App Privacy Statement

For the use of Authenteq’s identity verification service (the “Service”), Authenteq (in the following “Authenteq” or “we”) provides the user (the “User” or “you”) with a mobile app (the “App”) which you may download to your mobile phone. When using our Service by means of the App, we collect and process a few personal data. The protection and confidentiality of your personal data is of particular importance to us. We treat your personal data confidentially and in accordance with the applicable legal data protection laws, in particular with the EU General Data Protection Regulation (the „GDPR“). We process your personal data according to the data processing purposes as listed below.

According to GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be directly or indirectly identified by reference to an identifier such as a name, identification number, location data, etc.

The unique design and concept of our Service and the App allow to process as little personal data as possible. On principle, we only store personal data that are essential to provide our Service to you. In particular, we do not need to store your name, your date of birth or address. We collect and process your personal data on the basis of your express consent or where processing of personal data is permitted by applicable data protection laws. At any rate, we will inform you on the legal basis for the processing of personal data.

We will delete your personal data as soon as the purpose of the storage no longer applies. In addition, data may also be stored if applicable European or national legislature has provided for storage in Union regulations, laws or other provisions which Authenteq is subject to. In particular, Authenteq may be obliged by applicable European or national laws to retain data.

In the following, we inform you on which personal data are collected in connection with the use of the App, the legal basis for the processing of personal data, the data processing purposes and how your personal data are processed, the duration of data storage and your rights in connection with data processing carried out by us.


1. Name and contact details of the responsible body

The responsible body (the “Controller”) for processing of your personal data is:

Authenteq ehf, Borgartun 27, IS105 Reykjavik, Iceland
You can reach the Controller and the data protection officer via email at:


2. Download of the App

When downloading the App, necessary information is transferred to the respective app store, in particular the user name, the e-mail address and your account number, the point of time of the download, and the individual device number. We do not have any influence on such data processing and are therefore not responsible for it.


3. Data processing in connection with the signup for our Service

The purpose of data processing described in this section is the preparation and performance of the contract we conclude with Users in order to provide our Service. The legal basis of the data processing is Article 6 paragraph 1 lit. b) GDPR unless stated otherwise. Without the data processing described in this section, Authenteq cannot conclude and execute the contract.

For signup, we ask you to take a selfie and scan your passport and to upload both through the App. we use your selfie to compare it with your passport photo. For identification purposes, the passport photo is stored for 7 days in our system and is then deleted permanently. The legal basis for identification by the described photo comparison is your express consent in accordance with Article 6 paragraph 1 lit. a), 9 paragraph 2 lit. a) GDPR.

Further, we identify the data fields of your passport (such as your full name, date of birth, nationality, and passport number) and hash it (the “Hashes”). We store your passport number, nationality, expiration date, issuing country and your selfie together with an encrypted user ID that is created and allocated to you during signup in a database (the “Database”). For such storage, the data are transferred to servers located in Frankfurt a. M., Germany operated by Amazon Web Services (AWS). Further, we carry out a transaction on a blockchain, by which the Hashes are transmitted and written to the blockchain. We use the BigchainDB blockchain for the described transaction, a public permissionless blockchain (the “Blockchain”). Data are written to the Blockchain according to the Blockchain-specific protocol which arranges data to be written on the Blockchain into blocks, validates such blocks and distributes them for storage by the nodes participating in the Blockchain. The transaction is represented by a transaction ID which is both stored by Authenteq in the Database and on the Blockchain.

If you want to use the App for services requiring AML (anti-money laundering) screening, data relevant for such screening (name, surname, date of birth) are disclosed to the third party ALM provider IVXS UK Ltd (ComplyAdvantage), Newcombe House, 43-45 Notting Hill Gate, London W11 3LQ, United Kingdom. Any information on the outcome of AML screening are kept no more than 30 days in the Database and are then automatically deleted.

The selfie is used to train the underlying algorithm of the liveness detection feature of the App. The legal basis of processing your data for this purpose is Article 6 paragraph 1 lit. f) GDPR. Our legitimate interest of processing is the interest in improvement of our Service, user experience and of the satisfaction of our Users with the App.

Personal data stored in the Database are stored for the duration of the contract and if no legal retention obligations according to applicable laws exists obliging us to keep on storing after termination of the contract.

Data stored on the Blockchain cannot be deleted due to the specifics of data processing and storage using blockchain technology. In general, any data stored on a blockchain cannot be removed. At any rate, we and anyone else cannot link back to you any data relating to you stored on the Blockchain from the point of time when your personal data is deleted from the Database. The deletion of your personal data from the Database Page 3 of 4 turns the data stored on the Blockchain into anonymous data for anyone including Authenteq.


4. Data processing during use of the App

The purpose of data processing described in this section is the performance of the contract we conclude with Users in order to provide our Service. The legal basis of the data processing is Article 6 paragraph 1 lit. b) GDPR. Without the data processing described in this section, Authenteq cannot execute the contract. You may verify your identity on websites of third parties through the App if such websites require verification of personal data of individuals wishing to use services provided on or through third party websites. The respective third-party website sends a verification request to Authenteq. The verification request is the starting point of the verification process (the “Session”) represented by a Session ID temporarily created by Authenteq which is used and stored for the duration of the Session by Authenteq. You confirm the Session by scanning a QR code of the Session we send you following the verification request by the respective third party website. Authenteq retrieves the Hashes corresponding to your dataset in the Database and stores them temporarily in order to verify the personal data requested by the third party website and transmitted to us during the Session for verification. Session is closed as soon as Authenteq informs the third party website concerned on the result of verification.Session ID, Hashes and the transmitted personal data for verification are deleted from Authenteq’s temporary memory as soon as the respective Session is closed.


5. Your rights in connection with processing of personal data

In the following, we inform you on your rights that you have in connection with the processing of personal data by us and may exercise according to applicable data protection laws, in particular to the GDPR.


5.1 Right of access

You have the right at any time to demand information on if we process your personal data. In the event of such processing, you may request the following information from us: (i) the purposes for which personal data are processed; (ii) the categories of personal data which are processed; (iii) the recipients or categories of recipients to whom your personal data have been or will be disclosed; (iv) the planned duration of the storage of your personal data or, if specific information is not possible, criteria for determining the storage duration; (v) the existence of a right to correct or delete your personal data, a right to restrict the processing by us or a right of objection to such processing; (vi) the existence of a right of appeal to a supervisory authority; (vii) all available information on the origin of the data if the personal data are not collected directly from you; (viii) the existence of automated decision-making, including profiling in accordance with Article 22 paragraph 1 and 4 GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing on you.

You have the right to request information on whether your personal data are transferred to a third country or to an international organisation. In this context, you may request to be informed on the appropriate guarantees in connection with the transfer of data.


5.2 Right to rectification

You have the right to demand us to correct and/or complete your personal data if your personal data processed is incorrect or incomplete.


5.3 Right to erasure

You may demand your personal data to be deleted if (i) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) you revoke your consent to the processing and there is no other legal basis for the processing; (iii) your personal data have been processed illegally; (iv) the deletion of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject.


5.4 Right to restriction of processing

You may request to restrict the processing of your personal data if (i) you deny the accuracy of the personal data for a period of time that enables us to verify the accuracy of the personal data; (ii) the processing is unlawful and you refuse to delete the personal data and instead request the restriction of the use of the personal data; (iii) we no longer need your personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims.


5.5 Right to data portability

You have the right to obtain your personal data in a structured, commonly used and machine-readable format. You have the right to transmit your data to another Controller. Where technically feasible, you have the right to have your data transmitted directly from us to another Controller.


5.6 Right to object

On grounds relating to your particular situation, you have the right to object at any time to the processing of your personal data which is carried out on the basis of Article 6 paragraph 1 lit. f) GDPR. Such grounds exist, in particular, if they underline your interests and outweigh our interest in the respective data processing. If your personal data are processed in order to carry out direct advertising, you have the right to object at any time to the processing of personal data for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising.


5.7 Right to revoke the declaration of consent under data protection law

If you give us the consent to process your personal data, you have the right to revoke your consent at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

5.8 Right to lodge a complaint with the supervisory authority

You have the right to address the supervisory authority for any questions or complaints. The supervisory authority is The Icelandic Data Protection Authority,