Privacy & Cookie Policy

How IdentiGate OÜ collects, uses, discloses, and protects personal data when you use our digital identity and Advanced Electronic Signature services.

Effective Date: 1 March 2026 · Version 2.0 · Document Owner: IdentiGate OÜ · Registry Code: 17384140

Table of Contents

  1. Introduction and Scope
  2. Data Controller and Contact Details
  3. Personal Data We Collect
  4. Purposes and Legal Bases for Processing
  5. Special Categories of Data (Biometric Data)
  6. Automated Decision-Making and Profiling
  7. Data Retention
  8. Data Sharing and Disclosure
  9. International Data Transfers
  10. Your Rights
  11. Security of Your Data
  12. Data Breach Notification
  13. Data Protection Impact Assessment
  14. Cookies and Similar Technologies
  15. Children's Privacy
  16. Changes to This Policy
  17. Document Hierarchy
  18. Contact Us

1. Introduction and Scope

This Privacy & Cookie Policy (“Policy”) describes how IdentiGate OÜ (“IdentiGate”, “we”, “us”, “our”), a private limited company incorporated under the laws of the Republic of Estonia, collects, uses, discloses, and protects personal data when you use our digital identity and Advanced Electronic Signature services and related platforms.

IdentiGate provides digital identity certificate services that enable individuals to authenticate their identity and create Advanced Electronic Signatures in accordance with Article 26 of Regulation (EU) No 910/2014 (the “eIDAS Regulation”), as amended by Regulation (EU) 2024/1183 (“eIDAS 2.0”). Our services require the collection and processing of identity verification data from government-issued NFC-enabled travel documents.

This Policy applies to all individuals who use our services, visit our websites, or otherwise interact with IdentiGate. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Estonian Personal Data Protection Act (isikuandmete kaitse seadus, IKS), the eIDAS Regulation, and applicable United States state privacy laws.

2. Data Controller and Contact Details

The data controller responsible for processing your personal data is:

Company: IdentiGate OÜ
Registry Code: 17384140
Address: Seebi 1-1906, 11316 Tallinn, Estonia
Email: privacy@identigate.com
Data Protection Officer: Gustav Poola — dpo@identigate.com

For matters relating to data protection, including exercising your rights as a data subject, you may contact our Data Protection Officer (Gustav Poola) at dpo@identigate.com.

3. Personal Data We Collect

To provide our digital identity and Advanced Electronic Signature services, we collect and process the following categories of personal data:

3.1 Identity Verification Data (from NFC-Enabled Travel Documents)

During the onboarding process, you are required to scan your government-issued NFC-enabled passport or identity card. The document scanning, NFC chip reading, and biometric verification are performed using FaceTec Technology, which IdentiGate operates on its own EU-based infrastructure. No personal data is transmitted to FaceTec, Inc. We collect the following data directly from the document’s NFC chip:

  • Full name (first name, middle name where applicable, and last name)
  • Date of birth
  • National identity code (where available and applicable — not all jurisdictions include this on travel documents)
  • Travel document number
  • Document expiry date
  • NFC chip serial number (for document authenticity verification)
  • Facial biometric template (a mathematical representation derived from the document photo for comparison purposes — we do not store the original photograph)

3.2 Biometric Verification Data

To verify that you are the legitimate holder of the identity document, we process biometric data using liveness detection and facial recognition technology provided by FaceTec, Inc. (“FaceTec”). The FaceTec software is operated by IdentiGate on our own servers — no biometric data or personal data is transmitted to FaceTec. We process:

  • Live facial biometric template (a mathematical representation derived from the camera image captured during onboarding for comparison with the document template — the original image is not stored after processing)
  • Liveness detection data (to confirm the presence of a real, live person as opposed to a photograph, video, or mask)

FaceTec provides its technology as a software license. IdentiGate operates the FaceTec software on its own infrastructure within the EU. No biometric data or personal identifying information is transmitted to FaceTec, Inc. or to servers outside of IdentiGate’s control.

3.3 Account and Service Data

  • Email address and contact information
  • Account credentials (passwords are stored only in hashed form)
  • Certificate subscription details and transaction history
  • Digital certificate metadata (issuance date, validity period, certificate serial number)

3.4 Technical and Usage Data

  • Device identifiers and operating system information
  • IP addresses and approximate geographic location
  • Service access logs and authentication timestamps
  • Browser type and language preferences

3.5 Payment Information

Payment processing is handled entirely by the Apple App Store and Google Play Store payment mechanisms. IdentiGate does not process, store, or have access to your payment card details. We retain only transaction references and billing records necessary for accounting and legal compliance purposes.

4. Purposes and Legal Bases for Processing

We process your personal data only when we have a valid legal basis under applicable law. The following summarizes our processing activities:

Purpose | Data Categories | Legal Basis (GDPR)
Identity verification and certificate issuance | Identity data, biometric templates | Art. 6(1)(a) Consent; Art. 9(2)(a) Explicit consent for biometric data
Managing your account and subscription | Account data, contact details, transaction history | Art. 6(1)(b) Performance of contract
Advanced Electronic Signature services | Identity data, certificate records, audit logs | Art. 6(1)(b) Performance of contract
Fraud prevention and security | Technical data, device identifiers, access logs | Art. 6(1)(f) Legitimate interest
Customer support and communications | Contact details, communication records | Art. 6(1)(b) Contract; Art. 6(1)(f) Legitimate interest
Legal and regulatory compliance | Identity data, transaction records | Art. 6(1)(c) Legal obligation

5. Special Categories of Data (Biometric Data)

The facial biometric templates we process constitute special category data under Article 9 of the GDPR. We process this data only with your explicit consent, which you provide during the onboarding process before any biometric data is collected.

Important: We store only mathematical representations (biometric templates) derived from facial images, not the original photographs. The live image captured during verification is processed in real-time by FaceTec Technology and immediately discarded after the comparison is completed. The biometric template from your identity document is retained solely for the purpose of subsequent re-verification if required.

You may withdraw your consent to biometric processing at any time. However, please note that withdrawal of consent will prevent us from providing the digital identity and Advanced Electronic Signature services, as identity verification is essential to ensure the security and integrity of the Digital Certificates we issue.

Why biometric verification is objectively necessary: Biometric identity verification is not an optional data collection measure — it is the core technical mechanism through which we ensure that the person requesting a Digital Certificate is the legitimate holder of the identity document presented. Without biometric liveness verification, the system cannot distinguish a real person from a photograph, video replay, or deepfake attack. In a mobile-first, remote onboarding context, no alternative verification method (such as physical in-person attendance) can achieve the same level of assurance. This requirement stems from the fundamental security obligations of digital identity and electronic signature services under the eIDAS Regulation, which mandates that the signatory must be reliably identified and linked to the signature. We therefore process biometric data not as an additional feature but as the essential security foundation of the entire service.

6. Automated Decision-Making and Profiling

The identity verification process involves automated decision-making, including biometric facial matching and document authenticity checks performed by FaceTec Technology. These automated processes determine whether your identity can be verified and whether a Digital Certificate can be issued to you.

The legal basis for this automated processing is your explicit consent (Article 22(2)(c) GDPR) and the necessity for the performance of the contract (Article 22(2)(a) GDPR).

You have the right to:

  • Obtain meaningful information about the logic involved in the automated decision-making process;
  • Request human intervention in the verification process if automated verification fails or produces an incorrect result;
  • Express your point of view and contest any decision based solely on automated processing.

To exercise these rights, please contact us at privacy@identigate.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention practices are designed to comply with GDPR data minimization principles.

Retention periods:

  • Identity verification records and certificate data: Retained for the lifetime of the certificate plus 7 years, as required by Estonian accounting and commercial law obligations.
  • Biometric templates: Retained for the duration of your active subscription only. Biometric templates are deleted within 30 days of subscription cancellation or account deletion, except where a longer retention period is required by law.
  • Account information: Retained while your account is active and for 7 years thereafter for accounting and legal compliance purposes as required by the Estonian Accounting Act (Äriseadustik).
  • Technical logs: Generally retained for 12 months for security, troubleshooting, and fraud prevention purposes.
  • Communication records: Retained for 3 years from the date of the communication.

8. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with the following categories of recipients only as necessary for the purposes described in this Policy:

8.1 Sub-Processors

We engage trusted third-party service providers (sub-processors) to perform functions on our behalf. These providers are contractually bound by data processing agreements to process personal data only as instructed and to maintain appropriate security measures. Our current sub-processors include:

  • Cloud Infrastructure Provider: Hetzner Online GmbH (Germany) — hosting and data storage services.
  • Payment Processing: Apple Inc. (App Store) and Google LLC (Play Store) — subscription payment processing. IdentiGate does not have access to payment card details.

A complete and current list of sub-processors is available upon request at privacy@identigate.com. We will notify you of any material changes to our sub-processors before they begin processing your data.

Embedded Software Components: The App incorporates FaceTec Technology for identity document scanning, NFC chip reading, biometric liveness detection, and facial matching. IdentiGate operates the FaceTec software on its own EU-based infrastructure. FaceTec, Inc. does not receive, process, or store any personal data from our users. FaceTec provides a software license only and is not a data processor under the GDPR.

8.2 Relying Parties

When you use your Digital Certificate to authenticate or create an Advanced Electronic Signature with third-party services (“Relying Parties”), certain information contained in your certificate (such as your name and certificate validity) will be disclosed to those parties. This disclosure is inherent to the function of digital certificates and electronic signatures.

8.3 Legal and Regulatory Authorities

We may disclose personal data to supervisory authorities, law enforcement agencies, or other public authorities when required by law, in response to valid legal process, or to protect our legal rights.

8.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy. We will notify you of any such transfer before your data is subject to a different privacy policy.

9. International Data Transfers

IdentiGate is established in Estonia, a member state of the European Union. Your personal data is primarily processed and stored within the European Economic Area (EEA).

Third-party software: While the App incorporates technology from FaceTec, Inc. (a US-based company), no personal data is transmitted to FaceTec. All FaceTec software is operated by IdentiGate on our own EU-based infrastructure. As no personal data leaves IdentiGate’s control to reach FaceTec, no international data transfer occurs in connection with this technology.

Where we transfer personal data to countries outside the EEA that have not been recognized by the European Commission as providing an adequate level of data protection (for example, in connection with cloud infrastructure or other service providers), we implement appropriate safeguards, including EU Standard Contractual Clauses approved by the European Commission, to ensure your data remains protected.

You may request information about any international transfers of your personal data by contacting us at privacy@identigate.com.

10. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

10.1 Rights Under the GDPR (EEA Residents)

  • Right of access: Obtain confirmation of whether we process your data and receive a copy of your personal data (Article 15 GDPR).
  • Right to rectification: Request correction of inaccurate or incomplete personal data (Article 16 GDPR).
  • Right to erasure: Request deletion of your personal data in certain circumstances (Article 17 GDPR). Please note that erasure of biometric data and identity records will result in termination of the Services and revocation of your Digital Certificate.
  • Right to restriction: Request limitation of processing in certain circumstances (Article 18 GDPR).
  • Right to data portability: Receive your data in a structured, commonly used, and machine-readable format (Article 20 GDPR).
  • Right to object: Object to processing based on legitimate interests (Article 21 GDPR).
  • Right to withdraw consent: Withdraw previously given consent at any time (Article 7(3) GDPR). Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Rights related to automated decision-making: Not to be subject to a decision based solely on automated processing, including profiling, and to obtain human intervention (Article 22 GDPR). See Section 6.

10.2 Rights Under U.S. State Privacy Laws

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other U.S. states with comprehensive privacy laws, you may have additional rights including:

  • Right to know what personal information is collected, used, and disclosed
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information (we do not sell personal data)
  • Right to non-discrimination for exercising your privacy rights

10.3 Exercising Your Rights

To exercise any of your rights, please contact us at privacy@identigate.com or use the contact details in Section 2. We will respond to your request within the timeframes required by applicable law (within one month for GDPR requests, extendable by two further months for complex requests; within 45 days for U.S. state law requests).

We may need to verify your identity before processing your request. If we are unable to fulfill your request due to legal obligations or exceptions, we will explain the reasons.

10.4 Right to Lodge a Complaint

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority. For Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee. You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement.

11. Security of Your Data

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Secure, access-controlled data centers within the European Union
  • Role-based access controls and principle of least privilege
  • Regular security assessments and vulnerability management
  • Employee security training and confidentiality obligations
  • Incident response and data breach notification procedures
  • Business continuity and disaster recovery planning

We continuously review and improve our security practices to ensure the highest level of protection for your personal data.

12. Data Breach Notification

In the event of a personal data breach:

  • We will notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR;
  • Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 of the GDPR, providing details of the nature of the breach, the likely consequences, and the measures taken or proposed;
  • We maintain an internal register of all data breaches, including their effects and the remedial actions taken.

13. Data Protection Impact Assessment

Given the nature of our services, which involve the processing of biometric data (special category data under Article 9 GDPR) and automated decision-making (Article 22 GDPR), we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR.

The DPIA evaluates the necessity and proportionality of biometric data processing, identifies potential risks to data subjects, and documents the safeguards and measures implemented to mitigate those risks. The DPIA is reviewed and updated periodically and whenever material changes are made to our processing activities.

A summary of the DPIA findings is available upon request by contacting dpo@identigate.com.

14. Cookies and Similar Technologies

Our websites use cookies and similar technologies to ensure functionality, enhance user experience, and analyze usage patterns. This section applies to our websites and web-based services, in compliance with the ePrivacy Directive (2002/58/EC) as transposed into Estonian law.

Types of Cookies We Use

  • Strictly necessary cookies: Essential for website operation, including authentication, security, and session management. These cannot be disabled.
  • Functional cookies: Remember your preferences and settings to enhance your experience.
  • Analytics cookies: Help us understand how visitors interact with our website so we can improve our services.

A detailed list of all cookies used on our website, including their names, purposes, providers, and expiry periods, is available through the cookie settings panel accessible from our website footer. This list is updated periodically as our website evolves.

Managing Cookies

Where required by law, we obtain your consent before placing non-essential cookies. You can manage your cookie preferences at any time through the cookie settings link in our website footer or through your browser settings. Please note that disabling certain cookies may affect the functionality of our services.

15. Children’s Privacy

Our services are available to individuals of all ages who hold a valid NFC-enabled travel document. We recognize the importance of protecting children’s personal data and comply fully with GDPR provisions regarding the processing of minors’ data.

For users under the age of 18 (or the applicable age of majority in your jurisdiction):

  • We require verifiable parental or legal guardian consent before collecting and processing any personal data, including biometric data;
  • The parent or legal guardian may exercise all data subject rights on the minor’s behalf;
  • We reserve the right to request proof of parental consent at any time and to suspend or terminate the account if adequate consent cannot be verified;
  • We apply enhanced data protection safeguards for minors’ personal data.

If we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take steps to delete that information promptly.

16. Changes to This Policy

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will:

  • Provide at least 30 days’ prior notice via email and/or through the App;
  • Post the updated Policy on our website with a new “Effective Date”;
  • Where the changes relate to biometric data processing or other sensitive processing activities, we will seek renewed consent where required by law.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

17. Document Hierarchy

This Privacy & Cookie Policy forms part of the contractual framework between you and IdentiGate, together with the Terms and Conditions, the User Consent for Data Processing, and the User Agreement. In the event of any conflict between these documents, this Privacy & Cookie Policy prevails on all matters relating to the collection, processing, and protection of personal data. On all other matters, the Terms and Conditions prevail.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy & Cookie Policy or our data practices, please contact us:

Company: IdentiGate OÜ
Address: Seebi 1-1906, 11316 Tallinn, Estonia
General Privacy: privacy@identigate.com
Data Protection Officer: Gustav Poola — dpo@identigate.com
General Support: support@identigate.com
Phone: +372 5860 8191

We are committed to resolving any concerns you may have about our collection and use of your personal data. We will endeavor to respond to all inquiries within the timeframes required by applicable law.