Privacy Policy

Preamble

At Compellio, we operate in strict compliance with the General Data Protection Regulation (GDPR) to protect the privacy of our users. This Privacy Policy describes how we work to secure the Personal Data of users of the www.compellio.com website and the COMPELLIO DIGITAL DATA WALLET mobile application. It provides a comprehensive understanding of how data is collected, processed, and protected.

Definitions

To ensure clarity, here are some definitions of key terms used throughout this Privacy Policy:

• Service/s: Refers to the website www.compellio.com (the “Website”), a backend platform and client applications (collectively, “Compellio Platform”), a mobile application called COMPELLIO DIGITAL DATA WALLET (the “Wallet”), and any other online products and services provided by Compellio.
• Cookie: A small file associated with a web domain that is stored on your device for subsequent interactions with the same domain.
• Personal Data: Information, whether on its own or combined with other data, that identifies or is identifiable to an individual.
• Retention Period: The duration for which data is held, either mandated by law or determined by the data controller, after which it may be securely disposed of.
• Purpose: The specific objective behind the processing of Personal Data.
• Verifiable Credential: Standardized digital certificates issued to verify specific properties about an individual.
• DIDs (Decentralized IDentifiers): New types of identifiers that enable verifiable, decentralized digital identity. The Wallet and the Platform create DIDs on your behalf.
• Cryptographic Keys: Key pairs created by the Wallet, consisting of one public key and one private key. Public keys are linked to your DIDs and published on a designated blockchain network.
• Secrets: Any private key or security code chosen by you or automatically generated by the Service.
• Data Subject (or User): An individual whose Personal Data is being processed. Compellio users are considered Data Subjects in this policy.
• Data Controller: The entity responsible for determining the why and how of data processing.
• Data Processor (or Service Provider): A party that processes data on behalf of the Data Controller.
• Processing of Personal Data: Encompasses all operations, automated or not, related to Personal Data.
• Transfer of Personal Data: Any action involving the transmission, communication, copying, transmission, broadcasting, or provision of remote access to Personal Data, regardless of the medium or method of communication.
• Personal Data Breach: Any unauthorized or accidental incident leading to the destruction, loss, alteration, unauthorized disclosure, or unauthorized access to Personal Data.

Categories of Data Subjects Affected by the Processing

The individuals affected by the processing of Personal Data are the users of the Compellio mobile application and service.

Data Controller

1. Compellio Mobile Application

Compellio is the provider of the COMPELLIO DIGITAL DATA WALLET mobile application, which empowers users to create and manage digital credentials for verification purposes.

2. Compellio Service

When using Compellio, the entity employing the service acts as the Data Controller, as they define the purpose and methods of data processing, in line with Article 4(7) of the GDPR.

Any inquiries or requests related to data collected via the Compellio service should be directed to the respective website using the Wallet to verify users. It is the Data Controller's responsibility to inform its users about the regulatory requirements outlined in Articles 13 and 14 of the GDPR, including the authorized Purposes of Processing under the Compellio service. Furthermore, the Data Controller must ensure the legality of their data collection methods in relation to their operations and the information provided by Compellio.

Data Processor (or Service Providers)

COMPELLIO SA, a private company, with registration number Bl50297 (RCS), with its registered office at 21 Rue Glesener, L-1631 Luxembourg, is responsible for processing your data.

Consent

COMPELLIO DIGITAL DATA WALLET is a decentralized identity wallet designed to empower users to manage verifiable credentials and digital assets securely. By providing your personal information to Compellio or its agents, you acknowledge and agree to the collection, usage, and disclosure of your personal data as outlined in this Privacy Policy and in accordance with your confidentiality preferences, as permitted or required by law. You retain the right to refuse or withdraw your consent for specific purposes, subject to legal and contractual obligations. Refusing or withdrawing consent may impact our ability to provide certain services or information.

Information Collection and Use

By reading and accepting this Policy, you are informed of the circumstances in which your Personal Data will be processed in relation to the Service. Your free, informed, specific, and unambiguous consent will be requested for the processing of Personal Data provided through the Service. The data requested through the Service are generally mandatory (unless otherwise specified) to fulfill the purposes for which they are collected.

What Personal Data Does Compellio Access About You?

We may collect your Personal Data from different sources:

Data That You Provide to Us:

• Identity Data (optional data provision, only for issuance of ID credentials): Your first name, last name, date of birth, nationality, and postal address.
• Contact Data: Email address.
• Correspondence Data: Feedback, problems with the Service, received customer support, or otherwise corresponded with us.
• Payment Data (optional data provision, only for buying digital assets): Your credit card number, bank account number, and any other payment-related information, blockchain crypto addresses.

Data That We May Collect Automatically:

• Technical Data: Depending on the services your Decentralized Identifiers (DIDs), public keys, and your unique device identifier.
• Browsing Data: The Service may automatically detect your IP address, domain name, unique device identifier, device and browser type, operating system, demographic information, the pages of our Sites you browsed, the time spent on those pages or features, the frequency with which the Sites are used by you, search terms, the links on our Sites that you clicked on, and other statistics. We use this information to administer the Service and analyze it with the purpose of improving the Service.

Information We Will Never Collect

We will never ask you to share your Secrets as private keys, PIN code or other code.

Scope of Privacy Policy

This Privacy Policy governs the collection, usage, and disclosure of personal information for users of the Compellio website, mobile application, and service.

Purpose of Data Processing

The compellio.com website and Compellio mobile application enable visitors and users to perform various types of verifications, including:

• Email Validation: Compellio validates users' email addresses by sending secret codes via email.

Purposes of Collecting Personal Information

We collect your personal information with the primary objective of providing the product, service, or information you have requested.

For example:

• We collect email addresses to issue certificates verifying the validity of users' email addresses.
• Identity data may be collected to issue certificates that provide verification of identity, age, and other relevant information.

Please note that the information collected for certificate issuance is not retained; it is only kept during the process of verifiable credential issuance.

Storage of Personal Information

Your personal information is securely stored on your smartphone in the form of signed files. Compellio does not retain personal data used to issue identity credentials.

Data Retention

At Compellio, we prioritize the protection of your data and practice minimal data collection. We only retain essential user information, specifically email addresses, which allow us to maintain contact with our users for the purpose of enhancing the quality of our services. We do not store any other personal information unless explicitly provided by the user for identity verification purposes. Face data is destroyed after a few seconds when provided to Yoti (AI age detection) and 48h when provided to ID360.

Our data retention policy is designed with your privacy in mind:

• Email Addresses: We retain email addresses for communication purposes and to provide updates about our services. You have the right to request the removal of your email address from our records at any time.

We do not retain personal data used for identity verification, and there is no data retention associated with the identity verification process. Your privacy and data security are of utmost importance to us, and we adhere to strict policies to ensure your information is protected.

International Transfer of Data

Personal Data that Compellio processes may be transferred to third parties based in countries outside the European Economic Area (EEA). These transfers will be performed according to the appropriate safeguards to ensure an equivalent degree of protection as set out in the GDPR, which may include the relevant Standard Contractual Clauses. In this regard, Compellio undertakes to take all necessary measures to ensure the compliance of the Transfer of Personal Data, including conducting an impact assessment of the Transfer, signing the European Commission's Standard Contractual Clauses as of June 4, 2021 (Implementing Decision 2021/914), and implementing all additional safeguards necessary for this purpose. Compellio undertakes to ensure compliance with these obligations by its Processors with respect to their own Sub-Processors.

Security of Personal Data

Your Personal Data is stored under appropriate security and confidentiality conditions, with Compellio having implemented a security policy providing for organizational and technical measures in line with the state of the art and applicable references. We employ reasonable measures to protect personal information from loss, misuse, and alteration. Our security policies are regularly reviewed and enhanced. Only authorized employees and suppliers have access to your personal information.

Disclosure of Personal Data

Compellio may disclose personal data to government agencies when required by law or when we have reasonable grounds to believe that such information could aid in the investigation of illegal activities. We may also disclose personal information to comply with subpoenas, warrants, court orders, or legal counsel.

Your Data Protection Rights with Compellio

At Compellio, we are committed to ensuring your data protection rights are upheld in accordance with the General Data Protection Regulation (GDPR). You have several important rights under the GDPR, and we are here to assist you in exercising them:

• The Right to Access, Update, or Delete: You can access, update, or request the deletion of your Personal Data directly within your account settings on our platform. If you need assistance with these actions, please don't hesitate to contact us for support.
• The Right of Rectification: If you believe your Personal Data is inaccurate or incomplete, you have the right to request corrections.
• The Right to Object: You can object to the processing of your Personal Data.
• The Right of Restriction: Request the restriction of the processing of your Personal Data when necessary.
• The Right to Data Portability: Obtain a copy of your Personal Data in a structured, machine-readable format.
• The Right to Withdraw Consent: If we rely on your consent to process your Personal Data, you have the right to withdraw it at any time.

Underpinning these rights is the legal basis of Compellio's data processing – our legitimate interest in providing you with our service. We want you to be aware of your rights, and if you wish to exercise any of them or have questions related to your data, you can contact the Data Controller or reach out to us directly at hello@compellio.com.

We take your data privacy seriously and strive to ensure that your data is handled with the utmost care and protection.

Right to Lodge a Complaint

We remind you that you have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (https://cnpd.public.lu/en.html) or the relevant supervisory authority in Luxembourg.

What Third Party Services do we use to collect and process your Data?

We use cookies to collect Usage Data through the Website. You can control the use of cookies in your browser. Please refer to Compellio’s website privacy policy to know more: https://compellio.com/legal/privacy-policy

Cookies

A cookie is present to ensure the operation of the compellio.com website. This cookie is of a functional nature and is essential for the use of the compellio.com website. It is notably used in network communications to identify a session to allow users to be recognized on the Compellio service. This "session" cookie is required for the basic functionality of the website and is therefore always active. The data generated by the activation of this cookie is retained only for the duration of the user's session. If you are required to block this type of cookie in your browser, the website may not function correctly, and you may not be able to use all the features of the service.

Duration of Retention: For the session.

Changes to this Privacy Policy

Compellio reserves the right to modify or supplement this Privacy Policy at any time. Changes will be posted on our websites and made available upon request. If we seek to collect, use, or disclose personal information for purposes other than those consented to, we will obtain the necessary consents as required by applicable law.

How to Contact Us

Compellio has designated a Privacy Officer responsible for ensuring compliance with this Privacy Policy and relevant data protection laws.

Contact Information for Compellio's Privacy Officer: privacy@compellio.com

Thank you for entrusting Compellio with your data. We are committed to safeguarding your privacy and ensuring the security of your information.