Privacy Policy

Last updated: June 2026

This policy explains how AvalKYC handles personal data. In most deployments AvalKYC is used by a business (the “customer”) to verify its own end users. In that arrangement the customer is the data controller and AvalKYC acts as a data processor on the customer's instructions. For our own website and account holders, AvalKYC is the controller.

1. Information we collect

Depending on how AvalKYC is used, we may process:

  • Account data: name, work email, organization, and role for dashboard users.
  • Verification data: identity-document images and extracted fields (name, date of birth, document number), a selfie, and the resulting checks and decision.
  • Biometric data: a numeric face representation (embedding) derived from the selfie and document, used solely to confirm they match.
  • Technical data: a salted hash of the submitter's IP (never the raw IP), coarse network signals, and capture-integrity metadata.

2. How we use it

Personal data is used to perform the verification, AML screening, and fraud checks the customer requests; to return a decision and audit record; to secure the service against abuse; and to operate and support accounts. We do not sell personal data, and we do not use verification data to train models for unrelated purposes.

3. Legal bases

Where the GDPR applies, processing relies on: performance of a contract; compliance with the controller's legal obligations (such as KYC/AML duties); legitimate interests in preventing fraud and securing the service; and, for biometric data, the explicit consent obtained by the controller from the data subject.

4. Biometric data

Face data is treated as a special category of personal data. The embedding is stored separately from the verification record, is excluded from every API response, and is used only for 1:1 matching and duplicate detection. It is deleted on erasure and at the end of the configured retention window.

5. Retention & erasure

Controllers configure a retention window appropriate to their legal obligations. When it elapses, applicant personal data and biometrics are automatically erased, leaving only a PII-free tombstone (reference, decision, and audit trail). Erasure can also be triggered on demand at any time.

6. Sharing & sub-processors

AvalKYC screens against open, public data sources (for example government sanctions lists, the GLEIF business register, and Wikidata). When self-hosted, personal data stays within the customer's own infrastructure and is not shared with AvalKYC. Any optional sub-processors used in a managed deployment are disclosed to the customer and bound by equivalent obligations.

7. International transfers

Because AvalKYC can be deployed in a region of the customer's choosing, data residency is determined by where the customer runs it. Where transfers occur, they are made under an appropriate safeguard such as Standard Contractual Clauses.

8. Your rights

Subject to applicable law, data subjects may request access, correction, deletion, restriction, or portability, may object to processing, and may withdraw consent. As we usually act as a processor, please direct requests to the business that verified you; we will assist that business in fulfilling them. Requests concerning our own account holders can be sent to us directly.

9. Security

We protect personal data with encryption in transit, biometric isolation, hashed identifiers, least-privilege access, and an append-only audit trail. See our Security page for details.

10. Cookies

We use a single, strictly necessary session cookie to keep you signed in to the dashboard, and a preference cookie to remember your language. We do not use advertising or cross-site tracking cookies.

11. Children

AvalKYC is a business tool and is not directed to children. We do not knowingly collect data from children except where an end-user's age is itself the subject of a verification requested by a controller under its own legal basis.

12. Changes

We may update this policy as the product evolves. Material changes will be reflected by the “last updated” date above.

13. Contact

Questions about this policy or a privacy request can be sent to privacy@avalkyc.com.

This page is provided for general information and does not constitute legal advice. Businesses deploying AvalKYC are responsible for their own privacy notices and for establishing a lawful basis for the processing they instruct.