Privacy Policy
Last updated: September 29, 2025
Identis B.V. ("Identis", "we," "our," or "us") is committed to protecting your privacy and handling your personal data with transparency, care, and compliance with applicable laws. This Privacy Policy explains in detail how we collect, use, share, and safeguard your personal data when you use our identity verification, consent management, and profile services (collectively, the "Services").
1. Scope of this Policy
This Privacy Policy applies to:
- All Users who create an Identis account.
- All Partners who integrate or receive user data through Identis.
- Visitors to our websites and digital platforms.
It does not apply to third-party services that we do not own or control. When using a third-party service (such as Stripe Identity for verification), their privacy policies also apply.
2. Categories of Data We Collect
a. Identity Verification Data (via Verification Providers)
Handled by third-party Verification Providers (e.g., Stripe Identity):
- Identity documents (passport, ID card, driver's license)
- Document numbers, issue and expiry dates
- Biometric data (selfies, liveness checks)
- Government-issued identifiers such as BSN (only when legally required)
Identis does not store these documents. We only receive the verified result and selected attributes.
b. Basic Profile Data (stored by Identis)
- Full name
- Date of birth
- Nationality
- Residential address
- Contact details (email, phone)
- Profile metadata (avatar, bio, preferences)
- Marketing consent and communication preferences
c. Consent Data
- Records of when and how you provided consent
- What data you consented to share and with which Partner
- Audit trail of consent updates or withdrawals
d. Technical and Usage Data
- IP addresses, browser types, operating systems
- Login timestamps, activity logs
- Device identifiers and app usage metrics
3. Purposes of Processing
We use your data for the following purposes:
- Identity verification & KYC: To fulfill AML/CTF legal obligations.
- Profile management: To provide you with an Identis profile you can share and update.
- Consent enforcement: To control what information is disclosed to which Partners.
- Marketing (optional): To share your data with Partners for marketing if you have opted in.
- Compliance & auditing: To satisfy Wwft (NL) and AMLD5/6 (EU) requirements.
- Security & fraud prevention: To prevent misuse, fraud, and unauthorized access.
- Service improvement: To analyze usage and enhance our Services.
4. Legal Bases for Processing (GDPR)
- Consent: For sharing profile information and marketing data.
- Contract: To provide Services to you under our Terms of Service.
- Legal obligation: To meet AML/KYC requirements and retention laws.
- Legitimate interest: To secure our systems, prevent abuse, and improve Services.
5. Data Sharing
With Partners
- KYC data: Verified attributes (name, date of birth, nationality, address, verification status, verification date).
- Profile data: Only fields you choose to share (email, phone, avatar, preferences).
- Marketing: Only if you have granted explicit marketing consent.
With Verification Providers
Identity documents and biometrics are collected and stored by Verification Providers, not Identis. Identis only receives verification outcomes.
With Authorities
On lawful request, full KYC/AML data (including documents and biometrics) may be disclosed by Verification Providers to competent authorities such as FIU, DNB, AFM, and tax authorities.
With Service Providers
Hosting, databases, analytics, and cloud services may process your data under GDPR-compliant agreements.
6. Data Retention
- KYC data: Retained by Verification Providers for 5 years after the end of the business relationship, as required by law.
- Profile data: Stored until your account is deleted or you request erasure.
- Consent records: Retained for as long as required for compliance, typically 5 years.
- Technical logs: Retained for shorter operational periods, unless needed for security investigations.
7. User Rights
As a data subject under GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete information.
- Erasure: Request deletion of your data where no legal obligation prevents it.
- Restriction: Limit certain processing of your data.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Withdraw consent at any time for marketing or other non-mandatory processing.
- Complaint: File a complaint with your local supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens).
To exercise your rights, contact us at privacy@identis.com.
8. Security Measures
We use technical and organizational safeguards to protect your data:
- End-to-end encryption in transit and at rest
- Strict access controls and role-based permissions
- Audit logs for sensitive operations
- Regular security assessments and penetration tests
However, no system can guarantee absolute security. Users are encouraged to secure their accounts (e.g., enabling multi-factor authentication).
9. International Data Transfers
If your data is transferred outside the European Economic Area (EEA), Identis ensures appropriate safeguards such as:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs) where applicable
10. Children's Data
Our Services are not designed for individuals under 18. We do not knowingly process children's data without parental consent.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or in-app notification. Your continued use of the Services after changes constitutes acceptance.
12. Contact Information
For questions, requests, or concerns about this Privacy Policy or our practices:
Summary for Users
- You are in control: Share only what you choose via consent.
- Minimal sharing: Partners receive only verified attributes and optional profile data.
- No raw documents: Identity documents stay with Verification Providers.
- Your rights guaranteed: GDPR rights apply, including access, erasure, and objection.
- Legal compliance: Data retention follows Wwft (NL) and AMLD5/6 (EU).