Privacy Policy
KYC Assist, Inc.
0. Introduction & Scope
Who this policy applies to and why we process data.
This Policy governs the processing of Personal Data in connection with the Services provided by KYC Assist, Inc. to its business Clients. We are primarily a Business-to-Business (B2B) service provider.
Client Responsibility Note:
This Policy does not replace the privacy policy of our Client. For questions about how your data is used after verification, please consult the Client's policy.
1. Data Roles & Responsibilities
Defining Controller (Client) vs. Processor (KYC Assist) roles.
Client (Data Controller)
The business (or Client) determines the purpose and means of processing your Data. They are responsible for obtaining your consent, providing privacy notices, and handling your final verification decisions.
KYC Assist (Data Processor)
We process Data only on the documented instructions of the Client (per the DPA and Order) to perform specific Services like verification and screening. We are not responsible for direct compliance with consumer rights requests.
2. Categories of Personal Data
Detailed list of End User Data processed via the Services.
- Identity & Contact Data: Full legal name, date of birth, nationality, physical address, and (optionally) phone number/email, derived from government documents.
- Sensitive Data (Biometrics): Facial scans, video frames, and derived biometric templates (e.g., face vectors) used for liveness and anti-spoofing checks. This requires the explicit, legally compliant consent obtained by our Client.
- Document Data: Images of government-issued IDs, document numbers, MRZ codes, issue/expiry dates, and authenticity features.
- Compliance Data: Results from AML (Anti-Money Laundering) screening, sanctions list checks (OFAC, UN, EU), and Politically Exposed Persons (PEP) screening.
3. Processing Purposes & Legal Basis
Justification for processing End User Data under GDPR and other regimes.
Primary Purposes of Processing:
- Identity Verification: Confirming the validity and authenticity of identity documents and the individual presenting them (liveness check).
- Regulatory Compliance: Assisting Clients in meeting their statutory KYC and AML obligations.
- Fraud Prevention: Detecting and preventing identity theft, document forgery, and account takeover attempts.
Legal Bases (GDPR-aligned):
Legal Obligation
Processing is necessary for the Client to comply with sector-specific laws (e.g., banking regulations, AML directives).
Consent
The legal basis for processing Biometric Data (Sensitive Data). This is obtained by the Client before submission.
Contractual Necessity
Processing is necessary to fulfill the contract between KYC Assist and the Client (B2B service provision).
We do not sell (as defined by CCPA/CPRA) End User Personal Information.
Subprocessors & Vendors:
KYC Assist uses vetted third-party Subprocessors (e.g., cloud hosting providers, identity data vendors) to perform specific verification functions. A complete list of Subprocessors is available upon request (or within the DPA).
International Data Transfers:
Because KYC Assist is incorporated in the United States, Data is transferred to the U.S. and may be processed internationally. Transfers from the EEA/UK are protected by robust legal mechanisms, typically Standard Contractual Clauses (SCCs), as outlined in the Data Processing Addendum (DPA).
5. Data Security & Retention
The safeguards we employ and how long data is stored.
Security Measures:
We maintain high-standard technical, administrative, and physical safeguards. This includes:
- Encryption of Data in transit (TLS) and at rest (AES-256).
- Strict access controls (least privilege principle).
- Regular security audits and compliance with industry standards (e.g., SOC 2, ISO 27001-aligned policies).
Data Retention & Deletion:
Data retention is determined by the Client (Controller) via the DPA, typically based on the retention requirements of applicable AML/KYC laws (e.g., 5-7 years). Upon instruction, or at the end of the required period, Data is securely deleted or anonymized.
6. Exercising Your Data Rights
Your rights under GDPR, CCPA/CPRA, and other privacy laws.
MANDATORY STEP FOR END USERS:
To exercise any data right (e.g., Right of Access, Erasure, or Correction), End Users must contact the KYC Assist Client directly, as they are the primary Data Controller. We will fully support our Client in fulfilling their obligations.
Key Rights Summary:
GDPR Rights (EU/EEA):
- Right of Access/Portability
- Right to Rectification/Erasure
- Right to Restriction of Processing
CCPA/CPRA Rights (CA):
- Right to Know/Access
- Right to Delete/Correct
- Right to Limit Use of Sensitive Personal Information
7. Children's Privacy
Our policy regarding individuals under the age of 16/13.
Our Services are designed for use by business Clients for identity verification, which typically involves individuals over the age of majority.
KYC Assist does not knowingly collect or solicit Personal Data from children under the age of 16. If a Client submits data belonging to a minor, the Client confirms they have obtained verifiable parental consent required by law (e.g., GDPR, CCPA/CPRA).
8. Contact & Legal Inquiries
How to reach us for legal and privacy inquiries.
KYC Assist, Inc. (Legal & Compliance)
1234 Compliance Way, Suite 100
Wilmington, DE 19801, United States
Email for Privacy & Legal Matters:
legal@kyc-assist.com
Your trust drives our compliance.