Privacy Notice | Affinidi

General

We, Affinidi Pte. Ltd together with our affiliates (collectively “Affinidi”) inform you about the processing of personal data for which we are responsible under the European Union (EU) 2016/679 General Data Protection Regulation (“GDPR”), Singapore Data Protection Act of 2012 and other applicable data protection laws of relevant jurisdictions.
This Privacy Notice (“Privacy Notice”) describes how we collect, use, disclose, and process your personal when you access or use our websites (which include affinidi.com, docs.affinidi.com, portal.affinidi.com, apikey.affindi.com, and events.affindi.com (collectively, “Websites”), as well as our products and services (which include the Affinidi Vault (Beta), Affinidi Login, Affinidi Desktop App, Reference App, Affinidi Portal, Affinidi Identity Verification, Affinidi Messaging, Affinidi CLI and any other products, tools or services offered by Affinidi, including any closed beta/open beta period (if applicable) of such products/services (collectively, our “Services”).
For clarity, in this Privacy Notice, the terms “we”, “us” and “our” refer to Affinidi while the terms “You”, “your” and “yours” refer to users of our Websites and Services (collectively referred to as “Data Subjects”).
Unless otherwise defined in this Privacy Notice, all capitalised terms shall have the meaning given under our “Terms and Conditions” linked here.
Data Protection Officer Contact: You can reach our data protection officer by sending an email to dataprotection@affinidi.com. We will respond to your inquiry within 30 days of receipt.
EU Representative: Affinidi’s data protection representative in the EU is Affinidi GmbH, Pariser Platz 6a, 10117 Berlin, Germany.
Exercising Your Rights: You can exercise your privacy and data protection rights by contacting dataprotection@affinidi.com. Please note that we cannot respond to your request if we cannot verify your identity and/or your authority to make the request. We may require additional information solely for the purpose of verifying your identity and/or authority to make the request. We will not use such additional information for any other purpose.
The following sections provide an overview of our typical data processing activities, grouped by categories of Data Subjects and processing purposes. For processing activities that relate only to specific events, or specific purposes, we will provide information separately where required.
In this Privacy Notice, the terms “data”, “personal data” and “personal information” are used interchangeably and refer to any information relating to an identified or identifiable natural person (as defined under applicable data protection laws).
We process personal information from or about the following categories of individuals, as detailed in the sections below:
1. Visitors of Websites
2. Developers as Users of Services
3. Consumers as Users of Services
4. Service Providers, Business Partners and their Employees
5. Business Contacts and Communication Partners
6. Newsletter Recipients
7. Participants in Surveys

1. Visitors of Websites

1.1. Web Server Log Data

a) Each time a visitor accesses our Websites, our web server processes data which the visitor’s browser automatically transmits.

b) We process the following personal data for the purposes of delivering the contents of the Websites you have accessed, ensuring the security of the IT infrastructure and correcting errors:

IP address allocated to your device
Date and time of the request, including time zone
Specific page or file accessed
HTTP status code and the data volume transmitted
Website from which their request originated
Browser type and version
Operating system of your device
Language settings

c) We process this data for delivering the contents of the Websites you have accessed, ensuring the security of the IT infrastructure, correcting errors and analysing website performance and usage patterns.

d) The legal basis for the processing web server log data (where GDPR applies) is our legitimate interest (Article 6 (1) (f) GDPR), specifically the operation of the Websites, ensuring IT security and facilitating user interaction.

e) We collect this data directly from your browser activity when you visit our Websites.

f) We retain web server log data for a maximum of six (6) months, after which it is deleted. This retention period is necessary to ensure website security, troubleshoot technical issues, and analyse usage patterns.

g) The recipient of the data is Amazon Web Services EMEA SARL (“AWS”), 38 Avenue John F. Kennedy, L-1855 Luxembourg (uses service providers in the USA), which we use as a processor within the framework of a data processing agreement. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with AWS. Amazon Web Services, Inc. is certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable). You can request a copy of the main contractual provisions of the EU Standard Contractual Clauses at any time.

h) Use of the Websites requires processing of web server log data and cannot function otherwise.

1.2. Cookies and Similar Technologies

a) We use cookies and similar technologies on our Websites. Detailed information about the specific cookies we use, their purposes, legal basis, retention periods, and how to manage your cookie preferences can be found in our Cookie Policy.

b) This Privacy Notice should be read in conjunction with our Cookie Policy, which provides comprehensive information about our use of cookies and similar tracking technologies.

c) You can manage your cookie preferences at any time through our Cookie Setting Panel available on our Website or by following the instructions in our Cookie Policy.

2. Developers as Users of Services

2.1. Affinidi is not responsible for the data protection compliance of Developer’s own services or data processing activities. The Developer acts as a separate controller for their own data processing and therefore the Developer’s own privacy policy governs such processing.

2.2. Data of Developers is processed by Affinidi for the following purposes: (i) preparation and performance of our contractual relationship, (ii) fulfilment of legal requirements (including tax and commercial law obligations), (iii) product usage analytics to support product improvement, (iv) providing technical support, (v) fraud prevention and security monitoring, (vi) compliance with regulatory requirements.

2.3. The processed data includes:

Registration data: Login credentials (which may include email address), passphrase, and contract conclusion details
Billing data: payment card information, name, billing address, contact information, tax identification number
Decentralized ID (“DiD”): unique identifier assigned to the Developer
Authentication Tokens: tokens to identify access requests from the Developers
Project Data: Information relating to projects of the Developer projects
Usage Data and Monthly Active Users
HTTP data: protocol data generated when accessing our Services via HTTP(S), including IP address, type and version of browser, operating system, the page visited, the page previously visited (referrer URL), date and time of the visits
Communication Data and questions regarding support requests
Data from Affinidi Vault’s (Beta) cloud services, including data collected via Cloud Backup or Cloud Profile (where applicable)

2.4. The legal basis for the processing is (i) contractual necessity (Article 6 (1) (b) GDPR where applicable), where processing is necessary for the performance of our contract with you and (ii) legal obligations (Article 6 (1) (c) GDPR where applicable) where processing is necessary for in particular tax and commercial law provisions. The legal basis for the processing of technically required cookies in the Services is our legitimate interest in providing the technical functions of the relevant Services (Article 6 (1) (f) GDPR where applicable).

2.5. The data is either provided directly by the Developers or collected automatically through use of our Services.

2.6. The data is deleted in accordance with our retention policy and applicable legal requirements (e.g. commercial and tax law retention periods). In principle, Developer data is deleted no later than ten (10) years after the respective processing activity.

2.7. Except back-up data, developer data described in section 2.3 above may be shared with other Affinidi group companies for the purposes outlined above. All Affinidi companies have entered into EU Standard Contractual Clauses and maintain internal privacy and data collection policies.

2.8. In specific cases data may be transmitted to service providers, legal advisors, courts, or regulatory authorities as required by law or for the protection of our legitimate interests.

2.9. We also engage the following processors to perform Services on our behalf, in particular to provide, maintain and support IT systems: AWS for cloud infrastructure and hosting service, HubSpot, Inc. (“HubSpot”), Two Canal Park, Cambridge, MA 02141, USA for customer relationship management and marketing automation. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with AWS and HubSpot. In addition, Amazon Web Services, Inc. and HubSpot are certified under the EU-US Data Privacy Framework (Article 45 GDPR where applicable). You can request a copy of the main contractual provisions of the EU Standard Contractual Clauses at any time.

2.10. Processing of Developer data is necessary to perform our contract with you. If the required data is not provided, the contract cannot be established or performed. Data that is not necessary for the performance of the contract will be labelled accordingly.

2.11. We do not engage in automated decision making, including profiling, that produces legal effects or similarly significantly affects Developers.

3. Consumers as Users of Services

3.1. Affinidi is not responsible for the data protection compliance of Developer’s services and data processing activities. The Developer acts as a separate controller for their data processing, and the privacy policy of the Developer applies to such processing.

3.2. For the use of Affinidi Vault (Beta)

3.2.1. While setting up your Vault, you have the option to either store data locally on your device or to create a Cloud Profile to store your data on the cloud.

3.2.2. If you opt to store your data locally on your edge device, Affinidi does not process or access this data. All data remains stored locally on your device under your control.

3.2.3. When you choose to create a Cloud Profile and consent to store your data on the cloud, Affinidi will store your data on your behalf with your explicit consent, until you decide to delete your Cloud Profile. Your data is encrypted, and only you can access the contents of your encrypted data. You retain full control over who can access and share your data.

3.2.4. When you log in to Affinidi Vault (Beta) using biometric data, Affinidi has no access to your biometric data. The biometric data used for authentication (fingerprints, facial recognition) is securely stored within your device (e.g., Apple’s Secure Enclave). Affinidi does not store or process biometric data on your device or in the cloud. The privacy policy of your device provider (e.g., Apple) governs how this biometric data is handled.

3.2.5. Separately, you may also opt to create a Cloud Backup, which stores data from both your edge device and Cloud Profile on Affinidi’s servers. Cloud Backup is designed for recovery purposes. By opting for Affinidi cloud service, you acknowledge that:

Server-Side Storage: Your data will be securely stored and processed on Affinidi’s cloud infrastructure. It will not be stored on your personal devices unless explicitly chosen by you.
Access and Control: You retain full control over who can access and share your data. Sharing preferences can be managed at any time through your Vault.
Encryption: All data stored in the Cloud Backup is encrypted both in transit and at rest. The private key remains with you, ensuring that Affinidi has no access to your files.
Data Retention: Data will be retained only as long as necessary to provide the service or comply with applicable laws. You can request deletion at any time, subject to our data retention policy.
Deletion of Cloud Backup: Cloud Backup can only be deleted by submitting a formal request via our Data Deletion Request Form. For processing deletion requests, we require your email address, Vault Backup ID, first name and last name to accurately identify and delete the correct data. Alternatively, you can follow the instructions provided in the email containing your Backup ID.

3.3. For the use of Affinidi Identity Verification (IDV)

3.3.1. Our IDV service is provided in partnership with Veriff OÜ (“Veriff”), 12932944, Niine 11, Tallinn 10414, Estonia, a third-party sub-processor, to verify your identity. This service enables us to create Verifiable Credentials (VCs) based on the verification results.

3.3.2. Role of Veriff as Sub-Processor: We have entered into a data processing agreement with Veriff as our processor/sub-processor. Veriff processes your data solely for the purpose of performing identity verification services on our behalf and on behalf of the Developer. The terms and conditions of Veriff apply to the Users when you use their platform.

3.3.3. In the IDV service, Affinidi acts as a data processor and uses the verification results to create and share VCs with you.

3.3.4. Personal data of Consumers are processed for the purposes of (i) preparation and performance of the contractual relationship, (ii) fulfilment of legal requirements, (iii) product usage analytics for product improvement, (iv) providing technical support, (v) credential issuance (for IDV services), and (vi) fraud prevention and security monitoring.

3.3.5. The following data is processed by Affinidi and/or its Third Party partners:

Contract data: Login credentials (can include email), passphrase, contract conclusion data
Decentralized ID (“DiD”): unique identifier assigned to the Consumer
Authentication Tokens: tokens to identify the access requests of the Consumer
Usage Data
HTTP data: protocol data generated when accessing our Services via HTTP(S), including IP address, type and version of browser, operating system, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content)
Communication data and questions regarding support requests

3.3.6. Backup Data: data from Affinidi Vault (Beta) account, in case you have opted for the cloud back-up option which includes back up of your edge profile data, VCs received, etc (stored in encrypted form, inaccessible to Affinidi).

3.3.7. When using the cloud profile, if the User opts to extract the data from any of the files into a profile, Affinidi uses AWS’s Textract service to extract the data and all such data will be stored with Affinidi for processing purposes and until the extracted data is stored with the User.

3.3.8. All the data stored on your Cloud Profile including the profile data if you have selected to store the data on cloud.

3.3.9. If the User has opted for Affinidi IDV, the following data will be processed either by Affinidi or its sub-processors/processors appointed by Affinidi:

Personal identification data (e.g., name, date of birth, and ID document details)
Biometric data (e.g., facial recognition for verifying the identity of the User with the document shared)
Images or videos of your ID document and/or your face for verification purposes (e.g. Image of your passport, driver’s license, etc.)
Data extracted from the documents for creation of identity VC

3.3.10. The legal basis for processing is (i) contractual necessity (Article 6 (1) (b) GDPR where applicable) where processing is necessary for contract performance (ii) compliance with legal obligations (Article 6(1)(c) GDPR where applicable), where in particular tax and commercial law provisions, (iii) consent (Article 6(1)(a) GDPR where applicable), where processing of your data for IDV purposes.

3.3.11. The data is either provided directly by the Consumers or collected automatically through service usage.

3.3.12. Data Retention Periods: (i) The data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data will be deleted no later than ten (10) years after the respective processing activity or (ii) in case of Cloud Backup when the User terminates his contract with us or instructs us to delete the backup. (iii) Data relating to the liveness check will be deleted immediately after having finished the liveness check. (iv) The VC created for identity will be deleted immediately after it has been transferred to the User’s Vault. Affinidi does not retain any copy of the VC issued to Users.

3.4. Consumer data may be shared with other Affinidi group companies for the purposes outlined above. All Affinidi companies have entered into EU Standard Contractual Clauses and set up internal privacy and data collection policies.

3.5. In specific cases data may be transmitted to a collection of service providers, legal advisors and courts.

3.6. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. We have entered into a data processing agreements with AWS, HubSpot, and Veriff, which we use as processors/sub-processors.

3.7. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with AWS, HubSpot and Standard Contractual Clauses (2021/914; Module 1 and 4) with Veriff. Amazon Web Services, Inc. and HubSpot, Inc. are certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable). You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time. In addition, when your personal data is processed by a sub-processor, their privacy policy may also apply. We encourage you to review their privacy policy to understand how they handle your data.

3.8. For your convenience, the privacy policies of our key sub-processors can be accessed at the following links:

#	Sub-Processor	Privacy Policy
1	Amazon Web Services EMEA SARL	aws.amazon.com/privacy
2	HubSpot, Inc.	legal.hubspot.com/privacy-policy
3	Veriff OÜ	veriff.com/privacy-notice

3.9. Please note that by entering into relevant data processing agreements with our processors/sub-processors, we aim to ensure our sub-processors maintain appropriate data protection standards.

3.10. Processing of Consumer data is necessary in order to perform our contract with you. If required data is not provided, the contract cannot be established or performed.

3.11. We do not engage in automated decision making, including profiling, that produces legal effects or similarly significantly affects Consumers.

4. Service Providers, Business Partners and their Employees

4.1. Affinidi may process personal data regarding service providers, business partners and their employees to establish and maintain business relationships.

4.2. We process personal data of service providers, business partners and their employees, including name, title, postal address, email address, telephone number, employment details, employment history and any other details that they later choose to share in line with the necessities of the business relationship.

4.3. Personal data is collected from the applicable service provider, business partner, or their employees, or from publicly accessible sources like websites and business directories.

4.4. We process personal data about service providers, business partners and their employees for the purpose of preparation and performance of the contractual relationship and for the fulfilment of our legal requirements. the legal basis for such processing are (i) contractual necessity (Article 6(1)(b) GDPR where applicable) where we enter into or perform contracts and (ii) Legitimate Interest (Article 6(1)(b) GDPR where applicable), in particular for communication with contractually relevant contract persons, and (iii) legal obligations (Article 6(1)(f) GDPR where applicable), for compliance with statutory requirements, such as tax and commercial law.

4.5. The personal data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data will be deleted no later than ten (10) years after the respective processing activity, unless longer retention is required by law.

4.6. Recipients of data about service providers, business partners and their employees may include banks for the processing of payments. Public authorities and offices may receive data within the scope of their duties, insofar as we are obligated or entitled to transmit data. Moreover, in specific cases data may be transmitted to a collection of service providers, legal advisors and courts. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems.

4.7. Processing of the contact data from service providers and business partners and their employees is necessary to perform the contracts or orders. If the data is not provided, the contract cannot be established or performed and communication is not possible without the data.

5. Business Contacts and Communication Partners

5.1. Affinidi may process personal data regarding business contacts and communication partners to facilitate business communications and relationship development.

5.2. We process personal data including name, postal address, email address, telephone number, employment details, title or any other details shared in line with the business communications.

5.3. We process data for communication with actual and prospective business contacts and communication partners, including business development activities and professional networking.

5.4. The legal basis for processing is legitimate interest, specifically communication with prospective business contacts and communication partners (Article 6 (1) (f) GDPR where applicable).

5.5. We obtain personal data from our business contacts and communication partners directly, from our clients or their agents, and from third-parties that interact with us in connection with our services.

5.6. The data is retained in accordance with our policies and legal requirements. In principle data will be deleted no later than ten (10) years after the respective processing activity, unless longer retention period is required by law or legitimate business purposes.

5.7. We may engage service providers to perform services on our behalf, in particular to provide, maintain and support IT systems.

5.8. The provision of data is required for prospective business partners and communication partners. The communication is not possible without the data.

6. Meetings, Calls and Virtual Collaboration Tools (Video Recording and AI-Assisted Note-Taking)

6.1. Affinidi may host or participate in meetings, calls or virtual collaboration sessions (including via Microsoft Teams or similar platforms) with business contacts, partners, customers, suppliers and other communication partners.

6.2. In this context, we may process personal data relating to such participants, including: (i) audio and video recordings of meetings (including participants’ voices and images), (ii) transcripts or written summaries of meetings, (iii) meeting metadata (such as date, time, participant names and roles), (iv) chat messages or shared content generated during the meeting.

6.3. Personal data is processed for the purpose of: (i) documenting discussions, decisions and action items, (ii) internal follow-up, coordination and recordkeeping, and (iii) improving meeting efficiency and collaboration.

6.4. Video Recording: Where meetings are recorded using collaboration platforms such as Microsoft Teams, participants are informed at the start of the recording through verbal notifications or indicators provided by the platform. Participants may choose to disable their camera or object to recording, where feasible.

6.5. AI-assisted note-taking: In some meetings, Affinidi may use AI-powered tools (such as AI note-taking or transcription services) to generate meeting notes, summaries or action points. Where such tools are used, participants are informed in advance (e.g. via meeting invitations) and/or at the start of the meeting, and may object to the use of such tools. AI-generated outputs are used solely for the purposes described above and are subject to access controls and retention limitations.

6.6. The legal basis for processing personal data in this context is: (i) our legitimate interests (Article 6(1)(f) GDPR, where applicable) in conducting and documenting business communications, and/or (ii) consent (Article 6(1)(a) GDPR, where applicable), particularly for external participants or where AI-assisted note-taking is used, in accordance with applicable data protection laws.

6.7. Recordings, transcripts and AI-generated summaries are accessible only to authorized Affinidi personnel and are not shared externally unless required for the stated purposes or legal obligations.

6.8. Recordings of meetings (including audio and video), transcripts, AI-generated summaries, notes, and related meeting materials are retained only for as long as necessary to fulfil the purposes for which they were collected. Unless a longer retention period is required for legal, regulatory, or legitimate business purposes, such data is generally retained for no longer than one (1) year, after which it is securely deleted or anonymized.

6.9. If you subscribe to our newsletter, you will receive information about Affinidi and our Services.

6.10. We process your data for the purpose of sending the newsletters and related communications.

6.11. The data processed are: (a) contact information: name, email address; (b) HTTP data: protocol data generated when opening the newsletters via HTTP(S), including IP address, type and version of browser, operating system, the page visited, referrer URL, date and time of the visits.

6.12. The legal basis for the processing of data for newsletters is consent (Article 6 (1)(a) GDPR where applicable). Your consent is obtained when you subscribe to our newsletter.

6.13. Your contact details are provided directly by you when subscribing; HTTP data is automatically provided by your browser when opening newsletters.

6.14. We use HubSpot as our processor for newsletter services. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with HubSpot. HubSpot, Inc. is certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable). You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time.

6.15. Data related to newsletters will be retained until you unsubscribe from our newsletter services. You can withdraw consent at any time using the unsubscribe function in our newsletter.

Personal data is required to receive newsletters. Without providing personal data, the newsletters cannot be sent.

7. Participants in Surveys or Feedback

7.1. When individuals consent to participate in surveys, feedback collection, or studies (“Participants”), we process their personal data for conducting surveys, collecting feedback and finalize studies.

7.2. The data processed are: (i) contact information: name and email address (for non-anonymous surveys); (ii) professional information: industry the Participant works in, job role and title, the country of residence; (iii) survey responses: answers to the survey questions; (iv) communication data; (v) technical data: timestamps of the survey completion and submission.

7.3. The legal basis for processing survey data is consent (Article 6 (1)(a) GDPR where applicable).

7.4. The personal data is provided directly by the Participants.

7.5. Participants’ personal data is processed for the purpose of conducting and evaluating surveys/feedback using questionnaires for business development, product improvement and market research.

7.6. The survey and feedback data is retained for one (1) year after the survey is conducted, unless longer retention is necessary for legitimate business purposes or under relevant legislations such as commercial and tax law.

7.7. We use HubSpot as our processor for survey and feedback services. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with HubSpot. HubSpot, Inc. is certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where applicable). You can request a copy of the main contractual articles of the EU Standard Contractual Clauses at any time.

7.8. Participation in surveys and studies is entirely voluntary.

8. Limited-Use Applications & Events

8.1. We may offer certain applications or features for temporary, limited-use (e.g. proof of concepts, demos, event specific applications), either individually or in partnership with third parties. These services are not intended for general public or production use and may be modified or discontinued at any time.

8.2. Certain limited-use, early access, or closed beta Services operate on top of Affinidi’s infrastructure level capabilities, including gateway, routing, orchestration, and observability functionalities. The infrastructure-level processing described in this section reflects the current closed beta and early access deployment of these Services and does not limit the applicability of similar processing practices to other Services where relevant.

8.3. In operating these Services, Affinidi may process limited technical and operational data such as logs, metrics, traces, timestamps, identifiers, and configuration metadata. Depending on configuration and usage, such data may incidentally include personal data transmitted through the Services. This processing is carried out for purposes including system reliability, security monitoring, troubleshooting, service testing, and service improvement during the early access phase.

Affinidi applies privacy-by-design and data-minimisation principles to such processing, including limiting the scope and retention of observability data and applying reasonable technical safeguards (such as masking of clearly sensitive data categories) to reduce unnecessary exposure of personal data by default.

Technical logs and observability data relating to limited-use or beta Services are retained only for limited periods necessary to support testing, operational stability, and security. Where longer term retention or external storage is configured, such retention is managed by customers through their own systems and in accordance with their own legal obligations.

In this context, Affinidi generally acts as a data processor, processing personal data on behalf of customers in accordance with their configurations and instructions. Customers remain responsible for the content of data transmitted through the Services and for ensuring appropriate legal bases, notices, and safeguards.

8.4. The personal data processed may include, depending on the specific limited-use application, event, configuration and features used: (i) contract and account-related details (e.g., name, email, address, and any identifiers required for registration or using of the Services), (ii) device and technical information (e.g., IP address, browser type, operating system), (iii) Decentralized Identifier (DiD), (iv) event registration identifiers and (v) VCs issued for event participation (if applicable). Technical logs and observability data may incidentally include certain identifiers or technical metadata, but are subject to data-minimization and safeguarding measures (such as masking of clearly sensitive data categories) as described above. In addition, we may also process application usage data and activity logs, but these are aggregated and not linked to any identifiable individual; they are collected solely to improve our Services and functionality. The exact data collected may vary depending on the specific limited-use application or event and the features you choose to use.

8.5. The legal basis for processing limited-use application & event data is (i) contractual necessity (Article 6 (1) (b) GDPR where applicable), (ii) legal obligations (Article 6 (1) (c) GDPR where applicable) where processing is necessary for in particular tax and commercial law provisions, (iii) consent, where required (e.g. for marketing or optional features) and (iv) legitimate interest, such as fraud prevention, service improvement and security.

8.6. Data is either provided directly by you or collected automatically through application usage and event participation.

8.7. The data is processed for the purpose of (i) enabling participation in the event or limited-use application, (ii) providing technical support, (iii) improving functionality and user experience, and (iv) ensuring security and preventing misuse.

8.8. Limited use applications and events data is retained for one (1) year after the event concludes or the application becomes unavailable, unless longer retention is required for legitimate business purposes or by applicable law.

8.9. We may engage service providers to perform services on our behalf, in particular to provide, maintain and support IT systems.

9. AI Agents & Third-Party Agents

9.1. Certain features in our Services may enable interaction with AI Agents. Where an AI agent runs locally on your device, Affinidi does not process or store your prompts, transcripts, or outputs on Affinidi servers. Where AI Agent interactions rely on infrastructure-level gateway or routing capabilities, related technical processing (such as logging or observability) is carried out in accordance with the practices described in “Limited-Use Applications & Events” section above.

9.2. If you choose to use a Third Party Agent, data you provide (such as prompts, context, and metadata) may be transmitted to and processed by the Third Party and/or its model provider in their environment. In such cases, the Third Party’s privacy policy governs the processing of your data. We recommend reviewing their terms before use.

9.3. We do not use AI Agent interactions for profiling or automated decision-making that produces legal or similarly significant effects.

10. Your Rights and General Information

10.1. We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

10.2. You have the following rights under applicable data protection laws. To exercise any of these rights, please contact us at dataprotection@affinidi.com. We will respond to your request within one month of receipt, though this may be extended by two additional months for complex requests.

You may withdraw your consent at any time, if your data is processed based on your consent. The withdrawal of consent does not affect the lawfulness of processing before withdrawal. To withdraw consent, contact dataprotection@affinidi.com or use specific withdrawal mechanisms where provided (e.g., newsletter unsubscribe links).
You may at any time object to processing of your data if your data is processed based on our legitimate interest.
You may at any time request access to your personal data processed by Affinidi.
You have the right to data portability, where it is applicable.
You may request correction of inaccurate personal data at any time and also completion of incomplete personal data.
You may request erasure of your personal data at any time, provided that no right or legal obligation of Affinidi requires further processing of your personal data.
You may request restriction of processing for your data at any time.
You may at any time lodge a complaint with a supervisory authority.