idclear is the trading name of Dolya Solutions Limited (“we”, “us” and “our”), a limited company registered in Gibraltar with company incorporation number 120437 and a registered office at 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA. We’ve drafted this Privacy Notice in order to provide you with information and understanding of how we treat your Personal Data which we gather through your use of our website www.idclear.com (“Site”) and on behalf of our clients as part of our due diligence support services. Personal Data means any information relating to you as an identified or identifiable natural person (known also as a “Data Subject”).
This Privacy Notice sets out what Personal Data we collect and how we utilise/process it in accordance with data laws, including the General Data Protection Regulations (“GDPR”), The California Consumer Privacy Act (“CCPA”), the Gibraltar implementation of the GDPR and the Data Protection Act 2004.
We may make changes to this Privacy Notice but a current version will always be available on our Site.
1. WHAT DATA WE COLLECT
We may collect the following data when you browse or otherwise use our Site or when communicating with us over email:
- Your name
- Your email address
- Any Personal Data you may choose to provide us in correspondence with us
For the above data we act as a Data Controller. This means that we determine the purpose and means of processing your Personal Data.
If we contact you on behalf of one of our clients whom we are helping conduct their customer due diligence, we may collect and process the following:
- Your name and any aliases
- Your email address
- Your phone number
- Your physical address
- Your physical location
- Your IP address
- Copies of your identity documents (such as a passport, ID card or driving license)
- Information about your financial status, funds and wealth
- Information about your employment
- Publicly available information about you (such as information from social media and news outlets)
- Any Personal Data you may choose to provide us in correspondence with us
We may also conduct sanctions and terrorist watchlist checks against your personal information.
For the above data we act as a Data Processor. This means we process the data on behalf of our clients who are data controllers. We only ever process your Personal Data in this situation according to the instructions of the client with whom you have, or are looking to start, a business relationship.
We do not currently knowingly process Personal Data of anyone under the age of majority in their country of citizenship or residence.
2. HOW WE COLLECT AND STORE YOUR PERSONAL DATA
As a Data Controller, we only process Personal Data that you provide to us through filling out our contact form, communicating with us over email or when asking to be informed of updates on our business. We always store Personal Data securely on our cloud based document management system and within our cloud based proprietary data store.
As a Data Processor, we process Personal Data that you may provide to us directly through email, a data sharing platform (such as SharePoint or Dropbox) or through our idclear Onboarding Widget. We may also process Personal Data that has been provided to us by a client who is the Data Controller for that Personal Data.
Our Data Protection Office (“DPO”) oversees the storage and maintenance of your Personal Data. We have physical, technical and administrative security measures in place, which will ensure the confidentiality of the information contained including, but not limited to:
- the encryption of electronic communications
- encryption of Personal Data during transmission
- Data access controls
- employee training
- use of technological means, such as firewalls, to prevent unauthorised access
- disaster recovery measures
- appropriate insurance
These measures will be reviewed over time and upgraded in line with technological developments and legal requirements.
3. HOW AND WHY WE PROCESS YOUR PERSONAL DATA
As a Data Controller, we will only collect and process your Personal Data through our Site where we are legally allowed to do so and namely (but not exclusively) in situations where you give us consent or where the processing of your Personal Data is necessary for us to develop our business. The table below shows the purpose for which we will process your Personal Data and our lawful basis for doing so in these situations.
Purpose | Type of data | Lawful basis for processing |
To keep you informed of developments with our business. | Your name and contact information, such as email. | Your consent and our legitimate interest to keep you informed of developments you have shown interest in. We will always stop updating you if you tell us to do so. |
To communicate with you. | Your name, contact information, such as email, and any other data you may choose to share with us over correspondence. | Your consent and our legitimate interest to interact with actual and potential customers and manage our business. |
We process the above data only by storing it, viewing it and utilising it for the purpose provided.
As a Data Processor, we will only collect and process your Personal Data when instructed to do so by our client, the Data Controller. The table below shows the purpose for which we will process your Personal Data and our lawful basis for doing so in these situations.
Purpose | Type of data | Lawful basis for processing |
To conduct customer due diligence on behalf of our client | Your personal identifiers, including: · Your name and any aliases · Your email address · Your phone number · Your physical address · Your physical location · Your IP address · Copies of your identity documents (such as a passport, ID card or driving license) · Information about your financial status, funds and wealth · Information about your employment · Publicly available information about you (such as information from social media and news outlets) · Any Personal Data you may choose to provide us in correspondence with us | As Data Processors we rely on the legal basis of the Data Controller when processing these categories of Personal Data. The most common legal bases are: · Necessity to comply with legal obligations to conduct due diligence · Necessity in order to perform a task in the public interest · Consent |
In order to conduct due diligence using your Personal Data, we may subject aspects of your Personal Data, including photos or scanned copies of documents to automated reading, verification of authenticity, and other types of automated processing, such as cross-checks against multiple databases such as PEP lists and global and country-specific sanctions lists.
We will never sell your Personal Data.
Change of purpose
We will only ever process your Personal Data for a purpose which is either listed in the table above or compatible with those already listed. Should we have a legal basis to process your Personal Data for any other reason, we will always inform you directly of the processing and explain why we are allowed to do so.
4. KEEPING YOUR PERSONAL DATA CURRENT
To keep the Personal Data we hold about you accurate and current, please keep us informed of any changes to your information. From time to time we may also ask you to review and update your Personal Data.
5. SPECIAL CATEGORY PERSONAL DATA
We do not gather or process any sensitive or special category data through our Site. As Data Processors we may process special category Personal Data in the form of biometric data as part of conducting customer due diligence on behalf of our clients.
6. WHO MAY RECEIVE YOUR PERSONAL DATA
Sometimes, we may share some aspects of your Personal Data with the following:
As Data Controller:
- Third party service providers (including contractors): such as providers that assist us in our due diligence processes, secure document storage, client work, marketing and website hosting and development. More details on these parties can be provided to you upon request.
- Agents, advisors and business partners: such as providers that assist us with legal and financial aspects of our business and other companies or individuals that we may partner up with to enable us to provide our clients with our services and to improve our service offering. More details on these parties can be provided to you upon request.
- Public agencies: such as law enforcement agencies, government entities, regulators, courts and other third parties who may request your personal data under a legal requirement or court order. We will always take your interests into account when responding to such requests.
- Group companies: such as companies who are in the same group of companies as idclear, for example Dolya Consulting.
As Data Processor:
- Our clients and third parties authorised by them. As Data Processors, we will only share your Personal Data with such parties as authorised by the Data Controller.
Where possible, we do not allow our third-party service providers, agents, advisors, business partners or contractors to use your Personal Data for their own purposes and only permit them to process your Personal Data in accordance with our instructions. Where any third-parties to whom we provide your Personal Data act themselves as Data Controllers, they are responsible for the treatment of your Personal Data.
Should we ever choose to sell, transfer or merge parts (or the entirety) of the idclear business to or with another company, the new entity may also use your Personal Data in accordance with this Privacy Notice.
7. TRANSFER OUTSIDE OF THE EEA
Should we need to transfer your Personal Data outside of Gibraltar, the UK and/or the European Economic Area (EEA), we will comply with at least one of the following requirements:
- When dealing with international third parties, we will ensure that your Personal Data is covered by contractual clauses, approved by the Gibraltar Regulatory Authority, which will extend local data protection standards to your Personal Data.
- We will ensure that the country to which your Personal Data is being transferred is regarded as a jurisdiction offering adequate protection to Personal Data.
8. HOW LONG WE KEEP YOUR PERSONAL DATA
As a Data Controller we will only keep your Personal Data for as long as it is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, reporting or regulatory requirements. For more information please contact our DPO using the email at the end of this Notice.
For Personal Data processed on behalf of our clients, we will follow the retention periods established by the Data Controller and will always delete all Personal Data within 30 days of being requested to do so by the Data Controller.
We may retain anonymised and/or aggregate data indefinitely as long as it is no longer considered Personal Data.
9. YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
You have the right to:
- Request access to your Personal Data. We will provide you with a copy of the Personal Data we hold about you upon request.
- Request correction of any Personal Data that we hold about you. We will correct any incomplete or inaccurate Personal Data we hold about you upon request.
- Request erasure of your Personal Data. We will delete or remove Personal Data provided that (i) we do not have a lawful basis to retain the data; or (ii) you have successfully objected to our processing of your data; or (iii) we have processed your information unlawfully; or (iv) we are required to erase your Personal Data to comply with an applicable local law.
- Object to processing of your Personal Data. We will stop processing your Personal Data if we have been unfairly relying on a legitimate interest (ours or that of a third party) for processing causing an undue impact on your fundamental rights and freedoms.
- Request restriction of processing of your Personal Data. We will suspend the processing of your Personal Data if (i) you ask us to check the data’s accuracy; or (ii) our use of the data is unlawful but you do not want us to erase it; or (iii) you need us to retain the data past our retention period in order to establish, exercise or defend a legal claim; or (iv) you have objected to our processing and your objection is being investigated.
- Request the transfer of your Personal Data. We will provide you, or a third party you have chosen, with your Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated data which we process under your consent or where such Personal Data is used to perform our employment contract with you.
- Withdraw consent. We will stop processing any Personal Data which we are using under your consent. Remember that any processing done before consent is withdrawn remains lawful.
- Raise a complaint. We will always investigate thoroughly any concerns you may have about our use of your Personal Data. Please use the contact details below to reach out to the idclear DPO with any worries, questions or problems.
If you have any questions or wish to exercise any of the rights specified above, please contact the idclear DPO on [email protected].
As a Data Processor, we can only assist in the exercise of your rights under the CCPA upon the written instruction of the Data Controller.
Fees and confirming your identity
You will not have to pay a fee to exercise any of your rights in relation to your Personal Data, but we may charge a reasonable fee or refuse to comply with your request if it is clearly unfounded, repetitive or excessive.
We will ask you for information and documents to confirm your identity prior to you exercising your rights in relation to your personal data.
10. COOKIE POLICY
We may use cookies, small files that are downloaded to your computer, to improve your experience. For general information on cookies see the Wikipedia article on HTTP Cookies:
https://en.wikipedia.org/wiki/HTTP_cookie
Cookies we may set:
- If we offer newsletter or email subscriptions, we will use cookies to remember if you are already registered with us.
- From time to time we may ask you to participate in a survey or questionnaire to provide you and us with relevant insights and to understand our user base more accurately. These may use cookies to remember who has already taken part in a survey or to provide you with accurate results after you change pages.
- When you submit data through a contact or comment form, cookies may be set to remember your user details for future communication.
- We may also use third party service provider(s), such as Google Analytics, to assist us in better understanding the use of our website. Google Analytics is one of the most widespread and trusted analytics solutions on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content. For more information on Google Analytics cookies, see the official Google Analytics page: https://en.wikipedia.org/wiki/HTTP_cookie. Our service provider(s) analyse(s) this information and provide(s) us with aggregate reports. Our service provider(s) is/are contractually restricted from using information they receive from our site other than to assist us.
Your continued use of this website, as well as any subsequent usage, will be interpreted as your consent to cookies being stored on your device.
Disabling Cookies:
You can disable cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies may affect the functionality of this and many other websites that you visit.
11. CCPA NOTIFICATION
This notification is only relevant to those individuals who are residents of the State of California and whose Personal Data we process.
As a business collecting and processing your Personal Data, we guarantee the following rights:
- Right to know: the categories, and specific pieces, of Personal Data we collect, the purpose for collecting, the categories of third parties we share your Data with.
- Right to delete: any of your Personal Data, subject to certain exceptions.
You may exercise the above mentioned rights by contacting us using the contact details below.
As a Data Processor, we can only assist in the exercise of your rights under the CCPA upon the written instruction of the Data Controller.
We will never discriminate against you when exercising your rights, unless such discrimination is permitted by the CCPA.
12. NOTICE TO RESIDENTS OF THE STATE OF ILLINOIS, WASHINGTON OR TEXAS (USA)
Personal Data that we process may include certain ‘biometric identifiers’, such as scans of facial features, and ‘biometric information’, meaning data extracted from and based on biometric identifiers. Biometric information is used to verify your identity when conducting due diligence on behalf of our clients.
As a Data Processor, we will only process such data on the instruction of the Data Controller and will delete it when:
- the Data Controller instructs us to do so;
- following the termination of our commercial relationship with the Data Controller; or
- three years following our last interaction with you;
whichever is earlier. However, we may keep the data if we (or the Data Controller) are legally obliged to retain it.
13. CONTACT, QUESTIONS AND COMPLAINTS
We are committed to robust standards of privacy protection, but if you become concerned about our management of your Personal Data or have any questions about our use of cookies, please contact the idclear DPO at [email protected].
You also have the right to make a complaint at any time to the Information Commissioner under the Data Protection Act – currently the Gibraltar Regulatory Authority (“GRA”). However, we would appreciate an opportunity to resolve your concerns in the first instance.
The contact details for the GRA are:
Gibraltar Information Commissioner
Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4
1 Europort Road
Gibraltar
Email: [email protected]
Phone: (+350) 200 74636
Fax: (+350) 200 72166