1. Introduction
NoxVerify Ltd. ("NoxVerify," "we," "us," or "our") is an identity verification platform registered in the Turkish Republic of Northern Cyprus (TRNC). We provide Know Your Customer (KYC), Know Your Business (KYB), and Know Your Merchant (KYM) verification services to organizations worldwide.
This Privacy Policy describes how we collect, use, share, and protect personal data when you use our platform, visit our website, or interact with our services. This policy applies to all users of the NoxVerify platform, including Tenant administrators, analysts, and the individuals who are the subjects of verification processes ("Applicants").
Data Protection Officer: dpo@noxverify.com
2. Data We Collect
We collect the following categories of personal data depending on how you interact with our services:
Identity Data
Full name, date of birth, nationality, government-issued identification numbers (passport number, national ID number, tax identification number), gender, and place of birth.
Contact Data
Email address, phone number, postal address, and business contact information.
Document Data
Images of identity documents (passport, national ID card, driver's license, residence permit), business registration documents, articles of incorporation, and other supporting documentation submitted during verification.
Biometric Data
Selfie photographs, liveness detection video frames, and derived facial feature vectors used for biometric comparison. See Section 9 for detailed information about biometric data processing.
Screening Data
Results from anti-money laundering (AML) screening, sanctions list checks, politically exposed persons (PEP) database searches, and adverse media screening.
Device Data
IP address, browser user agent string, operating system, device type, screen resolution, and device fingerprint data collected during verification sessions.
Usage Data
Actions performed on the platform (page views, button clicks, API calls), timestamps, session duration, and feature usage patterns.
3. Legal Bases for Processing
We process personal data based on the following legal bases under applicable data protection legislation:
| Data Category | Legal Basis | Purpose |
|---|---|---|
| Identity Data | Contract, Legal Obligation | Verification processing, AML/CTF compliance |
| Contact Data | Contract, Legitimate Interest | Account management, service communication |
| Document Data | Contract, Legal Obligation | Document authenticity verification |
| Biometric Data | Explicit Consent | Liveness detection, face matching |
| Screening Data | Legal Obligation, Legitimate Interest | AML/CTF compliance, risk assessment |
| Device Data | Legitimate Interest | Fraud prevention, security |
| Usage Data | Legitimate Interest | Service improvement, analytics |
4. How We Use Data
We use the personal data we collect for the following purposes:
- Identity verification: processing identity documents and biometric data to verify the identity of Applicants.
- Document authenticity: assessing the genuineness and integrity of submitted identity documents through OCR extraction and document analysis.
- Biometric comparison: performing liveness detection and face matching to confirm that the person presenting the document is the same person depicted on it.
- Sanctions and PEP screening: checking Applicants against global sanctions lists, PEP databases, and adverse media sources.
- Fraud detection: analyzing device data, behavioral patterns, and document characteristics to detect and prevent fraudulent verification attempts.
- Compliance reporting: generating audit trails, case records, and compliance reports for Tenants and regulatory authorities.
- Service improvement: analyzing aggregated usage patterns to improve platform performance, reliability, and user experience.
5. Data Sharing
We share personal data with the following categories of recipients:
Sub-processors
We engage trusted sub-processors to assist in providing our services. These include cloud infrastructure providers, document verification providers, biometric matching providers, and screening data providers. All sub-processors are bound by data processing agreements that require them to protect personal data to at least the same standard as this policy.
Regulatory Authorities
We may disclose personal data to regulatory authorities when required by applicable law or regulation, including AML/CTF reporting obligations and responses to regulatory inquiries or examinations.
Law Enforcement
We will only disclose personal data to law enforcement agencies when compelled by a valid legal process (court order, subpoena, or equivalent legal instrument). We will notify affected parties where legally permitted to do so.
We do not sell personal data to third parties. We do not share personal data with advertisers or marketing companies.
6. International Transfers
As a global platform, personal data may be transferred between jurisdictions in order to provide our services. We implement appropriate safeguards for all international data transfers, including:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
- Adequacy decisions: we rely on adequacy decisions where they have been issued by the relevant data protection authority.
- Certification mechanisms and binding corporate rules where applicable.
- Data residency options: Tenants on Enterprise plans can configure jurisdiction-locked storage to ensure that specific categories of data remain within designated geographic regions.
7. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, subject to the following guidelines:
- KYC/AML verification records: retained in accordance with the applicable jurisdiction's requirements, typically 5 to 10 years from the date of the verification or the end of the business relationship.
- Biometric data: deleted after verification completion. Maximum retention period is 3 years where required for dispute resolution or legal claims.
- Account data: retained for the duration of the Tenant's account plus 1 year after account closure.
- Audit logs: retained for 10 years to support regulatory examination and compliance auditing.
- Usage and analytics data: retained in aggregated, anonymized form. Individual-level usage data is deleted after 2 years.
Tenants may configure custom retention policies within the bounds of applicable legal requirements. Legal holds may override standard retention schedules when required by law or pending litigation.
8. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Right of access: to obtain confirmation of whether we process your personal data and to receive a copy of that data.
- Right to rectification: to have inaccurate personal data corrected.
- Right to erasure ("right to be forgotten"): to have your personal data deleted, subject to legal retention obligations.
- Right to restriction of processing: to restrict the processing of your personal data in certain circumstances.
- Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object: to object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time.
To exercise your rights, contact us at dsr@noxverify.com. We will respond to your request within 30 days (or the shorter period required by your jurisdiction's data protection legislation).
If you are an Applicant whose data was submitted by a Tenant, please contact the Tenant in the first instance, as they are the data controller for your verification data.
9. Biometric Data
Biometric data is a special category of personal data that receives additional protections under our policy:
- Collection: biometric data (selfie photographs and liveness video frames) is collected only with the explicit, informed consent of the Applicant.
- Purpose limitation: biometric data is used exclusively for liveness detection and face matching against identity document photographs. It is not used for surveillance, marketing, or any other purpose.
- Sharing restrictions: biometric data is not shared with third parties for advertising or marketing purposes. It is shared only with our biometric matching sub-processor for the purpose of performing the verification.
- Retention: biometric data is deleted after the verification is complete. In jurisdictions where extended retention is legally required for dispute resolution, the maximum retention period is 3 years.
- Derived data: facial feature vectors (mathematical representations) are deleted on the same schedule as the source biometric data.
10. Cookies
We use cookies and similar technologies to operate and improve our platform. For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy.
11. Children
NoxVerify does not knowingly collect or process personal data from individuals under the age of 18. Our KYC verification services are designed for adult identity verification only. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data.
12. Security
We implement robust technical and organizational security measures to protect personal data, including:
- AES-256 encryption for data at rest.
- TLS 1.3 encryption for data in transit.
- SOC 2 Type II-aligned security practices and controls.
- Regular penetration testing by independent security assessors.
- Role-based access controls following the principle of least privilege.
- Comprehensive audit logging of all data access and processing activities.
- Incident response procedures with defined escalation paths and notification timelines.
13. Changes
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice via email to registered Tenant administrators and by posting the updated policy on our website. The "Last Updated" date at the top of this policy will be revised accordingly.
14. Jurisdiction-Specific Rights
European Union (GDPR)
If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (EU) 2016/679. Our legal bases for processing are set out in Section 3 above. You have the right to lodge a complaint with your local supervisory authority.
Turkey (KVKK)
If you are located in Turkey, your personal data is processed in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK). You have the right to apply to the Personal Data Protection Board (KVKK Board) if your request to us is not satisfactorily resolved within 30 days.
California (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (as amended by the CPRA). We do not sell your personal information. You have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale of personal information (though we do not sell data), and the right to non-discrimination.
Brazil (LGPD)
If you are located in Brazil, your personal data is processed in accordance with the Lei Geral de Proteção de Dados (LGPD). You have rights including confirmation of processing, access to data, correction, anonymization, data portability, deletion, and information about shared data. Contact the ANPD (National Data Protection Authority) if your rights are not satisfactorily addressed.
China (PIPL)
If you are located in the People's Republic of China, your personal information is processed in accordance with the Personal Information Protection Law (PIPL). You have rights to know, decide, restrict, refuse, access, copy, correct, and delete your personal information. Cross-border transfers are subject to security assessments, standard contracts, or certifications as required by the Cyberspace Administration of China.
South Korea (PIPA)
If you are located in South Korea, your personal data is processed in accordance with the Personal Information Protection Act (PIPA). You have rights to access, correct, delete, and suspend the processing of your personal data. We appoint a privacy officer as required by PIPA.
15. Contact
For privacy-related inquiries, please contact us:
Sht. Ecvet Yusuf Caddesi, Lefkosa (Nicosia), TRNC, Mersin 10, Turkey
Data Protection Officer: dpo@noxverify.com
Data Subject Requests: dsr@noxverify.com
Legal: legal@noxverify.com