Privacy Policy
MY-K Platform – MyBioPass FZ-LLC
Last updated: 03-03-2026
1. INTRODUCTION
This Privacy Policy describes how MyBioPass FZ-LLC (“MBP”, “we”, “us”, “our”) processes personal data in connection with:
- the MY-K website;
- business communications;
- requests for information or demonstrations of our services.
The MY-K website is intended for business use only.
Identity verification services are delivered exclusively through the MY-K application and SDK environment. Privacy information relating to the use of the application is provided within the application interface or by the relevant business customer acting as Data Controller.
Identity verification processing activities are governed by separate contractual agreements and Data Processing Agreements entered into with our business customers.
2. IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
For personal data collected directly through the MY-K website, MBP acts as Data Controller.
MyBioPass FZ-LLC
License No. 47011270
Compass Building, Al Shohada Road
Al Hamra Industrial Zone – FZ
Ras Al Khaimah, United Arab Emirates
Email: info@mybiopass.com
For data protection inquiries, you may contact us at the above email address.
3. CATEGORIES OF PERSONAL DATA WE COLLECT
3.1 Data Collected Through the Website
When you visit our website or contact us, we may collect:
- identification data such as name, surname;
- company name and professional role;
- business email address;
- phone number;
- information submitted through contact forms or demo requests;
- technical data such as IP address, browser type, device information;
- cookie-related data as described in the Cookie Policy.
3.2 Data Processed Through the MY-K Platform
When our identity verification services are used by our business customers, we process personal data strictly on behalf of such customers.
These data may include:
- identification data;
- identity document data;
- data extracted via OCR or NFC;
- biometric data used for real-time comparison;
- email address;
- mobile phone number;
- technical authentication data.
In this context, MBP acts exclusively as Data Processor pursuant to Article 28 GDPR. The business customer acts as Data Controller.
4. PURPOSES AND LEGAL BASIS OF PROCESSING
4.1 Website and Business Communications
We process personal data for:
- responding to inquiries and demo requests;
- managing business relationships;
- providing information about our services;
- ensuring website security and performance;
- complying with legal obligations.
Legal bases may include:
- performance of pre-contractual measures;
- legitimate interests in managing our business;
- compliance with legal obligations;
- consent, where required.
4.2 Identity Verification Services
For identity verification data processed through MY-K:
- MBP processes data solely on documented instructions of its business customers;
- MBP does not determine the purposes or legal basis of such processing;
- the applicable legal basis is determined by the relevant Data Controller.
5. BIOMETRIC DATA PROCESSING
Biometric data processed through the MY-K platform:
- are used exclusively for real-time technical comparison;
- are not persistently stored;
- are not used for profiling, scoring or AI model training;
- are not reused for independent analytics;
- are automatically deleted within twenty-four (24) hours following generation of the verification output.
MBP does not retain biometric templates.
6. DATA RETENTION
6.1 Website Data
Personal data collected through the website are retained only for as long as necessary to:
- respond to inquiries;
- manage business relationships;
- comply with legal obligations.
6.2 Identity Verification Data
Identity verification data processed on behalf of customers:
- are retained only for the time strictly necessary to generate and transmit the verification output;
- are automatically deleted within twenty-four (24) hours;
- do not include persistent storage of biometric templates.
Limited technical logs may be retained for security and audit purposes, provided that they do not contain biometric templates or full identity documents.
7. DATA SHARING AND RECIPIENTS
7.1 Website Data
We may share website-related data with:
- IT service providers;
- hosting providers;
- analytics providers;
- professional advisors where required.
7.2 Identity Verification Data
For identity verification services, MBP may engage authorized sub-processors for specific components of the service.
A current list of sub-processors is made available on the website (see Sub-Processors).
MBP ensures that sub-processors are bound by contractual obligations consistent with Article 28 GDPR and implement appropriate technical and organizational safeguards.
8. INTERNATIONAL DATA TRANSFER
Where personal data are transferred outside the European Union or European Economic Area, such transfers are governed by appropriate safeguards pursuant to Article 46 GDPR, including Standard Contractual Clauses where applicable.
Hosting for core identity verification services is performed within secure infrastructure environments primarily located within the European Union.
9. SECURITY MEASURES
MBP implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- encryption in transit using TLS;
- encryption at rest using industry standards;
- logical tenant isolation;
- access control with multi-factor authentication;
- monitoring and logging of security events;
- segregation of roles and least privilege access.
Detailed measures are described in the Technical and Organizational Measures referenced in our Data Processing Agreements.
10. DATA SUBJECT RIGHTS
Where MBP acts as Data Controller for website-related data, data subjects may exercise the following rights, subject to applicable law:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability;
- right to object;
- right to withdraw consent where applicable.
Requests may be submitted to the contact details above.
Where MBP acts as Data Processor for identity verification services, data subject requests must be addressed to the relevant Data Controller. MBP will assist its customers in responding to such requests in accordance with applicable law.
11. AUTOMATED DECISION-MAKING
MBP does not perform automated decision-making producing legal or similarly significant effects.
The MY-K platform generates a technical verification output only. All onboarding, risk and compliance decisions remain under the sole responsibility of the business customer.
12. SANCTIONS AND COMPLIANCE SCREENING
MBP may conduct compliance screening procedures in connection with business relationships to ensure compliance with applicable sanctions and regulatory obligations.
13. CHILDREN’S DATA
The MY-K website and services are intended for business use. MBP does not knowingly collect personal data directly from children.
14. CHANGES TO THIS PRIVACY POLICY
MBP may update this Privacy Policy from time to time. The updated version will be published on this page with a revised “Last updated” date.
15. CONTACT AND COMPLAINTS
If you believe that your personal data have been processed unlawfully, you may contact us using the details provided above.
Where applicable, you also have the right to lodge a complaint with a competent supervisory authority within the European Union.