Data Protection Policy

GDPR Compliance Statement

Effective Date: December 2025
Last Updated: December 2025

At KYsee.io (“we”, “us”, “our”), we are committed to processing personal data in a way that respects privacy rights and complies with data protection laws, including the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and applicable UK GDPR requirements.

This statement explains how we support GDPR compliance in the delivery of our identity verification, AML/PEP screening, and related Services.

  1. Data Protection Principles

We adhere to the core principles of the GDPR when processing personal data:

  • Lawfulness, fairness, and transparency
    Personal data is processed only where we have a lawful basis and in a clear, transparent manner.
  • Purpose limitation
    Data is collected only for specified, explicit purposes related to our Services.
  • Data minimisation
    We collect and process only what is necessary to deliver the Services.
  • Accuracy
    We implement measures to ensure data remains accurate and up to date.
  • Storage limitation
    We retain personal data only as long as needed to fulfil contractual and legal obligations.
  • Integrity and confidentiality
    We protect personal data using appropriate technical and organisational security measures.

  2. Roles & Responsibilities

Data Controller vs Data Processor

Depending on the context in which personal data is processed:

  • Client as Controller:
    When you (our Client) upload or submit personal data for identity verification, you act as the data controller — determining the purposes and means of processing.
  • KYsee.io as Processor:
    We act as a data processor for Client Data, processing personal data on your behalf solely to provide the Services as defined in your contract and the Data Processing Addendum (DPA).

Where KYsee collects personal data directly (for support, account management, or marketing), KYsee acts as the data controller for that data.

  3. Lawful Bases for Processing (Controller & Processor)

For GDPR compliance, personal data processed by KYsee is supported by one or more of the following lawful bases:

  • Contractual necessity: to fulfil our contractual obligations to our Clients.
  • Legitimate interests: for service delivery, security, fraud detection, and product improvement.
  • Consent: where an individual has explicitly consented to specific processing activities.
  • Legal obligations: to comply with applicable laws or regulatory requirements.

  4. Data Security & Safeguards

We implement appropriate technical and organisational measures to protect personal data, including:

✔ Encryption of data in transit and at rest
✔ Access controls and authentication mechanisms
✔ Vulnerability management and penetration testing
✔ Logging, monitoring, and anomaly detection
✔ Secure infrastructure hosted on trusted cloud platforms
✔ Periodic security reviews and audits

These measures are designed to ensure confidentiality, integrity, and availability of personal data.

  5. Subprocessors & Third Parties

We may engage trusted third-party subprocessors to support the delivery of our Services (e.g., cloud hosting, analytics, identity data providers).
We ensure that:

  • Subprocessors provide adequate safeguards
  • Data processing agreements are executed
  • We remain fully responsible for their performance

A current list of subprocessors can be provided on request or published where appropriate.

  6. Data Subject Rights

Under the GDPR, individuals (data subjects) whose personal data we process may have the following rights:

  • Right of access – Obtain confirmation of processing and a copy of personal data.
  • Right to rectification – Correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) – Request deletion of personal data in certain circumstances.
  • Right to restriction of processing – Restrict how data is processed.
  • Right to data portability – Receive personal data in a structured, commonly used format.
  • Right to object – Object to certain processing based on legitimate interests.
  • Right to withdraw consent – Where processing is based on consent.

To exercise these rights in relation to the Services, please contact your Client Administrator or email privacy@kysee.io. We will respond in accordance with applicable law.

  7. Cross-Border Data Transfers

KYsee may process and store personal data in multiple jurisdictions.
Where personal data is transferred outside the European Economic Area (EEA) or the UK, we will ensure adequate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Other authorized transfer mechanisms under GDPR

This ensures that data remains protected in accordance with EU/UK data protection standards.

  8. Data Retention

We retain personal data only as long as necessary to provide the Services or to comply with legal obligations. Retention periods may vary based on:

✔ Contractual requirements
✔ Legal or regulatory retention mandates
✔ Nature of the personal data

  9. Incident Response & Breach Notification

KYsee maintains an incident response program to detect and respond to security events.
In the event of a personal data breach affecting Client Data, we will:

  • Notify the affected Client without undue delay
  • Provide relevant details to support regulatory reporting
  • Cooperate with investigations and remediation

  10. Training & Accountability

We maintain internal policies, training, and governance to ensure that:

  • Staff understand GDPR obligations
  • Processing activities are logged and monitored
  • Compliance is maintained throughout product and operational lifecycles

  11. Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in law, technology, or our Services.
The Effective Date at the top will be updated accordingly.

  12. Contact Information

For GDPR, privacy rights, or data protection inquiries:

📧 privacy@KYsee.io
📍 Archiepiskopou Makariou III, 59 MOUYIAS TOWER, 3rd floor, Larnaca, Cyprus.