PRIVACY NOTICE 


Introduction 

This is the Privacy Notice of NAME ID TECHNOLOGY LTD, a private limited company incorporated in England and Wales with company number 15936181. The company’s registered office is located at 20 Wenlock Road, London, England, N1 7GU (hereinafter referred to as “we”, “our”, or “us”). 

We are a service provider offering identity verification, business verification and anti-fraud solutions to our customers (including KYC, KYB and AML-related services), through the use of proprietary technology and trusted external data sources. This Privacy Notice explains how we process personal data when delivering these services, operating our website, managing customer relationships or responding to user requests. 

We process personal data in accordance with the applicable data protection laws, including the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Notice is intended to provide transparency to individuals whose data we process and to explain our responsibilities and your rights under these laws. 

If you have any questions about this Privacy Notice or the way we handle your personal data, you can contact us at: 

 Email: info@nameid.io 

We are committed to protecting your privacy and will respond to all inquiries in accordance with applicable data protection laws. 


Scope 

This Privacy Notice governs the collection, use, disclosure and retention of personal data processed by Name ID in connection with: 

  • The provision of our identity and business verification services, compliance screening and fraud prevention systems on behalf of our business customers; 

  • Interactions with our website and digital resources; 

  • Communications initiated by individuals through web forms, demo requests, job applications or support channels; 

  • Internal analytics, monitoring, product development and security operations where we act as a controller. 

This Notice applies to all users of our services and website, including end-users undergoing verification, customer representatives, visitors and other individuals who interact with us directly or indirectly. If you are undergoing identity verification initiated by one of our customers, we act as a data processor and the customer remains the primary controller of your personal data. 


Our Role as Data Controller and Data Processor 

Depending on the context and nature of the processing activity, NAME ID TECHNOLOGY LTD may act either as a data processor or a data controller, as defined under the UK General Data Protection Regulation (UK GDPR). 


We act as a data processor when we process personal data on behalf of our business customers, who determine the purpose and means of the processing. This includes activities such as identity verification, document checks, biometric data capture, and sanctions screening carried out under the customer’s instructions. In these cases, our customers remain the data controllers. 

We act as a data controller when we determine the purposes and means of processing ourselves. This includes: 

  • Operating and analysing demonstration environments; 

  • Conducting internal analytics and service improvement; 

  • Managing marketing communications and customer onboarding; 

  • Maintaining reusable identity profiles with the user’s consent; 

  • Conducting recruitment and responding to job applications. 

Where required, we inform data subjects of our specific role at the point of data collection and ensure that all responsibilities under applicable data protection law are fulfilled in accordance with our role. 


Definitions 

For the purposes of this Privacy Notice, the following definitions apply: 

Customer refers to any legal entity or organisation that engages Name ID to provide identity verification, business verification, regulatory compliance or related services. The Customer acts as a controller when determining the purpose and means of personal data processing. 

User or Data Subject means a natural person whose personal data is processed by Name ID. This includes individuals undergoing identity verification, business representatives, beneficial owners, website visitors, and anyone who interacts with Name ID services or systems. 

Personal Data means any information relating to an identified or identifiable natural person as defined in the UK GDPR. It includes identifiers such as name, identification number, location data, online identifier or other factors specific to a person’s identity. 

Special Categories of Personal Data refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation. 

Processing means any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure or destruction. 

Controller means the legal entity or natural person that alone or jointly determines the purposes and means of personal data processing. 

Processor means a legal entity or natural person that processes personal data on behalf of the controller, based on documented instructions. 

Third Party refers to any legal or natural person, public authority, agency or body other than the data subject, controller, processor or persons under their direct authority who are authorised to process personal data. 

Services means the identity verification, business verification, compliance screening, fraud prevention and related services provided by Name ID to its Customers. 

Website refers to the official Name ID website located at https://nameid.io including all its subdomains and web-based interfaces. 

Supervisory Authority means an independent public authority responsible for monitoring the application of data protection law. In the United Kingdom, this is the Information Commissioner's Office (ICO). 

Data Protection Laws means all applicable laws and regulations relating to the processing of personal data including the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and any related guidance or codes of practice issued by the ICO. 


Principles of personal data processing  

We are committed to ensuring that all personal data is processed in accordance with the following core principles established under applicable Data Protection Laws: 

Lawfulness, fairness and transparency.  

Personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject. We ensure that individuals are provided with clear information about how and why their data is processed. 

Purpose limitation.  

Personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner that is incompatible with those purposes. 

Data minimisation.  

Personal data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. 

Accuracy.  

Personal data is accurate and, where necessary, kept up to date. We take every reasonable step to ensure that inaccurate personal data is rectified or erased without delay. 

Storage limitation.  

Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed, unless a longer retention period is required or permitted by applicable law. 

Integrity and confidentiality.  

Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We apply appropriate technical and organisational measures to safeguard data. 

Accountability.  

We are responsible for ensuring and demonstrating compliance with the data protection principles outlined above through documented policies, procedures and regular reviews. 


Purposes of Personal Data Processing 

We process personal data for clearly defined and lawful purposes in accordance with our role as either a data processor or a data controller. The scope and purpose of processing may vary depending on the data subject's relationship with us and the applicable legal and contractual obligations. This section outlines the specific purposes for which personal data is processed. 

Performance of Services on Behalf of Customers  

When acting as a data processor for our business customers, we process personal data for the performance of contractual agreements, to provide services as requested by our customers, and to fulfil compliance requirements under applicable anti-money laundering (AML), counter-terrorist financing (CTF), and know-your-customer (KYC) or know-your-business (KYB) frameworks. This includes: 

  • Conducting identity and business verification; 
  • Processing biometric and document-based data to support verification processes; 
  • Screening against sanctions, watchlists, and politically exposed person (PEP) databases; 
  • Supporting internal due diligence procedures of our customers.

Upon completion of verification or when data is no longer necessary, and upon the customer’s written instruction, we return or securely delete personal data from our systems without retaining backup copies, unless otherwise required by law.

Processing for Our Own Purposes  

Where we act as a data controller, we may process personal data for our own legitimate interests or in fulfilment of legal obligations. These purposes include: 

  • Improving and developing our verification services, including the use of biometric data and machine learning for fraud detection and liveness checks, where permitted and with necessary safeguards; 

  • Preventing, detecting, and investigating fraudulent or unlawful activities by checking user data against confirmed or suspected records of illegal conduct; 

  • Performing profiling, risk analysis, and statistical evaluations related to AML/CTF and fraud detection; 

  • Identifying users or customer representatives for authentication or access management; 

  • Complying with applicable legal requirements for the establishment, exercise, or defence of legal claims; 

  • Maintaining wallet address attribution records for cryptocurrency compliance with the Travel Rule, linking wallet addresses to verified individuals or entities and flagging unusual or suspicious activity for reporting purposes; 

  • Keeping records of lawful basis for processing activities in accordance with accountability principles under UK GDPR. 

Use of the Name ID Identity Profile

Users may choose to create a reusable verification profile that can be shared with multiple customers at their discretion. This profile may include identity documents, biometric data, contact information, and verification history. The data is processed by us as a data controller, and upon a user’s request, we act as a processor when transmitting data to other verification recipients. The profile system supports data portability rights under applicable data protection laws.


Business Communication and Marketing  

We process data of customer representatives and prospective customers for the purpose of establishing or maintaining business relationships. This includes: 

  • Exchanging communication via forms, emails, and demo requests; 

  • Performing due diligence and onboarding procedures; 

  • Managing customer accounts and service use; 

  • Issuing updates regarding our products or features using soft opt-in rules or explicit consent. 


Demonstration Services  

When users access our service demonstration features via the website or applications, we may process: 

  • Identity document data including type, issuing country, number, expiration, and machine-readable zones; 

  • Biometric and facial data such as live selfies and document photos; 

  • Contact details and identifiers such as user ID; 

  • Device and technical data including geolocation, IP address, browser and software specifications.

This data is processed for a maximum of 30 days unless another retention justification applies. Special categories of personal data, such as biometrics, are only processed with the user’s explicit consent and are securely erased when the retention period or purpose expires.


Recruitment and Talent Management  

We collect and process data submitted by job applicants to assess their qualifications, communicate about the hiring process, and consider candidates for future opportunities. This includes: 

  • Name, contact information, and submitted application materials; 

  • Internal evaluation records and communication history.

Application data is typically retained for five years following a rejection or withdrawal, to allow follow-up if the position reopens or future roles arise.


Livechat and Contact Forms  

When users interact with us via livechat or complete a contact form, we collect the personal data submitted to process and respond to the request. This may include: 

  • Name, email address, phone number, and inquiry details.

We may retain this data for up to three years in order to respond to follow-up requests or ensure accountability in case of service-related issues.


Cookie-Based Tracking  

When individuals interact with our website, we use cookies and similar tracking technologies for the following purposes: 

  • Enhancing security and performance; 

  • Personalising content and remembering preferences; 

  • Performing analytics and fraud detection; 

  • Managing advertising and promotional outreach.

Details of the technologies used and applicable retention periods are available in our Cookie Policy.


Development and Research  

We may process technical and behavioural data to test, calibrate and improve our services. This includes: 

  • Algorithm training for fraud detection; 

  • Monitoring operational anomalies and non-conformities; 

  • Enhancing system functionality based on user behaviour and system performance.

Data processed for these purposes is retained only for the duration required to achieve the specified research or development objective.


Data Disposal and Erasure  

When data is no longer required for its original purpose or reaches the end of its retention period, we erase it securely from our systems. Depending on the storage medium and sensitivity of the data, we use: 

  • Secure digital deletion and overwriting methods for server-based systems; 

  • Deletion from physical devices in accordance with OS-level processes; 

  • Destruction of removable media using methods such as shredding or incineration where necessary; 

  • Permanent anonymisation for analytical datasets where appropriate.

All data deletion activities are subject to internal audit and accountability controls to ensure compliance with UK GDPR and other applicable data protection laws.


Processing of Biometric Data and Consent 

We process biometric data, such as facial geometry or liveness detection patterns, only where there is a valid legal basis in accordance with Article 9 of the UK GDPR. In most cases, the lawful basis for processing biometric data is the individual’s explicit consent. 

Consent Mechanism 

Explicit consent is obtained through a clear affirmative action using our digital interfaces. For example, when engaging in identity verification or using demonstration features, individuals are presented with a dedicated consent screen which explains the nature, purpose, and scope of biometric data processing. Consent is typically collected via a checkbox or similar mechanism that requires the user to actively confirm agreement before proceeding. In some use cases, a signed electronic form or other written acknowledgement may be used. 

Right to Withdraw Consent 

Individuals have the right to withdraw their consent at any time, in accordance with Article 7(3) of the UK GDPR. Instructions on how to withdraw consent are provided at the point of collection and are also available upon request. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, but it may limit the ability to use certain features or services that rely on biometric verification. 

We do not use biometric data for any purpose beyond what is explicitly described at the time of collection, and all such data is processed securely and deleted when no longer required for the stated purpose. 

Key Types of Personal Data Processing 

We engage in various personal data processing activities to deliver our services, meet regulatory obligations, and enhance our systems. These activities are performed either under the instructions of our customers or based on our own legal responsibilities. Data processing may include operations such as collection, structuring, consultation, storage, modification, retrieval, disclosure, alignment, restriction, erasure, and destruction. 

General personal data 

Full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, and postcode). 

Identity and Biometric Verification Procedures 

As part of our identity verification workflows, we extract and evaluate data from official identity documents including passports, national identity cards, and driver’s licences. These procedures involve: 

• Validating document integrity and consistency  

• Detecting tampering, image manipulation, or screenshot usage  

• Assessing embedded document security features such as MRZ codes, holograms, barcodes, and microchips  

• Performing facial recognition analysis by comparing document photos with live facial captures submitted by users 

Liveness detection techniques are used to confirm that the individual undergoing verification is a real, live person rather than a static image or spoofing attempt. These techniques may involve analysing facial movements or behavioural patterns and are applied in accordance with UK GDPR requirements for biometric data processing, subject to appropriate safeguards and, where applicable, explicit consent. 

Decision Support via Automated and Manual Review 

We provide verification results using a combination of automated systems and human analysts. Automated outcomes may be reviewed manually in cases where: 

• Inconclusive or ambiguous data is detected

• Risk indicators or specific checks require escalation

• Our customer requests manual confirmation

Although our platform generates identity reports, the ultimate decision to approve or reject a user is always made by our customers. We do not issue final decisions on onboarding or account access. 

Remote Identity Interviews 

We offer tools to support live video interviews for remote identity confirmation, typically carried out when customers are subject to additional regulatory obligations. These sessions may include real-time review of identity documents and interview questions. Operators may include our customers' staff or dedicated agents acting on their behalf. 

Third-Party Data Validation and Screening 

To assist customers with enhanced due diligence, we may provide access to third-party validation tools to check personal data against public or proprietary sources. Examples of data categories verified include: 

•  Government-issued identity registries  

•  International sanctions lists and politically exposed person (PEP) databases  

•  Credit bureaus and address validation sources  

•  Adverse media databases  

•  Social security or national insurance registries 

Additional checks may involve reputation screening of phone numbers, email addresses, or IP addresses.

Business Entity Verification (KYB) 

When engaged in Know Your Business (KYB) procedures, we gather and verify corporate data, including company registration details, management structure, beneficial ownership, and relevant legal documents. 

Fraud Prevention and Identity Risk Controls 

Our fraud mitigation processes are tailored to detect anomalies and identity misuse through: 

• Geolocation and device fingerprinting  

• Analysis of behavioural interactions with the system  

• Cross-checks on user-provided contact information

• Detection of repeated or multi-account activity

Fraud indicators are used to assign internal risk labels but do not directly result in service denial. Customers receive insights to assist in their own decision-making. 

Product Enhancement and Systems Testing 

As a data controller, we analyse anonymised and pseudonymised data to refine our tools and improve fraud prevention accuracy. Our development work includes: 

•  Training machine learning models  

•  Conducting performance reviews of analysts and systems  

•  Evaluating new verification workflows and fraud detection tools  

•  Collecting user experience feedback for UI improvement 

All development data is processed under strict security safeguards. 

Shared Verification Profiles 

To streamline repeat verifications, we enable users to reuse their previously verified data across multiple customer platforms. This functionality is activated only with the user’s express permission and is compliant with data portability rights. 

Transparency of Automated Checks 

Where automated processing carries legal or similar consequences, we apply all safeguards required by law. This includes the right to human review, the ability to contest outcomes, and a clear explanation of decision logic. 

Demonstration Environments 

Data processed within our demo features is used solely to showcase our services. It may include: 

•  Identity document information  

•  Facial imagery and biometric markers  

•  Device and location metadata 

Demo data is retained for no longer than 30 days unless otherwise specified by policy or user agreement. All biometric processing within demo flows requires informed user consent. 

Research and Interface Improvement 

We use monitoring tools to evaluate how users interact with our dashboard and website. These tools help identify areas for functional improvement or accessibility refinement. Personal data is pseudonymised during such evaluations to maintain confidentiality. 

User-controlled verification data sharing 

We offer users the ability to reuse their identity verification data with other participating services, subject to their explicit consent. This functionality supports data portability rights under the UK GDPR and allows individuals to share verified identity profiles across platforms where permitted and requested. 

Categories of Personal Data We Process 

We process different categories of personal data depending on the specific service provided, the relationship with the individual, and applicable regulatory or contractual obligations. These categories include, but are not limited to, the following: 

General Identification Data 

Full name, gender, personal identification number, date of birth, nationality, citizenship, and legal capacity. We may also collect information related to your location, such as street address, city, postal code, and country. 

Identity Document Information 

Details extracted from official documents, including document type, issuing country, identification number, expiry date, machine-readable zones (MRZ), barcode content, and other security elements embedded within the document. 

Facial image data 

Still and video images of the face captured through selfie verification or from uploaded documents. This may include voice and audio recordings where relevant. 

Biometric Data 

Data derived from facial features for the purposes of facial recognition and liveness detection. This may include facial maps or biometric templates, processed only with consent or legal authorisation. 

Contact Details 

Personal and business contact information, such as email addresses, phone numbers, and residential or corporate addresses. 

Financial Information 

Details limited to identity-related financial identifiers, such as cardholder name, card expiration date, and the first six and last four digits of the payment card number. This does not include full payment credentials. 

Technical and Behavioural Data 

Information collected from users' interactions with our systems and websites, such as: 

  • IP address and domain name 

  • Device fingerprint (including browser type, screen resolution, camera identifiers) 

  • Operating system and software attributes 

  • Session data, language preferences, battery level, user agent, and device signals 
    This may also include behavioural cues such as keystrokes, mouse movement, focus shifts, and gesture detection. 

Geolocation Information 

General geographic information inferred from IP addresses and device data, used to enhance security, prevent fraud, and support localisation of services. 

Unique Internal Identifiers 

Identifiers such as User ID, generated solely to link the user to their record within our system without directly identifying them to third parties. 

Public Records and Sanctions Data 

Information obtained from publicly available databases, such as sanctions lists, politically exposed person (PEP) databases, and adverse media sources, used to assess compliance and risk profiles. 

Communication Data 

Information submitted through support requests, contact forms, job applications, or email correspondence. This may include the content of the communication, attached files, and any other information voluntarily provided. 

All personal data is collected and processed in accordance with applicable laws and regulatory requirements. Where required, explicit consent is obtained for the processing of sensitive or special categories of data. 

We apply strict access controls, pseudonymisation, and encryption to all personal data, and ensure that data minimisation and proportionality principles are respected throughout our processing operations. 


Processing Children’s Personal Data 

Our services are not intended for individuals under the age of eighteen. We do not knowingly collect or process personal data from individuals who are under eighteen years of age. We do not target or advertise our services to minors and we take appropriate measures to ensure that our systems and customer interfaces are not directed toward or designed to attract children. 

If we become aware that personal data has been collected from a child under eighteen without the appropriate legal basis or parental authorisation where required, we will take immediate steps to delete such data and prevent further processing. This includes removing access credentials, purging records and notifying relevant parties if necessary. 

If you are a parent or legal guardian and you believe that your child has submitted personal data to us without your consent, you may contact us using the contact information provided in this notice. We will respond to all such requests promptly and in accordance with applicable data protection laws. 

We encourage all customers to take appropriate precautions when sharing personal information online and to avoid submitting personal data if they are under the legal age required to enter into contractual relationships or consent to data processing in their jurisdiction. 


Legal Bases for Processing Personal Data 

Our processing of personal data is governed by the applicable legal bases outlined in the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The justification for each processing activity depends on the context in which the data is handled, our role in the process, and the nature of the personal data involved. 

Legal Grounds When Processing on Behalf of Customers 

When acting as a data processor on behalf of our business customers, we carry out personal data processing strictly according to their instructions. These customers, as data controllers, are responsible for determining and documenting the appropriate legal basis. The most common legal grounds applied by our customers include: 

According to UK GDPR Article 6(1), processing may be lawful if: 

  • it is necessary to comply with a legal obligation to which the controller is subject (e.g., anti-money laundering or counter-terrorist financing laws); 

  • it is necessary for the performance of a task carried out in the public interest, especially within regulated financial or compliance services; 

  • the data subject has provided valid and informed consent for one or more specific purposes. 

For special categories of personal data, such as biometric data, additional legal grounds may apply under UK GDPR Article 9(2): 

  • where processing is necessary for reasons of substantial public interest under applicable legal frameworks; 

  • where the individual has given explicit consent to the processing of such data. 

We encourage individuals to consult the privacy policy of the respective customer to understand the precise lawful basis used. 

Legal Grounds When We Act as a Data Controller 

In instances where we determine the purposes and means of processing, we act as a data controller. These activities may include service enhancement, fraud detection, product development, and internal operations. In such cases: 

According to UK GDPR Article 6(1), we rely on the lawful basis that the processing is necessary for the purposes of our legitimate interests, provided these interests are not overridden by the rights and freedoms of the data subject. 

If we process special category personal data, such as biometric identifiers, we do so under UK GDPR Article 9(2) where processing is necessary for reasons of substantial public interest, subject to appropriate safeguards. 

Identity Profile Management 

Where individuals create a reusable identity verification profile for use across multiple platforms, we process standard personal data in accordance with the contractual obligation established between the individual and our company. In cases where biometric data is part of the profile, processing is carried out on the basis of the individual’s explicit consent, in accordance with UK GDPR Article 9(2). 

Legal Basis for Specific Processing Activities 

We apply the following legal bases to particular processing operations: 

  • In accordance with UK GDPR Article 6(1), personal data submitted via contact forms or live chat is processed either to take pre-contractual steps at the individual’s request or under our legitimate interest in delivering timely and relevant support. 

  • Marketing communications are sent based on the individual's consent, which is obtained via opt-in mechanisms provided on our websites, as required under UK GDPR Article 6(1). 

  • User data is processed both to comply with employment law obligations and under our legitimate interest in assessing applications and conducting recruitment activities, pursuant to UK GDPR Article 6(1). 

  • The use of cookies and similar tracking technologies involves two separate legal grounds: for non-essential cookies, we obtain consent in accordance with UK GDPR Article 6(1); for essential cookies required for website functionality, we rely on our legitimate interest. 

  • Personal data collected during service demonstrations is processed on the basis of explicit consent and additionally under our legitimate interest to analyse and enhance our service offering, as permitted by UK GDPR Article 6(1) and, where applicable, Article 9(2). 

Compliance with Legal and Regulatory Requirements 

We may also process personal data when it is required to fulfil legal or regulatory duties, including but not limited to responses to law enforcement requests, court proceedings, or compliance audits. Such processing is justified by the necessity to comply with legal obligations in line with UK GDPR Article 6(1). 

All processing activities are conducted in accordance with the principles of lawfulness, fairness, and transparency. We continuously assess our legal bases and ensure that our practices uphold the rights and freedoms of data subjects at all times. 


Data Retention 

We store personal data strictly for the purposes for which it was collected and in line with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, relevant anti-money laundering regulations, and other applicable UK legislation. Regulated financial institutions in the UK are generally obliged to retain user data for five years after the end of their relationship with the user or from the date of an occasional transaction, though some laws or regulations may require longer retention. 

When we act solely as a data processor on behalf of our Customers, the Customer sets the retention period and instructs us on the deletion of personal data. If you, as a user, wish to request the erasure of data submitted to a particular Customer, you should contact that Customer directly. Once the Customer approves such a request and provides instructions to us, we fulfill them as long as they do not conflict with our legal obligations. 

We retain certain categories of personal data, including biometric data, for as long as is required by our contractual arrangement with the Customer or by UK law, and we securely erase the data once the purpose for which it was collected is achieved or once the legally mandated retention period ends. This erasure ensures the data cannot be recovered by any forensic means. 

To remove personal data from our systems, we locate the relevant unique identifier in our databases, find all connected references, and delete them. We then erase the corresponding data from our cloud storage and internal records. When deleting data from local equipment, we use secure methods in accordance with operating system protocols or physically destroy the storage medium if the information is particularly sensitive. We apply similar steps for removable media, using secure wiping or physical destruction if necessary. For mobile devices, we revert them to factory settings before disposal or reassignment, ensuring no residual information remains. 

We prohibit the storage or processing of sensitive personal data on personal or otherwise unsecured devices. Generally, we complete valid requests to delete personal data within 30 days, reflecting the complex nature of our infrastructure and processes. 

In exceptional circumstances, we may extend the data retention period by up to 90 days from the date of a Customer’s deletion request if required by ongoing legal or regulatory obligations, investigations of fraud or illegal activities, or the defense of legal rights. Once these considerations no longer apply, the data is permanently deleted. 

In some instances, we keep pseudonymised data for research and improvement of our identity verification systems to detect and prevent fraud. Such data is kept only as long as needed to develop, train, and validate our systems. Records confirmed to involve fraudulent activity may be stored longer to protect the security of our services and comply with legal or contractual requirements, always respecting data minimization principles under the UK GDPR. 

If data is needed for legal proceedings or for defending claims, it remains under a litigation hold for the duration of those proceedings. After the proceedings conclude, or once there is no longer a lawful basis to retain the data, it is securely erased and becomes irrecoverable. We do not store personal data beyond the period allowed by UK law, and as soon as the relevant retention period or justification ends, the data is destroyed in a way that ensures it cannot be reconstructed. 


Rights of Data Subjects 

Under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable legislation, individuals (Data Subjects) have several key rights concerning the processing of their personal data. Where the Company acts as a data processor on behalf of its Customers, it supports these Customers in addressing any requests to exercise the following rights: 

Right of Access 

The User has the right to know whether their personal data is being processed. If it is, the User is entitled to receive a copy of the data and to be informed about how it is being used and stored. 

Right to Rectification 

The User can request that any inaccurate or incomplete personal data be corrected or supplemented. This ensures that all personal information remains accurate and up-to-date. 

Right to Erasure (“Right to be Forgotten”) 

The User can request the deletion of their personal data when it is no longer needed for the original purpose, when the User objects to the processing and there are no overriding legitimate grounds to continue, or when the data has been processed unlawfully. However, legal requirements or the controller’s legitimate interests may limit or postpone the exercise of this right. 

Right to Restrict Processing 

The User can request that the processing of their data be restricted if there is a dispute about its accuracy or lawfulness, if the User no longer wishes for it to be erased but does not need it for ongoing purposes, if the User requires the data to establish or defend legal claims, or if the User has objected to the processing while the controller determines whether its legitimate interests override the User’s rights. 

Right to Be Informed of Rectification or Erasure 

The User has the right to be notified when any rectification, erasure, or restriction of their personal data is carried out. This allows the User to confirm that the requested changes have taken effect. 

Right to Data Portability 

The User can request to receive their personal data in a structured, commonly used, and machine-readable format. This facilitates transferring data to a different controller or service provider if desired. 

Right to Object 

The User may object to the processing of their personal data when it is carried out on the basis of legitimate interests or for a task performed in the public interest. The controller must then demonstrate compelling legitimate grounds that override the User’s objection. 

Right Not to Be Subject to Automated Decisions 

The User has the right not to be subjected to decisions based solely on automated processing (including profiling), unless such processing is necessary for performing a contract, is expressly permitted by law (and includes safeguards for the User’s rights), or is based on the User’s explicit consent. 

Right to Lodge a Complaint 

If the User believes their data protection rights have been violated, they may lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s supervisory authority. If the concern relates to how a Customer handles data, the User should refer to that Customer’s privacy policy. If the User believes the Company’s own data processing activities infringe on their rights, the User can contact the Company directly. Further information on lodging complaints is available on the ICO’s website for UK residents. 

Verification and Fees 

When the User exercises any of these rights, the Company may need to verify the User’s identity or their authority to act on someone else’s behalf. The Company does not charge fees for handling such requests unless they are manifestly unfounded, repetitive, or excessive. In such cases, a reasonable fee may apply in accordance with the UK GDPR and the Data Protection Act 2018. 


Withdrawing Consent and the Right to Object to Legitimate Interests 

We assist our Customers (acting as Controllers) in providing mechanisms for withdrawing consent in accordance with Article 7(3) of the UK GDPR, as well as for objecting to processing based on legitimate interests in line with Article 21(1) of the UK GDPR. The specific rights that may be exercised depend on the legal basis for processing selected by the Customer, whether it is consent or legitimate interest. 

We do not unilaterally decide on requests to withdraw consent or object to processing, as we operate under the written instructions of our Customers, who control the personal data. Our role is to redirect any request from a user to the relevant Customer for whom the user’s verification was performed. If you wish to withdraw consent or object to processing carried out by us, you can use our designated request form. However, please note that in order to object to data processing effectively, you must present overriding grounds that outweigh our legitimate interests. Since verifying identities and preventing fraud serve a recognized public interest in the global financial system, there will often be compelling, overriding reasons for continuing the processing of personal data. For instance, if there is evidence of fraud, it would be disproportionate to erase or conceal such data when doing so could enable individuals to avoid detection and potentially commit fraud again. 


Responsibilities 

We are fully committed to ensuring accountability and good governance in every aspect of personal data processing, as mandated by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This commitment is reflected in how we assign roles, responsibilities, and authority throughout the organisation, as well as in the policies, procedures, and training programs we adopt. 

To begin with, we have designated a Data Protection Officer (DPO) or an equivalent compliance officer who oversees all data protection matters and can be reached at info@nameid.io. 

This individual is responsible for maintaining and continuously improving our data protection framework, including implementing the necessary policies, procedures, risk assessments, and training materials. They also ensure that we meet our obligations under the applicable data protection laws, monitor any changes in those laws or in regulatory guidance, address and report personal data breaches promptly, investigate and respond to complaints from Data Subjects, and interact with supervisory authorities as needed. 

All personnel within the organisation bear responsibility for properly handling personal data and must comply with this Privacy Notice and any related internal rules. They are expected to keep any personal data secure and not to disclose it to unauthorised third parties. They must direct any data protection requests, queries, or complaints to the DPO, as well as report any actual or suspected data protection breaches without delay. In cases where there is uncertainty about how to handle a data protection matter, they are required to seek advice from the DPO to ensure compliance. 

When we function as a data processor on behalf of a Customer, we do so following that Customer’s documented instructions, thereby supporting the Customer’s obligations as a controller under the relevant legal framework. This support may involve assisting with responses to Data Subject requests, breach notifications, and any audits under Article 28 of the UK GDPR. On the other hand, when we act as a data controller, we determine the purposes for which personal data is processed and the means by which this processing is carried out. In this capacity, we take care to ensure that all such processing is conducted lawfully, fairly, and transparently, and we enter into appropriate agreements with any third-party processors or service providers that may handle personal data on our behalf, imposing clear obligations related to security, confidentiality, and Data Subjects’ rights. 

In all cases, before engaging a third-party processor, we examine its ability to guarantee that personal data is treated securely and in line with data protection standards. A written contract is then established, specifying the categories of data that will be processed, the purposes of processing, and the data protection requirements that the third party must meet. Throughout this arrangement, we remain ultimately responsible for safeguarding any personal data entrusted to us. 

To maintain high standards of data protection, we regularly review and update our policies, practices, and governance documentation. We pay close attention to any changes in the law, new regulatory guidance, and evolving internal practices. These updates are reflected in staff training programs, ensuring that our organisation consistently applies sound data protection principles and remains in full compliance with applicable legal requirements. 


Specific Measures to Ensure Data Protection 

Legal and Contractual Commitments 

We ensure that all personal data processing is governed by appropriate agreements (e.g., Service Agreements, Data Processing Agreements, Non-Disclosure Agreements). These agreements reflect the requirements of applicable data protection laws, and they obligate all parties involved—including third-party providers—to maintain suitable safeguards and confidentiality. 

Secure Data Submission and Storage 

Personal data is submitted via secure interfaces (such as dedicated web portals or application integrations) that employ industry-standard transport encryption (e.g., TLS). Once received, the data is stored in data centers that meet recognized standards for physical and environmental security. For example, such facilities often feature restricted access zones, surveillance systems, redundant power, and fire suppression. The data itself is protected using encryption at rest, access control lists, and logical segmentation to prevent unauthorized access or accidental disclosure. 

Access Controls and Employee Authorization 

We employ a role-based access control system to ensure only authorized personnel can view or handle personal data. Internal policies outline the criteria for granting, reviewing, and revoking access privileges. All employees with data access undergo security and privacy training, and background checks may be carried out where permitted by local law. Each individual is also bound by strict confidentiality obligations. 

Encryption and Additional Technical Protections 

We utilize encryption solutions to protect data both at rest and in transit. Other security measures typically include firewalls, intrusion detection/prevention systems, endpoint protection tools, and rigorous patch management practices. Regular vulnerability assessments and penetration tests help identify and address any potential weaknesses in the environment. 

Handling of Special Categories of Data 

In situations where certain data types (e.g., biometrics, government identifiers, or data relating to minors) require added protection or specific legal bases, we verify that such requirements are met before processing begins. If local law restricts the collection or handling of particular data (for instance, imposing age thresholds or requiring explicit consent), we make every effort to detect and remove, mask, or further encrypt such data if there is no lawful basis for retaining it. 

Ongoing Audits and Compliance 

We monitor and evaluate our data security posture through regular internal audits and vendor assessments, among other measures. These reviews help us maintain alignment with recognized best practices, confirm that our controls remain effective, and adapt our technical and organizational safeguards to evolving threats, technologies, and regulatory requirements. 


Personal Data Breaches 

A personal data breach occurs when personal data is lost, altered, accessed, or disclosed without authorization or in a manner that compromises its confidentiality, integrity, or availability. If we detect or suspect such a breach, we immediately: 

Notify Internal Stakeholders 

We inform our data protection officer (or equivalent privacy/compliance manager), as well as relevant members of management. This rapid communication structure ensures swift action to contain and mitigate the incident. 

Assess and Contain 

We conduct an investigation to identify the nature and scope of the breach, determine which data subjects may be impacted, and ascertain the potential risks to affected individuals. Containment strategies may include isolating affected systems, revoking user access, or restricting network traffic. 

Notify Authorities and Individuals 

Where legally required, we promptly report the breach to the appropriate supervisory authority within the statutory timeframe. If there is a significant risk to the rights and freedoms of individuals, we also inform affected data subjects about the breach, describing what has happened, the likely consequences, and any recommendations for personal mitigation measures. 

Remediate and Improve 

After addressing the immediate incident, we analyze the root causes and implement corrective actions. These may involve additional staff training, refinement of technical controls, or policy updates. We maintain a detailed breach register to support ongoing learning and transparency. 


Data Disclosure 

We may disclose personal data to various external parties for a range of legitimate and lawful reasons. In doing so, we always strive to meet the requirements of applicable data protection regulations and to uphold fundamental privacy principles, such as data minimization and confidentiality. The categories of external parties to whom we may disclose personal data and the circumstances under which this may occur are described below. 

Third Parties 

In order to provide and improve our services, we may engage third-party processors or service providers to carry out certain tasks on our behalf. Examples include data hosting services, identity or KYC verification specialists, fraud detection platforms, or analytics providers. Prior to entering into any agreement with such third parties, we conduct due diligence to confirm that they maintain adequate technical and organizational measures for data security and privacy. Once we are satisfied with their security posture and compliance framework, we establish a written contract that clearly outlines the scope of the data processing activities, confidentiality obligations, security standards, and each party’s respective responsibilities under applicable data protection laws. 

In some instances, a third-party processor may rely on additional sub-processors to deliver the contracted services. For example, the processor might outsource certain hosting functions to infrastructure-as-a-service providers. We require our primary vendors to proactively vet and continuously monitor these sub-processors to ensure that personal data is consistently afforded a high level of protection. If at any point these sub-processors fail to meet our security or privacy requirements, we take appropriate measures in coordination with our primary vendors, which can include suspending or terminating the arrangement. 

Where we operate within a broader corporate group or hold affiliations with other entities, we may share personal data with parent or sister companies for operational, administrative, or compliance-related purposes. Any such data transfers are carried out only to the extent permitted by law and under conditions that safeguard the rights and freedoms of data subjects. This often involves implementing intra-group data sharing agreements or other suitable contractual mechanisms to maintain security and confidentiality. 

Recipients 

Beyond third-party processors or service providers, we may occasionally be required to disclose personal data to additional recipients in accordance with legal or contractual obligations. These recipients typically include regulatory authorities, government agencies, law enforcement, or judicial bodies. For example, we may receive a valid court order compelling us to provide specific records, or we might be legally required to share data to assist in investigations or regulatory audits. In such scenarios, we carefully review each request to ensure it is justified, lawful, and proportionate. Only those personal data elements strictly necessary to fulfill the request are disclosed, and where relevant, we inform or consult with the affected data subjects or the appropriate supervisory authorities. 

Where we act as a data processor on behalf of a Customer, our disclosure of personal data to other entities generally occurs under the instructions of that Customer. For instance, a Customer may direct us to share the results of a background check with a specific partner or to provide documentation for auditing or compliance reasons. In these instances, we follow the Customer’s lawful instructions, provided that they align with the terms of our data processing agreement and do not contravene any legal or ethical standards. If the data subject has given explicit consent for certain uses or disclosures, or if another lawful basis (such as performance of a contract or protection of vital interests) applies, we may disclose personal data under those circumstances as well. 

Regardless of the reason for disclosure or the nature of the recipient, we apply the principle of data minimization to ensure that only the information strictly necessary for the intended purpose is shared. We also adopt robust operational and technical measures to safeguard personal data before, during, and after any transfer. These measures may include encryption of sensitive fields, secure file transfer protocols, audit logs, and the anonymization or pseudonymization of data when full disclosure of identifiable information is not essential. All such data-sharing activities are carefully documented, allowing us to maintain proper records of the information flows and to demonstrate our accountability for protecting personal data in line with applicable legislation. 


International Data Transfers 

We confirm that personal data is generally stored on servers located within the European Union (EU) or in other regions that meet national data localization requirements. Where local regulations necessitate storing data within a specific jurisdiction, we can accommodate such needs in accordance with Customers’ contractual preferences and applicable laws. 

Should it be necessary for service delivery or to maintain convenient and reliable communication with Data Subjects, we may transfer personal data outside the European Economic Area (EEA), the United Kingdom (UK), or other relevant jurisdictions. For example, certain third-party processors or recipients—described in the “Data Disclosure” section of this Notice—may be located outside these regions. 

When transferring personal data internationally, we implement safeguards consistent with Chapter V of the UK GDPR. These safeguards may include reliance on UK Adequacy Regulations, the use of Standard Contractual Clauses approved by the UK Information Commissioner’s Office, or other lawful transfer mechanisms such as binding corporate rules. Any third-party processors we engage must also ensure that appropriate legal bases or protective measures are in place for cross-border data transfers. Where transfers are made to countries for which the UK Government has issued an adequacy decision, we rely on that authorisation to facilitate the transfer. 

If we conduct international data transfers from countries outside of the United Kingdom (for example, when providing services on behalf of non-UK Customers), we will transfer personal data only to locations that are recognised as offering an adequate level of protection under UK law, or we will use appropriate safeguards such as standard contractual clauses or other legally recognised mechanisms. By applying these measures, we ensure that personal data remains protected throughout the entire cross-border transfer process. 


Sale of Personal Data 

We do not sell personal data under any circumstances. We do not engage in any activity that constitutes the sale, lease, exchange or monetisation of personal data as defined under applicable data protection laws. This includes laws and frameworks such as the United Kingdom General Data Protection Regulation, the Data Protection Act 2018 and, where relevant, foreign legislation such as the California Consumer Privacy Act. 

We do not transfer personal data to third parties for commercial gain or for any purpose not explicitly described in this notice. All data sharing is carried out on the basis of a valid legal ground and solely for the provision of services, compliance with legal obligations or fulfilment of legitimate business functions as described in the section on data sharing. 

Where we use service providers, partners or subprocessors to support our technical operations, their access to personal data is strictly governed by data processing agreements that prohibit further use, disclosure or sale of the data and require the application of appropriate security safeguards. 

If our data processing activities change in a way that may affect this commitment, we will update this notice accordingly and provide transparent information to affected individuals in advance of such changes. 


Changes to this Notice 

We review and update this Privacy Notice at least once per year or more frequently as necessary to ensure ongoing compliance with relevant laws, regulations and best practice guidelines. Any updates or amendments will be promptly published on our website with a clear indication of the date on which the latest version takes effect. 

If significant amendments are made, especially those affecting the way we process your personal data or your rights as a data subject, we will inform you directly via email communications. Additionally, we will prominently announce these updates on our website to ensure full transparency and adequate notice. 

We strongly recommend reviewing this Privacy Notice periodically to stay informed about how we handle and protect your personal data. If you have any questions regarding changes to this Notice, please contact us directly using the contact details provided within this document.