Privacy Policy
Effective 5 May 2026 · legal@kycfile.com
This Privacy Policy explains how KYC File ("we", "us", "our") collects, uses, discloses, and protects personal data in connection with the KYC File platform — the website at kycfile.com and the application at app.kycfile.com (together, the "Service").
KYC File is built for regulated businesses (banks, payment processors, insurers, brokers, fiduciaries — each an "Operator") to collect and review Know Your Customer documentation from their end clients ("Client Users"). Our role under data-protection laws depends on context, summarised below.
1. Roles under data-protection law
- Operator data and Operator staff accounts — when an Operator and its staff use the Service to administer their organisation and review files, we act as controller in respect of the Operator's account, billing, and usage data.
- Client User documents and verification results — when a Client User uploads documents or completes an identity verification at an Operator's request, the Operator is the controller of that data; we act as a processor on the Operator's behalf, governed by these terms and any data-processing addendum signed with the Operator.
- Marketing-site visitors — when you visit kycfile.com without signing in, we collect minimal technical data described below as controller.
2. What we collect
From Operator staff and Client Users with accounts
- Identity and contact data — full name, email address, organisation, role, and (optionally) phone number.
- Authentication data — hashed passwords (Argon2id), multi-factor authentication seeds, session tokens, sign-in IP address, user agent.
- Activity data — actions taken in the Service (uploads, reviews, decisions, configuration changes) recorded in the audit log.
- Documents and verification results — the substantive content uploaded by Client Users in response to an Operator's request, and the verification reports produced by our identity-verification provider.
From marketing-site visitors
- Technical data — IP address, user agent, referrer, and the page or asset requested. This data is processed in server logs for security and operational purposes only; we do not perform behavioural advertising.
- Email correspondence — if you contact us at hello@kycfile.com or any other listed address.
The marketing site does not deploy advertising cookies, social-media trackers, analytics cookies, or session replays.
3. Why we use the data and the lawful basis
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Operating the Service for Operators and their Client Users | Performance of a contract |
| Authenticating users and securing the Service (incl. abuse prevention) | Legitimate interests; legal obligation |
| Maintaining the audit log required for our customers' compliance | Legal obligation (of the Operator); legitimate interests |
| Backups and disaster recovery | Legitimate interests; legal obligation |
| Responding to security disclosures and abuse reports | Legitimate interests |
| Communicating with you about your account or our service | Performance of a contract; legitimate interests |
4. Subprocessors
We use a small set of third-party processors to operate the Service. The current list:
| Processor | Purpose | Data location |
|---|---|---|
| Hostinger International Ltd. | VPS hosting for the application and its primary database / object storage | Germany |
| Cloudflare, Inc. | DNS, CDN, and edge protection for the marketing site | Global edge; configuration data in EU and US |
| Backblaze, Inc. | Encrypted off-site backups | United States |
| Resend, Inc. | Transactional email delivery | United States; EU/Frankfurt for European recipients |
| Hostinger Email | Mailbox hosting for KYC File staff inbound and outbound email | European Union |
| Didit | Identity verification (document, liveness, face match, AML screening) | European Union |
Where personal data is transferred outside the European Union or the United Kingdom, we and our subprocessors rely on Standard Contractual Clauses or other lawful transfer mechanisms. A current list of subprocessors is available to Operators on request and we provide notice of material changes.
5. How long we keep data
- Customer Data uploaded by Client Users is retained for as long as the relevant Operator's account is active, plus the period required by the Operator's regulatory retention policy. The Operator may request deletion or export at any time subject to that retention obligation.
- Audit log entries are retained for the lifetime of the account because they are required for our customers' regulatory compliance and may be required for dispute resolution. They cannot be deleted without deleting the related account.
- Backups are retained on a rolling 90-day cycle in encrypted form. Data remains in backups for that period after primary deletion.
- Server logs for the marketing site are retained for 30 days for operational and security purposes, then deleted.
6. Security
We protect personal data with the controls summarised in our Platform Security Overview, including tenant isolation, multi-factor authentication for staff, encryption of data at rest and in transit, anti-virus scanning of every upload, an append-only audit log, and off-site encrypted backups. A more detailed description is available to Operators on request.
7. Your rights
Subject to applicable law, you may have rights to access, rectify, erase, restrict the processing of, or port your personal data, and to object to certain processing. The most convenient way to exercise these rights:
- If you are a Client User, contact the Operator who invited you. The Operator is the controller of your documents and verification results and is best positioned to respond. We will support the Operator in fulfilling your request.
- If you are an Operator staff user, or a marketing-site visitor, contact us at privacy@kycfile.com.
You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been mishandled.
8. Children
The Service is not directed to children under sixteen. We do not knowingly collect personal data from a child. If you believe a child has provided personal data through the Service, contact us at privacy@kycfile.com and we will delete it.
9. Cookies
The marketing site does not set cookies of its own and does not deploy third-party advertising or analytics cookies. The application uses essential session cookies for authentication; these are HttpOnly, Secure, and SameSite=Lax, and cannot be disabled without losing the ability to sign in.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the effective date. For material changes affecting Operators we will provide written notice through the Service or by email.
11. Contact
Privacy enquiries can be sent to privacy@kycfile.com. Security disclosures should be sent to security@kycfile.com. Postal contact can be arranged on request.