ID-Pal
Data Protection Notice

1. Who are we?

We are ID-Pal Limited, a company incorporated under the laws of Ireland with company registration number 578727, whose registered office is at 145 Pearse Street, Dublin, 2, D02 CP08, Ireland (“we”, “us” and “our”).

We know your privacy is important to you and we are fully committed to the principles of data protection, as set out in the General Data Protection Regulation (EU 2016/679) (GDPR).

This Data Protection Information Notice explains how we and our authorised business partners, affiliates and agents process information, particularly Personal Data that we receive from you and others. Please read the following carefully to understand our approach and practices regarding your personal data and other information and how we treat it.

We refer to the term “app” multiple times throughout this document. The term “app” refers to the ID-Pal Native Application, SDKs, and Web Application.

Please do not use our website, app, products or services if you do not agree with the ways in which we will process your Personal Data and other information.

Personal Data is defined in the GDPR as any information relating to an identified or identifiable natural person. In jurisdictions outside the EU/EEA, this is sometimes referred to as Personally Identifiable Information (PII) or Personal Information.

We have a separate Cookie Information Notice that provides you with information on the cookies which we or third parties may place on your computer, when you visit our website. Certain categories of cookies can only be placed if you consent to them. Further information is found here.

For the avoidance of doubt, we do not place cookies or other tracking technologies on your device when you use our app, that are capable of identifying you.

We have separate Data Protection Information Notices for employees, candidates and those using our services for Right to Work /Right to Rent schemes in the United Kingdom.

2. What is our role?

We provide client due diligence services to organisations (our Customers) who are required, under certain legal obligations, or who choose to verify the identity of their clients. Our Customers may request their clients (the End Clients) to use our app to provide their identification documents to the Customer.

3. What legal basis do we rely on for the processing of your personal data?

When we process the information of End Clients we do so in accordance with the instructions of our Customer. We are the Data Processor. If you are an End Client, our Customer is the Data Controller of your information. Our Customer will determine why, what and how your information is collected, used, shared, retained and under what lawful basis it is processed. For more details. please contact them or view their Data Protection Information Notice on their website.

When we process the business information of our Customer, we do so as Data Controller. The purpose for collecting Personal Data is to provide our product and services to you and it is necessary for the performance of our legal contract with you or it is necessary for compliance with a legal obligation to which we are subject to.

We also love to hear from prospective Customers, so we provide a facility on our website for you to request information about our product and services and you enter your contact details for the purpose of us contacting you. We process your personal data here on the basis of your consent, which can be withdrawn at any time by using our opt-out mechanism on all marketing emails.

4. What information do we collect about you?

End Clients

Information that you provide to us, or to our Customer such as;

• photographic and video images of you, when you provide us with a “selfie” photo, video-clip;
• pictures of your passport and national identification card or driving licence;
• biometric data, when we compare your “selfie” photo against your photographic ID;
• details from your passport, such as your name, gender, date of birth, nationality, passport number and MRZ code;
• details from your national identification card or driving licence, such as your name, address, date of birth and driving licence number;
• details from your proof of address documentation, such as your name, address and account number, if visible on documentation;
• additional information that you provide to us at the request of our Customers such as confirmation of your name, gender, address, date of birth, email address, mobile telephone number, PPSN, marital status
• the details of your device or the device used to make a submission such as manufacturer, model, and operating system version. This information cannot be used to identify you as an individual; and
• IP address, if our Customers wish to process this information in an effort to detect fraud

Customers

• information that you, or someone in your organisation, provide to us during registration, including your name and business name, email address, telephone number, username, and password;
• financial details including your bank details such as the sort code and account number, to the extent that you supply these to us for the purpose of making payments and you are a sole trader rather than a corporate entity; and
• information from our logs which indicates activity on the app and the portal.

Web-site visitors

• information that you submit on the contact pages of our website, or if you request us to send you a particular document, such as your name and email address; and
• information collected from cookies which may include your IP address, please see separate Cookie Information Notice.

5. How and why do we collect your information?

All information will be obtained fairly. The information we collect will be adequate, relevant and not excessive in relation to the purposes for which it is requested.

For End Clients that purpose will be determined by our Customer, the Data Controller. For more information, please contact them.

For our Customers that purpose is to enable us to deliver our product and services to you.

For website visitors that purpose is to respond to your query or provide you with requested information.

We may collect and process information about you in a number of ways, including:

End Clients

• directly from you; when you submit your information through our app, or if you contact us directly for any reason, for example calling us or emailing us. Calls to us and from us may be recorded for training, monitoring and quality purposes. You may also decide to provide us feedback on our product and services.
• from our Customer, when they provide us with your email address or phone number to connect you to our services, or if they submit your information on your behalf, for example, if they complete your checks in person;
• from third party service providers or public sources, to conduct verification checks on the information you have provided to us; or

Customers

• directly from you; when you submit your information through our website, portal, or if you contact us directly for any reason. Calls to us and from us may be recorded for training, monitoring and quality purposes;
• from your employer or another person in your organisation, for example, when they provide us with your details to facilitate configuration of our system or to create a user account for you;
• from third parties, such as, resellers, service providers or your nominated representatives; or
• from our records of how you use our products or services, for example when you access and use our web portal;

Website visitors

• directly from you, when you visit our website and request us to contact you.
• from your computer or device.

6. What do we use your information for?

End Clients

• we will only use the information that you submit to us through our app to conduct identification and other verification checks on behalf of our Customers who have instructed us to do so;
• we will use the information generated when you use our website and app to promote the safety and security of our products and services, to investigate problems, suspicious activity or violations of our policies and to improve our product and services based on your feedback;
• if you contact us directly for any reason, we will use the information to respond to you, to assist with any enquiries you have and to maintain our records; and
• as permitted or required by any law applicable to us or arising from your interaction with us.

Customers

• providing our products and services to you;
• determining your suitability for our products and services;
• administering and managing the products and services we provide to you, to charge you for them, to process payment and collect any amounts you may owe us and to deliver them;
• promoting the safety and security of our products and services and investigating suspicious activity or violations of our policies;
• assisting you with enquiries and to provide you with better customer service;
• providing you with information that you request from us about our products and services and products and services that we feel may interest you;
• conducting market research and analysis to further enhance and improve the quality of the products and services we offer;
• sending you communications such as news updates in our newsletter, where you have opted to receive these;
• notifying you about changes to our products and services; or
• as permitted or required by any law applicable to us or arising from your interaction with us.

Website visitors

• responding to your request to contact you; and
• sending you communications such as news updates in our newsletter for as long as you wish to receive it.

7. Who do we share your information with?

The information we collect from our Customers, whether that is their information or End Client information, may be transferred to third parties in connection with our business model. It may also be processed by these companies and/or by our and their respective employees and service providers. These third parties are processors, when we are acting as a data controller, and as sub- processors when we are acting as a processor, and we remain liable to you for their performance of obligations. We will take steps to ensure that these third parties will:

• only process personal data in accordance with our instructions;
• take appropriate security measures to protect your personal data;
• commit themselves and their employees to confidentiality;
• provide assistance to us in the discharge of our obligations to you; and
• report all data breaches to us without undue delay.

In particular we may disclose your information to the following third parties:

• our professional advisers in order for them to provide us with advice;
• third party service providers, such as our payment processors, verification service providers and database hosts where necessary for them to provide us with services or to provide services that you have requested;
• our technology providers, including those which host your data on our behalf and provide certain IT software, support, and/or professional services to us; or
• if you are a Customer, to business partners and/or possible acquirers or investors (and our and/or their advisors) in the context of a facilitating or implementing a business re-organisation or a transfer/sale of all or part of our assets or business;
• if you are a Customer, to our debt collection agency in the unlikely event your invoice is not paid on time.

If you are an End Client, we will provide our Customer with the results of our identity and verification checks on you.

We may also have to share information with third parties to meet any applicable law, regulation or lawful request from a law enforcement agency. When we believe we have been given false or misleading information, or we suspect criminal activity we have an obligation to record this and report to law enforcement agencies, which may be either in or outside Ireland.

Other than as outlined above, we will not disclose your Personal Data.

8. International Data Transfers

Personal Data may be transferred to third parties who are our processors/sub processors as part of our business model as described in sections 5 and 6 above. This may include the transfer of data to other jurisdictions for processing at a destination outside the European Economic Area (“EEA”). Such transfers only occur either on the basis of an adequacy decision made by the European Commission as permitted by Article 45 of the GDPR or approved safeguard measures pursuant to Article 46 of GDPR.

9. For how long do we retain your personal data?

End Clients:

We retain your Personal Data for as long as we are instructed to do so by our Customer, the Data Controller. For more information, please contact them.

Customers:

We retain your Personal Data for no longer than is necessary with regard to the purposes for which it was collected or lawfully further processed. We will retain your Personal Data for the duration of our relationship and seven years thereafter as required by our legal obligation to the Revenue Commissioners.

Website visitors

We will retain your Personal Data on our contact database for as long as you are our business contact and wish to receive information about us.

10. Am I subject to a decision based solely on automated processing?

End Clients:

Our product conducts identification and verification checks by automated technical means. The results of these checks will verify your identity and in turn this may contribute to an overall decision made by our Customer.

11. How do we keep your information safe?

All information including Personal Data is encrypted at rest and in transit. We use AWS in Europe, for storage. We have firewalls on our application and database servers. Personal Data is logically segmented to the extent that we in ID-Pal do not have access to the Personal Data stored. Only a Customer, who has been authenticated, has access to this information. Our Customer may provide your Personal Data to us for the purpose of troubleshooting or technical support.

While we take these steps to maintain the security of your information, you should be aware of the many information security risks that exist and take appropriate care to help safeguard your information. The nature of the internet is such that we cannot guarantee the security of the information you transmit to us electronically, and any transmission is at your own risk.

12. Third party sites and services

Our website, web portal and app may contain links to third party websites. When using our services, you may be redirected to third party websites, for example, to our payment processor’s website to complete your payment. Your use of these websites and services will be subject to these third parties’ terms of use privacy/data protection policies and cookie policies. Please review the privacy/data protection policy and terms of conditions of these websites, as we are not responsible for them.

13. What are your rights?

You have rights under the Data Protection Acts 1988 to 2018, and, the General Data Protection Regulation (2016/679) (“Data Protection Legislation”) which can be summarised as follows:

• You have the right to request information about whether we hold your personal data, and, if so, what that personal data is and why we are holding/using it.
• You have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• You have the right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
• You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
• You have the right to object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by us using your personal information or profiling of you. ID-Pal does not make decisions based solely on automated processing.
• You have the right to request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• You have the right to request transfer of your personal information in an electronic and structured form to you or to another party (commonly known as a right to “data portability”).

You have the right to make a complaint to the Data Protection Commission, the ICO in the UK or your local data protection supervisory authority.

Further information on your Data Protection rights is available on the website of the Irish Data Protection Commissioner at http://www.dataprotection.ie

If you are in the United Kingdom, you also have the right to complain directly to us where you believe we have infringed UK GDPR, the Data Protection Act, 2018 as amended by the Data (Use and Access) Act 2025. Please contact sinead@id-pal.com in this regard.

End Clients

When we process End Clients’ Personal Data, we do this in accordance with the instructions of our Customer. If you are an End Client, our Customer will be the Data Controller. Our Customer will determine the purpose of and the legal basis for processing your Personal Data and how your information is collected, used, shared and retained by them.

For more information, or to exercise your rights under Data Protection Legislation, please contact our Customer, the Data Controller.

Customers

You can exercise your Data Protection rights by contacting our Data Protection Officer by sending an email to sinead@id-pal.com or by writing to us at 145 Pearse Street, Dublin, 2, D02 CP08. You can update your contact preferences, regarding direct marketing through your ‘my account’ section on our website.

If you choose not to provide certain information to us, we may not be able to continue to provide you with the products or services you require and/or it may impact our ability to better respond to your needs.

14. Definitions

Any terms not defined in this Data Protection Information Notice have the meanings given to such terms in the Data Protection Legislation.

15. Changes to our Data Protection Statement

From time to time, we may need to change this Data Protection Information Notice. If we do so, we will post an updated version of our Data Protection Information Notice on this page and it will apply to all of your information held by us at the time. We may choose to notify you of any material changes via email or posting on our website

Contacting us

If you have any questions, comments and requests regarding this Data Protection Information Notice or our processing of your Personal Data and you should address all correspondence to our Data Protection Officer at sinead@id-pal.com or ID-Pal Limited, 145 Pearse Street, Dublin, 2, D02 CP08, Ireland.