Kvalifika is trademark of JSC Identity and Trust Solutions, company code (hereinafter – the Company or we), registered address at 10 G. Kartozia street, Tbilisi, Georgia.
To continually innovate and improve our software, Kvalifika may collect User data and usage statistics from any app or webpage using the Kvalifika solution or Kvalifika Software Development Kit (SDK) with a developer License Key, including the Kvalifika Demo Apps and webpages.
When a production token is used in the Kvalifika Testing API, no user biometric data is used in the software improvement process whatsoever nor shall User biometric data be used for any purpose other than verifying the identity of the User and confirming liveness. With a production token, any data that is transferred to Kvalifika’s servers via Kvalifika’s secure API is encrypted, siloed and is never stored with any additional personally identifiable information (PII). With a production token, any data that is transferred to the server via Kvalifika’s secure API is anonymized, including device unique hardware identifier (UUID).
Kvalifika will not disclose End User data to any third party without explicit approval from said User unless required by law, such as to comply with a court ordered subpoena, or similar legal process, when we believe disclosure is necessary to protect our rights, investigate fraud, or respond to a government request, we will disclose biometric data and personally identifiable information to the requesting governing agency.
In a Private Client Cloud instance, Kvalifika does not provide services directly to End Users, and Clients are solely responsible for providing all notices, and obtaining all consents, as required by applicable law in connection with the collection, use and disclosure of end user data. Kvalifika may use anonymized End User statistics collected via the Kvalifika API for billing purposes and to provide the services.
The anonymous data collected is only used to operate our business, provide our products and services, improve existing products and services, develop new products and services, and to improve and personalize experiences interacting with the software. Kvalifika has the right to use and disclose usage data and anonymized User data for Kvalifika’s legitimate business purposes; provided, however, that Kvalifika will not use or disclose usage data or anonymized User data in a manner that would enable a third party to reasonably determine that such usage data or anonymized User data originated from our Client’s use of the services or any individual End User’s use of an integrated application.
EU General Data Protection Regulation (GDPR) Compliance (For EU residents)
When writing ‘you’, we mean you as – a potential, existing and/or former client, our client’s employee or other parties, such as beneficial owners, authorised representatives, business partners, other associated parties and/or person contacting us using e–mail or other communication measures.
Please note that in case you provide us with the information about any person other than yourself, your employees, counterparties, advisers or suppliers, you must ensure that they understand how their information will be used.
Principles of processing Personal Data
The principles we follow in order to comply with the need to protect your Personal Data are as follows:
- principle of legality, fairness and transparency – which means that the Personal Data with respect to you is processed in a lawful, honest and transparent way;
- purpose limitation principle – which means that the Personal Data is collected for specified, clearly defined and legitimate purposes and shall not be further processed in a way that is incompatible with those purposes;
- data reduction principle – which means that the Personal Data must be adequate, appropriate and is only necessary for the purposes for which it is processed;
- accuracy principle – which means that the Personal Data must be accurate and, if necessary, updated. All reasonable steps must be taken to ensure that Personal Data which is not accurate in relation to the purposes for which it is processed shall be immediately erased or corrected;
- the principle of limitation of the length of the storage – which means that the Personal Data shall be kept in such a way that your identity can be determined for no longer than is necessary for the purposes for which the Personal Data is processed;
- integrity and confidentiality principle – which means that the Personal Data shall be managed by applying appropriate technical or organizational measures in a way, which would ensure the proper security of the Personal Data, including the protection from an unauthorized processing or processing of an unauthorized data against accidental loss, destruction or damage.
Categories of Personal Data being processed
To provide our Identity Services, we need to collect certain information about our clients' users. The exact information needed depends on the check that’s being carried out on behalf of our client. The Personal Data of client's users we collect can be grouped into the following categories:
Type of information
|Basic Personal Data||
name, surname, etc.
|Identification information and other background verification data (your or your representative’s, ultimate beneficiary owner’s of legal entities)||
name, surname, personal identity code, date of birth, address, nationality, gender, passport or ID card copy, evidence of beneficial ownership or the source of funds, number of shares held, voting rights or share capital part, title, visually scanned or photographed image of your face or image that you provide through a mobile application or camera, video and audio recordings for identification, telephone conversations to comply with client due diligence/”know your client”/anti-money laundering laws and collected as part of our client acceptance and ongoing monitoring procedures.
|Information related to legal requirements||
data resulting from enquiries made by the authorities, data that enables us to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person and other data that is required to be processed by us in order to comply with the legal obligation to “know your client”
registered/actual place of residence, phone number, e–mail address etc.
|Any other Personal Data related to you that you may provide|
Purposes and legal basis for Personal Data processing
|Purpose||Legal basis||Categories of Personal Data|
|Conclusion of the contract or for performance of measures at your request prior to the conclusion of the contract (to get to know, identify and verify our clients)||1. to take the necessary steps before the conclusion of the contract; 2. legitimate interests; 3. complying with regulations applicable to us.||Basic Personal Data; Identification and other background verification data; Contact Data; Other Personal Data needed (in order to identify the possibility of providing services).|
|For the fulfilment of a contract concluded with you||1. contract performance; 2. legitimate interests; 3. complying with regulations applicable to us;||Basic Personal Data; Identification and other background verification data; Financial data; Information related to legal requirements; Contact Data; Other Personal Data provided to us by or on behalf of you or generated by us in the course of providing services.|
|To comply with legal obligations (e.g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of Georgia and other fraud and crime prevention purposes) and risk management obligations)||1. complying with regulations applicable to us; 2. legitimate interests.||Basic Personal Data; Identification and other background verification data; Financial data; Information related to legal requirements; Contact Data; Other Personal Data provided to us by or on behalf of you or generated by us in the course of providing our services.|
|To provide an answer when you contact us through our website or other communication measures||1. your consent; 2. legitimate interests.||Basic Personal Data; Contact Data; Other Personal Data provided to us by you.|
What do we mean when we say:
Legitimate Interest: the interest of ours as a business in conducting and managing our services to enable us to provide to you and offer the most secure experience.
Contract performance: processing your Personal Data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Legal Obligation: processing your Personal Data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Comparison Facial Similarity
In order to make your identity verification, we are using solution that match photo image or video records of your face point that you provide through a mobile app or camera with your ID document.
The solution is used for comparing live photographic data or video record of yourself and your ID card/passport, to comply with legal obligations (e.g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of Georgia and other fraud and crime prevention purposes) and risk management obligations.
The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by anti-money laundering laws.
We ensure that your face similarity check is a process of comparing data acquired at the time of the verification, i.e. this is a one-time user authorization by comparing two person's photos to each other. Your facial template is not created, recorded and stored. It is not possible to regenerate the raw data from retained information.
This process shall allow us to verify you more precisely and will make the process quicker and easier to carry out.
We may use our existing clients’ e–mail for our similar goods or services marketing. In case you do not object to the use of your e-mail for the marketing of our similar goods and services and you are granted with clear, free of charge and easily realisable possibility to object or withdraw from such use of your contact details by sending each message.
We may also provide the information to you being our client about our products or services by sending the messages in the application and such messages may be viewed in the notification center, in case you do not choose the “opt-out” function in our application.
In other cases, we may use your Personal Data for the purpose of direct marketing, if you give us your prior consent regarding such use of data.
We are entitled to offer the services provided by our business partners or other third parties to you or find out your opinion on different issues in relation to our business partners or other third parties on the legal basis for this, i.e. on the basis of a prior consent.
In case you do not agree to receive these marketing messages and/or calls offered by us, our business partners or third parties, this will not have any impact on the provision of services to you as the client.
We provide a clear, free-of-charge and easily realisable possibility for you at any time not to give your consent or to withdraw your given consent for sending proposals put forward by us. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the Personal Data or refuse to receive notifications from us. You shall be entitled to refuse to receive notifications from us by clicking on the respective link in each e-mail notification.
How do we obtain your Personal Data?
Kvalifika does not provide services directly to End Users. We collect information you provide directly to us by using Kvalifika demo.
We do not collect Personal Data from third parties.
Who do we share your Personal Data with?
We may transfer your Personal Data in accordance with the principles of confidentiality to the following categories of recipients:
- our business partners, agents or intermediaries who are a necessary part of the provision of our products and services, as well as, card organizations (such as VISA or MasterCard) – in connection with our payment services;
- governmental bodies and/or supervisory authorities (in accordance with the requirements and obligations under the provisions of legal acts concerning anti-money laundering, fraud prevention, counter terrorist financing), credit, financial, payment and/or other electronic money institutions;
- pre-trial investigation institutions, the State Tax Inspectorate;
- lawyers, bailiffs, auditors etc.;
- service providers, who make your identity verification by using their IT solutions;
- companies providing services for money laundering, politically exposed persons and terrorist financing check-up and other fraud and crime prevention purposes and/ or companies providing similar services;
- external service providers (that provide such services as, for example, system development and/or improvement, audit services);
- beneficiaries of transaction funds receiving the information in payment statements together with the funds of the transaction;
other entities that have a legitimate interest or the Personal Data may be shared with them under the contract which is concluded between you and us;
- other entities under an agreement with us.
International transfer of Personal Data
As we provide international services your Personal Data may be transferred and processed outside the European Union (hereinafter – the EU) and the European Economic Area (hereinafter – the EEA).
The transfer of Personal Data may be considered as needed in such situations as, e.g.:
in order to conclude the contract between you and us and/or to fulfill the obligations under such contract;
in cases indicated in laws and regulations for protection of our lawful interests, e.g. in order to bring proceedings in court/other governmental bodies;
in order to fulfill legal requirements or in order to realize public interest.
This can be done in a number of different ways, for example:
the country to which we send the Personal Data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
the recipient has signed standard data protection clauses which are approved by the European Commission;
if the recipient is located in the US, it may be a certified member of the EU–US Privacy Shield scheme;
special permission has been obtained from a supervisory authority.
We may transfer Personal Data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR.
In some cases, we may use automated decision-making which refers to a decision taken solely on the basis of automated processing of your Personal Data.
Automated decision-making refers to the processing using, for example, a software code or an algorithm, which does not require human intervention.
We may use forms of automated decision making on processing your Personal Data for some services and products. You can request a manual review of the accuracy of an automated decision in case you are not satisfied with it.
How do we protect your Personal Data?
We ensure the implementation of appropriate technical and organizational and administrative security measures required to ensure the security of your Personal Data processing, in order to protect your Personal Data from loss, misuse, accidental or unlawful destruction, modification, disclosure, unauthorized access or any other unlawful handling.
The Company and any third-party service providers that may engage in the processing of Personal Data on our behalf (for the purposes indicated above) are also contractually obligated to respect the confidentiality of the Personal Data.
Retention terms of Personal Data processing
We will keep your Personal Data for as long as it is needed for the purposes for which your data was collected and processed but no longer than it is required by the applicable laws and regulations. This means that we store your data for as long as it is necessary for providing services and as required by retention requirements in laws and regulations.
In the cases when the terms of data keeping are indicated in the legislative regulations, the legislative regulations are applied.
Your Personal Data might be stored longer if:
it is necessary in order for us to defend ourselves against claims, demands or action and exercise our rights;
there is a reasonable suspicion of an unlawful act that is being investigated;
your Personal Data is necessary for the proper resolution of a dispute/ complaint;
under other statutory grounds.
What rights do you have in relation to your Personal Data?
You as a data subject have rights in respect of Personal Data, we hold on you. Under certain circumstances and in accordance with EU or other applicable data protection laws, you may have the right to:
- get familiar with your Personal Data and how it is processed – you have the right to obtain information about which Personal Data about you that we process. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the Company’s business concept and business practices. The Company’s know-how, business secrets as well as internal assessments and material may restrict your right of access;
- demand rectifying incorrect or incomplete data – if it turns out that we process Personal Data about you that is inaccurate, you have the right to request a rectification of the Personal Data. You can also request to have incomplete Personal Data about you completed;
- erasing your Personal Data – you have the right to have any or all of your Personal Data erased. In certain cases, we cannot erase all of your Personal Data. In such case this would be due to the fact that we need to store your Personal Data due to a contractual relationship or law;
- restricting the processing of your Personal Data – you have the right to demand that our processing of your Personal Data be restricted for a period of time. This can pertain, for example, to a situation where you believe data about you is inaccurate and we need to verify it. It can also pertain to a situation where you object to processing that we base on a legitimate interest. In such case we must verify if our grounds override yours;
- transfer your Personal Data to another data controller or provide directly to you in a convenient format (NOTE: applicable to Personal Data which is provided by you and which is processed by automated means on the basis of consent or on the basis of conclusion and performance of the contract);
- object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
- to withdraw your consent so that we stop that particular processing, when the processing is based on consent. However, such consent withdrawal does not affect the lawfulness of processing based on consent before its withdrawal;
- not to be subject to a decision based solely on automated processing;
- lodge an appeal to the State Data Protection Inspectorate – if you have an objection about how we have processed your Personal Data, you can turn to the supervisory authority concerned.
We will exercise your rights only after we receive your written request to exercise a particular right indicated above and only after confirming the validity of your identity. The written request shall be submitted to us by personally appearing at the registered office address of the Company, by ordinary mail or by e-mail: email@example.com.
Your requests shall be fulfilled or fulfilment of your requests shall be refused by specifying the reasons for such refusal within 30 (thirty) calendar days from the date of submission of the request meeting our internal rules and GDPR. The afore-mentioned time frame may be extended for 30 (thirty) calendar days by giving a prior notice to you if the request is related to a great scope of Personal Data or other simultaneously examined requests. A response to you will be provided in a form of your choosing as the requester.
The right to lodge a complaint
You can file a complaint regarding the Personal Data in the same manner as specified above the section.
You can also address the State Data Protection Inspectorate with a claim regarding the processing of your Personal Data if you believe that the Personal Data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found by this link https://personaldata.ge/ka/contact.
For more information on how to control your Cookie settings and browser settings or how to delete Cookies on your hard drive, please read the Cookies Policy available on our website
You can contact us by writing to us at firstname.lastname@example.org or post us at JSC Identity and Trust Solutions, 10 G. Kartozia street, Tbilisi, Georgia.
You can also contact our Data Protection Officer by sending an e-mail to the address: email@example.com