Belarus ID — Privacy policy

Privacy Information for the Identity Management Application Belarus ID

REGISTERING WITH, ACCESSING, DOWNLOADING OR OTHERWISE USING OUR SERVICES (AS DEFINED BELOW) INDICATES THAT YOU HAVE READ AND ACKNOWLEDGE THE NOTICES AND PRACTICES SET FORTH IN THIS PRIVACY POLICY. IF YOU DO NOT WANT US TO COLLECT AND USE YOUR PERSONAL INFORMATION AS SET FORTH IN THIS PRIVACY POLICY, DO NOT ACCESS, DOWNLOAD OR OTHERWISE USE THE OFFERINGS.

1. Responsible for Data Processing

Stichting(de) Lokale
Fluwelen Burgwal 58,
2511CJ, Hague, Netherlands

Jey Rojo

jeyrojo@proton.me

2. Data Protection Officer

Stichting(de) Lokale
Fluwelen Burgwal 58,
2511CJ, Hague, Netherlands

Jey Rojo - CIO

jeyrojo@proton.me

3. Information on the Processing of Personal Data

When using the app, no data is processed by the controllers in principle. All data are stored only on your end device, and the controllers have no access to this data.

We store only hashes of some documents held by the app, e.g. the hash of the unique citizenship number, Telegram Id, and New Belarus Voting Id, for the purpose of deduplicating some actions that can be performed using the App.

We also use the third-party service Veriff by Veriff OÜ as a means to digitalize important documents such as passports. When you use it to digitalize your identity documents, you automatically agree with their Privacy Notice [https://www.veriff.com/privacy-notice].

We use the Vocdoni Blockchain by Vocdoni, Inc. for Web 3 voting service purposes. No personal data, except technical data such as your IP address and Voting ID, can be shared with them.

To improve the user experience, the app automatically creates crash reports in case of errors or crashes of the application, which contain a bug report specifying the reason for the crash, as well as additional data such as the date and time of the crash, the model name of the device used, the installed operating system version, the language set, and the country of the user. The app uses the Google Firebase service (represented by Google LLC and related parties) to process this data. It is not possible for the responsible party and Google LLC to identify the user from this data.

The app uses Google Firebase Analytics, which collects anonymized data based on the use of the app, enabling a statistical evaluation of the following characteristics: number of users in certain periods, distribution of models on which the app was installed, daily usage of the application per user, country of installation, pre-selected language of the user, and the version of the app used. These data cannot be attributed to individual users either.

3.1 What user information is collected

“User Information” as used in this document shall include the information identified in Section 3.1.

3.1.1   Digital Credentials. Digital identity technology and digital wallets offer a secure way for individuals and companies to manage and share identity information, known as "Digital Credentials." These can be kept on the user's device, where they are inaccessible to Trinsic, or in the cloud. For cloud storage, third-party providers may host the Digital Credentials, with Trinsic retaining the encryption keys.
3.1.2   Personally Identifiable Information. The Company may collect personal information you provide related to our Services, including but not limited to: your name, email, postal address, phone number, photo, birthdate, passport, driver's license, government IDs, and information regarding your business or its personnel, such as historical, contact, and demographic details.
This data can be collected by third-party services like Veriff on our behalf, and is then deleted within no more than 24 hours. We do not store such information directly on our servers, but we can store secured hashes of document numbers for deduplication purposes. "Secured hashes" means that if they fall into the hands of a malicious party, they cannot be guessed for further correlation purposes, even if that party has the original numbers at hand.
Your IP address and Voting ID can be shared with the Vocdoni voting service.
3.1.3   Device Information. The Company may obtain, gather, observe, and/or remotely save details about your device when using any Services. This includes the device's hardware model, operating system and version, unique device identifiers, mobile network data, and how the device interacts with the Services.
3.1.4   Payment Information.  The Company may use a third-party service to handle payment processing for the Service. This involves collecting data related to your payment activities, such as payment card and bank account details, transaction dates and locations, parties involved, transaction descriptions, amounts, billing and shipping details, and the devices and payment methods used for transactions.
3.1.5   Usage Information. The Company may gather data on your usage of the Services, such as when you access them, which services you use, your browser's type and language, your IP address, the webpages and applications you visit and use, how long you spend on these pages and apps, which links you click on, and conversion details like completed transactions.
3.1.6   Aggregated Data. The Company may compile aggregated information related to your use of the Services or other summarized forms of User Information mentioned previously. This aggregated data cannot be directly linked to you as an individual.
3.1.7   Data from Clients. In providing data hosting services to our clients, we handle encrypted data concerning our clients and their customers. This data aids our clients in recognizing and engaging with their customers through our Services or Apps. The encrypted data can include any types of User Information described earlier.
3.1.8  Hashed data. The service may collect secured cryptographic representations, known as hashes, of your personal data such as government ID numbers and identifiers from other services (e.g., Telegram ID). These hashes cannot be directly linked to your government IDs through brute-force methods. We employ these hashes exclusively for the purpose of deduplication. When referencing these hashes, we maintain the anonymity of your actions between your instance of the application and our server through the use of blinded cryptographic signatures. This method prevents any association or correlation of your ID hashes with subsequent actions by you or any potentially malevolent third parties in the event of a hash leak. Furthermore, we have implemented sophisticated protective measures to safeguard our data storage and prevent any such leakage.
3.1.9  Do Not Submit Sensitive Personal Information. Please refrain from providing sensitive personal information (like racial/ethnic origin, political views, religious beliefs, health data, biometrics, or criminal background) via our Service. If you do, you must agree to our handling and use of such data as per our Privacy Policy. If you disagree, do not submit sensitive information.

3.2. How user information is collected

3.2.1   Given by You. You provide information when you create credentials such as the digital version of your passport. The information may be provided to our partner Veriff first. After the information is provided, it will be automatically deleted from our or Veriff's servers within 24 hours after the cryptographic version of the credential is created and shared with you. On the other hand, we may store your contact data, such as email or phone number, for further contact after your explicit consent.
3.2.2   Automatic Collection.  Information about the user can be documented and gathered automatically by software or procedures that operate on your computer or device, or on the company's servers while you utilize the services.
For example, your app installation Id or Telegram Id can be collected in order to contact you further as part of normal use of the service.
3.2.3   Analytics information. We utilize third-party analytics tools, including Mixpanel, to gather, assess, and understand traffic patterns and user behavior on our website and other services. These tools allow us to determine who is using our services, how they are interacting with them, identify any issues they encounter, and find ways to enhance the user experience. These third-party services may employ cookies and persistent device identifiers to gather and retain data such as the duration of visits, pages visited, time spent on each page, IP addresses, unique device IDs, advertising tags, and the type of operating system used.
3.2.4   From Third Parties. We may receive User Information from third parties, including verification services and public sources. User Information might also stem from third-party services connected to our Services. This policy does not oversee third-party tracking technologies, for which their own privacy policies apply. We regularly review analytics services and may update this policy to reflect changes.
Veriff will provide us with personal information from your passport for purposes of issuing its digital version.
3.2.5  Google Analytics & Google Firebase Analytics. We use Google Analytics and Google Firebase Analytics to analyze user interaction with our site and services. They collect data like your IP address and visit time, but do not personally identify you. The data is stored by Google and is subject to their privacy policies [https://policies.google.com/privacy?hl=en].

3.3 How user information is used

3.3.1   Providing Services. User Information is collected and used to verify your identity and personalize your experience across our Services, including account creation and usage.
3.3.2   Improving Services. User Information is also utilized to innovate new products and Services, enable optimization, carry out statistical analysis, enhance existing Services, and better the design and functionality of our website.
3.3.3   Communication Purposes. User Information is utilized for sending technical and security alerts, service-related messages, news, software compatibility updates, surveys, and feedback requests. It's also used to inform you about products, services, and promotional offers based on your preferences and legal regulations.
3.3.4  Facilitate Payments. It's essential for us to use and store your User and Payment Information to carry out or document payment transactions or fund transfers.
3.3.5   Legal Compliance.  We store User Information to ensure compliance with relevant laws and regulations, including those related to privacy and anti-money laundering.
3.3.6  Aggregated Data Collection. We collect and aggregate user information to observe overall usage patterns and web traffic across all users of our services. This information also helps us to create aggregated statistics about the purchasing habits of various demographic groups and populations.
3.3.7   Dispute Resolution; Contract Enforcement. User Information may be used to resolve issues, collect fees, provide service assistance, protect company and service integrity, enforce terms of use, and prevent illegal activities.
3.3.8 Use for New Purposes. There might be scenarios where we use your personal information for purposes not explicitly outlined in this Privacy Policy. This is permissible if it aligns with the law and the new purpose is compatible with the original purpose for which we collected the information. If we have to use your personal information for a purpose unrelated to the original one, we will inform you and clarify the legal basis for this action.

3.4 How user information is protected

3.4.1   Protective Measures. The company implements commercially viable measures, including administrative, technical, and physical safeguards, to (i) shield User Information from unauthorized access, misuse, alterations, destruction, and loss or theft, (ii) maintain the security, integrity, and confidentiality of the User Information, (iii) safeguard against any anticipated security threats or risks to the User Information, (iv) prevent unauthorized disclosure or use of, or unauthorized access to, the User Information, and (v) comply with the security measures mandated by any relevant privacy laws.
3.4.2   Third Party Partners and Employees.  The company, either directly or through third-party service providers, can manage, process, and store User Information in various locations including the United States, Japan, the European Union, and others. The company strictly limits the access to User Information only to its employees, contractors, and agents who need this information to perform their duties to the company or to you, and who are bound by confidentiality agreements. Violation of these agreements can result in disciplinary action or termination. The company's third-party service providers follow suitable confidentiality and security measures when storing and transmitting User Information.
3.4.3   Security Breach.  We use practical technological measures to preserve the security, integrity, and privacy of your User Information. However, it's important to note that no internet transmission or electronic storage method is entirely secure or without errors, hence, absolute security cannot be assured. If the law requires it, the Company will promptly notify you about any unauthorized access to your User Information and will promptly start a comprehensive investigation into such occurrences.
3.4.4   Company Not Liable for Breach. The company bears no responsibility for any damages, allegations, liabilities, or legal actions resulting from unauthorized access or use of your personal information.

4. Legal Basis for Processing

The application installation ID (that is generated by Google LLC or Apple Inc) is processed for contractual purposes (Art. 6 Para. 1 lit. b GDPR). It is automatically provided to the controllers by the end device. Without processing the installation ID, the controllers cannot assign and deliver incoming messages to individual users. The purpose of the contract (exchange of identity information) would not be achieved.

The error analysis and other analyses are carried out in the legitimate interest of the controllers (Art. 6 Para. 1 lit. f GDPR). These analyses serve the functionality or improvement of the app.

No automated decision-making takes place.

5. Recipients and Categories of Recipients

Regarding the transfer of data to third parties (recipients outside the controllers), it is first necessary to note that a transfer does not generally take place and is not planned. However, a transfer may occur in individual cases if we are legally obligated to do so or if the user has given their consent. This may be the case in the following instances:

5.1 How user information is shared

5.1.1   Facilitate Third Party Services.  We sometimes hire third parties to help with business tasks and share necessary User Information with them. These tasks include analytics, payment processing, order fulfillment, and database maintenance. We ensure these third parties keep the shared User Information confidential.
5.1.2   For Legal and Safety Purposes.  User Information can be disclosed for the purposes of legal safeguards and safety, which include adhering to laws, responding to legal requests and procedures, defending the property and rights of the Company from competitors or claimants, and implementing our agreements, policies, and usage terms.
5.3   Business Transfers. As our business evolves, we might engage in buying or selling businesses or assets. If a corporate event such as a sale, merger, reorganization, or dissolution occurs, User Information could be included in the assets transferred.
5.4   Affiliated Entities. We may also share your User Information with our affiliated entities for purposes consistent with this Policy.

6. Transfer to Third Countries

There is no transfer to third countries.

Stichting(de) Lokale is located in the Netherlands; as such, your Personal Data may be processed by us or our service providers in the European Union. In such case, we have endeavored to establish and provide appropriate safeguards for EEA residents, and provide EEA residents the ability to enforce their data subject rights and provide EEA residents effective legal remedies as set forth in GDPR Article 46.

For any transfer of Personal Data from the EEA, Switzerland, or the United Kingdom that we make, we use appropriate safeguards to ensure the lawful processing and transfer of the Personal Data. When appropriate, we may use standard contractual clauses approved by the European Commission. Please contact us through one of the methods provided in the "Contact Us" section below and put "Safeguards" in the subject line to receive more information on the safeguards we have put in place.

7. Duration of Storage

We process and store your personal data as long as it is necessary for the fulfillment of our contractual obligations and the exercise of our rights.

The installation ID is deleted from the user's device upon uninstallation of the app.

8. Information on the Rights of the Data Subjects

As a data subject, the user has the following rights regarding the processing of their personal data:

To exercise these rights, the user can contact us using the contact information provided in section 1.

8.1 Right of Access

The right of access means in particular that the user has the right to obtain confirmation from the controller as to whether or not personal data concerning the user are being processed. If that is the case, the user also has the right to access this personal data and to the information listed in Article 15(1) GDPR.

8.2 Right to Rectification

The right to rectification means in particular that the user has the right to obtain from the controller the rectification of inaccurate personal data concerning the user without undue delay and to have incomplete personal data completed.

8.3 Right to Erasure ("Right to be Forgotten")

The right to erasure means that the user has the right to obtain from the controller the erasure of personal data concerning the user without undue delay, and the controller is obligated to erase personal data without undue delay where one of the grounds listed in Article 17(1) GDPR applies. This may be the case, for example, if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Art. 17(1) lit. a GDPR).

To the extent that we have made the personal data public and are obliged to erase it, we are also obliged to take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform other controllers processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.

The right to erasure ("right to be forgotten") does not apply where processing is necessary for reasons listed in Article 17(3) GDPR. This may be the case, for example, where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims (Art. 17(3) lit. a and e GDPR).

8.4 Right to Restriction of Processing

The right to restriction means that the user has the right to obtain from the controller restriction of processing if one of the conditions listed in Article 18(1) GDPR applies. This may be the case, for example, if the user contests the accuracy of the personal data. The restriction of processing shall be for a period enabling the controller to verify the accuracy of the personal data.

8.5 Right to Data Portability

The right to data portability means that the user has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from us, provided the processing is based on consent or on a contract and the processing is carried out by automated means.

In exercising their right to data portability, the user shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

8.6 Right to Object

We explicitly inform the user of the right to object at the latest at the time of the first communication. The right to object exists in the following cases:

8.6.1 Right to object on grounds relating to the particular situation of the data subject

The user has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on legitimate or public interest; this also applies to profiling based on these provisions.

In the event of an objection on grounds relating to a particular situation, we shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the user, or for the establishment, exercise or defense of legal claims.

8.6.2 Right to object to direct marketing

If personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this includes profiling to the extent that it is related to such direct marketing.

In the case of objection to processing for direct marketing purposes, we shall no longer process the personal data for these purposes.

8.7 Right to Withdraw Consent

If the processing is based on consent, the user has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The user is informed of the right to withdraw at the time of giving the consent.

8.8 Right to Lodge a Complaint with a Supervisory Authority

The user has the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

[some responsible authority legal details and contacts]

9. Exclusions

This policy does not cover (i) details shared by you in any public sections of the Services, like forums, chat rooms, community pages, or comment sections, (ii) suggestions for new products or changes to existing ones, and (iii) any other unrequested submissions (collectively, "Unsolicited Information"). Unsolicited Information is not regarded as User Information, and by providing Unsolicited Information to us, you are granting us a license to use, disclose, reproduce, and distribute such Unsolicited Information to others without restriction or need for credit.

10. Notice to residents of California, Nevada, and Utah (US)

10.1 Notice to California

We never share your personal information with third parties for their direct marketing objectives. Therefore, per California Civil Code Sections 1798.80-1798.84, there's no need for us to provide additional information upon your request. Any questions about this Privacy Policy can be directed to the contact listed below.

10.2 Notice to Nevada Residents

Under Nevada law, residents have the right to opt out of the selling of specific types of personal information. Although there are some exceptions, the term "sale" is generally defined by Nevada law as the exchange of certain types of personal information for monetary consideration, which is then licensed or sold to additional entities. Currently, we do not engage in the sale of personal information as defined by this Nevada law. However, if you are a resident of Nevada, you can still submit a verified request to opt out of sales, and we will document your request and act accordingly if our policy changes in the future. To submit an opt-out request, please contact us through one of the methods provided in the "Contact Us" section, and include "Nevada Opt-Out" in the subject line.

10.3 Notice to Utah residents

We don't share your personal data with any third parties for their own direct marketing purposes.

11. Status and Modification of this Privacy Information

This privacy information is current as of March 2024.

Due to technical advancements, changes in the app's functionality, and/or changes in legal and/or regulatory requirements, it may become necessary to adjust this privacy information. The most current privacy information can be accessed at any time within the app.