Purpose

365id handles large amounts of personal data, primarily on behalf of our customers who scan identity documents in 365id’s system.

The overall purpose of handling personal data is to create a safer society by reducing ID fraud.

Objective

Our goal is for you to feel confident that your personal privacy is respected and that your personal data is processed correctly.

We take responsibility for ensuring that personal data processed by 365id is only used for intended purposes and is protected against unauthorized access.

All processing of personal data within 365id takes place in accordance with applicable personal data legislations, i.e. the General Data Protection Regulation (EU) 2016/679 (GDPR).

Parties

In this policy, 365id’s customers are referred to as the “customer “, the private individuals whose personal data we process in our systems are referred to as the ” data subject ” and 365id AB, with corporate registration number 559006-1957, Karlsrovägen 77, SE-302 41 Halmstad, Sweden is referred to as ” 365id “.

365id’s processing of personal data – in the role of Data Controller

365id is the data controller for the processing of personal data relating to our employees, customers, suppliers and other partners, who in some form provide 365id with their personal data for normal business relationships.

When you act as a contact person for a customer, supplier or other actor

To handle and administer our business relationship, deliver products and services, and make and receive payments, we process personal data about you in your role as a contact person. This includes your name, contact details, information about your organization and position, and other personal data that you or your organization have provided to us. 

The legal basis for this processing is our legitimate interest in fulfilling our contractual obligations towards your organization and maintaining and developing the business relationship. 

We retain this information for as long as you are registered as the contact person for a company doing business with us, and up to a maximum of one year thereafter. However, if your personal data is included in documents that qualify as accounting records, we retain them for seven years in accordance with the Swedish Accounting Act. If your data is part of an agreement, it will be stored for ten years after the agreement expires or is terminated, in line with the Swedish statute of limitation. 

Additional personal data we may process includes:

  • Contact details listed in customer agreements
  • Information provided during order placements
  • Details provided in support cases
  • Data from business interactions (e.g., business cards)
  • Employee information shared with us for business purposes

This data is stored in our systems for the duration of the business relationship and up to one year thereafter, unless a longer or shorter retention period is required by law or requested by the data subject. We process this information to ensure good customer service, accurate invoice handling, and to comply with regulatory requirements. 

The personal data is stored and processed in systems we use to manage our operations, including Microsoft Outlook and SharePoint (part of Microsoft 365), Zendesk (Customer support platform), Upsales (CRM), and Fortnox (invoicing and accounting). These systems are primarily cloud-based and hosted within the EU/EEA, unless otherwise stated by the provider. In some cases, data may also be stored physically at our office in Sweden, such as business cards or printed documents. All systems and service providers we engage are required to comply with applicable data protection regulations, including the GDPR.

 When you use our services including the 365id Portal

As a customer to us, your organization will be able to use our services for scanning identification documents through our app and/or our scanners. We will provide a user platform to enable your organization to overview scanned ID documents, create reports and see the list of passports, ID cards and driving licenses that we validate. For such purpose, we will process the personal data of you as a user, including your name, contact details and password, to give you access to this platform. Our app will also be available to use as a guest user.

The legal basis for the processing is fulfilment of our contract with you to provide the platform if you log in as a guest user. If you log in as a user appointed by a customer of ours, we process your data based on our legitimate interest to fulfil our obligations set out in the agreement between us and the customer. 

We will store your personal data related to your account as long as your organization is a customer to us and up to one year thereafter, unless a longer or shorter retention period is required by law or requested by the data subject. 

All processing and storage of personal data is carried out either in Ireland or in Arizona, United States, as specified in the customer contract. Personal data never leaves the selected region (EU or US).

 When you visit and browse our website

For information regarding processing of personal through cookies, please see below under “Cookies – what are cookies and how do we use them?”.

In addition to our use of cookies, you have the option to sign up for our newsletter through the website to receive news of our products and other information related to our services. The legal basis for processing of your e-mail submitted is your consent, and we will send the newsletters until you have withdrawn your consent.

Furthermore, you can contact us by sending a message through our contact form, calling us, or sending us an e-mail. We will process your personal data submitted (such as name, contact details and other information contained in the message) based on our legitimate interest to handle your question, during the time necessary in order to assist you. 

Personal data submitted via our website is stored in a data center located in Sweden. If you contact us via e-mail, your message and contact details will be processed in Microsoft Outlook (part of Microsoft 365), which is hosted in data centers within the EU/EEA. All personal data is processed in accordance with applicable data protection laws and with appropriate safeguards in place to ensure its security.

When you apply for a job

If you apply for a job, we store your application, including cover letters, resumé, photos (if applicable), and other personal data you submit. We may also complement this information with information from other sources, e.g. from references provided by you. The legal basis for the processing is our legitimate interest to carry through the recruitment
process.

We will save your application and related information for two years after ending the recruitment process in order to protect our rights under the Swedish Discrimination Act. If you provide your consent, we will save your resumé for future recruitment processes until your consent is with drawn or the resumé is out of date.

Your application may be stored either in our website’s data center, located in Sweden, or in Microsoft SharePoint (part of Microsoft 365), which is hosted within the EU/EEA. All systems used for storing recruitment data meet applicable security and data protection standards, including compliance with the GDPR.

Who do we share personal data with?

365id never discloses your personal data for marketing or advertising purposes.

Below we list transfers to parties acting on our behalf as data processors that
may occur:

  •  Third-party service providers: Some companies provide services on our behalf. These services include, inter alia, IT-supplier (such as hosting services), providers of communication tools and platforms, and accounting. These companies will get access to your personal data to the extent necessary for them to fulfil their obligations, but they may not use or share the information for any other purposes.

Below we list transfers to parties acting as data controllers that may occur:

  • Legal obligations: Your personal data may be disclosed for the purpose
    of our compliance with certain legal obligations, and it may be transferred to the e.g. the Swedish Tax Agency, the Police and other relevant
    public authorities, when permitted and required by law.
  •  Business transactions: If all or part of our operations are sold or integrated with any other business, operation or company, your personal data may be disclosed to our advisors, potential buyers and their advisors, and be transferred to the new owners of the operation.
365id’s processing of personal data – in the role of Data Processor

365id processes personal data in the role of data processor for customers who use 365id Scanners. The processing is carried out in accordance with written agreements and instructions between 365id and the customer. When our customers use 365id Scanners, they are data controllers towards their customers (the data subject), whose ID documents are scanned in 365id Scanners.

For the following services 365id acts as data processor:

365id ID verification software, is an online service that certifies authenticity and reveals fake ID documents. If our customers want, we can store an image of the scanned ID document, which can then be used in case of any complaints or criminal investigations.

365id Scanner, 365id Flatbed Scanner, 365id App and 365id SDK, are products that take pictures of passports, driver’s licenses and ID cards. Data from the biometric chip in i.e. passports can be collected. In the 365id App and SDK a liveness video with a following face match can be included. A few seconds after the ID document is scanned, the result is displayed on the 365id Scanner.

365id Rest API, a service that transfer data from scanned documents to the customers business system. First name, last name, personal identification number, validity, image of document and ID document number are examples of information that can be sent to the business system.

Who do we share personal data with?

365id never discloses your personal data to any third party, for example for marketing or advertising purposes.

Personal data processed in the “365id ID verification software” service is handled by 365id according to the agreement with our customer’s.

365id can, but only on request and behalf of our customers, use the data subject’s personal data when searching other ID card registers, such as the Swedish Transport Agency’s driver’s license register. The purpose of these searches is to verify the validity of the ID document and ensure that it has not been reported as invalid, revoked or otherwise restricted. This further minimizes the risk that the data subject’s ID document or personal data is used for improper purposes.

When using the 365id App, we use a sub-processor for the liveness check and face match process. Your facial data is sent to the sub-processors’ servers located in EU/EEA and UK. Data is retained by the sub-processor 30 days with the purpose of operating and improving the services to protect users and businesses against rapidly evolving threats. All personal data in transfer and rest is encrypted.

Why do we process personal data?

The fundamental purpose of the ” 365id ID verification software” service is to protect the privacy of the data subject, reduce the risk of ID fraud in society and restore trust in the system of ID documents that have been used for a long time.

We process personal data concerning the data subject to verify the authenticity of an ID document, notify the customer whether the ID document is deemed authentic or not, and assist the customer with information in a fraud investigation or similar. Data from scans can be sent to the customers business system.

 What types of personal data do we process?

In our ID verification service, we process all personal data that is on the data subject’s ID document or driving licenses. 

How long do we store personal data?

It is our customers who decide whether we store images of scanned ID documents and how long we store them. This is regulated in the respective customer agreement.

Where do we store and process personal data

The data storage and processing region is stipulated in the contract between 365id and the customer. 365id support storage and data processing either within the European Union (specifically Ireland) or in the United States (specifically Arizona). Personal data never leaves the selected region (EU or US).

Cookies – what are cookies and how do we use them?

We use cookies on our website to analyse trends, administer the website, track user’s movement patterns and gather demographic information about our website users.

Cookies are small text files that are placed on your computer by a web server. Cookies allow our website to remember information that will make your visit to the website more comfortable. As with most other websites, we use cookies primarily to improve your service and experience of our website. If you don’t want cookies, then you can disable the feature in your web browser.

There are different types of cookies. We use so called permanent cookies, and “session” cookies, which are temporary. Persistent cookies last until they expire on a pre-set date or are manually deleted by you on your device and are used, for example, to remember user specific settings between visits on a website. Session cookies last until you stop browsing and are used, for example, to log statistics when the user moves from one page to the next.
By giving your consent in the cookie banner presented to you when entering the website, either to some or to all types of cookies, you consent to our use of the cookies described in this policy. You may deactivate or restrict the transmission of cookies that are not strictly necessary (which according to applicable law does not require any consent from you) for the functioning of our website, by opting out on this website or by changing the settings of your web browser. Web browser settings are often found in the “Tools” or “Preferences” menu (please refer to your web browser’s help section). Should you visit our website with cookies deactivated, you might not be able to use all of the functions on our website to the full extent.

The following type of cookies are used on our website [and in our app]:

Necessary

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Performance

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Advertisment

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Other

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

What rights do you have?

You as the data subject has the right to:

  • Request information about the personal data of yours that we are processing and how it is being used by us.
  • Request correction of incorrect, incomplete or ambiguous personal data.
  • Erasure (“Right to be forgotten”) – Request the deletion of personal data
    when it is no longer necessary for the purpose for which it was collected, if consent has been withdrawn, or if processing is unlawful.
  • Request that processing of personal data is limited under certain conditions.
  • Object to the processing of your personal data, e.g. if the legal basis is our
    legitimate interest.

In the cases where we act as data processor for our customer who is the data controller, all requests for access, correction, deletion, or other data subject rights must be submitted to the data controller.

For the protection of your privacy and your personal data, we may require that you identify yourself in connection with our assistance.
You can also file a complaint with the Swedish Authority for Privacy Protection (Sw.Integritetsskyddsmyndigheten) at www.imy.se, if you think our processing of personal data is not carried out in accordance with applicable laws.

Changes to this privacy policy

Please note that the terms of this privacy policy may be changed or amended. Any new version will be published on our website.

Contact information

If you have any questions regarding how 365id handles your personal data, please contact us.

By e-mail: info@365id.com 

Or by post:
365id AB
To: Data Protection Officer
Karlsrovägen 77
302 41 Halmstad