Privacy Policy

1. Introduction

NEBI ("NEBI," "we," "us," or "our") is committed to protecting the privacy and security of the personal data we process. This Data Privacy Policy outlines how we collect, use, disclose, and safeguard personal data when you access or use our websites, products, services, platforms, or otherwise interact with us (collectively, the "Services").

The Privacy Policy forms an integral part of NEBI's Terms of Service and should be read together with them.

NEBI processes personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable laws.

Capitalised terms used but not defined in this Privacy Policy shall have the meaning given to them in the Terms of Service.

2. Data Controller and Data Processor Roles

NEBI provides technology-based services, including identity verification, compliance, fraud prevention, and other related solutions. We process personal data received from our Customers in connection with the provision of the Services, as well as, where applicable, from third-party sources such as government authorities, official registers, or trusted third-party providers supporting verification, screening, and related checks.

Depending on the context in which personal data is processed, NEBI acts either as a Data Controller or as a Data Processor.

Under GDPR, NEBI operates as a Data Processor when processing personal data on behalf of its Customers (the Data Controllers) in connection with the Services, strictly in accordance with the Customer's documented instructions and any applicable Data Processing Agreement ("DPA").

NEBI acts as a Data Controller when processing personal data of website visitors, prospective customers, business contacts, and other individuals who interact directly with NEBI through the Websites or other channels.

For the purposes of this Privacy Policy, "Data Controller" means the entity that determines the purposes and means of processing personal data, and "Data Processor" means the entity that processes personal data on behalf of a Data Controller, as defined under the GDPR.

3. Personal Data We Process

NEBI may process the following categories of personal data as required to provide identity verification and other services:

  • identification and general personal data (e.g. name, date of birth, nationality, address, personal identification numbers);
  • contact and account data (e.g. email address, phone number, login credentials, profile information);
  • identity document data (e.g. copies of passports or ID cards, issuing authority, expiry date, MRZ and security features);
  • biometric and liveness data (e.g. facial images, videos, and biometric features), processed solely where permitted by law and not retained beyond what is required;
  • transaction and financial data (e.g. payment details, verification identifiers, and, where applicable, crypto-related transaction data);
  • technical, usage, and device data (e.g. IP address, logs, device attributes, and geolocation data);
  • compliance-related and publicly available data (e.g. sanctions and PEP information);
  • comments, feedback, and other information you provide to us, including search query data and questions or information you send to customer support;
  • interests and communication preferences, including preferred language;
  • end-user personal data processed on behalf of Customers, which may include identification documents, biometric data, and other information submitted for verification purposes.

4. Purpose and Legal Basis of Processing

Depending on how you interact with us and the Services, we process personal data for the following purposes and legal bases, as applicable:

  • to provide, activate, and manage your access to and use of the Services;
  • to process and fulfill your requests, orders, or other transactions;
  • to provide technical, product, and other support and to maintain the security, availability, and functionality of the Services;
  • to improve the Services and our other products and events, and develop new products and services;
  • to respond to your requests, inquiries, comments, and concerns;
  • to notify you about changes, updates, and other announcements related to the Services and our other products and services;
  • to deliver promotional communications, marketing messages, and information about NEBI's products and Services, and, where applicable, those of our affiliates or partners, subject to applicable law and your communication preferences;
  • to invite you to participate in user testing and surveys or similar feedback initiatives;
  • to carry out data analysis, including for research, audit, reporting, measuring service effectiveness and other business operations;
  • to comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements.

Where NEBI processes personal data subject to applicable data protection laws, it does so on one or more of the following legal bases:

  • performance of a contract or steps taken at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation;
  • legitimate interests pursued by NEBI or its Customers, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject;
  • consent, where required by applicable law.

5. Security of Personal Data

We implement industry-standard technical and organizational measures to ensure the security and confidentiality of personal data, including:

  • data encryption during transmission;
  • access controls limited to authorized personnel with strict authentication;
  • anonymization or pseudonymization where feasible and applicable;
  • regular audits and assessments of security measures.

6. Data Sharing and Disclosure

NEBI does not share personal data with third parties except in the following circumstances:

  • with authorised sub-processors, service providers, contractors, and professional advisors engaged to support the provision, operation, security, and improvement of the Services, subject to contractual confidentiality and data protection obligations;
  • with NEBI's affiliates or group companies, where necessary to provide shared services such as IT, security, customer support, billing, analytics, or compliance functions, in accordance with this Privacy Policy;
  • where required to comply with applicable law, court order, or a lawful request from a regulatory or governmental authority;
  • where necessary to protect the rights, property, or security of NEBI, its Customers, users, employees, or others;
  • in connection with a corporate transaction, such as a merger, acquisition, reorganisation, or sale of assets, subject to appropriate confidentiality and data protection safeguards.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area ("EEA"), NEBI ensures that appropriate safeguards are in place, such as Standard Contractual Clauses or other lawful transfer mechanisms recognised under applicable data protection laws.

8. Data Retention

We retain your personal information only for as long as necessary to provide the Services and to fulfil the purposes for which it was collected, including completing the transactions you have requested, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, resolving disputes, maintaining security, detecting and preventing fraud and abuse, and enforcing our agreements.

Retention periods are determined based on legal, regulatory, contractual, and operational requirements.

9. Data Subject Rights

Where NEBI acts as a Data Controller, data subjects may have rights under the GDPR, including the following:

  • access and rectification of personal data;
  • erasure (Right to be Forgotten);
  • restriction of processing and the right to object under certain conditions;
  • data portability in a commonly used format;
  • right to lodge a complaint with a competent supervisory authority.

Where NEBI acts as a Data Processor on behalf of its Customers, data subject rights requests should generally be addressed to the relevant Customer acting as the Data Controller. NEBI will support such requests in accordance with applicable law and contractual obligations.

Requests relating to personal data processed by NEBI as a Data Controller may be submitted to NEBI's Data Protection Officer (DPO).

10. Sub-Processing and Onward Transfers

NEBI uses select sub-processors for cloud storage and system operations. We ensure these providers meet GDPR standards, including for data transfers outside the EEA, as well as other appropriate security standards.

11. Incident Notification

In the event of a personal data breach, NEBI will notify affected Customers and, as required, the relevant supervisory authorities without undue delay.

12. Updates to this Privacy Policy

NEBI may update this Privacy Policy to reflect operational, legal, or regulatory changes.

Updates will be published on NEBI's website and will become effective upon publication, unless otherwise required by applicable law.

13. Contact Information

For privacy-related inquiries, requests, or concerns, you may contact NEBI at [email protected].