1.3 In order to fully understand how Personal Data is Processed, Data Subjects should review the privacy notices shared with the Users by Recary Ltd and the privacy policies of those Clients for whose services they are undergoing a KYC check.
Our full details are as follows:
Full name of legal entity: Recary Ltd
Email address: firstname.lastname@example.org
Telephone number: +44 02070961300
Principal place of business: Eighth floor, Capital Tower, 91 Waterloo Road, Bishop's, London, SE1 8RT.
Registered office address: 40 Gracechurch Street, London, EC3V 0BT
Company number: 06984177
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
1.5.3 Our main privacy principles
1.5.4 The content of Personal Data we Process
1.5.5 Purpose of processing and legal ground of processing for provision of our Services
1.5.6 Service process (automated processing)
1.5.7 Data Subject's rights in relation to Personal Data
1.5.8 Disclosure and transfer of Personal Data
1.5.9 Security of Personal Data
1.5.10 Retention of Personal Data
1.5.11 Children's Personal Data
1.5.12 Links to third party websites
Agreement - service agreement concluded with the Client.
Data Providers – these are third-party service providers or public authorities who we use to collect additional information for the KYC check. For example, we may check the User-provided info against an official public registry.
Data Controller - a legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and gives instructions regarding processing activities to Recary Ltd.
Data Processor – Recary Ltd Processes Personal Data on behalf of the Data Controller.
Data Subject / you – a natural person about whom we have information or data enabling the identification of the natural person. Data Subjects are our Client's representatives, Users, our (potential) employees and Visitors.
EEA - European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein).
GDPR - EU General Data Protection Regulation no 2016/679.
Client - the legal entity to whom we provide our Services under the Agreement.
Personal Data - any information relating to an identified or identifiable natural person (the Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing - any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing may be done manually or using automated systems.
Processor / our / us / we - Recary Ltd incorporated in England and Wales with registered number 06984177 whose registered office address is at 40 Gracechurch Street, London, EC3V 0BT, United Kingdom and principal place of business is at Eighth floor, Capital Tower, 91 Waterloo Road, Bishop's, London, SE1 8RT.
Service(s) - KYC (or know your customer) check services and connected services provided by us.
User - the natural person regarding whom we provide the Service at the request of the Client and natural person who contacts us as the representative of Client prior to conclusion of the Agreement.
Visitor - is any person using the Recary Ltd Website.
Politically exposed person (PEP) – a politically exposed person, including their family members and close associates, in accordance with the applicable legal acts regarding the prevention of money laundering or terrorist financing (such as a natural person who is or who has been entrusted with prominent public functions, e.g. a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court).
Website - https://recary.co.uk
3. Our main privacy principles
Here you can find the privacy principles we follow when Processing Personal Data.
We follow what we call the "Fundamental Six", that is, six principles regarding Recary Ltd's data Processing activities:
(1) First, we Process Personal Data in a reliable and confidential way. We respect each person's right to the protection of their Personal Data and we shall do our best to ensure that Personal Data collected by us is well protected. We regularly evaluate the risks associated with the Processing of Personal Data and shall apply appropriate mitigation strategies to hedge risks.
(3) Third, we Process Personal Data lawfully and purposefully. We set clear goals for the Processing of Personal Data and Process Personal Data for these purposes only. We do not collect or Process data that we do not need. Recary Ltd has the right to delete, blur or otherwise make unreadable any data/documents presented in the session that are not necessary for Recary Ltd's Service provision. This also means we never sell Personal Data – all transfers of Personal Data must have a valid legal basis.
(4) Fourth, we Process Personal Data in a transparent and fair way. We ensure an appropriately secure, honest and lawful manner of processing the Personal Data to prevent the unauthorized disclosure or inappropriate use of Personal Data. We also work to eliminate the possibility of discrimination or bias in our Service.
(5) Fifth, we shall store Personal Data only for as long as the retention of data is required by law or a contract or is necessary for the provision of our Services. At the end of the retention period, we shall permanently erase the Personal Data or anonymize it.
(6) Sixth, we do our best to make sure that the Personal Data we Process is accurate and limited to what is necessary.
4. The content of Personal Data we process
Here you can find what Personal Data we Process about Users, Client's representatives and Visitors.
(1) personal information of User, such as name, sex, personal identification code, date of birth, place of birth, legal capacity, nationality, citizenship, financial details, as well as the historic data of that User that may have been stored with us during previous interactions within the retention periods;
(2) document details, such as the name of the document, issuing country, number, expiry date, information embedded to document barcodes (may vary depending on the document) and security features;
(3) facial recognition data, such as photos, videos and sound recording, photographs taken from you and your document and video and sound recording of the verification process;
(4) contact details, such as address, e-mail address, telephone numbers, IP address;
(5) technical data (Device Signature), including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, your software and hardware attributes as well as your general geographic location (e.g. city, country);
(6) biometrical data, such as facial identifiers;
(7) publicly available relevant data, e.g. information about being politically exposed person (PEP) and checks in public sanction lists.
4.2 How we obtain User's Personal Data. We may obtain Personal Data directly from you as well as from the Client. We also collect your Personal Data independently from Data Providers, e.g. to offer our Services within a trust-based relationship and to prevent fraud. For example, if we need to verify the validity of your identification document, we may inquire for additional information from the appropriate registrar.
4.3 Client may have access to your Personal Data. We may share your Personal Data with the Client through which you used our KYC check.
4.4 Please note that providing your Personal Data is voluntary. However, the decision not to do so may mean that we are not able to perform KYC check.
4.5 Personal Data we Process about the representative of the Client. To enter into the Agreement, to provide our Service, to communicate with the representative of our Client and for other lawful reasons we need to Process the data of Client's representative. This means we may Process, among other information, the following Personal Data of the representative of the Client:
(1) personal information of the representative of the Client, such as name, job title, position, and contact information;
(2) personal information in connection of provision of the Service, such as data from communication with us;
(3) technical data (Device Signature), including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, and your software and hardware attributes as well as your general geographic location (e.g. city, country);
(4) publicly available relevant data.
4.6 How we obtain Client's representative's Personal Data. We collect this data from you directly when you communicate with us, e.g. by sending us an email, providing us with your Personal Data on the phone or through our customer support tools. We may also collect some of your Personal Data in the course of provision of the Service to your employer. We also check information about the Client (incl. about relevant representatives of the Client) from publicly available sources. We only gather relevant and necessary data in order to validate the right of representation, e.g. this may include verification of your identity, Processing of your Personal Data for introducing the Service (demo) etc.
4.7 Please note, the provision of Personal Data is voluntary. However, if you do not provide your Personal Data, the Client may not be able to make use of the full range of our Services.
4.8 Personal Data we Process about Visitors to our Website and/ or Users of our Service. We may collect data when you visit our Websites and/ or Service by using Cookies or other similar technologies (e.g. IP address, equipment information, location information, beacons) and Process the data gathered by them. This data, among other information, may be as follows:
(1) personal information, such as IP address, time, and location;
(2) information on usage of the Website and/or Service and other web log data, such as the pages you visit on the Website, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the Website;
(3) technical data (Device Signature), including but not limited to information about your IP address and domain name, your software and hardware attributes (including device IDs) and your general geographic location (e.g. city, country).
5. Purpose of processing and legal ground for provision of Services
Here you may read why and on what grounds we Process your Personal Data.
5.1 Regarding User information, our aim for Processing is to provide our Services to the Client.
5.2 We or our Client may ask you to grant us consent for Processing. Please note that we cannot provide the Service in respect of an anonymous User, and therefore the use of our Service is subject to the disclosure of Personal Data to us and consenting to the Processing of Personal Data by the Client and us. Giving consent is voluntary, but failure to do so may mean that we may not be able to provide you with the Service. For example, we will not be able to perform your KYC check. In some circumstances, e.g. for the purpose of automated decision-making, you may be asked to provide us with explicit consent. If you have granted the Client and/or us consent to Process Personal Data, the details of such processes and purposes thereof will be outlined in the consent itself.
5.3 Your consent is the legal basis for processing Personal Data when You share Your findings related to responsible disclosure. Please note that giving consent is voluntary and you have the opportunity to withdraw your consent at any time.
5.4 We mainly Process your Personal Data as a Processor for the benefit of the Client in order to fulfil the Agreement concluded with the Client for:
(1) performance of the Agreement (including for the provision of the Service);
(2) for performance of the obligations arising from the Agreement (including the realization of rights arising from the provision of the Service).
(3) we also Process your Personal Data if Processing is necessary for compliance with our legal obligation and provision of our Service for realization of rights arising from the Agreement;
(4) for the purpose of realization of rights and fulfilment of obligations deriving from legal acts;
(5) for processing your inquiries and requests.
5.5 We also Process your Personal Data if Processing is necessary in our legitimate interests, meaning our interest in the management and direction of our business in order to be able to offer the best possible services on the market. For our legitimate interest, we may Process data for the following purposes:
(1) for analysing the use of our Service, and using research and analysis results, among other methods, for carrying out satisfaction surveys, feedback questionnaires and developing our products and services, including development of autonomous and automated decision-making processes;
(2) for the transmission of information about our Service;
(3) for sending out newsletters, for marketing and developing and promoting our Services, for organisation of campaigns, including personalised and targeted campaigns, and measuring the effectiveness of the performed marketing activities. Please note that for sending out newsletters, we only Process your contact details;
(4) for ensuring a trust-based relationship with Clients and Users, for example, Personal Data Processing that is strictly necessary to determine the ultimate beneficiaries or whether a person is a PEP, and/or to prevent fraud, e.g. checks in public sanction lists or our own Service history;
(5) for administration and analysing of the client base to improve the availability, selection and quality of Services and products, and to provide more personalised and the best Services;
(6) for the analysis of identifiers and Personal Data collected upon the use of websites, mobile applications and other Services. We shall use the collected data for web analysis or for the analysis of mobile and information society services, for ensuring and improving functioning, for statistical purposes, for analysing the behaviour and usage experience of Visitors and Client's representatives, and for providing better and more personalised Services;
(7) for monitoring the Services. We may record the messages and instructions given in our premises or by means of communication (e-mail, telephone, etc.), as well as information and other operations carried out by us, and shall use those recordings as needed to evidence instructions or other operations;
(8) for network, information and cyber security considerations, for example, for fighting against piracy and for ensuring the security of the Websites and Service, as well as for the measures taken for making and storing backup copies;
(9) for the establishment, exercise or defence of legal claims.
5.6 In addition, we may provide status information on our web pages and the Service with the help of a third-party service provider.
5.7 Pursuant to our "Fundamental Six" principles for data Processing, we only Process Personal Data on this legal basis (legitimate interest) after careful assessment in order to ascertain that the legitimate interest is in compliance with the interests and rights of a Data Subject (after carrying out the so-called three-step test).
5.8 Processing for a new purpose. When Personal Data Processing is carried out for a new purpose different from those for which the Personal Data were originally collected or is not based on the consent given by the Data Subject, we shall carefully assess the permissibility of such new Processing. In order to determine whether the Processing for the new purpose follows the purpose for which the Personal Data were originally collected, Recary Ltd shall take into consideration, inter alia, the following:
(1) any link between the old and new purposes for which the Personal Data were collected and the intended further purposes of Processing;
(2) the context of collecting the Personal Data, in particular regarding the relationship between the Data Subject and us;
(3) the nature of the Personal Data, in particular whether any special categories of Personal Data are processed;
(4) possible consequences of the intended further Processing for the Data Subjects;
(5) existence of appropriate protection measures which may consist in, for example, encryption and pseudonymization.
6. Service Process (Automated processing)
To perform KYC check in a secure and less error-prone way, we use automatic algorithms in our Service. Read about it in this section.
6.1 The KYC check process is either automated, semi-automated or done by a human:
(1) Semi-automated KYC check process. A human will be involved if the automated tool is not able to reach a decision on its own. This could happen when the automated tool runs into some difficulty in analysing the KYC check session. We hope that with the combined power of the automated tool and humans, we can make your KYC check process as easy and safe as possible.
(2) In the case of fully automated decision-making, where the decision has a significant effect on you, we will be transparent about such processing. This means our Client asks for your explicit consent and informs you of automated processing. In some cases, where the Client has other legal grounds for such Processing, e.g. an obligation under applicable law, consent may not be needed. You have the right to ask for information and explanation regarding the logic behind the decision the automated tool has made; at any time, you will have the right to request human intervention or object to the decision made on grounds relating to your particular situation.
(3) We may have different solutions of Processing with different Clients, e.g. in some cases the KYC check session will only be analysed by a human.
6.2 We would like to point out that the decision on whether the Client provides its service to the User is made by the Client. This means that, usually, even if the KYC check flow has been fully automated, the KYC check result will be taken into account by the Client for the decision on whether to provide its service or not. The KYC check results themselves are not a decision determining the outcome regarding the service the User applied for.
7. Data Subject's rights in relation to Personal Data
Here you can read about your rights under GDPR.
7.2 You as a Data Subject have the following rights in relation to your Personal Data:
(1) Right of access to Personal Data - you have the right to know which of your Personal Data we store and how we Process it, including the right to know the purpose of the Processing, the persons to whom we will disclose your Personal Data, information about automated decision-making and the right to receive copies of Personal Data.
(2) Right to rectification of Personal Data - you have the right to request the rectification of inadequate, incomplete and/or misleading Personal Data.
(3) Right to withdraw the consent given for the Processing of Personal Data - you have the right at any time to withdraw the consent given to us for the Processing of Personal Data. Please note that withdrawal of your consent shall not affect the legality of the Processing that was made on the basis of consent before the withdrawal.
(4) Right to erasure of Personal Data ("right to be forgotten") - you have the right to request that we erase your Personal Data (for example, if you take back consent for the Processing of Personal Data, or if Personal Data is no longer needed for the purpose for which it was collected). We have the right to refuse the erasure of Personal Data if the Processing of Personal Data is necessary for the fulfilment of our legal obligation, to exercise the right to freedom of expression and information, for the preparation, presentation and protection of legal claims, or in the public interest.
(5) Right to restriction of Processing - in certain cases, you have the right to prohibit or restrict Processing of your Personal Data for a certain period of time (e.g., if you have filed an objection to Personal Data Processing).
(6) Right to object - you have the right to file an objection if your Personal Data Processing takes place on the basis of our legitimate interest or public interest. You shall have the right to object at any time to Processing of Personal Data for direct marketing purposes, and we shall respond immediately. If we perform automated decision-making (including profiling) that will produce legal effects for you or have a significant effect on you, then you may file an objection and require human intervention in the decision-making process.
(7) Right to data portability - If your Personal Data Processing is based on your consent and Personal Data is Processed automatically, you shall be entitled to receive Personal Data about you that you submitted to us as the Data Controller, in a structured, commonly used and machine-readable format, and you shall have the right to transmit or request us to transfer this Personal Data to another Data Controller, where technically feasible and the personal data has not been deleted by that time.
(8) Submission of complaint - If you find that your rights have been breached, you have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
8. Disclosure and transfer of Personal Data
In this section you will find information about possible disclosure of your Personal Data and / or transfer of Personal Data outside EEA.
8.1 Disclosure of Personal Data to authorities. Please note that due to legal requirements, we may be obliged to disclose or grant access to your Personal Data to the authorities and the supervisory authority (e.g. a court or a government agency).
8.2 Disclosure to Data Controllers and Data Processors. We may disclose your Personal Data to Data Controllers for whom we are Data Processors (e.g. Clients) and to our authorized processors (sub-processors), as well as to persons who are legally entitled to receive your Personal Data. For example, such authorized processors may be our affiliates, our IT partners, companies that provide us an identity and corporate verification services, our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, professional recruiting partners, credit registers, authorities and organisations intermediating or providing (electronic) mail, compliance or payment services and the like, provided that:
(1) the respective purpose and the Processing are lawful;
(2) we have diligently assessed that the authorized processor will comply with the data protection requirements;
(3) the Personal Data Processing is carried out in accordance with our guidelines and on the basis of a valid agreement.
If you have questions about our authorized processors, please contact us at email@example.com.
8.3 Transfer of Personal Data. We Process your Personal Data within the EEA. In the event that we need to transmit your Personal Data outside the EEA, the transmission shall be in accordance with the requirements of the GDPR.
9. Security of Personal Data
Security is of utmost importance to us. We do our best to protect Personal Data in our hands.
9.1 We apply various measures (physical, technical, organizational) to protect your Personal Data from unauthorized or arbitrary modifications, disclosure, acquisition, destruction, loss or unauthorized access.
9.2 However, please note that electronic transmission or storage of information is not always 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you have any information about an actual or suspected data breach, please inform us immediately at firstname.lastname@example.org. We will deal with the issue immediately and inform the local data protection authority (if applicable).
10. Retention of Personal Data
Here you can find our data retention principles, that is, the length of the period for which we keep Personal Data.
10.1 To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data and the purposes for which we Process it. We must also consider periods for which we may need to retain Personal Data in order to meet our legal obligations or to deal with complaints or queries and to protect our legal rights in the event of claims being made.
10.3 We store the data of Users during the period set forth in the Agreement (we may have different data retention periods agreed upon with the Client) or as long as it is necessary for possible establishment, exercise or defence of legal claims of Users, Clients or ourselves.
10.4 We may store your Personal Data for a longer period than the Agreement duration if we have a lawful basis to do so, e.g. you have given us consent to use your Personal Data for the development of our Services or we have assessed that we have a legitimate aim to do so, e.g. in pseudonymized form or for the purpose of the Service history log.
10.5 After the expiration of the Personal Data storage period, we shall anonymize or permanently erase your Personal Data.
11. Children's Personal Data
Here you can find information about children's Personal Data.
We do not knowingly Process the Personal Data of children or other persons who are under 18 years old. If you are under 18 years old, you may not submit any Personal Data to us or subscribe for the Services. If you believe we might have any personal information from or about a person under the age of 18, please contact the Data Protection Officer.
12. Links to third party websites
Here you can find information about links to and from other websites.
Our website, newsletters, email updates and other communications may, from time to time, contain links to and from the websites of others including our Clients, authorized processors (sub-processors), partner networks, advertisers, suppliers, other companies and/or social networks.
By using our website, you agree that we can place these types of Cookies on your device.
When you accessed this website, our Cookies were sent to your web browser and stored on your computer. If you wish to remove them, you can manage this via the settings on your browser but note that this may impact your ability to utilise this and other web sites. The way to clear Cookies varies from one browser to another. You should look in the "help" menu of your web browser for full instructions.
For general information about Cookies please visit www.allaboutcookies.org.
14.3 You are advised to review this Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page.
This version was last updated on 8th January 2021. Historic versions can be obtained by contacting us.