This Privacy Policy applies to personal data processed by Dataspike in connection with the provision of its identity verification, AML screening, document verification, and related compliance services (the "Services"). It covers both processing carried out on behalf of Clients and processing carried out by Dataspike as a Data Controller for its own legitimate purposes. This Policy does not cover the personal data practices of Dataspike's Clients. Clients are independently responsible for their own privacy notices and compliance obligations. For information about how we use cookies and tracking technologies on our Site, please refer to our Cookie Policy, available at https://dataspike.io/privacy-policy.

Agreement — the Terms of Service and any additional agreements concluded between Dataspike and a Client, including annexes and appendices.

Applicant / User — any individual in respect of whom an identity verification procedure is performed as part of the Services.

Applicant ID — a Dataspike feature that allows Applicants to store their verified identity data and share it with multiple Clients at their own request.

AML/CFT — Anti-Money Laundering / Combating the Financing of Terrorism, as defined by FATF recommendations, EU regulations, and applicable national law.

BIPA — the Biometric Information Privacy Act (Illinois, USA).

Client — the legal entity that has entered into an Agreement with Dataspike and acts as Data Controller in respect of its Users' personal data.

Consent — a freely given, specific, informed, and unambiguous indication of the Data Subject's wishes, as defined in Article 4(11) of the EU GDPR.

Data Controller / Controller — the entity that determines the purposes and means of processing personal data. For most Services, the Client is the Controller. Dataspike acts as Controller only for its own processing purposes.

Data Processor / Processor — an entity that processes personal data on behalf of a Controller. Dataspike acts as Processor when carrying out verification on behalf of Clients.

Data Provider — a third-party service provider or public authority used by Dataspike to obtain additional information necessary for the provision of Services (e.g., sanctions databases, identity registries).

Data Subject — the individual whose personal data is being processed (i.e., the Applicant / User).

EEA — the European Economic Area (EU Member States, Norway, Iceland, and Liechtenstein).

EU GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council.

Personal Data — any information relating to an identified or identifiable natural person.

Personal Data Breach — a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

PEP — Politically Exposed Person, as defined under applicable AML/CFT regulations.

Processing — any operation or set of operations performed on personal data, as defined in Article 4(2) of the EU GDPR.

Special Categories of Personal Data — data as defined under Article 9 of the EU GDPR, including biometric data, data revealing racial or ethnic origin, and health data.

Standard Contractual Clauses (SCCs) — contractual terms adopted by the European Commission (or UK-designated authorities) ensuring appropriate safeguards for international data transfers.

UK GDPR — the EU GDPR as implemented in UK domestic law under the Data Protection Act 2018.

Website — https://dataspike.io

Dataspike adheres to the data protection principles set out in the EU GDPR and UK GDPR. Personal data is:

• processed lawfully, fairly, and transparently;
• collected for specified, explicit, and legitimate purposes only;
• adequate, relevant, and limited to what is necessary;
• kept accurate and, where necessary, up to date;
• retained no longer than necessary for the relevant purpose;
• processed with appropriate technical and organisational security;
• not transferred outside the EEA or UK without adequate safeguards.

(a) Processing on Behalf of Clients (Processor role)

Dataspike processes personal data on documented instructions from Clients to perform identity verification, document checks, AML/CFT screening, and related compliance Services. This includes collection, storage, analysis, transmission, and deletion of data as required by the Client. Once data is no longer needed for the relevant purpose, Dataspike deletes it or transfers it to the Client in accordance with their instructions and applicable law.

(b) Dataspike's Own Purposes (Controller role)

Where Clients have granted permission and applicable law allows, Dataspike may process personal data for its own legitimate purposes, including:

• Service development and improvement: training and improving algorithms for fraud detection, liveness verification, and identity verification accuracy via machine learning, where Clients have authorised such use.
• Fraud and AML detection: identifying patterns associated with fraud, money laundering, or other illicit activity and alerting Clients accordingly.
• Profiling and analytics: aggregating data for statistical analysis and risk scoring to assist Clients in compliance decisions.
• User identification for DSR handling: identifying Users or Client representatives when processing data subject access requests.
• Legal claims: retaining or processing data as necessary for the establishment, exercise, or defence of legal claims.
• Compliance record-keeping: maintaining records demonstrating that appropriate measures have been taken.

(c) Applicant ID

The Applicant ID feature allows Applicants to store verified personal data and share it with multiple participating Clients at their own request. For the purposes of operating Applicant ID, Dataspike acts as a Data Controller. After the Applicant shares their data with a specific Client, Dataspike reverts to its Processor role for that verification. Processing under Applicant ID also includes service development and fraud detection purposes as described in section (b).

Depending on the Services selected by a Client, Dataspike may process the following categories of personal data:

Category	Examples
General personal data	Full name, date of birth, sex, nationality, personal identification number, address
Identity document data	Document type, number, issuing country, expiry date, MRZ, barcodes, security features
Facial image data	Photographs, selfies, scans from identity documents, videos, audio recordings
Biometric data	Facial geometry / facial features extracted for verification purposes
Banking details	Cardholder name, card expiry date, first 6 and last 4 digits of card number
Contact details	Email address, phone number, postal address
Transaction data	Names and addresses of sender and recipient, unique transaction identifiers
Technical / device data	IP address, device type, operating system, camera model, date/time of activity, browser data
Device behavioural data	Device fingerprint, screen resolution, session language, mouse/touch events, battery usage
Geolocation data	Derived from IP address
PEP / sanctions data	Publicly available information on PEP status or sanctions list appearances
Unique identifiers	Applicant ID assigned within the Dataspike system
Additional data	Any data provided voluntarily by the User in communications with Dataspike

Dataspike carries out multiple types of processing, which may include:

Document verification: Automated reading and authenticity checks on identity documents, including completeness checks, cross-referencing of data fields, and analysis of security features (MRZ, barcodes, embedded chips, QR codes).

Biometric verification: Extraction of facial features from identity documents and selfie images to verify that the document belongs to the person presenting it. This includes liveness checks (prompting users to blink, smile, or move their device) to detect presentation attacks, static images, deepfakes, or emulators. Duplicate identity checks may also be performed by comparing facial images against those of Users previously verified for the same Client.

Video identification: Where required by Clients (e.g., for AML/CFT regulatory compliance), Dataspike provides video interview functionality. Interviews may be conducted by Dataspike operators or by Client personnel, depending on the Client's preference.

Data validation: Cross-referencing User data against third-party databases, including identity registries, sanctions lists, PEP lists, adverse media sources, credit agencies, and other relevant sources, depending on the Client's requirements and the User's jurisdiction.

Know Your Transaction (KYT): Analysis of transaction data to detect unusual behaviour or patterns associated with money laundering, terrorist financing, or fraud.

Know Your Business (KYB): Verification of a legal entity's existence, details, ownership, and control structure, including identification of ultimate beneficial owners, through corporate document analysis and registry checks.

Fraud detection: Assessment of User attributes (geolocation, device signature, email, phone number) against known fraud patterns and risk indicators to generate risk scores and flag potentially fraudulent activity.

Authentication: Where instructed by Clients, Dataspike performs authentication by comparing a new liveness image to previously obtained biometric records for a specific User.

Dataspike may process personal data of individuals under the age of majority as defined by the law of the Client's jurisdiction, where the Client has confirmed that appropriate parental or guardian consent has been obtained, or where the child may consent independently under applicable law. Clients are responsible, as Data Controllers, for determining when parental consent is required and for obtaining it. If Dataspike becomes aware that a child's personal data has been submitted without the required consent, it will delete that data without undue delay.

8.1 Processing on behalf of Clients

When Dataspike processes personal data as a Processor, it relies on the legal basis established by the Client. Clients typically rely on one or more of the following:

• Article 6(1)(c) GDPR — compliance with a legal obligation
• Article 6(1)(e) GDPR — performance of a task in the public interest
• Article 6(1)(a) GDPR — consent of the Data Subject

For Special Categories of personal data (including biometric data), Clients typically rely on:

• Article 9(2)(g) GDPR — substantial public interest
• Article 9(2)(a) GDPR — explicit consent

For the specific legal basis applicable to your verification, please refer to the privacy policy of the Client whose services you are using.

8.2 Dataspike's own processing purposes

Where Dataspike processes personal data as a Controller for its own purposes (section 4(b)), it relies on Article 6(1)(f) GDPR (legitimate interests). Dataspike's legitimate interests arise from the necessity of developing and improving fraud detection and AML compliance tools, which serve a substantial public interest. For Special Categories of data processed for these purposes, Dataspike relies on Article 9(2)(g) GDPR (substantial public interest).

8.3 Applicant ID

For Applicant ID, Dataspike relies on Article 6(1)(b) GDPR (performance of a contract with the Applicant) for standard personal data, and on Article 9(2)(a) GDPR (explicit consent) for biometric data. Where Dataspike is subject to a legal obligation or litigation hold, processing is carried out under Article 6(1)(c) GDPR.

8.4 South Africa — PoPIA Compliance

Where Dataspike provides Services on behalf of Clients operating in South Africa, it ensures compliance with the Protection of Personal Information Act (PoPIA). In particular, any credit check or verification against an alternative database on a natural person will only be performed where the Client, as responsible party, has confirmed that the individual's explicit consent has been obtained.

Dataspike acts as an Identity Service Provider (IDSP) and carries out Right to Work (RTW) and Right to Rent (RTR) checks in accordance with the UK Digital Identity and Attributes Trust Framework (UKDIATF) at Medium and High confidence levels. RTW and RTR checks include document verification, biometric identity verification, and identity fraud checks. Where required, Dataspike may also carry out an activity history check (verification of an individual's interaction history with third-party organisations such as financial institutions, educational bodies, travel companies, and utility providers). Data collected for RTW and RTR checks includes: full name (including middle names), date of birth, identity document image (including photograph, nationality, and expiry date), and biometric data (facial scan). All other provisions of this Privacy Policy apply to RTW and RTR processing in the ordinary course. Note: If Dataspike reasonably suspects identity fraud or criminal activity during a verification, it reserves the right to retain relevant records and assign a risk score accessible to other Clients.

Retention periods are primarily determined by Clients, in accordance with their legal obligations. Under AML/CFT regulations, regulated entities are typically required to retain User data for five (5) years following the termination of the business relationship or the date of an occasional transaction. Longer periods may apply in certain jurisdictions. Where Dataspike independently determines a compatible purpose or is subject to a legal obligation, personal data (including biometric data) is retained for no longer than five (5) years from the date it was submitted to the Dataspike system, or until Dataspike's processing purpose has been satisfied — whichever occurs first. Jurisdiction-specific retention periods:

• Illinois (USA): biometric data is retained for no longer than three (3) years from the date of collection.
• Texas (USA): biometric data is retained for no longer than one (1) year from the date the original processing purpose expires.

Deletion: All personal data deletion requests are completed within thirty (30) days. Data is deleted using secure methods that render it non-recoverable. Storage media containing sensitive data is physically destroyed where required. Personal data submitted for verification is transferred to the Client and permanently erased from Dataspike's systems following the Client's instructions upon expiry of the applicable retention period. Pseudonymised data: Where data is retained for service development, fraud detection model training, or compliance record-keeping, it may be held in pseudonymised form for only as long as necessary for that purpose. Litigation hold: Where data is subject to an active legal claim or legal obligation, it is retained for the duration of those proceedings only. If you wish to request deletion of your personal data, please contact the Client that initiated your verification, as the Client is the Data Controller responsible for that data. You may also submit a request directly to Dataspike at dataspike.io/contact-us or via [email protected].

Under applicable data protection law, you have the right to:

• Access — obtain confirmation of whether your personal data is being processed and receive a copy.
• Rectification — correct inaccurate or incomplete personal data.
• Erasure ("right to be forgotten") — request deletion of your personal data where it is no longer necessary, where processing was unlawful, or where you have successfully objected to processing. This right is not absolute and may be subject to legal retention obligations.
• Restriction — request that processing be limited in certain circumstances (e.g., while accuracy is contested, or where you have objected to processing pending verification of legitimate grounds).
• Data portability — receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
• Objection — object to processing based on legitimate interests or public interest grounds. Objections will be assessed against Dataspike's compelling legitimate grounds.
• Not to be subject to solely automated decisions that produce legal or similarly significant effects, except where such decisions are necessary for a contract, required by law, or based on your explicit consent.

To exercise any of the above rights, please contact us at [email protected] or via dataspike.io/contact-us. We will respond within one (1) month of receipt. Where requests are complex or numerous, this period may be extended by a further two (2) months; we will notify you of any extension within the initial one-month period.

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal. Where processing is based on legitimate interests, you have the right to object. Please note that, given the nature of fraud prevention and AML compliance as matters of substantial public interest, Dataspike will in most cases have compelling legitimate grounds that override individual objections. We will assess each objection on its merits. Because Dataspike processes data primarily on behalf of Clients, requests to withdraw consent or object to processing will generally be forwarded to the relevant Client. Dataspike does not independently make decisions on such requests unless acting as a Controller in its own right. To submit a withdrawal or objection request, please contact us at [email protected] or via dataspike.io/contact-us.

Personal Data is stored on servers located within the EEA by default. Where Clients require processing in specific locations to comply with local data residency requirements, Dataspike can accommodate such requests. Certain sub-processors engaged by Dataspike (such as those providing AML data analysis and enrichment) may process Personal Data outside the EEA or UK. Where any such transfer occurs, Dataspike ensures that appropriate safeguards are in place, including:

• an adequacy decision by the European Commission or UK Government; or
• Standard Contractual Clauses (SCCs) as adopted by the European Commission; or
• UK International Data Transfer Agreements (IDTAs), where applicable.

Cross-border transfers from the UK to the EU/EEA are permitted under UK adequacy regulations. For transfers in connection with Services provided to Clients outside Europe, Dataspike relies on adequacy decisions or appropriate contractual safeguards as applicable under local law. A current list of sub-processors and applicable transfer mechanisms is available at dataspike.io/subprocessors.

Subprocessors

Dataspike engages third-party subprocessors to support the provision of its Services, including cloud infrastructure, content delivery, and data analysis providers. All subprocessors are bound by data protection obligations consistent with this Policy and the EU GDPR / UK GDPR. Dataspike provides at least thirty (30) days' advance written notice of any intended addition or replacement of a subprocessor. A current list of subprocessors is published at dataspike.io/subprocessor-policy.

Other third-party disclosure

Dataspike may share personal data with:

• Data Providers — third-party databases used to perform identity checks, AML screening, sanctions screening, and fraud detection, as required by the Client's Service configuration.
• Regulatory and governmental authorities — where required by applicable law, court order, or regulatory obligation. Such disclosures are made in strict compliance with applicable law, and prior notice will be given where legally permitted.

Dataspike does not disclose personal data to other third parties except as described in this Policy or as instructed by the relevant Client.

In the event of a confirmed or suspected personal data breach, Dataspike will:

• notify the affected Client without undue delay and, where feasible, within 72 hours of becoming aware;
• provide sufficient information to enable the Client to fulfil its own notification obligations to supervisory authorities and Data Subjects;
• cooperate fully with the Client to investigate, mitigate, and remediate the breach.

Breach notifications are sent to the contact details provided by the Client at registration or as otherwise agreed. The Data Protection Officer (DPO) oversees breach response procedures and can be contacted at [email protected].

Dataspike implements appropriate technical and organisational measures to ensure the security of personal data, including:

• Access controls: role-based access, mandatory multi-factor authentication (2FA), and the principle of least privilege.
• Encryption: personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Infrastructure: data is stored in Tier 3+ data centres within the EEA; regular vulnerability assessments and penetration testing are conducted.
• Monitoring and logging: continuous monitoring of systems and infrastructure, including automated alerting for anomalous activity and audit trails.
• Change management: a formal change management process governs all modifications to infrastructure, software, and configurations prior to deployment.
• Processing integrity: controls are in place to ensure personal data is processed completely, accurately, and in a timely manner; anomalies are logged and resolved.
• Certifications: ISO/IEC 27001, SOC 2 Type 2.
• Personnel: background checks where required by law; mandatory data protection training; confidentiality obligations for all staff with access to personal data.
• Secure deletion: biometric and personal data is deleted using methods that render it non-recoverable; physical destruction of storage media is carried out where required.
• Business continuity: Dataspike maintains and tests a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) at least annually.

Special protection measures apply to certain categories of sensitive national identifiers (e.g., Dutch BSN, Korean RRN, Japanese My Number, Singaporean NRIC). Unless the Client has a legal basis to process such data, Dataspike will take appropriate technical measures (such as redaction or blurring) to prevent its processing.

United States — Biometric Data (Illinois, Washington, Texas)

Personal data processed by Dataspike may include biometric identifiers (such as facial geometry scans) and biometric information derived from those identifiers, used to verify User identity. Such data is processed on behalf of Clients and permanently deleted in accordance with Section 10 of this Policy.

• Illinois: Dataspike complies with the Biometric Information Privacy Act (BIPA). Biometric data is retained for no longer than three (3) years from collection.
• Texas / Washington: Biometric data is retained for no longer than one (1) year from the date the original processing purpose expires.

Dataspike maintains a publicly available retention and deletion schedule in accordance with applicable biometric privacy laws.

South Africa — PoPIA

See Section 8.4 above.

Dataspike does not sell personal data. Dataspike complies with the California Consumer Privacy Act (CCPA) and equivalent restrictions under the EU GDPR and UK GDPR.

Dataspike reviews and updates this Privacy Policy on a regular basis to reflect changes in applicable law, our Services, or our processing activities. Updated versions are published on our Website and take effect upon publication. Where changes are material, Dataspike will provide reasonable advance notice to active Clients. We encourage Users to review this Policy periodically. Previous versions of this Policy are available upon request at [email protected].

This Privacy Policy is governed by the laws of the Republic of Cyprus, consistent with the governing law of the Terms of Service and Data Processing Agreement. Where mandatory provisions of applicable data protection law (including EU GDPR, UK GDPR, or local law) conflict with this choice of law, those mandatory provisions shall prevail.