Privacy Policy

Introduction & scope

Fidera provides identity verification and KYC infrastructure — document, biometric, and AML checks behind one API. This policy explains what personal data we process, why we process it, and the choices and rights you have. It applies to our websites, dashboards, APIs, and the verification flows we operate on behalf of our business customers.

Much of the data we handle is processed on behalf of the businesses that use Fidera to verify their end-users. In those cases the business is the controller and Fidera acts as a processor under their instructions and their own privacy notice. We also process some data for our own purposes — for example, to run and secure our service, meet legal obligations, and manage customer accounts — and in those cases we act as a controller. Where a business's notice and this policy differ for end-user data they collect through us, their notice governs that relationship.

Information we process

Depending on how Fidera is used, we may process the following categories of personal data:

• Government-ID documents. Images and parsed data from passports, driver's licenses, national IDs, and similar documents — including the name, date of birth, document number, and the machine-readable or barcode fields they contain.
• Biometric data. A selfie image and the face template or measurements derived from it, used to match a person against their document and to confirm liveness. This is sensitive data and we treat it accordingly.
• Contact & account data. Information used to create and manage accounts and communicate with you — such as name, email address, organization, and role.
• Technical & usage data. Device and connection details, IP address, log and event data, and information about how our APIs, SDKs, and dashboards are used — including signals that help us detect fraud and abuse.

How we use it

We use the data described above to:

• Verify identity & perform KYC. Authenticate documents, match faces, confirm liveness, and return verification decisions to the businesses that request them.
• Screen for fraud & AML risk. Run sanctions, politically-exposed-person, and adverse-media screening, and detect spoofing, deepfakes, and other abuse.
• Provide & secure the service. Operate, maintain, monitor, and improve our platform, and protect it and our users against security threats.
• Meet legal & compliance obligations. Maintain records and audit trails and respond to lawful requests where we are required to do so.

Legal bases

Where data-protection law such as the GDPR applies, we rely on one or more of the following legal bases, depending on the context:

• Consent — for example, for the processing of biometric data, obtained at the point of verification.
• Performance of a contract — to provide the verification and account services that have been requested.
• Legal obligation — to satisfy KYC, AML, and record-keeping requirements that apply to us or our customers.
• Legitimate interests — to secure our service, prevent fraud, and operate our business, balanced against your rights and freedoms.

Sharing & sub-processors

We do not sell personal data. We share it only as needed to run the service: with the business customer on whose behalf a verification is performed, with vetted sub-processors that power specific capabilities under contract, and where required by law.

Our infrastructure and core verification capabilities run on Amazon Web Services — including Rekognition for face match and liveness, Textract for document OCR, S3 for encrypted document storage, and AWS for hosting. We update this list and provide notice before engaging a new sub-processor.

Data retention

We keep personal data only for as long as it is needed for the purpose it was collected — to deliver and support the service, and to meet the legal, regulatory, and AML obligations that apply to us and our customers. Retention periods for end-user verification data are generally set by the business customer acting as controller and by the law that governs them.

When data is no longer needed for those purposes, we delete it or anonymize it so that it can no longer be linked to an individual. Where we are required to retain certain records, we keep only what is necessary for that obligation.

International transfers

Personal data may be processed in countries other than the one where it was collected. When we transfer data across borders, we put appropriate safeguards in place — such as the European Commission's Standard Contractual Clauses or equivalent mechanisms — so that it continues to receive an adequate level of protection. Where supported, data residency options let customers keep processing within a chosen region.

Your rights

Depending on where you live, you may have rights over your personal data, including the right to:

• Access a copy of the data we hold about you.
• Correct data that is inaccurate or incomplete.
• Delete data, subject to legal obligations that may require us to keep it.
• Port your data to another provider in a portable format.
• Object to certain processing or withdraw a consent you previously gave.

If a business used Fidera to verify you, the quickest route is often to contact that business directly, since they control their end-user data. You can also reach us at privacy@fideralabs.com and we will help route and respond to your request. We may need to verify your identity before acting on it.

Children

Fidera is built for businesses and is not directed to children. We do not knowingly collect personal data from children except where a verification is explicitly designed and authorized for that purpose by the controlling business and permitted by law. If you believe a child's data has been provided to us in error, contact us and we will take appropriate steps.

Changes to this policy

We may update this policy as our service and the law evolve. When we make material changes, we will update the date at the top of this page and, where appropriate, provide additional notice. We encourage you to review it from time to time.

Contact

Questions about this policy or how we handle your data are welcome. You can reach our privacy team at privacy@fideralabs.com.