Signicat ReadID Privacy Statement
Privacy Statement for Signicat and ReadID (formerly an Inverid product)
In this Privacy Statement we explain how and on what basis Signicat and its Inverid affiliates (from now on Signicat) collect, store and process personal data of data subjects, for instance our customers’ representatives, users of our services and visitors (see definitions below). We also explain what data subjects’ rights are and what our obligations and liabilities are. Examples are included to make this information easier to understand.
Privacy information – see details below
-
Signicat’s core business is providing the ReadID identity verification technology based on the chips in government-issued identity documents. ReadID is in most cases provided as a cloud (software-as-a-service or SaaS) service in which we process users’ personal data as instructed by our customers. In this case, our customers are the controllers who determine the purpose of the processing of the users’ personal data and, accordingly, Signicat is a processor of user information with respect to those services. In order to fully understand how personal data is processed, data subjects should also review the privacy policy of the customer for whose service they are being verified.
Besides offering ReadID as a cloud service, we also have a so-called client-only version, where the verification of the chip happens solely in the user’s phone and therefore there is no processing of personal data by Signicat on its servers. Our publicly available ReadID Me app for example uses the client-only version of ReadID.
In other cases, Signicat is a data controller of personal data, for instance regarding visitors of our website and representatives of customers asking for support. We may also process certain anonymised information of ReadID users for the development and improvement of our services and in other forms and purposes.
Naturally, in all cases we handle the data with care.
-
Here you can find the meaning of the most important terms in this Privacy Statement to help you understand how and for what we are processing your personal data.
Data controller: a legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and gives instructions regarding processing activities to Signicat, unless Signicat is acting as the data controller.
Data processor: Signicat processes personal data on behalf of the data controller, unless Signicat is acting as the data controller. Signicat may use sub-processors who, under the authority of the controller, are authorised to process personal data.
Data subject / you: a natural person about whom we have information or data enabling the identification of the natural person. Data subjects include our customers’ representatives, users that make use of our identity verification services, visitors of our website, job applicants, and other natural persons whose personal data we may process.
Customer: the legal entity to whom we provide our services under a contractual agreement.
Personal data: information that directly or indirectly identifies you as a person (i.e., the data subject), such as your name and address, email address or telephone number. Information about a legal entity is not personal data, but information about a contact person or representative of a legal entity is.
Processing: any operation which is performed on personal data, such as the collection, storage, use, provision, transmission, and deletion of it.
ReadID SaaS user: a natural person regarding whom we provide the ReadID service at the request of the customer. This could be via the ready-to-use ReadID Ready app provided by Signicat or via the ReadID SaaS Software Development Kit (SDK) that the customer can integrate in its own mobile application. Both the Ready app and the SDK communicate with a ReadID SaaS server, hosted at a public cloud provider, which performs all the actual data processing and verifications.
ReadID Me user: a natural person that uses our personal and client-only ReadID Me application.
ReadID Client-Only user: a user of the client-only version of ReadID provided by a customer.
Representative of the customer: a natural person who interacts with Signicat as the representative of a customer prior to the conclusion of the contractual agreement and under the agreement.
Visitor: any person who shows an interest in Signicat or in our ReadID products and services, e.g., visitors of our website, readers of our newsletter, attendees of our webinars, security researchers who report vulnerabilities in our systems, or potential new employees.
-
Signicat processes the personal data of:
- ReadID SaaS users, as a processor for our customers, i.e., the data controllers.
- Representatives of customers, as a data controller.
- Visitors, as a data controller.
We do not process personal data of ReadID Me users, as all personal data remains on the mobile phone running the ReadID Me application. The same applies to customers that make use of the client-only version of ReadID, since Signicat does not receive any personal data. In these cases, the customer is fully responsible for the privacy of the personal data being processed. For transparency reasons, however, we have included the client-only use of ReadID in this Privacy Statement.
-
This Privacy Statement covers the processing of personal data by Signicat and its Inverid affiliates. Apart from ReadID SaaS data, personal data may be shared between these legal entities to the extent that this is permitted by law.
For the ReadID SaaS services, Signicat is processing personal data on behalf of a customer. The customer in that case is the data controller and Signicat the data processor.
-
Personal data we process about ReadID SaaS users: Signicat ReadID provides identity verification services to its customers. This means we verify your identity. For that you (i.e., the ReadID SaaS user) have acknowledged data processing according to the customer’s privacy policy and subsequent data processing by us in accordance with this Privacy Statement. We may collect and process the following personal data:
- Personal data present in the chip of a supported identity document presented by the user, e.g., a passport, identity card or driving license.
- Personal data present on the holder page (back and front) of the presented identity document.
- A face biometric scan (to verify that the user is the rightful holder by matching it with the face image from the identity document).
- IP-address of the user.
This dataset, or part of it, combined with non-personal data such as the outcomes of the various verifications we conduct, is shared with the customer in accordance with a data processing agreement.
For ReadID SaaS performance improvement purposes we need to collect anonymous usage information, for example, to detect problems with identity documents from certain countries. This usage information does not contain personal data. Moreover, Signicat cannot directly or indirectly relate the usage information to a specific person. Usage information will only be used for improving the quality of ReadID and not for other purposes. Signicat will only retain the information for as long as is necessary to fulfil the specified purpose.
Specifically, Signicat collects the following usage information via the ReadID SaaS SDK:
- Phone details, including phone type, Android version, iOS version, memory size. We do not collect information that is unique for a certain phone.
- What type of identity document was scanned and read, whether or not the scan was successful, whether the chip was read successfully, what country issued the identity document, the document signer certificate as stored on the chip, and the date of expiry. The document signer certificate is issued by the issuing country’s signing authority and is shared by many documents, so it identifies the issuing batch rather than the holder. We collect the date of expiry since this allows us to determine the version of the scanned identity document.
- Usability information: how long the different steps take if a user managed to go through all steps and usage frequency.
Signicat uses servers under its own control for the ReadID SaaS service; specific usage analytics data is hosted by a third party.
Personal data we process about representatives of customers: To enter into an agreement with Signicat, to provide our service, to communicate with the representative of our customer and for other lawful reasons, we need to process the data of customers’ representatives. This means we may process, among other information, the following personal data of representatives of the customer:
- personal information of the representative of the customer, such as name, job title, position, and contact information;
- personal information in connection with provision of the service, such as the representative’s login information to the ReadID management portal including username, email address, and mobile phone number.
Personal data we process about visitors: We may collect data when you visit for instance our website (e.g., by using cookies), receive our newsletter (e.g., upon subscription), attend a Signicat webinar (e.g., upon registration) and/or apply for a job position at Signicat. This personal data, among other information, may be as follows:
- personal information, such as IP address, time and location;
- information on usage of the website, such as the pages you visit, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the website;
- e-mail addresses, when you subscribe to Signicat’s newsletters, download Signicat’s content or register for a Signicat webinar;
- identification and contact data if you decide to report a vulnerability under our Coordinated Vulnerability Disclosure Policy;
- curriculum vitae and motivation letters for job applicants.
Personal data we process about ReadID Me users: Signicat provides the ReadID Me application through the Play Store and the App Store. ReadID Me is for your personal use and publicly available free of charge. We provide this app so users can see what is in the chip of their identity document. In addition, the analytics and feedback we get help us to improve the underlying ReadID software. The ReadID Me app runs client-only. This means that the app processes the data needed to access the chip, and the personal data read from it, locally on the smartphone of the ReadID Me user and does not share them with Signicat; that is, the app does not send personal data to a server for processing by Signicat. Moreover, the personal information that is processed is not stored on the smartphone. Signicat thus does not collect personal information. We do not know, nor want to know, who the ReadID Me users are and whose identity documents are scanned.
As with ReadID SaaS, ReadID Me collects anonymous usage information that Signicat uses to improve our ReadID services (see the section above for ReadID SaaS users).
Personal data we process about ReadID Client-Only users: In this case, Signicat does not process any personal data about the user. The customer may process personal data and is fully responsible for the privacy of any personal data being processed. Moreover, Signicat also does not collect any anonymised usage data.
-
How we obtain personal data of a ReadID SaaS user: We receive your personal data through an identity verification we conduct for a customer service that you use. The customer has contractually authorised us to process your data on behalf of them in the context of a certain service.
How we obtain personal data of a customer’s representative: We collect this data either from you directly when you communicate with us, for example by sending us an email, providing us with your personal data on the phone or through our customer support tools. We may also collect some of your personal data during the provision of our service to your employer. We also check information about the customer (including about relevant representatives of the customer) from publicly available sources. We only gather relevant and necessary data in order to validate the right of representation; this may include, for example, verification of your identity and processing of your personal data for operating our service.
How we obtain personal data about visitors: When you visit our website, we use cookies to collect information. The purpose of these cookies is to improve the user experience of your visit to our website and to provide Signicat with information that can be used for future optimisations. For more information about cookies we refer to the Signicat Privacy and Cookie Policy.
For our newsletter, the downloading of content, attending webinars or applying for a job at Signicat, you provide your personal data yourself.
How we obtain personal data of ReadID Me users: Personal data is not collected via the use of our ReadID Me app. This app is for personal use only. Non-personal metadata (see above) is collected during the usage of the app.
How we obtain personal data of ReadID Client-Only users: In this case, Signicat does not obtain any personal or other data from the app.
-
We may only process your personal data if there is a so-called 'lawful basis' for doing so.
Grounds for the processing of personal data of a ReadID SaaS user: We process your personal data as a processor for the benefit of the customer in order to fulfil the agreement we have with the customer. The lawful basis for the processing of the data thus stems from the customer and the service it is providing to you, so please also consult the privacy policy or statement of the customer for this purpose. There may also be a legitimate interest in the processing in order to offer the best possible service on the market. This includes troubleshooting, data analysis, testing, fraud prevention and detection, system maintenance, support, reporting and hosting of data.
Grounds for the processing of personal data of customer representatives: We mainly process your personal data in the establishment and execution of the contractual agreement with our customer, i.e., your employer. There may also be a legitimate interest in ensuring a trust-based relationship with customers, for example the processing of personal data that is strictly necessary to determine the ultimate beneficiaries in order to prevent fraud, or the conducting of product and market research for purposes of quality assurance, product improvements, development and assessing market fit. This may include contacting and communicating with existing and potential new customer representatives, interviews, recording of such communications for a limited period of time, and similar activities.
Grounds for the processing of personal data of a visitor: Data processing of visitors is typically based on consent given by you. Consent may be asked for the cookies that we use on our website or when you subscribe to our free newsletter by providing your e-mail address. In case we rely on your consent for the processing of your data, you have the right to revoke your consent at any time. Please note that any processing Signicat carried out before the withdrawal of your consent remains lawful. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case when you withdraw your consent. When you apply for a job, we rely on our legitimate interest in processing your data.
Grounds for processing of data of ReadID Me users: Signicat does not process any personal data in the context of ReadID Me, so there is no lawful basis required. Only non-personal data is processed in order to improve our ReadID identity verification product.
Grounds for processing of data of ReadID Client-Only user: Signicat is not involved in any processing of personal data as a processor or controller. The customer in this case is the controller of the personal data and has its own ground for the processing of it.
Besides these grounds, there may also be legal obligations with respect to the processing of personal data in general. Signicat processes personal data in compliance with legal obligations such as tax obligations, court orders or police investigations.
We do not use your personal data for marketing, advertising or profiling purposes. You can be confident that fairness, transparency and security are built into every stage of our data processing processes.
When personal data processing is carried out for a new purpose different from that for which it was originally collected, or is not based on the consent given by the data subject, i.e., you, we shall carefully assess the permissibility of such new processing.
-
We do not keep your data longer than is necessary to serve the purposes for which we collected the data or the purposes for which data is reused and to comply with laws and regulations.
Retention periods for ReadID SaaS user data: A hard-coded maximum retention period of 50 days is enforced for all ReadID SaaS sessions that contain personal data. The customer, however, is advised to set a shorter retention period, for example no more than a few days, and/or to request us to delete the data immediately after having received the session results. When a ReadID session is deleted, it is removed permanently from the database, but not from backups of the database. The retention time of the backups is at most 14 days and can be made shorter at customer request; a deleted session can therefore still exist in a backup for up to 14 days after deletion. These backups are required to be able to recover from a serious incident.
In case we make use of sub-processors for performing face biometrics for identity document holder verification or for optical processing of document images, we require them to keep any collected personal data only for as long as they need it to achieve the purpose for which the data was collected. This is also set forth in the data processing annex of the contractual agreement with the customer.
In case there are reasonable grounds to believe that certain identity claims are fraudulent, the retention period may be extended for a certain period or until there are no reasonable grounds anymore.
Non-personal data that is collected during ReadID Ready and SDK SaaS sessions will be retained for as long as needed to improve our services.
Retention periods for customer representative data: Personal data processed in the context of the establishment of the agreement with the customer will be archived for seven (7) years after the ending of the contract. Personal data of representatives that require access to our ReadID management portal or related services will be removed immediately by Signicat after removal of the account.
Retention periods for visitor data: This data is typically obtained with your consent. We will stop processing the data when you withdraw your consent (for instance by unsubscribing from our newsletter). For job applicants that have submitted a CV and/or motivation letter and are not hired, their personal data will be removed after one (1) month.
Retention periods for ReadID Me user data: Since this is non-personal data we keep it as long as we need it for improving our services.
Retention periods for ReadID Client-Only user data: Since we do not process any personal data in this context, retention is not applicable. Please consult the privacy policy of the customer offering the client-only version of ReadID.
In general, if we no longer need the data for the purposes described above, the personal data will be permanently erased or anonymised. Where we have a legitimate legal reason, we may store personal information for longer than described above, for example, where we are under a binding legal order not to destroy information.
-
Unless stated otherwise in this Privacy Statement or noted otherwise to you separately, we may disclose your personal data to data controllers for whom we are data processors (e.g., our customers) and to our authorised service providers (sub-processors), as well as to persons who are legally entitled to receive your personal data. Signicat also uses external IT suppliers and cookie service providers. We have diligently assessed that these external parties will comply with the data protection requirements.
Transfer of ReadID SaaS user data: Signicat uses external service providers (sub-processors) to optically verify identity documents and to perform liveness detection and face comparison. We only share the personal data that is necessary for these providers to perform their tasks.
The current authorised sub-processors engaged for the ReadID service are listed below. Each of these sub-processors has its own privacy policy; the link to that policy is also listed below.
- Public cloud provider:
- Amazon Web Services (AWS), Inc. We use various AWS regions depending on the location of our Customers. Current locations are Ireland, Frankfurt, London, and Sydney. The generic AWS privacy policy can be found here: https://aws.amazon.com/privacy/. Amazon Web Services EMEA SARL is the authorized representative of AWS, Inc. in the European Economic Area (EEA). Relevant to consult in this context are the AWS data processing annexes: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf and https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf
- Open Telekom Cloud, T-Systems International GmbH, for data processing addendum see https://open-telekom-cloud.com/_Resources/Persistent/d/8/0/d/d80d17f63186334ba36afcc6924a0e2b4575f3ef/open-telekom-cloud-supplementary-conditions-commissioned-processing-personal-data.pdf.
- Microsoft Azure, as a cold standby for continuity purposes. We have an agreement with Microsoft Ireland Operations Limited for the hosting of ReadID servers in Ireland as the primary location. For a customer that is based in the EEA, processing of personal data shall always take place in the EEA as well. The Azure privacy policy can be found here: https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy#:~:text=We%20do%20not%20share%20your,the%20services%20you%20have%20chosen. The most recent data processing annex is here: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- Biometric verification provider:
- iProov Ltd, www.iproov.com, for privacy policy see https://www.iproov.com/biometric-data-retention-schedule.
- Optical verification provider:
- Veriff OÜ, http://www.veriff.com, for privacy policy see https://www.veriff.com/privacy-notice.
- Onfido Ltd, www.onfido.com, for privacy policy see https://onfido.com/privacy/.
Please note that these sub-processors may also make use of sub-processors themselves.
Signicat only shares your personal data with external parties when this is allowed as per applicable privacy and data protection law. Signicat may provide personal data to external parties because:
- it is necessary to execute the contract with you;
- you consented to this;
- Signicat has a legitimate interest;
- Signicat is legally obliged to do so.
All our data is hosted and processed in the European Economic Area (EEA), except for personal data we process for ReadID customers that are located outside the EEA or that require us to perform optical or biometric verification by sub-processors. In the latter case the processing is done in the United Kingdom. Personal data can legally be transferred to the United Kingdom based on a decision of the European Commission on the adequacy of data protection. Please also refer to the privacy policy of the customer for further motivation of your personal data processing in this context.
Transfer of customer representatives’ data: Customer representatives’ personal data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities, and organisations intermediating or providing (electronic) mail, compliance or payment services and the like. Personal data required for accessing ReadID session data may be shared with the public cloud providers mentioned above.
Transfer of visitor data: Visitor data may be transferred to external IT suppliers and cookie service providers. We have diligently assessed that these external parties will comply with the data protection requirements.
Transfer of ReadID Me user data: Personal data is not processed by Signicat in this context. Only non-personal metadata is transferred to the above-mentioned public cloud providers for further processing.
Transfer of ReadID Client-Only data: A transfer policy is not required since we do not process any personal data in this context. Please consult the privacy policy of the customer offering the client-only version of ReadID.
-
Signicat has taken the necessary organisational, technical and contractual security measures to protect your personal data against accidental loss, unauthorised access, modification or disclosure. Examples of organisational controls are security policies regarding the processing of data, our security certifications and our code of conduct. Technical controls include encryption of personal data at rest and in transit and access controls including strong authentication. These controls are also laid down contractually: part of our contract with the customer is a Data Processing Annex, whose purpose is to protect ReadID users and customer representatives by setting out clear expectations regarding the handling of their personal data.
We have set up procedures to deal with any suspected personal data breaches, and we will notify our customer, any relevant data protection authority and, where we are legally required to do so, you directly.
Within Signicat, people only have access to your personal data if this is necessary for their job function. All these persons also have a duty of confidentiality and are periodically screened.
We have a certified Information Security Management System (ISO/IEC 27001:2022) and Privacy Information Management System (ISO/IEC 27701:2019). As part of our certification, the security measures we use to protect your personal data are evaluated annually by an independent external auditor. All our sub-processors are at least ISO/IEC 27001 certified as well.
-
You have the right to:
- request information on personal data we process and what we do with the personal data;
- request access to your personal data;
- request correction of your personal data;
- request erasure of your personal data;
- request to transfer your personal data (if technically and/or legally possible);
- object to specific processing of the personal data;
- revoke your consent.
To exercise these rights please send an email to dataprotectionofficer@signicat.com.
Please note that if your request concerns data we have processed as a processor (i.e., in the course of our service provision), you must submit your request to the customer who is the data controller of the processing of your personal data. We will inform you if this is the case.
When you make use of your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant personal data (or to exercise any of your other legal rights). This is a security measure we take to help avoid your personal data being disclosed to a person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to help speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
-
Signicat has appointed a Data Protection Officer (DPO). The DPO monitors the application of and compliance with data protection laws such as the General Data Protection Regulation (GDPR). If you are not satisfied with the way a question or complaint has been handled, you can contact the DPO via dataprotectionofficer@signicat.com. In addition, you can ask a question or file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Be aware that in most cases Signicat acts as a processor of personal data for its customers, i.e., the controllers. We may redirect you to the controller that is responsible for the processing of your personal data.
-
Our Privacy Statement may change from time to time. You will always find the most up-to-date version of our Privacy Statement at: Signicat Privacy and Cookie Policy.
The current statement has been updated per November 2025.