LEGAL

Privacy Policy

Version 2.0 — Effective date: 15 June 2026

This Privacy Policy explains how Fidify AB, company registration number 559431-3800, registered office at Tulegatan 53, Stockholm, Sweden (“Fidify,” “we,” “our” or “us”), processes personal data. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and Swedish data-protection law.

Fidify AB is the entity responsible for the relationships described in this policy. Fidify also operates in Mauritius; the role of our Mauritius operation in the processing of personal data is described in the section “International transfers” below.

1. Our role: controller and processor

For some processing we act as a controller (we decide why and how personal data is processed). For other processing we act as a processor (we process personal data on behalf of, and on the documented instructions of, our customers).

  • As processor: when our customers use the Services to carry out their own KYC and AML processes, the customer is the controller of the personal data of its users and end-customers, decides what data to collect, and is responsible for the lawful basis. We process that data only on the customer’s instructions, under our Data Processing Agreement.
  • As controller: we act as controller for our own customer-administration, billing, marketing, website, recruitment, supplier-management and internal-operations processing, as described below.

2. Processing where we act as processor (customer use of the platform)

When our customers use the Services towards their end-customers, we process, on the customer’s instructions:

  • Data collected: names, contact information, personal data submitted via the in-tool chat function, identity documents (such as passport or ID-card images), other personal data contained in documents requested by the customer, and audit-trail data relating to the submission of such documents or messages. Biometric data may also be processed in the identity-verification flow described below.
  • Purpose and instructions: to provide the Services to the customer. We do not determine the purposes of this processing and do not use this data for our own purposes, except where it has first been irreversibly anonymised.
  • Lawful basis: determined by the customer as controller.
  • Retention: as instructed by the customer; on termination, data is returned or deleted in accordance with the Data Processing Agreement.
  • Shared with: our sub-processors (see our sub-processor list) and, where required, authorities under a valid legal request.

Individuals whose data is processed in this context should contact the relevant customer (the controller) to exercise their rights. We will refer such requests to the customer and assist the customer as required under the Data Processing Agreement.

Identity verification and biometric data

Where the customer’s onboarding flow requires it, we process, as processor on the customer’s documented instructions, an image of an identity document (such as a passport or ID card) together with a facial image of the person presenting it. The facial image is processed to generate a biometric comparison against the photograph in the identity document, to support confirmation that the person is the genuine holder of the document.

  • Special category data: this biometric comparison is the processing of biometric data for the purpose of uniquely identifying a natural person, a special category of personal data under Article 9 GDPR.
  • Role and lawful basis: we act solely as processor, on behalf of and on the documented instructions of the customer (the controller). The verification decision is made by the customer’s authorised agent in the portal; we perform no automated approval or rejection. In addition to Articles 6(1)(b) and 6(1)(f) GDPR, the processing of this special-category data relies on the data subject’s explicit consent under Article 9(2)(a) GDPR. The controller is responsible for establishing and documenting a valid Article 9 condition and for obtaining any required consent.
  • Retention: the facial image is stored together with the associated identity document as part of the verification record, for the period determined by the controller in line with its record-keeping obligations.
  • Access and security: the verification record, including the biometric image, is stored in encrypted form. Fidify does not have access to its content; access is limited to the controlling customer through the portal and to the data subject in respect of their own data.

3. Processing where we act as controller

3.1 Customer administration, billing and marketing

  • Data collected: names, titles, phone numbers, email addresses, and billing and payment information.
  • Purpose and lawful basis: to provide and bill for the Services and to provide support (Article 6(1)(b) GDPR, performance of a contract); to send service-related communications and to carry out direct marketing to existing customers, and to analyse and improve the Services (Article 6(1)(f) GDPR, legitimate interests). You may object to direct marketing at any time, and marketing emails include an unsubscribe link.
  • Retention: for the duration of the customer relationship and thereafter as required to comply with legal obligations (for example, accounting records under the Swedish Bookkeeping Act, generally seven years).

3.2 Website visitors

  • Data collected: IP address, browser type, device information, and cookie data (see the “Cookies” section).
  • Purpose and lawful basis: to analyse website usage, maintain security, and improve the user experience (Article 6(1)(f) GDPR, legitimate interests), and, for non-essential cookies, on the basis of your consent.
  • Retention: server logs are retained for a maximum of 30 days; cookie lifetimes are set out in our cookie information.

3.3 Contact form

  • Data collected: the information you submit through the contact form. Mandatory fields are marked; other fields are optional.
  • Purpose and lawful basis: to handle your enquiry. Where your enquiry relates to a potential or existing contract, the basis is Article 6(1)(b) GDPR; otherwise it is our legitimate interest in responding to enquiries (Article 6(1)(f) GDPR). Data submitted through the contact form is encrypted in transit.

3.4 Job applicants

  • Data collected: names, contact details, CVs and other personal data submitted in applications.
  • Purpose and lawful basis: to evaluate applications and communicate with applicants (Article 6(1)(b) GDPR, steps prior to entering a contract, and Article 6(1)(f) GDPR, legitimate interest in recruitment).
  • Retention: applicant data is retained for a maximum of six (6) months after the end of the recruitment process, unless you consent to a longer period or a legal claim requires longer retention.

3.5 Suppliers and contractors

  • Data collected: contact details, contract information and payment details.
  • Purpose and lawful basis: to manage the relationship and fulfil the contract (Article 6(1)(b) GDPR), and for related legitimate business interests (Article 6(1)(f) GDPR).
  • Retention: for the duration of the contract and as required by law.

3.6 Internal developer-activity monitoring

We process internal developer-activity data (for example merge requests, commits, code reviews and related metadata) to structure teams, support individual growth and maintain software quality. This is used only for team optimisation and coaching, identifying training needs, and supporting performance discussions. We do not process customer or end-user data for this purpose, and no decision producing legal or similarly significant effects is based solely on automated processing of this data. The lawful basis is our legitimate interest in managing and developing our engineering teams responsibly (Article 6(1)(f) GDPR); a balancing assessment is documented and available to employees.

4. Cookies

Our website uses cookies and similar technologies. Strictly necessary cookies are used to operate the site and do not require consent. Analytics and other non-essential cookies (including those set through Google Tag Manager) are used only with your consent, which you give or refuse through our cookie banner and can withdraw at any time through the cookie settings. For details of the cookies we use and their lifetimes, see our Cookie Policy.

5. International transfers

Our production infrastructure is hosted in the European Union. Some of our sub-processors are located in, or transfer personal data to, countries outside the European Economic Area (“EEA”). In addition, our operations in Mauritius involve remote access to personal data hosted in the EEA by Fidify personnel located in Mauritius, for customer-support and operational purposes. This access is treated as a transfer to a third country and is covered by the safeguards described below.

Where personal data is transferred outside the EEA, we ensure an appropriate safeguard under Chapter V GDPR, in particular:

  • the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organisational measures and a transfer impact assessment where required; or
  • an adequacy decision of the European Commission, where applicable.

A current list of our sub-processors and their processing locations, together with the transfer mechanism for each, is available at our sub-processor list. You may request a copy of the relevant safeguards by contacting us at dpofidify.se.

6. Sharing of personal data

We share personal data only with: sub-processors and vendors with whom we have a written data-processing agreement; employees and consultants on a need-to-know basis subject to confidentiality; and authorities or other parties where required to comply with a legal obligation, legal proceedings or a court order. We do not disclose personal data to third parties for their own advertising purposes.

7. We do not sell personal data

We do not sell any personal data that we collect as controller or process as processor.

8. Your rights

Subject to the conditions in the GDPR, you have the right to: request access to your personal data; request rectification of inaccurate data; request erasure; request restriction of processing; object to processing based on legitimate interests, including direct marketing; request data portability; and, where processing is based on consent, withdraw your consent at any time without affecting prior processing.

To exercise these rights in respect of processing where we are the controller, contact us at dpofidify.se. Where we act as processor, please contact the relevant customer (the controller); we will assist them as required. For security, we may need to verify your identity before acting on a request, using measures proportionate to the sensitivity of the data.

You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, imy.se). You may also complain to the supervisory authority in your country of residence or work.

9. Retention and erasure

We delete or restrict the processing of personal data in accordance with Articles 17 and 18 GDPR. Personal data is deleted once it is no longer necessary for the purpose for which it was collected, unless a statutory retention requirement or an overriding legitimate interest applies. Where data is not deleted, its processing is restricted.

10. Automated processing and AI

Some Services are AI-assisted. Where we process personal data using AI as part of providing the Services, we do so as processor on the customer’s instructions; the customer, as controller, is responsible for any decision based on the output and for any transparency obligations towards individuals. Our AI sub-processors do not use customer content to train their models (see our sub-processor list).

11. Contact and changes

Controller: Fidify AB, Tulegatan 53, Stockholm, Sweden.

Data Protection Officer: dpofidify.se

General enquiries: supportfidify.se

We may update this Privacy Policy to reflect changes in law, our organisation, our Services, our processing practices, or technology. Material changes will be notified by posting an updated version on this page and, where appropriate, by other means. The version effective at the time of processing governs that processing.

© 2026 Fidify AB. All rights reserved.