Privacy Policy
Effective date: 2025-11-17 · Last updated: 2025-11-17
Controller:
Fusion Technologies FZCO, Dubai Silicon Oasis, DDP, A1 Building, Dubai, UAE. License #43448
(privacy@facekyc.com).
This policy covers FaceKYC identity and company verification services (KYC/KYB), including OCR, facial biometrics and liveness, API and console.
1. Data we process
- Identity & document: name, surname, date of birth, nationality, document number, MRZ, CAN, validity, document images (front/back).
- Biometrics & liveness: face video/frames, facial templates/embeddings, anti-spoofing signals.
- Technical data: IP, device, technical logs, session metadata.
- Results: face-to-ID match, formal checks, risk flags, decision (approved/review/rejected) and audit trail.
2. Purposes
- Verify identity or corporate existence (KYC/KYB) and prevent fraud/abuse.
- Deliver results to business customers through console/API and webhooks.
- Security, audit logging and service improvement.
- Compliance with legal obligations (AML/CFT, accounting, claims).
3. Legal bases
- Legal obligation where the customer is subject to KYC/AML and instructs us to perform verification.
- Legitimate interests to prevent fraud and ensure identity, with safeguards.
- Explicit consent for biometric processing where no applicable legal obligation covers it. Consent is granular, recorded and may be withdrawn without retroactive effect.
4. Retention
- Staging (raw images/OCR): up to 72 hours after consolidation and technical audit.
- Consolidated KYC/KYB record: up to 5 years (or AML-required term) from relationship end or per contract.
- Embeddings/video: minimum necessary for verification and evidence; deleted/anonimised after the operational period or upon consent withdrawal where applicable.
5. Sharing & processors
We may act as a processor for customers (controllers) or as a controller on our own behalf. We use service providers (OCR, hosting, fraud analytics, communications) under DPAs. A list of subprocessors and locations is available on request (privacy@facekyc.com).
6. International transfers
Where data leaves the EEA/UK, we apply safeguards (SCCs/IDTA, transfer assessments and supplementary measures). Details available on request.
7. Security
Encryption in transit, access controls, tenant segregation, audit logging, penetration testing and retention/purge policies. Log minimisation (masking identifiers).
8. Automated decisions
Technical scoring (OCR/MRZ/biometrics) may be applied. Where decisions have legal or similarly significant effects, we ensure human review on request and a right to contest.
9. Your rights
Access, rectification, erasure, objection, restriction, portability, and not to be subject to automated decisions, as applicable. Contact: privacy@facekyc.com. In the EU you may lodge a complaint with your supervisory authority.
10. Minors
B2B service not directed at individuals under 18.
11. Contact & DPO
Controller: Fusion Technologies FZCO, Dubai Silicon Oasis, DDP, A1 Building, Dubai, UAE. Email: privacy@facekyc.com. If a DPO is appointed, we will publish their contact here.
12. Changes
Updates will be posted on this page with a new effective date.