Privacy Notice

Version 3.1: January 2025

General

a) We, Affinidi Pte. Ltd., having our office at 15 Beach Road, #02-126, Beach Centre, Singapore 189677 (“Affinidi”) inform you about the processing of personal data for which we are responsible under the European Union’s General Data Protection Regulation (“GDPR”) and other relevant jurisdictions.

b) This Privacy Notice for Affinidi (“Privacy Notice”) describes how we may collect, use, disclose and process your personal data when you provide us with your personal data and/or access or use our websites (which include affinidi.com, docs.affinidi.com, portal.affinidi.com, apikey.affinidi.com and events.affinidi.com) (collectively, “Websites”), and products/services (which include the Affinidi Vault (Beta), Affinidi Login, Affinidi Desktop App, Reference App, Affinidi Portal, Affinidi Identity Verification, Affinidi Messaging, Affinidi CLI and any other products, tools or services offered by Affinidi) including the closed beta/open beta period (if applicable) of such products/services (collectively, our “Services”).

c) For the sake of clarity, in this Privacy Notice, the terms “we”, “us” and “our” refer to Affinidi while the terms “You” and “yours” refer to the Users of our Websites and Services.

d) Unless defined hereunder, all capitalised terms under this Privacy Notice are more particularly defined under the “Terms and Conditions” linked here.

e) You can reach our data protection officer by sending an email to dataprotection@affinidi.com. Affinidi’s data protection representative in the EU is Affinidi GmbH, Pariser Platz 6a, 10117 Berlin, Germany.

f) You can exercise your privacy and data protection rights by contacting dataprotection@affinidi.com. Please note that we cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Thus, we may require that you submit additional personal data so that we can verify your identity. We will use such additional personal data submitted in connection with our verification process only to verify your identity and authority to make the request.

g) Please find below the most important information about our typical data processing sorted by groups of data subjects and types of data processing. For data processing activities that relate only to specific events, and processing activities, the obligations to provide information are met separately.

h) The terms “data”, “personal data” and “personal information” are used interchangeably in this policy, and in each case include any information relating to an identified or identifiable natural person.

i) We process personal information from or about the following categories of individuals, as more fully described in the sections below:

1. Visitors of Websites

2. Developers as Users of Services

3. Consumers as Users of Services

4. Service Providers, Business Partners and their Employees

5. Business Contacts and Communication Partners

6. Newsletter Recipients

7. Participants in Surveys

1. Visitors of Websites

1.1. Web Server Log Data

a) Each time a visitor to any of our Websites uses their browser to request access to a page on our Websites, our web server processes a range of data which the visitor’s browser automatically transmits to our web server.

b) We process the following data for the purpose of providing the contents of the Websites that you have visited, to ensure the security of the IT infrastructure used and to correct errors;

c) We process personal data of the visitors of our Websites such as the IP address allocated to their device, the date and time of the request, the time zone, the specific page or file accessed, the HTTP status code and the data quantities transmitted; in addition, the website from which their request originated, the browser used, the operating system of their device and the language used;

d) The legal basis for the processing of Web server log data obtained while using the Websites is our legitimate interest (Article 6 (1) (f) GDPR where the GDPR is applicable), specifically operation of any of the Websites and user interaction;

e) We obtain these categories of data directly and indirectly from activity on our Websites. For example, form submissions through our Websites or usage details of the Websites collected automatically;

f) The purpose of the data processing of web server log data is the online presentation of Affinidi and Affinidi services;

g) All data will be deleted after 6 months.

h) The recipient of the data is Amazon Web Services EMEA SARL (“AWS”), 38 Avenue John F. Kennedy, L-1855 Luxembourg (who uses service providers in the USA), which we use as processor within the framework of a data processing agreement. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with AWS. You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time. In addition, Amazon Web Services, Inc. is certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable);

i) Use of the Websites without disclosure of web server log data is not possible.

1.2. Cookies

We use cookies on our website. Cookies are small text files containing information that can be stored on the User's end device via the browser when visiting a website. Which cookies we use and further information on data protection in connection with the use of cookies can be found in our Cookie Policy.

2. Developers as Users of Services

2.1. Affinidi does not hold the data protection responsibility for the Developer's Services and data processing. The Developer is a separate controller for its data processing and therefore the privacy policy of the Developer applies.

2.2. Data about Developers are processed for the purposes of preparation and performance of the contractual relationship and for the fulfilment of legal requirements as well as product usage analytics for product improvement. Technical cookies may also be set within the respective Services so that they can function appropriately (e.g. session cookies to enable the different sessions within the login processes, security session cookies, cookies to prevent bot attacks).

2.3. The processed data includes:

a) Registration data: Login data (can contain email) and passphrase, data on the conclusion of the contract;

b) Billing data: card information, name, billing address, contact information, tax identification number;

c) Decentralized ID (“DiD”): as a unique identifier of the Developer;

d) Tokens to identify access requests of the Developers;

e) Project Data: Data points relating to projects of the Developers;

f) Usage Data and Monthly Active Users;

g) HTTP data: HTTP data is protocol data that is generated when the Website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content);

h) Communication Data and questions regarding support requests.

i) Data from Affinidi Vault’s (Beta) cloud services, including data collected via Cloud Backup or Cloud Profile.

2.4. The legal basis for the processing is our contract (Article 6 (1) (b) GDPR where the GDPR is applicable) and legal obligations, in particular tax and commercial law provisions (Article 6 (1) (c) GDPR where the GDPR is applicable). The legal basis for the processing within the technically required cookies within the Services is our legitimate interest in providing the technical functions of the relevant Services (Article 6 (1) (f) GDPR where the GDPR is applicable).

2.5. The data is either provided by the Developers themselves or collected automatically.

2.6. The data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data will be deleted no later than 10 years after the respective processing activity.

2.7. Except back-up data, all other processed data as specified under clause 2.3 above might be shared with other Affinidi companies. All Affinidi companies have entered into EU Standard Contractual Clauses and set up internal privacy and data collection policies. In specific cases data may be transmitted to a collection of service providers, legal advisors and courts. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. We have entered into a data processing agreement with Amazon Web Services EMEA SARL (“AWS”), 38 Avenue John F. Kennedy, L-1855 Luxembourg (who uses service providers in the USA), HubSpot, Inc. (“HubSpot”), Two Canal Park, Cambridge, MA 02141, USA and Zendesk, Inc. (“Zendesk”), 989 Market Street, San Francisco, CA 94103, USA, which we use as processors. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with AWS, HubSpot and Zendesk. You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time. In addition, Amazon Web Services, Inc., HubSpot, Inc. and Zendesk, Inc. are certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable).

2.8. Processing of Developer data is necessary in order to perform the contract. If the data is not provided, the contract cannot be established or carried out. Data that is not necessary in order to perform the contract will be labelled accordingly.

3. Consumers as Users of Services

3.1. We point out that Affinidi does not hold data protection responsibility for the Developer's Services and data processing. The Developer is a separate controller for its data processing and in these cases the privacy policy of the Developer applies.

3.2. For the use of Affinidi Vault (Beta):

a) After setting up your Vault, you have the option to either store data locally on your device or to create a Cloud Profile to store your data on the cloud.

b) If you opt to store your data on your edge device, please note that Affinidi does not process or access this data. All data remains stored locally on your device. However, when you choose to create a Cloud Profile and consent to store your data on the cloud, Affinidi will store your data on your behalf with your consent until you decide to delete your Cloud Profile. This data is encrypted, and only you can access its contents.

c) When you log in to Affinidi Vault (Beta) using biometric data, Affinidi has no access to this biometric data. The biometric data used for authentication, such as fingerprints or facial recognition, is securely stored within your device (e.g., Apple’s Secure Enclave). Affinidi does not store or process this data, either on your device or on the cloud. The privacy policies of your device provider (e.g., Apple) govern how this data is handled. For more details, please refer to your device provider’s privacy policy.

d) Separately, you may also opt to create a Cloud Backup, which stores all your data from both your edge device and your Cloud Profile on Affinidi’s servers. Cloud Backup is designed for recovery purposes and can only be deleted by submitting a formal request via our Data Deletion Request Form. For processing this deletion, we require your email ID and Backup ID to accurately identify and delete the correct data. By opting for this service, you acknowledge that:

(i) Server-Side Storage: Your data will be securely stored and processed on Affinidi's cloud infrastructure. It will not be stored on your personal devices unless explicitly chosen by you.

(ii) Access and Control: You retain full control over who can access and share your data. Sharing preferences can be managed at any time through your Vault.

(iii) Encryption: All data stored in the Cloud Backup is encrypted both in transit and at rest. The private key remains with you, ensuring that Affinidi has no access to your files.

(iv) Data Retention: Data will be retained only as long as necessary to provide the service or comply with applicable laws. You can request deletion at any time, subject to our data retention policy.

(v) Deletion of Cloud Backup: To delete your Cloud Backup, please submit a formal request via our Cloud Backup Deletion Form and include your email ID and Backup ID for accurate identification. Alternatively, follow the instructions provided in the email containing your Backup ID.

3.3. For the use of Affinidi Identity Verification (IDV):

a) If you opt for the Identity Verification (IDV) service provided through Affinidi, we partner with Veriff OÜ (“Veriff”), a third-party sub-processor, to verify your identity. This service enables us to create Verifiable Credentials (VCs) based on the verification results, which are shared with you.

b) Role of Veriff as Sub-Processor: Veriff, being a data processor/sub-processor, processes your data solely for the purpose of performing the identity verification service on our behalf and on behalf of the Developer. Affinidi uses the verification results to create and share VCs with you. The terms and conditions of Veriff would be applicable to the Customers and Developers when they use their platform.

3.4. Data about Consumers are processed for the purposes of preparation and performance of the contractual relationship and for the fulfilment of legal requirements as well as product usage analytics for product improvement. Technically required cookies may also be set within the respective Services so that the Services can function technically (e.g. session cookies to enable the different sessions within the login processes, security session cookies, cookies to prevent bot attacks).

3.5. The following data is processed by Affinidi and/or its Third Party partners:

a) Contract data: Login data (can contain email) and passphrase, data on the conclusion of the contract;

b) Liveness Check: biometric data regarding the face of the User;

c) Decentralized ID (“DiD”): as a unique identifier of the Consumer;

d) Tokens to identify the access requests of the Consumer;

e) Usage Data;

f) HTTP data: HTTP data is protocol data that is generated when the Website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content);

g) Communication data and questions regarding support requests.

h) Back up data from your Affinidi Vault (Beta) account, in case you have opted for the cloud back-up option which includes back up of your edge profile data, VCs received, etc.

i) When using the cloud profile, if the User opts to extract the data from any of the files into a profile, Affinidi will use AWS’s Textract service to extract the data and all such data will be stored with Affinidi for processing purposes and until the extracted data is stored with the User.

j) All the data stored on your Cloud Profile including the profile data if you have selected to store the data on cloud;

k) If the User has opted for Affinidi Identity Verification, the following data will be processed either by Affinidi or its sub-processors/processors appointed by Affinidi:

(i) Personal identification data (e.g., name, date of birth, and ID document details).

(ii) Biometric data (e.g., facial recognition for verifying the identity of the User with the document shared).

(iii) Images or videos of your ID document and/or your face for verification purposes (e.g. Image of your passport, driver’s license, etc.)

(iv) Data extracted from the documents for creation of identity VC

3.6. The legal basis for processing is our contract (Article 6 (1) (b) GDPR where the GDPR is applicable) and legal obligations, in particular tax and commercial law provisions (Article 6(1)(c) GDPR where the GDPR is applicable). The legal basis for the processing within the technically required cookies within the Services is our legitimate interest in providing the technical functions of the relevant Services (Article 6 (1) (f) GDPR where the GDPR is applicable).

3.7. The processing of your data for IDV purposes is based on your consent (Article 6(1)(a) GDPR where applicable).

3.8. The data is either provided by the Consumers themselves or collected automatically.

3.9. The data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data will be deleted no later than 10 years after the respective processing activity or in case of Cloud Backup when the User terminates his contract with us or instructs us to delete the backup.

3.10. Data relating to the liveness check will be deleted immediately after having finished the liveness check.

3.11. The VC created for identity will be deleted immediately after it has been transferred to the User’s Vault. Affinidi does not retain any copy of the VC issued to Users.

3.12. Data might be shared with other Affinidi companies. All Affinidi companies have entered into EU Standard Contractual Clauses and set up internal privacy and data collection policies. In specific cases data may be transmitted to a collection of service providers, legal advisors and courts. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. We have entered into data processing agreements with Amazon Web Services EMEA SARL (“AWS”), 38 Avenue John F. Kennedy, L-1855 Luxembourg (who uses service providers in the USA), HubSpot, Inc. (“HubSpot”), Two Canal Park, Cambridge, MA 02141, USA and Veriff OÜ, 12932944, Niine 11, Tallinn 10414, Estonia (“Veriff”) which we use as processors. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with AWS, HubSpot and Standard Contractual Clauses (2021/914; Module 1 and 4) with Veriff. You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time. In addition, Amazon Web Services, Inc. and HubSpot, Inc. are certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable).

3.13. When your personal data is processed by a sub-processor, their privacy policy may also apply. We encourage you to review their privacy policy to understand how they handle your data.

3.14. For your convenience, the privacy policies of our key sub-processors can be accessed at the following links:

Sr. No. | Name of the Sub-processor | Link to their Privacy Policy
1 | Amazon Web Services EMEA SARL | Privacy Policy
2 | HubSpot, Inc. | Privacy Policy
3 | Veriff OÜ | Privacy Policy

3.15. Please note that while we ensure our sub-processors maintain appropriate data protection standards, we are not responsible for their independent privacy practices as outlined in their respective policies.

3.16. Processing of User’s data is necessary in order to perform the contract. If the data is not provided, the contract cannot be established or carried out.

4. Service Providers, Business Partners and their Employees

4.1. Affinidi may process personal data regarding service providers, business partners and their employees.

4.2. We process personal data about service providers, business partners and their employees, such as name, title, postal address, email address, telephone number, employment, employment history and any other details that they later choose to share.

4.3. The legal basis for processing is our contract (Article 6(1)(b) GDPR where the GDPR is applicable) (preparation and execution of the contract) in the case of contracts with natural persons, our legitimate interest, namely communication with contractually relevant contact persons (Article 6(1)(f) GDPR where the GDPR is applicable) and always legal obligations, in particular tax and commercial law provisions (Article 6(1)(c) GDPR where the GDPR is applicable).

4.4. Data about service providers, business partners and their employees may be collected from the applicable service provider, business partner, or their employees, or from publicly accessible sources like websites.

4.5. We process data about service providers, business partners and their employees for the purpose of preparation and performance of the contractual relationship and for the fulfilment of legal requirements.

4.6. The data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data will be deleted no later than 10 years after the respective processing activity.

4.7. Recipients of data about service providers, business partners and their employees may include banks for the processing of payments. Public authorities and offices may receive data within the scope of their duties, insofar as we are obligated or entitled to transmit data. Moreover, in specific cases data may be transmitted to a collection of service providers, legal advisors and courts. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems.

4.8. Processing of the contact data from service providers and business partners and their Employees is necessary to perform the contract or order. If the data are not provided, the contract cannot be established or carried out. The provision of data is required for prospective service providers, business partners and their employees. The communication is not possible without the data.

5. Business Contacts and Communication Partners

5.1. Affinidi may process personal data regarding Business Contacts and Communication Partners.

5.2. We process personal data about our business contacts and communication partners, such as name, postal address, email address, telephone number, employment, title or any other details that they later choose to share with us.

5.3. The legal basis for processing data from actual and prospective business contacts and communication partners is legitimate interest, specifically communication with prospective business contacts and communication partners (Article 6 (1) (f) GDPR where the GDPR is applicable).

5.4. We obtain these categories of personal information from our business contacts and communication partners, from our clients or their agents, and from third parties that interact with us in connection with the services we perform.

5.5. We process the data from prospective business contacts and communication partners for the purpose of communication with them.

5.6. The data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data will be deleted no later than 10 years after the respective processing activity.

5.7. We may enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems.

5.8. The provision of data is required for prospective business partners and communication partners. The communication is not possible without the data.

6. Newsletter Recipients

6.1. If you subscribe to our newsletter, you will receive information about Affinidi and our Services.

6.2. If you subscribe to our newsletter, we process your data for the purpose of sending the newsletter.

6.3. The data processed are:

a) Name, email address; and

b) HTTP data: This is protocol data that is generated for technical reasons when opening the newsletter via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.

6.4. The legal basis for the processing of data for newsletters is consent (Article 6 (1)(a) GDPR where the GDPR is applicable).

6.5. Your contact details are provided by the newsletter recipient when subscribing to the newsletter; the further data are automatically provided by your browser.

6.6. We use service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance and servicing of IT systems. We have entered into a data processing agreement with HubSpot, Inc. (“HubSpot”), Two Canal Park, Cambridge, MA 02141, USA, which we use as our processor. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with HubSpot. You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time. In addition, HubSpot, Inc. is certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable).

6.7. Data relating to newsletters will be deleted when you unsubscribe. A revocation of the consent is possible at any time. Please use the unsubscribe function in the newsletters for this purpose.

6.8. Personal data is required to receive newsletters. Without providing personal data, the newsletters cannot be sent.

7. Participants in Surveys or Feedback

7.1. In the case where individuals have given their consent to participate in surveys/feedback or studies (“Participants”), we are processing their personal data for surveys and studies.

7.2. The data processed are:

a) Name, email address (if not anonymous surveys);

b) Industry the participant works in, the participant’s job role and title, and the country of residence;

c) Answers to the survey questions;

d) Communication data;

e) Timestamps of the surveys;

7.3. The legal basis for the processing of data is consent (Article 6 (1)(a) GDPR where the GDPR is applicable);

7.4. The personal data about Participants is provided by the Participant;

7.5. Participant personal data are processed for the purpose of conducting and evaluating surveys/feedback using questionnaires for business development reasons;

7.6. The data is deleted in accordance with legal requirements, e.g. retention periods under commercial and tax law. This means that the data regarding surveys/feedback will be deleted one year after the survey was conducted.

7.7. We may enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. We have entered into a data processing agreement with HubSpot, Inc. (“HubSpot”), Two Canal Park, Cambridge, MA 02141, USA, which we use as our processor. We have concluded the EU Standard Contractual Clauses (2021/914; Module 3) with HubSpot. You can request a copy of the main contractual contents of the EU Standard Contractual Clauses at any time. In addition, HubSpot, Inc. is certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR where the GDPR is applicable);

7.8. Participation in surveys and studies is voluntary.

8. Your Rights and General Information

8.1. No automated decision-making takes place.

8.2. You have the following rights:

a) You may withdraw your consent at any time, if your data is processed based on your consent. The withdrawal of consent does not affect the lawfulness of processing before the withdrawal of consent.

b) You may at any time object to the further processing of your data if your data is processed based on our legitimate interest.

c) You may at any time request access to your personal data processed by Affinidi.

d) If our processing is based on your consent you have the right to data portability.

e) You may request rectification of your personal data at any time.

f) You may request erasure of your personal data at any time, provided that no right or legal obligation of Affinidi requires further processing of your personal data.

g) You may request restriction of processing for your data at any time.

h) You may at any time lodge a complaint with a supervisory authority.