Privacy Policy & Terms of Service

Contents

• Privacy Policy
• Data Collection
• How We Use Data
• Data Storage & Security
• GDPR & PIPEDA Rights
• Terms of Service
• Service Terms
• Liability & Warranties
• Termination

Privacy Policy

Certivant Inc. (“Certivant”, “we”, “us”, “our”) is committed to protecting the privacy of individuals whose identity information is processed through our platform. This Privacy Policy describes how we collect, use, store, and protect personal data in accordance with the General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable Anti-Money Laundering (AML) regulations.

Data We Collect

When processing KYC/KYB verifications, Certivant processes the following categories of data on behalf of our customers (who act as data controllers):

• Identity Documents: Passports, national IDs, driver’s licenses, and business registration documents
• Biometric Data: Facial images for liveness verification (where enabled)
• Business Data: Company registration numbers, beneficial owner information, director details
• Verification Metadata: Timestamps, IP addresses, device information, and verification outcomes

How We Use Data

Data processed through Certivant is used exclusively for:

• Performing identity and business verification as instructed by our customers
• AML screening against international sanctions and PEP watchlists
• Fraud detection and prevention
• Generating audit-ready compliance records for our customers
• Improving verification accuracy through aggregate, anonymized model training

We never sell personal data to third parties. We never use verification data for advertising or marketing purposes.

Data Storage & Security

All identity documents and verification data are stored with the following security controls:

• AES-256 encryption at rest on Azure Blob Storage or AWS S3 (customer’s choice)
• TLS 1.3 encryption in transit
• Zero-knowledge key management — Certivant staff cannot decrypt customer data
• Retention periods aligned with customer plan and applicable regulations
• Right-to-erasure requests processed within 30 days

GDPR & PIPEDA Rights

Under GDPR and PIPEDA, individuals have the right to: access their data, correct inaccurate data, request deletion (“right to be forgotten”), object to processing, and data portability. To exercise these rights, contact compliance@certivant.com.

Terms of Service

By accessing or using Certivant’s services, you agree to be bound by these Terms of Service. If you are using Certivant on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.

Service Terms

Certivant provides identity verification infrastructure as a service. Customers are responsible for: ensuring their use of the service complies with applicable laws; obtaining proper consent from end users before submitting data for verification; maintaining accurate account information; and protecting their API credentials.

Certivant reserves the right to suspend accounts that violate these terms, engage in fraudulent activity, or use the service in ways that create legal or reputational risk.

Liability & Warranties

Certivant’s verification results are provided as a decision-support tool and do not constitute legal compliance advice. Customers retain full responsibility for their compliance obligations. Certivant’s liability is limited to the fees paid in the 12 months preceding any claim. THE SERVICE IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED.

Termination

Either party may terminate this agreement with 30 days written notice. Upon termination, customer data will be retained for the regulatory minimum period required by applicable law, then securely deleted. Customers may request data export before termination.