Sehaci Privacy Policy
This document describes how we collect, use, and disclose information about you. This Privacy Policy applies to information we collect from Data Subjects when you access or use our Services or otherwise interact with us, such as by using our mobile app, or visiting our Website or office.
Sehaci is specialized in providing online identification services. We mainly process End-User Personal Data as a Data Processor for the benefit of the Client in order to provide our Services to our Clients. Therefore, you should always read both this Privacy Policy and the information about data processing according to the Client’s Privacy Policy (i.e., the Privacy Policy of the company for whom you identify yourself).
1. Definitions
Here you can find the meanings of the most important terms in this Privacy Policy to help you understand how and for what we are processing your Personal Data.
Agreement – the service agreement entered into between Sehaci and Clients, including service agreements for trials and partnership agreements.
Client – the legal entity to whom we intend to provide or already provide our Services under the Agreement, including Sehaci’s partners under a partnership agreement.
Client Representative – natural person representing the Client, including any natural person with whom we communicate (i) as the representative of a potential Client prior to conclusion of the Agreement, (ii) during the Agreement term as the representative of our Client, and (iii) after the Agreement term as a representative of former Client, as relevant.
Data Controller – a legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Except as otherwise provided in this Privacy Policy, Clients are Data Controllers for End-User Personal Data and give instructions regarding processing to Sehaci.
Data Processor – a legal person, public authority, agency, or other body which processes personal data on behalf of a Data Controller. Except as otherwise provided in this Privacy Policy, Sehaci processes End-User Personal Data as a Data Processor on behalf of Clients who are the Data Controllers. For all other Data Subjects, Sehaci is acting as the Data Controller.
Data Providers – these are entities, such as public authorities or our Data Processors, from whom we may collect Personal Data for verification purposes. For example, we may check the End-User-provided information against the official public registry or other fraud prevention services.
Data Subject / you – a natural person or individual about whom we have Personal Data, including Client Representatives, End-Users, Visitors, Office Visitors, natural persons who provide us feedback (including research and inquiry-related data) and other natural persons whose Personal Data we may process.
Personal Data or Personal Information – any information relating to an identified or identifiable natural person (the Data Subject), subject to applicable data protection laws; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Anonymized data is de-identified and not Personal Data.
Privacy Policy – this Privacy Policy, made available at https://www.sehaci.com/legal/privacy-policy
Service(s) – personal identity verification service and connected services (such as any ongoing authentication services, assisting services, fraud prevention and other similar services) provided by Sehaci to Clients.
Visitor – is any person visiting Sehaci’s Website.
Website or Sehaci’s Website – https://www.sehaci.com/, including its subpages and subdomains, operated by Sehaci.
2. Our main privacy principles
The privacy principles we follow when processing Personal Data.
2.1. We strive to process Personal Data in a reliable and confidential way.
2.2. Data protection is an integral part of our Service. We care about developing and deploying services that take into account privacy by design and privacy by default principles.
2.3. We process Personal Data lawfully and purposefully. We set clear goals for the processing of Personal Data and process Personal Data for these purposes only.
2.4. We process Personal Data in a transparent and fair way.
2.5. We store Personal Data only for as long as the retention of data is required by law, a contract or is necessary for the provision of our Services or required for protecting us against legal claims.
2.6. We do our best to make sure that the Personal Data we process is accurate and limited to what is necessary for the purpose for which it was collected.
3. The content of Personal Data we process
Personal Data we process about End-Users
3.1. We provide personal identity verification services to Clients. This means we verify End-Users, i.e., you. For that you have acknowledged data processing according to the Client’s Privacy Policy and data processing by us in accordance with this Privacy Policy. We may collect and process, among other data, the following Personal Data collected either directly from you or from the Client:
(1) personal information concerning the End-User, which mainly consists of information on the End-User’s document and/or extracted from the document (including digital Identity card or mobile Driver's License), for example name, sex, personal identification number or national equivalent, date of birth, age, legal capacity, nationality, citizenship, organ donor status, eye color, weight and height, as well as the historic data of that End-User that may have been stored with us during previous interactions within the retention periods;
(2) document details, such as the name of the document, issuing country or state, number, expiration date, information embedded to document barcodes (may vary depending on the document) and security features;
(3) identity verification data, such as photographs taken from you and your document, and video and sound recording of the verification process (of the whole session, if such recording is enabled by the Client), the checks results;
(4) contact details, such as address, e-mail address, telephone numbers, IP address and, if relevant, presented document type (e.g. utility bill);
(5) technical data (Device Signature), including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, your software and hardware attributes as well as your general geographic location (e.g. city, state, country);
(6) machine-readable data, metadata and device and network information;
(7) photos and videos as well as data, such as face scans and other measurements, extracted from the same which are used to authenticate the End-User or compare the End-User’s face to identity document photos - some of this extracted data may be considered biometric data and/or sensitive Personal Data (also "special category of personal data", hereinafter referred to as “sensitive Personal Data”) under applicable data protection laws in certain jurisdictions;
(8) publicly available relevant data and data from external registries, e.g. information about being a politically exposed person (PEP), checks in public sanction lists and other information from such registries, as determined by the Client;
(9) personal information provided by the End-User, e.g. data from communications with us, feedback data;
(10) personal information provided by natural persons who have participated in our product and market research initiatives;
(11) personal information that we have received from the Client, e.g. contact details;
(12) evidence and records of legal basis (including consents), for example in cases where we are required or have elected to obtain a consent or a written release or another legal basis prior to processing certain Personal Data.
3.2. Clients may have access to your Personal Data. We may share your Personal Data including identity verification data with the Client through which you used our identity verification service.
3.3. Please note that providing your Personal Data is voluntary. However, the decision not to do so may mean that you are not able to verify your identity via our Service.
Other Personal Data we process on our Website and/or End-Users of our Service
3.4. When you visit our Website and/ or Service, we may use cookies and similar technologies (collectively “Cookies”), including those provided by third parties, to collect information about your use of our Website and/or Service and other websites and mobile apps, including:
(1) your IP address, and time, and approximate location inferred from your IP address;
(2) usage of the Website and/or Service and other web log data, such as the pages you visit on the Website, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the Website;
(3) technical data (Device Signature), including but not limited to information about your IP address and domain name, your software and hardware attributes (including device IDs) and your general geographic location (e.g. city, country);
(4) e-mail addresses, when you subscribe to Sehaci’s newsletters or download Sehaci’s content.
3.5. Purpose of processing with the help of Cookies. We use the data collected to improve our Service and make use of our Service more convenient. For example, Cookies help to enable Website and Service features, to analyze and track Website usage and activity, including for quality assurance and to determine the popularity of certain content, and to personalize your experience, such as by remembering your customized choices. We also use Cookies for our marketing efforts, including to ensure we deliver to you the most relevant content, to deliver advertising targeted to your interests on other companies’ sites or mobile apps and to make our marketing efforts more efficient subject to applicable laws.
4. Legal grounds and Purposes of processing
Why and on what grounds we process your Personal Data.
4.1 We process Personal Data for the provision of our Services. Regarding Personal Data about End-Users, Sehaci's main purpose for processing is to provide our Services to our Clients.
(1) Generally, the main purpose of the Service is to verify your identity.
(2) In some cases, we may also further check whether we have previously verified an End-User on behalf of the same or a different Client by comparing the session with the previous session.
(3) We mainly process End-User Personal Data as a Data Processor for the benefit of the Client in order to fulfill the Agreement entered into with the Client for (i) performance of the Agreement (including for the provision of the Service, and performance of any obligations or realization of any rights arising from the Agreement; (ii) the purpose of realization of rights and fulfillment of obligations deriving from legal acts; and (iii) processing your inquiries and requests.
(4) The legal basis for the processing depends on the Client as the use cases and related legal requirements vary from Client to Client. The legal basis is selected and ensured by the Client. In some cases we or our Client may ask you to grant us consent for processing. Sehaci may, as determined and as appropriate, choose to collect the consent itself, however, the relationship between the End-User and the Client remains unaffected for such collection of consent by Sehaci.
(5) To the extent permitted by law and the Agreement, Sehaci may also use Personal Data for other reasonably necessary operational purposes as part of provision of the Service, or rely on its legitimate interest for such processing as described in the next section.
4.2 We also may process Personal Data of Data Subjects, including End-Users, as a Controller if processing is necessary in our legitimate interests in compliance with applicable data protection laws, meaning our interest in the management and direction of our business in order to be able to offer the best possible services on the market. For our legitimate interest, we may process data for the following purposes:
(1) for analyzing the use of our Service, and using research and analysis results, among other methods, for carrying out satisfaction surveys, feedback questionnaires and developing our products and services, including development of autonomous and automated decision-making processes;
(2) for sending out newsletters, for marketing and developing and promoting our Services, for organization of campaigns, including personalized and targeted campaigns, and measuring the effectiveness of the performed marketing activities, as noted above, we will only rely on our legitimate interest to the extent this is permitted by law and the Agreement. Please note that for sending out newsletters, we only process your contact details;
(3) for ensuring a trust-based relationship with Clients and End-Users, this includes for example, identity verification of Client Representative, determining the ultimate beneficiaries and PEP status, as well as other activities necessary to prevent fraud, including checks in public sanction lists or our own Service history;
(4) for administration and analysis of the Client base to improve the availability, selection and quality of Services and products, and to make our Services more personalized and the best possible;
(5) for building and managing of our Client relationships;
(6) for analysis of identifiers and Personal Data collected upon the visit of websites, mobile applications and other Services. We may use the collected data for web analysis or for the analysis of mobile and information society services, for ensuring and improving functioning, for statistical purposes and for providing better and more personalized Services;
(7) for monitoring the Services. We may record the messages and instructions given on our premises or by means of communication (e-mail, telephone, etc.), as well as information and other operations carried out by us, and shall use those recordings as needed to evidence instructions or other operations;
(8) for network, information and cyber security considerations, for example, for fighting against piracy and for ensuring the security of the Websites and Service, as well as for the measures taken for making and storing backup copies;
(9) for the establishment, exercise or defense of legal claims; and ensuring compliance with applicable regulations, including retaining proof of evidence of such for compliance with our legal obligations;
(10) for conducting product and market research for purposes of quality assurance, product improvements, developments and assessing its market fit, this includes contacting and communication, interviews, making conclusions, recording of such communications for a limited period of time, etc. with End-Users, Client Representatives and other relevant data subjects. Please note that Sehaci processes, maintains, and uses aggregated or de-identified information only in a de-identified fashion and will not attempt to re-identify such information, except as permitted by law;
(11) for satisfying our legal obligations with respect to the processing and retention of Personal Data, including for obtaining the relevant legal basis for processing certain Personal Data concerning certain End-Users. Obtaining and maintaining records that such legal basis has been obtained by us is important for us to be able to prove that we comply and adhere to our legal obligations in the jurisdiction we operate in;
(12) for fraud prevention and detection purposes, to identify signs of fraud based on our internal fraud framework and advanced fraud prevention and detection techniques and to conduct certain checks against third party sites, e.g., checks against authority databases
(13) for developing, testing, improving and altering the functionality of the Service, including for machine learning (as specified in section 6 below), data annotation, testing and training, and producing anonymised or anonymised and aggregated statistical reports and research
(14) for reasons of substantial public interest on the basis of law, including but not limited to activities relating to fraud prevention and non-discrimination (e.g., bias mitigation).
4.3. Processing for a new purpose. When Personal Data processing is carried out for a new purpose different from those for which the Personal Data was originally collected or is not based on the consent given by the Data Subject, we shall carefully assess the permissibility of such new processing under applicable laws. In order to determine whether the processing for the new purpose follows the purpose for which the Personal Data was originally collected, Sehaci shall take into consideration, inter alia, the following:
(1) any link between the old and new purposes for which the Personal Data was collected and the intended further purposes of processing;
(2) the context of collecting the Personal Data, in particular regarding the relationship between the Data Subject and us;
(3) the nature of the Personal Data, in particular whether sensitive Personal Data are processed;
(4) possible consequences of the intended further processing for the Data Subjects;
(5) existence of appropriate protection measures which may consist in, for example, encryption and pseudonymization.
5. Data Subject’s rights in relation to Personal Data
Your data protection rights.
5.1 Depending on where you reside, you may have the right to (1) request to know more about and access your personal information, (2) request deletion of your personal information, (3) request correction of inaccurate personal information; (4) object to certain processing, (5) withdraw your consent where we process your information on that basis, and (6) request we restrict certain processing. More detailed information about each right is provided below.
5.2 If you wish to exercise any of your rights regarding Personal Data or ask questions about the Privacy Policy, please submit a corresponding request to us at info@sehaci.com. We will respond to your request by email as a rule no later than within one month or sooner if required by applicable law.
5.3 Please note that before we can provide you with the requested information regarding your Personal Data, we may need to verify your identity. Please also note that if your request concerns data we have processed as a Data Processor (i.e. in the course of Service provision), you must submit your request to the Client who is the Data Controller. The Data Controller can fulfill your request, as relevant. We will inform you if this is the case.
5.4 Depending on where you reside, you as a Data Subject may have the following rights in relation to your Personal Data:
(1) The right to know: The right to get confirmation whether we are processing Personal Data about you and to obtain certain personalized details about the Personal Data we have collected about you, including:
the categories of Personal Data collected;
the categories of sources of the Personal Data;
the purposes for which the Personal Data were collected;
the categories of Personal Data disclosed to third parties (if any), and the categories of recipients to whom the Personal Data were disclosed;
information about automated decision-making (if any);
the categories of Personal Data shared for cross-context behavioral advertising purposes (if any), and the categories of recipients to whom the Personal Data were disclosed for those purposes; and the categories of Personal Data sold (if any), and the categories of third parties to whom the Personal Data were sold. Please note that as stated in section 5.4(10) below, we generally do not sell your data that we collect in the course of providing identity verification services nor share it for cross-context behavioral advertising purposes.
(2) The right to access & portability: The right to obtain access to the Personal Data we have collected about you and the right to obtain a copy of the Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
(3) The right to correction: The right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.
(4) The right to delete: The right to have us delete the personal data we maintain about you.
(5) The right to non-discrimination: The right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, please note that if you exercise these rights it limits our ability to process Personal Data, we may no longer be able to engage with you in the same manner.
(6) The right to withdraw the consent: The right to take back the consent you have given to us for the processing of Personal Data. Please note that withdrawal of your consent shall not affect the legality of the processing that was made on the basis of consent before the withdrawal.
(7) The right to object: The Right to file an objection if your Personal Data processing takes place on the basis of our legitimate interest or public interest.
(8) The right to restriction of processing: The right which in certain cases allows you to direct us to limit the processing of your Personal Data for a certain period of time (e.g., if you have filed an objection to Personal Data processing).
(9) The right to submit a complaint and make appeals: If you find that applicable data protection laws have not been complied with, we would appreciate it if you contact us at info@sehaci.com (including for any appeals of our decisions). However, you also have the right to complain directly to a data protection authority about our collection, use or other processing of your Personal Data. For more information, please contact your local data protection authority. If you are in the United States and have concerns about the results of an appeal, you may contact the attorney general in the state where you reside.
(10) Opting out of targeted advertising, sharing, and sales. Our “sale,” “sharing” and “targeted advertising” activities do not apply to personal information that we collect in the course of providing identity verification services to our Clients. In the US, some of the activities described above may be considered “sales” or “sharing” of your personal data or use of your data for “targeted advertising” under the law that applies to you. Depending on where you reside, you may opt out of cookie-based ad targeting on our website by clicking the “Opt-out” button from within our “Your Privacy Choices” page. You may need to renew your opt-out choice if you use a different browser or device to access our Websites or Services, or if you clear your cookies. In addition to cookie-based ad targeting, we may disclose your identifiers, such as your email address, to our advertising partners and other third parties for marketing and advertising purposes. You may have the right to opt out of having your identifiers disclosed for these purposes by contacting us to info@sehaci.com. You can also opt out of certain targeted advertising, sharing and sales by visiting our Services with a legally-recognized universal choice signal enabled (such as the Global Privacy Control). If you are not logged into your account with us, our processing of the signal will be limited to cookie-based sales, sharing, and targeted advertising for the specific browser or device that you are using.
6. Disclosure and transfer of Personal Data
In this section you will find information about possible disclosure and transfer of your Personal Data.
6.1 Disclosure of Personal Data to authorities. Please note that due to legal requirements, we may be obliged to disclose or grant access to your Personal Data to the authorities and the supervisory authority (e.g. a court or a government agency).
6.2 Disclosure to Data Controllers, Data Processors and authorized recipients. Unless stated otherwise in this Privacy Policy or noted otherwise to you separately, we may disclose your Personal Data to Data Controllers for whom we are Data Processors (e.g. Clients), to our authorized Data Processors (sub-processors) and authorized third party sites (e.g. external registries), as well as to persons who are legally entitled to receive your Personal Data. List of authorized Data Processors (sub-processors) engaged for the Service is available here. List of authorized third party sites engaged for the Service is available here. For example, a End-User’s Personal Data, including biometric data, can be processed by authorized sub-processors that provide identity verification core services to Sehaci; Client Representative’s Personal Data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities and organizations intermediating or providing (electronic) mail, compliance or payment services and the like, Office Visitors Personal Data can be shared with IT and security partners, provided that:
(1) the respective purpose and the processing are lawful;
(2) we have diligently assessed that the authorized Data Processors or sub-processor will comply with the data protection requirements;
(3) the Personal Data processing is carried out in accordance with our guidelines and on the basis of a valid agreement.
(4) If you have questions about our authorized Data Processors or sub-processors, please contact us at info@sehaci.com.
6.3 Please note that End-User’s Personal Data can only be shared with Sehaci's sub-processors as well as to persons who are legally entitled to receive your Personal Data, if there is a valid legal basis.
6.4 Transfer of Personal Data. We process your Personal Data within the US. In the event that we need to transmit your Personal Data outside the US (e.g. for utilizing the sub-processors’ services and technical infrastructure), the transmission shall be in accordance with the requirements, principles and safeguards as stated in the applicable data protection laws, or the compliance with applicable data transfer accountability requirements. While such Personal Data is outside of your country or province of residence, it may be subject to the laws of the country, province or state in which it is held, and may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other country, province or state pursuant to the laws of such territory. In cases where Sehaci acts as the Data Controller, we make available further information on the safeguards applied (if relevant) or the extent of the transfer of Personal Data upon your request.
7. Security of Personal Data
Security is of utmost importance to us. We do our best to protect Personal Data in our hands.
7.1 We apply various commercially reasonable measures (physical, technical, organizational) to protect your Personal Data from unauthorized or arbitrary modifications, disclosure, acquisition, destruction, loss, theft, misuse, alteration or unauthorized access.
7.2 However, please note that electronic transmission or storage of information is not always 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you have any information about an actual or suspected data breach, please inform us immediately at info@sehaci.com. We will deal with the issue immediately and inform our lead data protection supervisory authority (if applicable).
8. Retention of Personal Data
Data retention principles that is the length of the period for which we keep Personal Data.
8.1 To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data and the purposes for which we process it. We must also consider periods for which we may need to retain Personal Data in order to meet our legal obligations or to deal with complaints or queries and to protect our legal rights in the event of claims being made.
8.2 We shall store your Personal Data for as long as necessary to carry out the purposes for which we originally collected it and for other business purposes explained in this Privacy Policy or as long as required by law or in accordance with the law, or for the purposes stated in this Privacy Policy. For example, there is often a statutory retention period for accounting documentation.
8.3 We store the data of End-Users during the period set forth in the Agreement (we may have different data retention periods agreed upon with the Client) or as long as it is necessary for possible establishment, exercise or defense of legal claims of End-Users, Clients or ourselves, or for anti-fraud purposes. For more information about the data retention period, you should read the Privacy Policy provided to you by the Client.
8.4 We may store your Personal Data, for a longer period than the Agreement duration if we have a lawful basis do to so, e.g. you have given us consent to use your Personal Data for the development of our Services or we have assessed that we have legitimate aim to do so, e.g., in pseudonymized form or for the purpose of the Service history log.
8.5 After the expiration of the Personal Data storage period, we shall anonymize or permanently erase your Personal Data. Please note that Sehaci processes, maintains, and uses aggregated or de-identified information only in a de-identified fashion and will not attempt to re-identify such information, except as permitted by law.
9. Children’s Personal Data
Here you can find information on how we deal with children’s Personal Data.
We may process the Personal Data of children (i.e., persons under 16* years of age; *depending on jurisdiction), the Data Controller shall take steps to ensure that there is a legal basis for such processing (e.g., a consent from a guardian of that child). If we learn that we have collected the Personal Data of a child without the guardian’s consent, we will take steps to delete the information as soon as possible.
10. Jurisdiction specific notices
You may have different rights depending on in which State of the USA you reside. Read about them in this section.
Should there be any inconsistency or ambiguity between the terms of this section and any other part of this document, these terms shall prevail.
Residents of the state of Arizona have rights as per Arizona Breach Notification Law.
Residents of the state of Colorado have rights as per Colorado Privacy Act (CPA).
Residents of the state of Maryland have rights as per Maryland Online Data Privacy Act.
Residents of the state of Georgia have rights as per Law of Georgia on Personal Data Protection.
11. Contact details and information
Our contact details.
Please review this Privacy Policy carefully and contact our Data Protection Officer (DPO) at info@sehaci.com if you have any comments, questions or concerns. You can also contact us via an online form on our website.
12. Availability of and changes to the Privacy Policy
Information about changes made to the Privacy Policy and how we inform you about the changes.
12.1 This Privacy Policy is available on our Website.
12.2 Kindly note that we may modify the Privacy Policy from time to time. If we make changes, we will notify you of such as by revising the date of this Privacy Policy. If we make material changes, we may provide you with additional notice (such as by adding a statement to the Services or sending you a notification).
12.3 You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
Valid from: January 1, 2025
Last update: March 1, 2025
