1. INTRODUCTION
This is the LoginID Privacy Statement for consumer, customer, supplier and business partner data, where this information relates to an individual. This Privacy Statement provides information on the processing of personal data by LoginID, hereafter LoginID, we or us.

In this Privacy Statement we describe who we are, how and for which purposes we process your personal data, how you can exercise your privacy rights and all other information that may be relevant to you.

We did our best to provide you with all information in a clear and readable format. However, if you have any questions about our use of your personal data after reading this Privacy Statement, you can of course always contact us through the contact details provided below.

This Privacy Statement may be changed over time. The most up-to-date Privacy Statement is published on our website. This Privacy Statement applies from September 1, 2020. The last modifications to this Privacy Statement were made on September 1, 2020.
2. WHEN DOES THIS PRIVACY STATEMENT APPLY?
This Privacy Statement is applicable to the processing by LoginID of all personal data of business clients and their end-users. LoginID’s Business Clients are our affiliated partners (merchants, applications, and websites), resellers, and agents that have integrated with the LoginID service. This Privacy Statement does not address the processing of personal data of applicants or employees in the context of their employment relationship with LoginID.

It is LoginID’s policy to comply with the privacy legislation within each jurisdiction in which we operate. Sometimes the privacy legislation and/or an individual’s right to privacy are different from one jurisdiction to another. This Privacy Policy has a limited scope and application. Consequently, the rights and obligations contained in this Privacy Policy may not be available to all individuals or in all jurisdictions. If you are unsure if or how this Privacy Policy applies to you, please contact our Privacy Officer for more information.
3. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
LoginID is either a data controller or a data processor for the processing of all personal data that fall within the scope of this Privacy Statement. More information on what our specific data protection role is in relation to our processing activities can be found below, under Section 4 “For which purposes do we process your personal data?”. This Privacy Statement provides information on what personal data are collected and used (processed) by LoginID and for what purpose, and to which persons or entities the data will or may be provided. LoginID will not share your personal data with external parties, unless specifically requested by the responsible business client or the data subject, or otherwise to comply with a legal obligation.
4. FOR WHICH PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
4.1 When you make use of the LoginID service

When you use the LoginID service, whether as a developer or as an end-user of one of our business clients, we will process your personal data. Through our authentication process, we process your personal data to create your credentials, so that you can always authenticate yourself on the LoginID service. Once verified, we store and manage your personal data so that it is secure and readily accessible, and retrieved at your request or at request of our business clients. As part of our continuing efforts to manage and maintain our business operations including investigating and resolving incidents, and securing the integrity of the LoginID service, we may monitor, and log the interactions of developers and administrators.

(a) Client device verification and authentication

In order for you to use the LoginID service, we process your personal data to verify your device. The one-time verification process creates the credentials through which you and our customers authenticate themselves when using the platform(s) and/or service(s) of our business clients who have integrated with the LoginID service. For these processing activities, our business clients are the data controller and LoginID is the data processor.

Client device verification and authentication relies on Strong Customer Authentication (SCA), based on the FIDO protocols, which uses standard public key cryptography technologies to provide stronger and more effective authentication. When using the LoginID service for the first time, we need you to register your device with the online service that you want to log in to and unlock the FIDO authenticator by presenting your local device with a biometric (such as your fingerprint, facial recognition, or iris scanning). The device will create a public/private key pair that is unique to (i) your device, (ii) the business client’s online service and (iii) your account (with that service). The public key is stored with LoginID while your private key (including any biometric information) never leaves your device.

For these purposes, we process your username, e-mail address, IP-address and FIDO public key. For administrators and developers of our business clients, LoginID processes the same categories of personal data in addition to e-mail address and country of business.

The legal basis for this processing activity is the performance of a contract.

(b) Data management, storage, and collection

We manage and store your personal data on behalf of and according to the instructions of our business clients. LoginID ensures that your personal data is accessible and reliable, and can be retrieved at your request or at the request of our business clients.

For these purposes, we process the personal data provided to us by you and those personal data provided by our business clients. This processing is limited to your username, e-mail address, IP-address, and FIDO public key.

The legal basis for this processing activity is the performance of a contract.

(c) Monitoring and logging

To ensure the security of your personal data and compliance with the Terms and Conditions of our service, we monitor the behaviour of developers and administrators of our partnered business clients. The log data that we collect works as a forensic trail and allows us to respond to incidents quickly and resolve them effectively. This processing activity allows us to monitor administrator interactions around dashboard-related activities.

For this purpose, we may process personal data such as the administrator username, activity timestamp, user roles, and generated errors (if any). The legal basis for this processing activity is our legitimate interest.

(d) To manage, maintain and develop the LoginID service and business operations

We process your personal data in order to assess, analyse and improve the LoginID service. We use aggregated personal data to analyse how users interact with the service and the features it provides, so that we may adjust and improve our products and services accordingly. By analysing this aggregated personal data, we can calculate certain values such as the percentage of end-users authenticating themselves with biometrics versus username and password, or the percentage of end-users who use their desktop versus device.

For this purpose, we may process personal data such as IP-address, particular authentication factors used (such as SMS, biometric, username and password), browser, device information, and geolocation of your network.

The legal basis for this processing activity is legitimate interest.

4.2 When you interact with LoginID (online or offline)

If you get in touch with us via info@loginid.io on the LoginID website, we will use your personal data in order to reply to and answer your question. For this purpose, we process your name, contact details, your correspondence with us, your question and all other personal data which are necessary to answer your question.

We are active on social media platforms like LinkedIn and Telegram. When you contact us through these channels, we will assume your consent to the collection, use and disclosure of your personal information for the purposes related to answering your questions and responding to your messages. We process your personal data accordingly, including your (user)name, email address, and the personal data you have included in your message.

The legal basis for this processing activity is consent.

4.3 For the management and improvement of our internal business operations

LoginID collects personal information to enable us to manage, maintain and develop our business and operations, including:
● to establish, maintain and manage our relationship with you so that we may provide you with, or receive from you, the products and services that have been requested (for example, we will use your personal information to establish your identity and credentials so that we may provide you with the products and services that you have requested);
● to review the products and services that we provide to you so that we may understand your requirements for our products and services and so that we may work to improve our products and services;
● to review the products and services that we obtain from you so that we may work with you and so that you may understand our requirements for such products and services;
● to comply with your requests (for example, if you prefer to be contacted at a business or residential telephone number and advise us of your preference, we will use this information to contact you at that number);
● to protect us against error, fraud, theft and damage to our goods and property;
● to enable us to undertake our environmental, health and safety activities, including incident planning, response and investigation;
● and any other reasonable purpose to which you consent.

4.4 To comply with the law

In some cases, we process your personal data to comply with laws and regulations. This could, for example, be the case where tax or business conduct related obligations apply. In order to comply with relevant laws and regulations, we may need to disclose your personal data to government institutions or supervisory authorities.

The categories of personal data processed for this purpose depend on the legal obligation and we will limit the processing of the personal data to what is strictly necessary to comply with that obligation.
5. COOKIES
We also collect information through the use of cookies. Cookies are small files of information which save and retrieve information about your visit to this website – for example, how you entered our site, how you navigated through the site, and what information was of interest to you.
6. WHO HAS ACCESS TO YOUR PERSONAL DATA?
6.1 Access to your personal data within LoginID

As a global organisation, data we collect may be transferred internationally throughout our worldwide organisation. Our employees are authorised to access personal data only to the extent necessary to serve the applicable purpose and to perform their jobs.

6.2 Access to your personal data by third parties

The following third parties might have access to your personal data for the purpose of provisioning of their products or services to us:
● Amazon Web Services (AWS) – hosting and storage services
● Pipedrive – customer relationship management
● Mailchimp – integrated marketing platform for small businesses
● Google Analytics - statistics and analytics service
● Crisp - customer messaging platform

When third parties are given access to your personal data, we will take the required contractual, technical and organisational measures to ensure that your personal data are only processed to the extent that such processing is necessary. The third parties will only process your personal data in accordance with applicable law.

If your personal data are transferred to a recipient in a country that does not provide an adequate level of protection for personal data, we will take measures to ensure that your personal data are adequately protected, such as entering into EU Standard Contractual Clauses with these recipients.

In other cases, your personal data will not be supplied to third parties, except where required by law.

6.3 The use of your personal data by data (sub-)processors

When a third party processes your personal data solely following LoginID instructions, it acts as a data (sub-)processor. We enter into an agreement with such a data processor for the processing of personal data. In this agreement we include obligations to ensure that your personal data are processed by the data processor solely to provide services to us.
7. HOW ARE YOUR PERSONAL DATA SECURED?
LoginID has taken adequate safeguards to ensure the confidentiality and security of your personal data. We have implemented appropriate technical, physical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing. Examples are IT security policies, staff training and secure servers.
8. HOW LONG ARE YOUR PERSONAL DATA RETAINED?
Your personal data will be removed or made anonymous when your personal data is no longer necessary for the purposes for which these personal data are processed. However, LoginID’s role as a processor means that the applicable retention periods are determined by our business clients.
9. HOW CAN YOU EXERCISE YOUR PRIVACY RIGHTS?
You have the right to request access to an overview of your personal data, and, under certain conditions, rectification and/or erasure of personal data. In addition, you may also have the right of restriction of processing concerning your personal data, the right to object to processing as well as the right to data portability.

To invoke your right of access, rectification, and/or erasure of personal data, your right of restriction of processing, and/or your right to object to processing as well as to invoke your right to data portability please:
● If you are one of our clients’ end-users: please contact our client directly.
● If you are one of our client developers or admins: please contact us at privacy@loginid.io.

If you have given your consent to a certain purpose, you can withdraw your consent at any time. Please keep in mind that withdrawal does not have retrospective effect. You can contact us by using the contact details at the bottom of this Privacy Statement.
10. DO YOU HAVE QUESTIONS OR COMPLAINTS?
If you have any further questions about the way we process your personal data, please contact us at privacy@loginid.io.

Should you still be of the opinion that your request or complaint was not handled satisfactorily by us, you have the right to lodge a complaint with your local data protection supervisory authority. Please contact your local data protection supervisory authority through the contact details on their website.