Verifyo

Privacy Policy

Your privacy is fundamental to everything we do at Verifyo.

Effective Date: July 25, 2025 (or the date you accept these Terms)

1. Introduction

This Privacy Notice ("Notice") describes how HIPS Payment Group Ltd, trading as Verifyo ("Verifyo," "we," "us," or "our"), processes personal data in connection with our compliance and identity verification services, including Know Your Customer ("KYC"), Know Your Business ("KYB"), Anti-Money Laundering ("AML") checks, sanctions screening, zero-knowledge proof credentials ("ZKYC"), and related APIs, dashboards, and developer tools (collectively, the "Services").

HIPS Payment Group Ltd is incorporated in Ireland (Company Number 639131) with its registered office at 77 Sir John Rogerson's Quay, Block C, Grand Canal Docklands, Dublin 2, D02 VK60, Ireland and is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.

We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with Applicable Laws. This Notice explains what personal data we collect, how we use it, with whom we share it, how long we retain it, and the rights you may exercise.

2. Scope of this Notice

This Notice applies to personal data processed by Verifyo in the following contexts:

  • Individual Users who complete KYC verification with Verifyo to obtain a reusable ZKYC credential.
  • End Users whose data is submitted by a business customer for verification, screening, or Travel Rule compliance.
  • Business Customer Representatives, such as directors, officers, employees, and beneficial owners, whose personal data is provided to Verifyo in the course of KYB or onboarding checks.
  • Website Visitors, Developers, and API Users who interact with verifyo.com, dashboards, or developer tools.

This Notice does not apply to third-party websites, platforms, or services that may request ZKYC credentials or integrate with Verifyo. Those third parties act as separate data controllers and are responsible for their own privacy practices.

3. Personal Data We Collect

Depending on your relationship with Verifyo, we may collect and process the following categories of personal data:

  • Identification Information: name, date of birth, nationality, gender, government identifiers (passport, national ID, driver's licence), and photographs of identity documents.
  • Biometric and Liveness Data: facial images, templates, video recordings, and results of biometric comparison used solely for identity verification and fraud prevention.
  • Contact Information: residential address, email address, phone number.
  • Business and KYB Data: company name, registration number, jurisdiction, registered address, details of directors, shareholders, and ultimate beneficial owners.
  • AML and Compliance Data: sanctions/PEP status, adverse media checks, source of funds/wealth (where applicable), and results of fraud or risk screening.
  • Device and Technical Data: IP address, browser type, operating system, device identifiers, geolocation (where enabled), log files, and access metadata for dashboards or APIs.
  • Usage Data: records of verification attempts, account activity, support requests, and communications with Verifyo.
  • Inferences and Risk Scores: fraud indicators, compliance risk scores, verification outcomes.
  • Cookies and Similar Technologies: strictly necessary and functional cookies used to operate websites and dashboards (see Section [Cookies ] for more).

We do not intentionally collect sensitive personal data unrelated to verification (such as health, religious beliefs, or political opinions), and business customers are prohibited by contract from providing such data.

4. How We Collect Personal Data

We collect personal data from multiple sources, including:

  • Directly from you, when you provide information during verification, submit documents, or communicate with us.
  • From business customers, when they submit End User or representative data for compliance checks.
  • From documents and devices, when we extract metadata from submitted identity documents or capture device/browser information.
  • From public registries and databases, such as corporate registries, electoral rolls, land registries, sanctions lists, and publicly available government records.
  • From third-party service providers, including biometric technology vendors, sanctions list providers, and fraud prevention agencies.
  • From affiliates within HIPS Payment Group, to ensure group-wide compliance and consistency.
  • Automatically, through cookies, server logs, and analytics tools when you interact with our websites, dashboards, or APIs.

5. How We Use Personal Data

We use personal data for the following purposes, in compliance with GDPR and other Applicable Laws:

  • Identity Verification: to confirm that submitted identity documents are genuine and that you are who you claim to be.
  • Reusable ZKYC Credentials: to issue and manage zero-knowledge proof attestations that allow you to prove compliance status without repeatedly sharing raw personal data.
  • AML/KYC Compliance: to assist business customers in fulfilling their obligations under AMLD5/6, MiCA, FATF guidance, and related laws.
  • Fraud Detection and Security: to identify suspicious activity, prevent identity theft, and secure our Services.
  • KYB and Corporate Due Diligence: to verify company registration, directors, shareholders, and beneficial owners.
  • Service Delivery and Support: to operate APIs, dashboards, and tools, and to respond to inquiries or requests.
  • Legal and Regulatory Compliance: to comply with Irish and EU laws, respond to lawful requests, and enforce our contractual rights.
  • Service Improvement: to analyse aggregated and anonymised data in order to improve verification accuracy and develop new features.
  • Recordkeeping and Audit: to maintain evidence of verification outcomes and compliance activities, as required by AML and financial services regulations.

We do not use your personal data for advertising or marketing purposes.

6. Legal Bases for Processing

We process personal data only where a lawful basis under Article 6 GDPR (and where applicable, Article 9 for special categories of data) applies. Depending on the context, processing may be based on:

  • Performance of a Contract (Art. 6(1)(b)): when processing is necessary to provide our Services, such as verifying identity or issuing ZKYC credentials.
  • Compliance with Legal Obligations (Art. 6(1)(c)): when required to comply with EU or Irish laws, including AMLD5/6, MiCA, sanctions regulations, and other regulatory frameworks.
  • Legitimate Interests (Art. 6(1)(f)): where processing is necessary to prevent fraud, ensure system security, or improve our verification technology, provided such interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): where explicitly required, such as for biometric data (selfie videos, facial geometry) in certain jurisdictions. You may withdraw consent at any time.
  • Vital Interests (Art. 6(1)(d)): in rare cases, to protect an individual's life or safety.
  • Substantial Public Interest (Art. 9(2)(g)): where applicable for AML, sanctions, and fraud prevention measures.

When Verifyo acts as a processor, our business customers (the controllers) are responsible for ensuring that a valid legal basis exists for the personal data submitted to us.

7. How We Share Personal Data

We share personal data only as necessary, in compliance with GDPR, and under strict confidentiality and security obligations:

  • With Business Customers: the entity that requested the verification will receive results (e.g., "verified," "not verified," risk flags).
  • With Affiliates: within the HIPS Payment Group, to ensure consistent compliance and security practices.
  • With Service Providers and Sub-Processors: trusted third parties who assist us in providing Services, including cloud hosting providers (e.g., AWS EU data centres), biometric vendors, sanctions screening providers, and fraud prevention services.
  • With Public Authorities: where required by law, regulation, or valid legal process (e.g., regulators, financial intelligence units, or courts).
  • With Professional Advisors: lawyers, auditors, and consultants bound by confidentiality obligations.
  • With Successors: in connection with a merger, acquisition, or restructuring of Verifyo, subject to continued protection of personal data.
  • With Industry Networks: in limited cases, anonymised or pseudonymised data may be shared with fraud prevention consortiums or AML/KYC industry initiatives, where legally permitted.

We never sell personal data or use it for advertising purposes.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Notice, or as required by law:

  • Verification Data: typically retained for up to 5 years in line with AML requirements, unless a shorter or longer period is mandated by law.
  • Biometric Data: stored only for the duration of the verification process and deleted or anonymised promptly thereafter, unless law requires limited retention for audit or fraud prevention.
  • Business Customer Records: retained for the duration of the contractual relationship and as required by legal or regulatory obligations.
  • Technical Logs: retained for security, troubleshooting, and audit purposes, usually for up to 12 months unless a longer period is required.
  • Anonymised or Aggregated Data: may be retained indefinitely for statistical or research purposes, provided it can no longer identify individuals.

Where Verifyo acts as a processor, we retain data according to the instructions of the controller (our business customer).

9. International Transfers

Verifyo is headquartered in Ireland and processes most personal data within the European Economic Area (EEA). However, some personal data may be transferred to or accessed from countries outside the EEA, including where our service providers or affiliates operate.

When such transfers occur, we implement safeguards to ensure compliance with GDPR, including:

  • Adequacy Decisions: where the European Commission has recognised a country as providing adequate protection.
  • Standard Contractual Clauses (SCCs): approved by the European Commission, supplemented by technical and organisational measures where necessary.
  • Binding Corporate Rules: where applicable within the HIPS Payment Group.
  • Additional Safeguards: encryption, pseudonymisation, strict access controls, and risk assessments.

You may request further details or copies of the safeguards we use by contacting us (see Section 15).

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit and at rest.
  • Access Controls based on least-privilege and role-based permissions.
  • Regular Testing including vulnerability scans, penetration testing, and code reviews.
  • Monitoring and Logging of system access and activity.
  • Data Minimisation and pseudonymisation where feasible.
  • Vendor Security Reviews and contractual data protection requirements for all sub-processors.
  • Employee Training on data protection, confidentiality, and security practices.
  • Incident Response Procedures including GDPR-compliant breach notification to regulators and affected individuals, where required.

Despite these safeguards, no system is completely secure. Verifyo cannot guarantee absolute protection, but we continuously assess and improve our security posture.

11. Biometric Data

As part of our Services, Verifyo may process biometric data, such as facial images, templates, or liveness detection videos, in order to verify identity and prevent fraud.

  • Purpose: Biometric data is used exclusively for one-time verification, matching submitted images to government-issued documents, and preventing impersonation or spoofing.
  • Legal Basis: Where required by GDPR, we rely on your explicit consent (Art. 9(2)(a)) to process biometric data. In other contexts, biometric processing may fall under substantial public interest (Art. 9(2)(g)) in relation to AML and fraud prevention obligations.
  • Retention: Biometric data is retained only for as long as necessary to complete the verification process, then deleted or irreversibly anonymised.
  • Protection: Biometric data is stored securely, encrypted, and subject to heightened access restrictions.
  • No Sale or Profit: Verifyo does not sell, lease, or monetise biometric data in any way.

Where Verifyo acts as a processor, biometric processing is carried out solely under the instructions of the relevant business customer (controller).

12. Your Rights

Under GDPR and other applicable laws, you have the following rights in relation to your personal data:

  • Right of Access: to request confirmation as to whether we process your personal data and to obtain a copy.
  • Right to Rectification: to have inaccurate or incomplete data corrected.
  • Right to Erasure ("Right to be Forgotten"): to request deletion of your personal data, subject to legal or regulatory retention requirements.
  • Right to Restrict Processing: to request suspension of processing under certain conditions.
  • Right to Object: to object to processing based on legitimate interests or direct marketing (though Verifyo does not use data for marketing).
  • Right to Data Portability: to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Withdraw Consent: where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: with the Irish Data Protection Commission (www.dataprotection.ie) or your local supervisory authority.

To exercise these rights, please contact us at privacy@verifyo.com. We may require additional information to verify your identity before fulfilling a request.

13. Cookies and Similar Technologies

13.1 What are cookies? Cookies are small text files that are placed on your device when you access a website. They are widely used to make websites function, to provide secure login, and to collect information about how users interact with online services.

13.2 Types of cookies we use

  • Strictly Necessary Cookies -- These are essential for the operation of our Services. They enable basic functions such as page navigation, secure login, and access to protected areas. Our websites cannot function properly without these cookies.
  • Functional Cookies -- These allow us to remember choices you make (such as language or region) and provide enhanced, personalised features.
  • Analytics Cookies (only if applicable) -- If enabled, these cookies collect aggregated information about how visitors use our websites (e.g., number of visits, most visited pages). The data is anonymised and used only to improve performance and usability.
  • No Advertising Cookies -- Verifyo does not use advertising, targeting, or retargeting cookies.

13.3 Legal basis for cookies

  • For strictly necessary cookies, the legal basis is legitimate interests (Art. 6(1)(f) GDPR), as they are required for the secure operation of our Services.
  • For analytics or functional cookies (if used), the legal basis is your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time.

13.4 Managing cookies You can control and manage cookies in your browser settings. Most browsers allow you to block or delete cookies, or to configure them to alert you when a cookie is being set. Please note that if you block or disable certain cookies, some parts of our Services may not function properly.

13.5 Similar technologies We may also use similar technologies, such as local storage or secure session tokens, strictly for authentication and security purposes.

14. Children's Privacy

Verifyo's Services are not intended for children under the age of 18. We do not knowingly collect personal data from children without parental or guardian consent, where required by law. If we learn that we have inadvertently collected data from a child in violation of applicable laws, we will take steps to delete it promptly.

15. Changes to this Privacy Notice

We may update or amend this Privacy Notice from time to time to reflect changes in our practices, Services, or Applicable Laws.

  • Updated versions will be published on verifyo.com with a revised "Effective Date."
  • Where changes are material, we will provide reasonable notice through appropriate means (such as dashboard notifications or email to registered contacts).
  • Continued use of our Services after the Effective Date constitutes acceptance of the updated Privacy Notice.

For business customers with a separate contract or data processing agreement in place, any amendments to that agreement will be governed by the amendment procedure set out in that document.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Notice or our data practices, you may contact us at:

HIPS Payment Group Ltd -- Verifyo Attn: Data Protection Officer / Privacy Officer 77 Sir John Rogerson's Quay, Block C, Grand Canal Docklands, Dublin 2, D02 VK60 Dublin, Ireland

Email: support@verifyo.com

You also have the right to lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or your local supervisory authority.