Privacy Policy

Effective date: May 27, 2026Last updated: May 27, 2026

This Privacy Policy ("Policy") describes how Management-Ware Solutions Inc. ("Certivant", "we", "us" or "our") collects, uses, shares and protects personal information in connection with the Certivant identity-verification platform (the "Service").

Certivant is a business-to-business ("B2B") service. Other companies — banks, insurers, real-estate agencies, mortgage brokers, marketplaces and similar regulated or risk-sensitive businesses — subscribe to Certivant to verify the identity of their own customers, applicants, members, employees and counterparties. Throughout this Policy we call those subscribing companies our Subscribers and we call the individuals whose identity they verify, End Users.

If you are an End User who was asked to verify your identity through Certivant, the Subscriber that requested the verification is your primary point of contact for questions about why your data is being collected and how the Subscriber will use the result. This Policy explains what Certivant does with your data after we receive it on the Subscriber's behalf.

1. Our role and your relationships

Certivant has two distinct privacy roles, and which one applies depends on which interaction is happening:

  • When a Subscriber uses Certivant to verify an End User's identity, Certivant acts as a service provider (also called a processor under the GDPR, agent under California law, and a service provider under Québec Law 25 / Act respecting the protection of personal information in the private sector). The Subscriber is the controller of the End User's personal information. Certivant processes that information only on the Subscriber's documented instructions, in accordance with our agreement with that Subscriber.
  • When you visit our public website (certivant.com), evaluate the Service, sign up for a Subscriber account, attend our events, or contact our team, Certivant acts as a controller for the limited personal information you provide. Section 8 below covers those interactions.

This distinction matters because End Users who want to exercise their privacy rights (access, correction, deletion, etc.) generally must address those requests to the Subscriber, not to Certivant directly. Certivant will of course support and respond to the Subscriber's instructions in fulfilling any such request — see Section 7.

2. Personal information we process about End Users

When a Subscriber initiates a verification of an End User, Certivant processes the personal information the Subscriber, you (the End User), or our automated checks generate. Depending on the verification configuration the Subscriber selected, that information may include:

Identity attributes provided by the Subscriber

  • Full legal name
  • Date of birth
  • Nationality
  • Email address
  • Mobile telephone number
  • External reference identifiers chosen by the Subscriber (e.g. order ID, customer ID)
  • For business verifications (KYB): company name, registration number, country of incorporation, names and roles of directors and ultimate beneficial owners

Identity documents and biometric data submitted by you

  • Government-issued identity documents (passport, national ID card, driver's licence, residence permit) — front and back where applicable
  • Selfie photographs and short selfie videos for face-match and liveness detection
  • Proof-of-address documents (utility bill, bank statement, government letter)
  • Source-of-funds or source-of-wealth documents where the verification flow includes them
  • Company registration certificates and ownership-structure documents for KYB

Data extracted from documents and biometrics

  • Information optically read from your document (OCR): name, date of birth, document number, issuing country, expiry date, machine-readable-zone data
  • Document-authenticity signals derived from the image (security-feature checks, tampering detection)
  • Face-match confidence score between your selfie and the photograph on your document
  • Liveness-detection signals confirming a live human is present

Verification result and risk data

  • Pass / fail / escalate decision for the verification
  • Risk score and individual factor scores
  • Sanctions-screening, politically-exposed-person (PEP), and adverse-media match results from the third-party data providers our Subscriber elected to use
  • Registry-lookup results for KYB (e.g. Companies House in the United Kingdom, OpenCorporates and equivalent national registries)

Technical and device data

  • IP address and approximate geolocation derived from it
  • Device fingerprint (browser, operating system, device model)
  • Network metadata (ASN, whether a VPN, proxy, or anonymising network is detected)
  • Behavioural signals collected during the verification session (timing, retry counts, navigation patterns) used for fraud-detection only

We do not knowingly collect personal information from children. If a Subscriber configures a verification flow that targets minors (for example, age-verification for a regulated product), the Subscriber is responsible for ensuring it has the appropriate legal basis under applicable law, including parental consent where required.

3. How and why we process End-User personal information

Certivant processes End-User personal information only for the purposes set out in our agreement with the relevant Subscriber, which fall into the following categories:

| Purpose | Why we process | |—|—| | Verifying identity | Running the OCR, authenticity, face-match, liveness, sanctions-screening, PEP, adverse-media and registry-lookup checks the Subscriber requested | | Returning the result | Delivering the decision, score and supporting data back to the Subscriber so the Subscriber can decide whether to onboard you, approve your transaction, or take other action | | Fraud prevention | Detecting and preventing identity fraud, account take-over, document tampering, impersonation and other abuse — including in some cases comparing signals across multiple verification attempts on behalf of the Subscriber | | Service operation | Maintaining, monitoring, debugging, securing and improving the Service, including aggregate-level analytics that do not single out individuals | | Legal obligations | Complying with anti-money-laundering, counter-terrorism-financing, sanctions, "know-your-customer" and similar laws applicable to us or our Subscribers, and responding to lawful requests from competent authorities | | Model improvement (when permitted) | Improving the accuracy and fairness of our verification algorithms, only where our agreement with the Subscriber expressly permits it and only with data appropriately minimised and pseudonymised |

We do not sell End-User personal information. We do not use End-User personal information for advertising, marketing, or any purpose unrelated to the verification the Subscriber requested.

4. Legal bases (EEA, UK, Switzerland)

Where the General Data Protection Regulation, UK GDPR or Swiss Federal Act on Data Protection applies, the legal bases on which Certivant relies as a processor are determined by the controller (the Subscriber). Typical bases the Subscriber may rely on include:

  • Contract (Article 6(1)(b) GDPR) — verifying you is necessary to take steps at your request before entering into a contract with you, or to perform a contract you have with the Subscriber.
  • Legal obligation (Article 6(1)(c) GDPR) — the Subscriber is required by anti-money-laundering, "know-your-customer", financial-services, gambling, age-restriction or similar law to verify your identity.
  • Legitimate interests (Article 6(1)(f) GDPR) — the Subscriber, or a third party, has a legitimate interest in verifying you is not who they say they are (for example, to prevent fraud), which is not overridden by your interests, rights and freedoms.
  • Consent (Article 6(1)(a) GDPR) — for special-category data such as biometric data used for unique identification of a natural person, the Subscriber will typically rely on your explicit consent, collected through the verification interface, in addition to the underlying basis above.

If you want to know which legal basis applies to your verification, please ask the Subscriber.

5. Who we share End-User personal information with

We share End-User personal information only with the following categories of recipients, and only as necessary:

5.1 The Subscriber that requested the verification

By design, the Subscriber receives the verification result, the data fields extracted from your documents, the supporting documents themselves (subject to the Subscriber's configuration), and the relevant risk and check results. This is the entire purpose of the Service.

The Subscriber's use of that information is governed by the Subscriber's own privacy policy and the legal basis on which the Subscriber operates. Certivant has no control over what the Subscriber does with the data once we have delivered it. If you have questions about the Subscriber's downstream use, please contact the Subscriber directly.

5.2 Sub-processors that help us deliver the Service

We use carefully-vetted third-party service providers ("sub-processors") to operate parts of the Service. Each sub-processor is bound by a written contract that imposes confidentiality, security, and data-protection obligations at least as strict as ours, and uses your data only to perform the service we have contracted them for. Our current categories of sub-processors include:

  • Cloud hosting and storage — for storing your documents, biometric samples and verification records securely
  • Optical character recognition and document-authenticity providers — for analysing identity documents
  • Liveness-detection and face-match providers — for confirming a live human matches the document photo
  • Sanctions, PEP and adverse-media data providers — for screening against global watchlists
  • Commercial-registry data providers — for KYB lookups against company registries
  • Communications providers — for sending the verification invitation by email or SMS, where the Subscriber selected that delivery method
  • Customer-support tooling — for the Subscriber's support requests (no End-User data is volunteered to support unless strictly necessary to resolve a Subscriber's case)
  • Analytics and observability — for monitoring Service health (aggregated, no End-User personal information)

A current list of sub-processors is available from your Subscriber upon request.

5.3 Regulators and law-enforcement

We may disclose personal information to a competent regulator, court, or law-enforcement authority when we are compelled to do so by a binding legal process, where we have a good-faith belief that disclosure is required to comply with applicable law, or where it is necessary to protect Certivant, our Subscribers, our personnel, or the public from fraud, harm or illegal activity. We will notify the relevant Subscriber of such requests where doing so is lawful and reasonably practicable.

5.4 Corporate transactions

If Certivant is involved in a merger, acquisition, financing, reorganisation, bankruptcy or sale of all or part of its assets, personal information may be transferred to the involved parties, subject to obligations of confidentiality and the continued protection of that information consistent with this Policy. We will notify Subscribers and, where required, End Users, of any change in the controller of the information.

6. International transfers

Certivant's primary processing infrastructure is located in Canada. Some of our sub-processors operate from the United States, the European Economic Area, the United Kingdom, and other jurisdictions. When personal information is transferred outside of its country of origin, we rely on appropriate legal-transfer mechanisms, including:

  • The European Commission's Standard Contractual Clauses (2021) for transfers from the EEA, supplemented where necessary by additional technical and organisational measures
  • The UK International Data Transfer Addendum for transfers from the United Kingdom
  • The Government of Canada's recognition of equivalence and the contractual safeguards required under PIPEDA and Québec Law 25 for cross-border transfers

You may request a copy of the relevant transfer mechanism by contacting us using the details in Section 14.

7. Your rights as an End User

Depending on the law that applies to your verification, you have one or more of the following rights regarding your personal information:

  • Right of access — to obtain confirmation of whether we process information about you, and a copy of that information
  • Right of rectification / correction — to have inaccurate or incomplete information corrected
  • Right of erasure / deletion — to have your information deleted where applicable conditions are met
  • Right to restrict processing — to limit how we process your information in certain circumstances
  • Right to data portability — to receive your information in a structured, commonly-used and machine-readable format
  • Right to object — to object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on your consent
  • Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you — your verification typically involves automated decisioning, but the Subscriber decides whether and how that decision affects you; you should address such concerns to the Subscriber
  • Right to lodge a complaint with a supervisory authority (see Section 14)

Because Certivant is a service provider, the Subscriber that requested your verification is the right place to send most rights requests. The Subscriber may then instruct us to take the corresponding action on its behalf. If you cannot reach the Subscriber, contact us at privacy@certivant.comand we will route your request appropriately.

Québec-specific rights (Law 25)

If your verification is governed by the laws of Québec, you have the additional rights set out in the Act respecting the protection of personal information in the private sector (Law 25), including the right to receive an explanation of any decision rendered exclusively on the basis of automated processing of your personal information, and the right to ask that the decision be reviewed by a human. You may also lodge a complaint with the Commission d'accès à l'information du Québec (Québec Information Access Commission).

Identify the Subscriber that requested your verification (the company whose name appeared on the verification invitation).Send your rights request to that Subscriber's privacy contact.If you cannot identify or reach the Subscriber, email privacy@certivant.com with as much context as you have. We will respond within thirty (30) days, or such shorter period as the applicable law requires.

8. Personal information we collect as a controller

When you visit certivant.com, request a demo, evaluate the Service, sign up for a Subscriber account, attend an event, subscribe to our communications, or contact our team, we collect personal information directly from you as a controller. This includes:

  • Your name, work email, employer name, job title, and telephone number
  • Account-creation data and login credentials (we never store passwords in clear text)
  • Billing and payment information, processed through our payment-gateway sub-processors
  • Communications between you and us, including email, support tickets, sales-call notes, and our event interactions
  • Website and product usage data — page visits, session duration, feature usage, referrer, IP, user-agent — collected via cookies and similar technologies (see Section 9)
  • Information you choose to share when you respond to a survey, post a comment, or participate in a community forum

We use this information to provide the Service to you and your organisation, to administer your account, to process payments, to respond to your inquiries, to send you Service-related communications, to send you marketing communications where you have given your consent or where we may otherwise lawfully do so (with an opt-out in every message), and to comply with applicable law.

9. Cookies and similar technologies

Our website and the verification flows use cookies and similar technologies (local storage, session storage, pixel tags) for a limited set of purposes:

  • Strictly-necessary — keeping you signed in, maintaining the verification session, preventing CSRF, balancing load
  • Performance — measuring page-load times, error rates, and aggregate usage so we can improve the Service
  • Functional — remembering your language and theme preferences
  • Analytics — understanding how users find and interact with our website (when consented, where required by law)

We do not use cookies for cross-site behavioural advertising. Where required by law (notably under the e-Privacy Directive and equivalent rules), we obtain your consent before setting non-essential cookies, and you can withdraw that consent at any time using the cookie-preferences control on our website.

10. Retention

We retain personal information only as long as is necessary for the purposes set out in this Policy:

  • End-User verification data — retained for the period instructed by the Subscriber in our agreement with them, typically aligned with the Subscriber's regulatory record-keeping obligations (often five (5) to seven (7) years for "know-your-customer" purposes). After that period, the data is deleted or anonymised. The Subscriber may instruct earlier deletion in response to a valid right-to-erasure request, subject to overriding legal obligations.
  • Subscriber account and billing data — retained for the duration of the Subscriber's account plus the period required by applicable tax, accounting and corporate law (typically seven (7) years in Québec).
  • Website usage data — retained for up to twenty-six (26) months in aggregate form.
  • Marketing-list contact data — retained until you unsubscribe, plus a short period to honour your unsubscribe choice.
  • Audit logs and security records — retained for up to seven (7) years to support security investigations, incident response and regulatory inquiries.

11. Security

We implement administrative, technical and physical safeguards designed to protect personal information against loss, theft, unauthorised access, disclosure, alteration and destruction. These include encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent), strict access controls based on the principle of least privilege, multi-factor authentication for all production access, segregated environments, comprehensive audit logging, regular vulnerability scanning and penetration testing, and a written incident-response programme. A summary of our security and compliance posture is available at our Security and Compliance page.

No security control is perfect. While we take security very seriously, we cannot guarantee absolute security of any information transmitted to or stored on the Service. You can help by keeping your account credentials confidential, enabling multi-factor authentication, and reporting any suspected security incident to security@certivant.com.

12. Children

The Service is not directed at children, and we do not knowingly collect personal information from children below the age at which they may lawfully consent to processing in their jurisdiction. If you believe a child has provided personal information through the Service in circumstances that require parental consent, please contact us and we will take appropriate action.

13. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, applicable law, or any other operational, legal or regulatory reason. When we make material changes, we will provide notice — for End Users, through the Subscriber that initiated your verification; for Subscribers and website users, by email and via a prominent notice on the website — and update the "Last updated" date at the top of the Policy.

14. Contact us

If you have questions, comments, or requests regarding this Policy or our privacy practices, please contact us at:

Management-Ware Solutions Inc.Privacy Office — Certivant Montréal, Québec, Canada Email: privacy@certivant.com

For complaints, you may also contact the supervisory authority in your jurisdiction:

  • Québec, Canada — Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
  • Rest of Canada — Office of the Privacy Commissioner of Canada (priv.gc.ca)
  • European Economic Area — your local data-protection authority (edpb.europa.eu)
  • United Kingdom — Information Commissioner's Office (ico.org.uk)

We encourage you to contact us first so we have an opportunity to resolve your concerns.