of audits, compliance, or handling disputes and is not readily accessible for routine use. After the retention period expires, we securely delete the personal data, including backups.
Client-Specific Retention: Some of our enterprise Customers may request a different retention period to meet their own regulatory requirements. For instance, a financial institution might need to keep KYC records for 5 years by law, or conversely a privacy-conscious service might ask us to delete data sooner (say, after 30 days). We offer flexibility to our Customers to configure retention within our platform or by requesting it. If the Customer sets a custom retention, that will override our default for that data (and you would typically be informed via the Customer’s privacy notice). In any case, we never retain End-User personal data indefinitely and we will follow the controller’s instructions in this regard.
Biometric Data: For biometric identifiers (like facial templates), we apply even stricter retention in line with legal guidance. For example, templates may be retained only for as long as needed to complete the verification and then deleted or stored separately with additional protection. As noted earlier, by default we do not keep biometric face data longer than 3 years, and often much shorter. Some laws (like Illinois’ BIPA in the U.S.) require deletion of biometrics once the purpose is fulfilled, or within 3 years. We design our retention to meet the most stringent applicable rule.
Anonymized Data: We may retain anonymized data (which is no longer personal data) derived from verifications for analytics or training purposes beyond the retention period, since it poses no privacy risk. For instance, statistical information like “pass rates” or non-identifiable features used to improve our algorithms can be kept to improve our service over time. This data will not identify you and is not subject to deletion upon request because it’s not tied to any individual.
Business Client Data: If you are a Customer or user of our B2B service, we retain your data for the duration of the business relationship and thereafter as needed. Specifically:
Your account information and user profile are kept as long as your company remains a customer and your login is active. If you leave the company or your account is deactivated, we will remove or anonymize personal data associated with your user after a reasonable period, except to the extent it’s contained in business records we must retain.
Contract and transaction information (like the master agreement, billing records, support tickets) are retained for the term of the contract and typically at least 3 years after termination. This is to comply with legal record-keeping requirements (for example, accounting/tax laws might require 7 years retention of invoices) and to have necessary information in case of any post-contract obligations or disputes. We archive old client records securely and restrict access.
Communications with you (emails, chat logs) might be retained for a shorter period [e.g., 2 years] unless they contain important business info we need to keep longer. We periodically clean out older communications that are no longer needed.
If you unsubscribe from marketing communications, we will keep your contact on a suppression list indefinitely to ensure we respect that unsubscribe request (this is a standard practice to avoid accidentally emailing those who opted out). The suppression list contains minimal info (usually just email and opt-out status).
Website Visitor Data:
Web server logs (which may contain IP addresses and visit timestamps) are generally kept for a short period, typically several weeks to a few months (e.g., 1-3 months) unless they are needed longer for security analysis. We rotate and delete logs regularly. Logs required for legal or security investigations may be kept until those issues are resolved.
Analytics data is retained as per our configuration with our analytics provider. We currently set our Google Analytics data retention to 14 months by default (which is a common default), meaning data older than that is automatically deleted from Analytics reports. We don’t store raw analytics beyond the provider’s retention.
Cookies set on your browser have their own expiration durations. Some cookies (like session cookies) expire when you close your browser. Others (like preferences or analytics cookies) might persist for a few months or a year or two. Our Cookie Notice details the lifespan of each cookie. You can clear cookies from your browser at any time to delete those immediately.
Information you submit via forms (like contact requests) is stored in our systems (CRM or email) typically until it’s no longer needed. If you don’t become a customer or the conversation doesn’t continue, we might delete your inquiry after [12-24 months]. If you do engage with us (say you become a customer), the data becomes part of client records and follows the client retention policy.
Recordings of any user sessions (if we ever use tools that record how users interact on our site, which we currently do not, or if we have webinar recordings that include attendees) are kept only as long as necessary for analysis or providing the service.
Legal Holds: Occasionally, we may need to suspend deletion of certain data if it is subject to a legal hold – for example, if a lawsuit, investigation, or audit requires us to preserve evidence. In such cases, we will retain the relevant data until the hold is lifted, and then proceed with deletion or anonymization.
Deletion Procedures: When data reaches the end of its retention period, we delete it securely. Physical deletion from databases and file systems is performed, and for backups, data is overwritten or purged once the backups expire. Where deletion is not immediately feasible (perhaps it’s in cold storage), we ensure it’s isolated and protected until deletion is possible. We also ensure that our sub-processors delete data from their systems once it’s no longer needed. If we have communicated deletion or account closure to you, we follow through with permanent deletion (except for the limited data we may need to retain as noted).
To summarize, our retention approach is: keep data for only as long as necessary, and no longer. By default, we avoid indefinite retention. We balance retention needs with privacy, meaning we keep data long enough to serve legitimate purposes (like fraud prevention – sometimes historical data helps identify repeat fraudsters – or compliance record-keeping), but not so long that it becomes an unnecessary risk or burden.
If you have specific questions about how long your personal data is kept in a particular context, or if you believe we are still holding data that we shouldn’t, please contact us. In some cases, you may also exercise your right to erasure (right to be forgotten), which we address in the next section.
9. Your Rights as a Data Subject
As a user of our services or visitor to our site, you have certain rights regarding your personal data under GDPR and other data protection laws. We are committed to honoring your rights and providing you with control over your information. Below, we outline your key data subject rights and how you can exercise them. (If you are in a jurisdiction with additional rights, such as California or Brazil, those would generally be addressed separately; this section focuses on GDPR-defined rights which we extend broadly.)
Right to Be Informed: You have the right to clear and transparent information about how we process your personal information, essentially, the purpose of this Privacy Policy. We aim to provide all details about our data practices. If anything is unclear, you can always ask us for more information.
Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to receive a copy of that data, along with supplementary information. This is commonly known as a “Data Subject Access Request” (DSAR). For example, you can ask us to provide the data we have about you in our systems. We will provide it free of charge, usually within one month. If you request additional copies, we may charge a reasonable fee based on administrative costs.
Right to Rectification: You have the right to have inaccurate personal data corrected and incomplete data completed. If you see that we hold incorrect information about you (e.g., a misspelled name or outdated contact info), please let us know so we can fix it. In many cases (like a client user profile), you can correct your data directly through account settings.
Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. For instance, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal ground for processing, or if you object to processing and we have no overriding legitimate grounds, or if we unlawfully processed your data, you can ask us to erase it. We will honor valid erasure requests and delete your data, and also direct our processors to do so, except where we are required to keep the data (for example, due to legal obligations or defense of legal claims). We will inform you if that’s the case.
Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain situations. This could apply if you contest the accuracy of the data (we’ll restrict processing while verifying accuracy), or if the processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you need it for a legal claim, or if you have objected to processing (pending verification of overriding grounds). When processing is restricted, we will store your data but not use it (except, for example, to establish or defend legal claims, or with your consent). We’ll let you know when a restriction is lifted.
Right to Data Portability: For data you provided to us, you have the right to receive it in a structured, commonly used, machine-readable format, and the right to have us transmit that data to another controller where technically feasible. This right applies when the processing is based on your consent or on a contract with you, and is carried out by automated means. In practice, this might apply if, say, you provided data in a signup form and want to reuse it elsewhere. We will provide the data in a CSV or similar format that is easy to import, upon request. Note that this right is not an obligation to keep data longer for the sake of portability; it only covers what we have.
Right to Object: You have the right to object to processing of your personal data at any time, when such processing is based on our legitimate interests, or if we were performing a task in public interest/exercise of official authority (which we typically don’t). If you object, we must stop processing your data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims. You also have an absolute right to object to any direct marketing uses of your data. For example, if you receive marketing emails from us and don’t want them, you can object (unsubscribe) and we will stop. If you object to processing for fraud prevention (legitimate interest), we will consider your request and balance it against the necessity of the processing.
Right not to be subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects or similarly significant effects on you, unless the decision is (a) necessary for entering into or performing a contract, (b) authorized by law, or (c) based on your explicit consent. In simpler terms, if a computer says “no” (for example, denies a verification) with no human involvement, and that denial has a big impact on you, you can request human intervention or challenge the decision. We address our approach to automated decisions in the next section. In our processes, we include human review especially for borderline or failed cases to ensure fairness. As an End-User, you can also raise any concerns through our Customer or directly to us, and we will have a person examine the situation.
Right to Withdraw Consent: When we rely on your consent to process data (for example, your consent to use cookies or to process biometric data), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will stop the future processing of the data involved. For example, you can change your cookie settings to withdraw consent for analytics, or if you consented to a biometric verification and then change your mind before completion, you can notify us or the Customer to halt the process. Do note that if you withdraw consent needed for a service (like identity verification), it may impede the ability to complete that service.
These rights are not absolute – there are exceptions and conditions under which they apply. For example, we might not erase data that we are required by law to keep, or we might refuse an access request that is manifestly unfounded or excessive (but we would provide a justification in such cases). However, we will always assess and respond to your requests in good faith and in accordance with applicable laws.
9.1 Exercising Your Rights
How to Make a Request: To exercise any of your data subject rights, you can contact us using the information in the Contact Us section of this policy. The easiest method is usually to email us at [email protected] [subject:privacy] with your request. Please describe what right you want to exercise and any relevant details (for example, the context in which you interacted with us, so we can locate your data). You can also send requests via postal mail to our address or use any online portal we might provide for privacy requests.
Identity Verification: For security, we may need to verify your identity before acting on your request. This is to ensure we do not disclose or delete data at the request of someone impersonating you. We might ask you to provide information that matches our records, or if necessary, a copy of an ID (we’ll only use it to confirm identity, and then delete that copy). For End-Users, since we might only have your data via a Customer, we might refer you to the Customer to validate your identity and request (since they initially collected your info).
Acting on Behalf of Another: If you are an authorized agent making a request on someone else’s behalf, we will require proof of authorization (for example, a power of attorney or a written consent from the data subject).
Fees and Timing: In general, we do not charge a fee for fulfilling rights requests. If a request is unusually burdensome or repetitive, the law permits a reasonable fee or even refusal, but we will typically try to provide at least one copy of your data for free. We aim to respond to all valid requests within one month of receipt. If a request is complex or we have a high volume of requests, we may extend this by an additional two months, but if so, we will inform you within the first month and explain why. For example, an access request that involves pulling data from multiple systems might take longer; we’ll keep you updated.
Interaction with Our Customers (for End-Users): If you are an End-User whose data we process on behalf of a Customer, it is often most efficient to direct your request to that Customer first. As the data controller, they have the responsibility to address your rights. For instance, if you want a copy of your verification data, the company you verified with might provide that to you (often they have it in their dashboard). If you request deletion through the Customer, they will instruct us to delete records as needed. That said, you are not prohibited from contacting us directly – we will assist and coordinate with the Customer to the extent we are allowed. Under GDPR, as a processor we must assist the controller in meeting data subject requests. So if we receive a request and we know it relates to a Customer’s data, we might consult them (to verify, for example, that releasing the data to you is appropriate and doesn’t violate someone else’s privacy, etc.) and then proceed accordingly.
Objecting to or Limiting Processing: If you choose to object to processing or withdraw consent, we will explain the consequences (if any) to you. For example, if you object to processing necessary for our service to a Customer, we might have to inform the Customer that we can no longer process your upcoming verifications. If you withdraw consent for marketing emails, we will stop those right away (it may take a few days to propagate across systems, but usually it’s immediate via the unsubscribe link). If you want to restrict processing, we will mark your data as restricted and not use it (aside from storing it) until the matter is resolved.
Denial of Requests: In rare cases, we might not be able to fulfill a request. Examples include: we cannot delete data that is required by law (we would inform you of this and only retain what’s necessary); we cannot provide data that would infringe on another’s rights (if your data is mixed with others’ and revealing it would impact others’ privacy, we’ll work to isolate your data); or if you request excessive copies or make repetitive requests, we might refuse or charge a fee. If we refuse any part of a request, we will clearly explain why, and outline any further options (like complaining to a DPA, see below).
Complaints: We encourage you to contact us first to resolve any questions or issues about your personal data. However, if you believe we have not complied with your data protection rights, you also have the right to lodge a complaint with a Data Protection Supervisory Authority (such as the CNDP in Morocco, or the Data Protection Authority in your EU country, or the UK’s ICO if in Britain, etc.). You can do so in the EU Member State where you reside, where you work, or where you believe the infringement occurred. We will cooperate fully with any inquiries by a regulator and strive to resolve issues amicably.
In summary, your rights are vital to us. We have established procedures to ensure we can honor them. Please don’t hesitate to exercise these rights – they are designed to give you control and peace of mind regarding your personal data.
10. Automated Decision-Making and Profiling
VOVE ID’s services involve advanced technology, including artificial intelligence (AI) and machine learning, to perform identity verification efficiently and accurately. We want to be transparent about how automated processing works in our system, and the role of humans in the decision-making loop.
Automated Processes in Verification: When you undergo identity verification through VOVE ID, several steps are automated. For example, our system may automatically check if the ID document you submitted is authentic (e.g., by detecting security features or comparing it against templates), or automatically compare your selfie to the photo on your ID using facial recognition algorithms. We also might have automated fraud checks – for instance, flagging if the same ID has been used multiple times or if certain risk indicators are present (like the document is expired or the video is suspected to be spoofed). These automated processes help to streamline verification, often in real-time or within minutes.
Significance of Decisions: Typically, the outcome of an automated process is a recommendation or score rather than a final verdict. For instance, our system might produce a confidence score that your selfie matches your ID photo, or a result that the ID passed authenticity checks. These results are then used by our Customer (the company verifying you) to decide whether to approve your verification or not. In many cases, the decisions that affect you (e.g., can you open the account or not) are made by our Customer, potentially with input from our automated results.
Human Oversight: We incorporate human review and oversight in our identity verification workflow to avoid solely automated decisions that could significantly affect individuals. Many identity verification outcomes are reviewed by trained verification specialists, especially if the automated system is unsure or flags an issue. For example, if our algorithms can’t confidently verify your document or face, the case may be escalated to a human verifier who will manually inspect the images and make a determination. This hybrid approach combining automated and human oversight ensures higher accuracy and fairness. We do not rely solely on algorithms to accept or deny an identity – there is usually a human in the loop either at VOVE ID or at our Customer’s side reviewing the results, particularly for borderline cases.
No Legal or Similarly Significant Decisions by VOVE ID Alone: VOVE ID itself typically does not make any decisions with legal or similarly significant effect on you without human involvement. Our service provides identity verification results to our Customer. It is ultimately our Customer’s decision to, say, onboard you as a client or not, based on those results and their own assessment. That said, we acknowledge that a negative verification result can have a significant impact (e.g., you might not get to use a service if your identity can’t be verified). Therefore, we design our systems to minimize errors and allow recourse.
Your Rights regarding Automated Decisions: Under GDPR, you have the right not to be subject to a decision based solely on automated processing that significantly affects you, and the right to request human intervention, to express your point of view, and to contest the decision. If you ever feel that an automated decision through our system was incorrect or unfair, you can contact our Customer or us to request a manual review. For example, if your verification was denied and you believe it was a mistake (perhaps the photo quality was poor or the system made an error), you can ask for a re-verification or review. Our Customer may have their own process for handling such appeals, and we will assist them by providing any necessary information or performing a second look through a human verifier.
Profiling: Profiling in our context could mean analyzing aspects of you like behavior or characteristics to assess risk of fraud. We do generate risk profiles in a limited sense (e.g., device reputation, past verification outcomes). However, we do not profile you for marketing or make personal predictions outside of identity verification. Any profiling we do is solely aimed at verifying identity and detecting fraud, not to evaluate your personality, habits, or creditworthiness, for instance.
Model Training and Fairness: Our AI models (for face matching, etc.) are trained on diverse datasets with the aim of being fair and unbiased. We actively monitor for and mitigate biases (such as differences in accuracy across different demographic groups). We also regularly test the performance of our automated checks to ensure reliability. If any systematic issue is found, we update our models and, in the interim, rely more on human checks. We understand the sensitivity around automated biometric matching and strive to meet high accuracy standards to avoid false rejections or false acceptances.
Transparency: If a particular decision or outcome was significantly driven by automation, we or our Customer will, upon request, provide you with meaningful information about the logic involved. We might describe, for example, “Your document was flagged as potentially forged by our automated system due to a mismatch in data, which contributed to the decision to require further review.” We won’t reveal proprietary algorithms in detail, but we will explain the general factors.
In summary, while VOVE ID employs sophisticated automated systems to make identity verification fast and secure, we do not hand over your fate to a machine without recourse. We blend technology with human judgment to ensure decisions are accurate and justified. If you ever feel an automated part of our service has caused an incorrect outcome for you, let us or the business you were signing up with know – you have the right to have a real person look into it and to provide any additional information that might help correct the outcome.
11. Updates to this Privacy Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We want you to always be aware of how we handle your personal data, so we will notify you of significant changes and post the revised policy with an updated effective date.
Version and Date: At the top of this policy, you can find the “Last Updated” date. That date indicates when the current version took effect. Older versions of our Privacy Policy can be provided upon request for reference (or may be archived on our website).
Notification of Changes: If we make material changes to this policy – for example, if we start processing data for a new purpose, or if we change how long we keep data, or if we engage new categories of recipients – we will take appropriate measures to inform you. This might include:
Posting a prominent notice on our website or dashboard (such as a banner or pop-up) informing of the update.
Sending an email notification to our Customers or to users (if we have your email on file) describing the changes.
In some cases, we might seek your consent to the new practices, if required by law. For example, if a new purpose would rely on consent or if we were to start processing sensitive data in a new way, we’d ensure you have a choice before that happens.
Minor changes (like clarifications, grammatical fixes, or updates that do not significantly affect privacy) may be made without a specific notice, beyond just updating the policy on our site. However, we strive not to make any surprise changes.
Reviewing the Policy: We encourage you to review this Privacy Policy periodically to stay informed about our data practices. If you continue to use VOVE ID services or our website after a new version of the policy is in effect, it will be deemed acceptance of the updated terms (to the extent allowed by law). If you do not agree with any changes, you should discontinue use of our services, and you may exercise your rights (such as requesting deletion of your data).
For our Customers: if we update this policy, it does not reduce your rights under any existing contract with us; it’s mainly to ensure transparency. We synchronize our privacy commitments in this public notice with our contractual commitments in Data Processing Agreements.
Customization Note: If an individual Client using VOVE ID has their own privacy notice referencing ours, they should update their references when we change this policy. We can provide a summary of key changes to assist with any communications you might need to do on your side.
We will not retroactively apply any material changes to data we collected in the past without your consent or a lawful basis. Any changes will apply going forward from the effective date.
If you have any questions or concerns about changes to this Privacy Policy, please reach out to us using the contact details below.
12. Contact Us
We welcome any questions, concerns, or requests regarding this Privacy Policy or our data practices. Your privacy is important to us, and we are here to help.
Email: You can reach our privacy team at [email protected]. This is the quickest way to get a response on any privacy-related inquiry, including exercising your rights.
Postal Mail: If you prefer, you may write to us at: VOVE ID Privacy Team 16192 Coastal Highway, Lewes, County of Sussex, State of Delaware, 19958, USA (Please include “Attn: Privacy” or “Attn: Data Protection Officer” on the envelope so it reaches the correct team.)
Data Protection Officer (DPO): We have appointed a Data Protection Officer to oversee our GDPR compliance. You may contact our DPO at [email protected] or via the postal address above (Attn: Data Protection Officer). The DPO is happy to address any issues regarding how we handle personal data.
We endeavor to respond to all legitimate inquiries as promptly as possible, typically within a few business days. If you are contacting us to exercise your rights, please see the section above on what information to include to help us process your request efficiently.
If you have a concern about privacy or data use that we have not addressed satisfactorily, you also have the right to contact your local data protection authority as mentioned. But we do hope to resolve any issues directly.
Thank you for trusting VOVE ID with your identity verification needs. We value that trust and are committed to safeguarding your personal information. This Privacy Policy is meant to provide transparency and assurance of that commitment. We are continuously improving our practices and policies, and your feedback is welcome.