GDPR Compliance
Last updated: January 1, 2025
Xident Technologies Inc. is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements.
1. Our Role Under GDPR
Depending on the context, Xident acts as either a data controller or a data processor:
- Data Controller: When we collect data directly from end users who create a Xident ID, we are the data controller responsible for determining how that data is processed.
- Data Processor: When we process data on behalf of our business customers (who integrate our verification services), we act as a data processor under their instructions.
2. Legal Bases for Processing
We process personal data based on the following legal bases under Article 6 of GDPR:
- Consent (Article 6(1)(a)): For biometric data processing, we obtain explicit consent before collecting facial images or creating face embeddings.
- Contract (Article 6(1)(b)): Processing necessary to provide our verification services as agreed in our terms.
- Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, such as anti-money laundering regulations.
- Legitimate Interests (Article 6(1)(f)): Processing for fraud prevention, security, and service improvement, where our interests don't override your rights.
3. Special Category Data
Biometric data used to uniquely identify individuals is considered "special category" data under GDPR Article 9. We process this data only with your explicit consent (Article 9(2)(a)) for the specific purpose of identity verification.
4. Your Rights Under GDPR
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
Right to Access (Article 15)
You can request a copy of the personal data we hold about you, including information about how we process it and who we share it with.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or you withdraw consent.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while we verify its accuracy or consider your objection.
Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our verification process includes human review options.
Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time. This won't affect the lawfulness of processing before withdrawal.
5. Exercising Your Rights
To exercise any of these rights, you can:
- Email us at privacy@xident.io
- Use the data management features in your Xident ID account settings
- Contact our Data Protection Officer (details below)
We will respond to your request within 30 days. In complex cases, we may extend this by up to 60 days, but we'll inform you of any extension.
6. Data Transfers
When we transfer personal data outside the EEA, we use appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved contracts that ensure adequate protection.
- Adequacy Decisions: Transfers to countries the EU has determined provide adequate protection.
- Supplementary Measures: Additional technical and organizational measures where required.
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, including our biometric verification services. These assessments evaluate risks and identify measures to mitigate them.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay if there is high risk
- Document the breach and our response
9. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. For specific retention periods, please see our Privacy Policy.
10. Sub-processors
When acting as a data processor, we may use sub-processors to help deliver our services. Our customers can view and approve our list of sub-processors through our Data Processing Agreement.
11. Data Processing Agreement
Business customers who need a formal Data Processing Agreement (DPA) compliant with Article 28 of GDPR can access our standard DPA on our DPA page or request a custom agreement by contacting us.
12. Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at:
Data Protection Officer
Xident Technologies Inc.
Email: dpo@xident.io
13. Supervisory Authority
If you are not satisfied with how we handle your request or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. In the EU, you can find your local authority at edpb.europa.eu.
14. EU Representative
As required by Article 27 of GDPR, we have appointed an EU representative who can be contacted at:
Email: eu-representative@xident.io
15. Contact Us
For any questions about our GDPR compliance or data protection practices, please contact us at:
Xident Technologies Inc.
548 Market St, Suite 95234
San Francisco, CA 94104
Email: privacy@xident.io