PRIVACY NOTICE

hightrust.id by MEGICAL

Last updated 7.12.2023

Megical Oy (business I.D. 2401362-3, later “Megical”, “we”, “us”) provides a platform to authenticate a person using a contactless smartcard (e.g. in Finland, the national identity card and SOTE card). The platform, hereinafter referred to as the “Service”, is designed to be used by a professional at work or a citizen (“User” or “you”) through a mobile application. This Privacy Notice applies to our Service and describes how we process data that you provide to us in and through the Service (“Data”), and personal data that you may provide us through other means in relation to the Service.

As a service provider, we provide the Service under an agreement with, and pursuant to the instructions of a customer that has entered into a service agreement with us (“Customer”). The current functionalities of the Service do not store your personal Data except your email address. The Data is forwarded to the relying party owned by the Customer you are operating with and through whose subscription you use the Service, but not to you directly. The email address is used only to revoke your hightrust.id authentication method and remove all your data from the hightrust.id system when needed.

While the Data is forwarded by us, please note that the Customer you are operating with may be able to connect the Data directly to you with the use of additional information available to the Customer. Therefore, the Data that you provide in and through the Service may become personal data when processed by the Customer. As the Customer you are operating with is the controller (as defined in the applicable data protection laws) for this personal data, you should primarily consult the Customer in the event of any questions or concerns related to the processing of your personal data by the Customer.

We wish to remind you that this Privacy Notice applies to Data that we process when you use the Service, and personal data that you may provide us in the context of your use of additional services directly related to the Service, such as user support. This Privacy Notice does not cover or apply to the processing of personal data that the Customer as a controller may undertake independently or together with third parties. Neither does this Privacy Notice apply to any links to third parties’ websites and/or services, such as third-party applications or websites, which you may encounter when you use the Service. We encourage you to carefully familiarize yourself with privacy policies provided by the Customer or applicable to any websites and/or services operated by third parties. Please be aware that we are not responsible for the privacy and data processing practices of any third parties, including the Customer.

1. TYPES OF DATA WE PROCESS

1.1. Data provided by you in and through the Service

The current functionality of the Service collects some of your personal attributes as Data. In particular, it collects information used to identify you by your personal attributes. The Data we process consists of your first name, last name, anonymized personal identifier and email, as well as technical data collected automatically, such as IP address, operating system and timestamps from activities performed in the Service. All the data collected is used only to identify you in order to authorize your access to the system used by the Customer.

The Customer combines the Data with additional information resources available to the Customer. In such cases, the relevant Customer is the controller (as defined in the applicable data protection laws) for such personal data.

1.2. Personal data provided by you through other means

We may also obtain your personal data through other means, such as in cases when you contact our user support and provide your name and/or other personal data for us to solve technical problems or other problems you may encounter when you are using the Service. In these cases, we only process your personal data to the extent you provide your personal data to us in connection with a service request or other such communications with us. In such cases the personal data we process is mainly your name, contact details and information related to the Customer which you are operating with, as well as details related to the technical issue. This is mostly information that relates to your role at the Customer and does not concern you as a private person or as an individual consumer customer.

In cases where you contact our user support, or otherwise contact us directly, and provide us your personal data, we process your personal data as the controller.

2. PURPOSES OF PROCESSING AND LAWFUL BASES

As a service provider of the Customer, we process the Data and your personal data for the purposes of performing the agreement we have signed with the relevant Customer, i.e. to provide the Service, user support and other such additional services directly related to the Service.

We have committed towards the Customers to ensure secure operation of the Service, and therefore we process the Data and your personal data for the purposes of ensuring the technical functionality and security of the Service as well as to detect fraud and other misuse of the Service. In addition, we have committed towards the Customers to develop the Service constantly, and therefore we process the Data and your personal data to enhance the Service and the use thereof.

We process your personal data where necessary to pursue our legitimate interest to run, maintain and develop the Service, including user support and other such additional services directly related to the Service, and our business. In some cases, the processing of your personal data is necessary for us to comply with our legal obligations.

3. TRANSFERS AND DISCLOSURES OF DATA

We use partners to provide and to operate the Service, and therefore we transfer the Data and your personal data to such partners to the extent necessary in order for them to provide the services agreed. Such partners act on our behalf, and we ensure through contractual and other measures that they agree to perform pursuant to our instructions and/or the instructions of the relevant Customer (if any) and in compliance with this Privacy Notice.

We may disclose the Data and/or your personal data without notice only if we are required to do so by law or if we in good faith believe that such action is necessary to conform to the provisions of the law, to comply with legal process served on us, or to protect and defend our rights or property.

In case we sell our business or part of it or otherwise reorganize our business, we may disclose the Data or personal data processed by us as the controller to buyers and their advisors in accordance with applicable legislation.

Currently the Service is operated within the European Economic Area (“EEA”), and we do not transfer the Data nor your personal data to locations outside the EEA.

Please note that the Customer you are operating with has access to all Data provided by you in and through the Service. The relevant Customer may combine the Data with other information available to the Customer in a way that the Data becomes personal data and may further process and disclose such personal data for purposes other than mentioned in this Privacy Notice.

4. STORAGE TIME OF DATA

We retain your personal data as long as they are needed for the execution of your identification. We also gather logs required by the prevailing laws and the Customer’s requirements and store them securely, with limited and authorized access only, for the purpose of traceability where required by the legal person or to show indisputability when abuse is suspected. The storage time is tied to the prevailing laws and the term of the agreement with the Customer.

Where we act as the controller and the Data or your personal data is processed on the basis of an obligation based on applicable law, the retention period may also be subject to explicit statutory requirement. We may also retain certain Data or personal data after the termination of the initial processing purpose, should such retention be necessary to comply with other applicable laws or to establish, exercise or defend a legal claim.

Please note that the relevant Customer may be required (by law or otherwise) to retain the Data and/or your personal data either permanently or for a certain predefined period of time.

5. YOUR RIGHTS

The applicable data protection laws provide you several rights based on which you can yourself decide on the processing of your personal data. Where we act as a controller to your personal data, you may, pursuant to the applicable data protection laws, have the following rights:

- Right of access: You have the right to obtain from the controller confirmation as to whether or not your personal data is processed, and, where that is the case, to request access to such personal data.

- Right to rectification: You have the right to obtain from the controller the rectification of inaccurate personal data relating to you.

- Right to be forgotten: You have the right to request from the controller the erasure of your personal data, and in certain circumstances defined in the applicable data protection laws, the controller is obliged to erase your personal data.

- Right to restriction of processing: Under certain circumstances, you may have the right to obtain from the controller restriction of processing of your personal data. Should the restriction of processing apply, the respective personal data will be marked as restricted and may only be processed by the controller for certain limited purposes defined in the applicable data protection laws.

- Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, to the processing of your personal data by the controller, and the controller may be required to no longer process such personal data.

In case you wish to exercise your aforementioned rights, please contact us at support@megical.com.

Please note that it is the task of the controller to make sure that your rights will be fully executed. In most of the cases, the controller of your personal data is the relevant Customer, and we thus encourage you to consult with the relevant Customer if you wish to exercise any rights granted to you under applicable data protection laws. Where the Customer is the controller, you may also have more rights than the ones mentioned above.

We are committed to ensuring a high level of protection of your personal data and thus we cooperate with the Customer to ensure that you can exercise your rights under applicable data protection laws, and if you address your request to us, we will pass your request to the relevant Customer if needed.

6. CHANGES TO THIS PRIVACY NOTICE

We are constantly developing the Service and adding new functionalities to it, and thus we may have to amend or update this Privacy Notice from time to time. You can tell when changes have been made by referring to the “Last Updated” legend on top of this Privacy Notice. We encourage you to familiarize yourself with this Privacy Notice regularly for any amendments. If we materially change the ways in which we process personal data, we will post a notice on the Service.

7. IN CASE OF ANY QUESTIONS...

Should you have any questions regarding this Privacy Notice, your privacy as it relates to the use of the Service, or the protection of the Data or your personal data, please contact the relevant Customer, or us at support@megical.com.