Privacy Policy
This privacy policy aims to give you information on how Notabene ID GmbH collects and processes your personal data through your use of our services via the website https://idiss.notabene.id/ or a mobile application.

Your trust is important to us, which is why we take the protection of data seriously and ensure appropriate security. We observe the statutory provisions of the Federal Act on Data Protection (“FADP”), the Ordinance to the Federal Act on Data Protection (“OFADP”), the Telecommunications Act (“TCA”) and other applicable data protection provisions of Swiss and international law.

In this privacy policy, we inform you about what personal data we collect from you and for what purposes we use it. You can at any time check our privacy policy on our website or our mobile application when accessing the Privacy Policy page.

If you have any questions regarding data protection, you can get in touch with us at idiss-privacy@notabene.id.


WHAT DATA DO WE COLLECT ABOUT YOU

1. When you use our services
We collect, use, store and transfer different kinds of personal data about you when you use our services to verify your identity and issue you an identity on the Concordium blockchain, which we have grouped together as follows:
- Identity Data includes first name, last name, date of birth, cryptographic identifiers, and blockchain addresses.
- Contact Data includes address, proof of address (bank statement, credit card statement or utility bill), phone number, messenger ID, and email.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Profile Data includes your username and password.
- Usage Data includes information about how you use our website and the mobile application.
- Communication Data includes messages and other communication that you submit to us.The processing of this voluntarily provided personal data is necessary for the implementation of pre-contractual and contractual measures and to offer the services to you in the best possible way. In addition, we also use the technical data and other data collected in the event of attacks on the network infrastructure or other unauthorised or abusive use of our services to identify offenders in connection with civil or criminal proceedings, which is in our legitimate interest. 

2. When you subscribe to your newsletterWe offer you our newsletter to inform you about updates of our services. When you subscribe to your newsletters, we need the following personal data:
- Marketing and Communications Data
includes your identity data such as your name, last name and Contact Data such as your e-mail address as well as your preferences in receiving marketing from us and our third parties and your communication preferences.

In order for you to get subscribed to our newsletter, we use "double-opt-in" in order to ensure you are the owner of the email address entered. We only use this data for the delivery of our newsletter if you have agreed to receive it. You can unsubscribe from our newsletter at any time via a link in each respective e-mail. You can also send us a message to idiss@notabene.id. so that we can delete you from our mailing list. We will send you our newsletter based on your consent.

To send you our newsletter in a professional manner, we use the software and the services of HubSpot.

3. When you contact us
When you contact us, we ask you to provide the following personal data:
- Identity Data includes first name, last name.
- Contact Data includes your e-mail address.
- Communication Data includes your message.

We only use these data as well as any additional information voluntarily provided by you in order to answer your contact enquiry in the best possible and personalised way. The processing of this data is therefore in our legitimate interest to answer your questions in a personalised manner.

DATA PROCESSING SPECIFICALLY FOR THE MOBILE APPLICATION

4. When you download the mobile application
When you download a mobile application including our services, we collect the following personal data:
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

The collection and processing of such technical data are carried out for the purpose of enabling the use of our services (establishing a connection), ensuring system security and stability over the long term and optimising our services as well as for internal statistical purposes. It is within our legitimate interest to process such data for these purposes and to offer you a well-functioning access to our services through mobile applications.

The data collected may also be used in the event of attacks on the network infrastructure respectively other unauthorised or abusive use of our services to identify offenders in connection with civil or criminal proceedings. The processing of this information is in our legitimate interest to secure and improve our services accordingly.

5. Is personal data automatically collected?
When using our services through a mobile application, we automatically collect the following personal data:
- Technical Data includes public key and other data provided by your Concordium wallet to allow us to issue credentials to you.

The collection and processing of this data is carried out for the purpose of enabling the use of our services (establishing a connection), ensuring system security and stability over the long term and ensuring a customer friendly use of our services as well as internal statistical purposes. The processing of this personal data is within our legitimate interest to process such data for these purposes and to offer you a well-functioning service through mobile applications.

The internal ID of your device may also be evaluated together with other data in the event of attacks on the network infrastructure or other unauthorised or abusive use of our website for the purpose of clarification and defence and, if necessary, used within the framework of criminal proceedings for identification and for civil and criminal action against the users concerned. The processing of this information is in our legitimate interest to secure and improve our services accordingly.

6. What personal data is collected when you are using our services through mobile applications?When using our services through a mobile application, you can enter, manage and edit various information, tasks and activities. In particular, this information includes personal data that we receive directly from you (such as name, company) as well as additional information that we may receive via interfaces.The use of our services through mobile applications also requires access to connect you with our servers and camera access to take photos of you and your documents for the ID verification and the issuance of an ID.

The processing of this data is necessary for the fulfilment of pre-contractual and contractual obligations as well as for the use of the services.

DATA PROCESSING IN CONNECTION OUR SERVICES RELEVANT FOR ACCESS THROUGH THE WEBSITE AND 
MOBILE APPLICATIONS

7. Do we track your activities?
We may use tracking tools for the purpose of designing and continuously optimising our services to meet your needs. In this context, cookies are used. The information generated by the cookies about your use or our services is transferred to the servers of the provider of these services, stored there and processed for us. In addition to the data listed above, we may receive the following information:
- Identity Data includes the country, region or city from which you access the services.
- Technical Data includes navigation path of you, time spent with our services, the device (type, version, colour depth, resolution, width and height of the browser window) through which you access our services.
- Usage Data includes information about whether you are a recurring user of your services.The information is used to evaluate the use of our services, to compile reports about engagements with our services, and for market research and need-based design to improve our services. In addition, this information may be transferred to third parties if this is required by law or if third parties process this data on our behalf.

8. What are cookies? Do we need cookies?
Cookies help in many ways to make your visit to our services easier, more enjoyable and more meaningful. Cookies are information files that your web browser automatically saves when you visit our website or App. In particular, we use the following type of cookies:
- technically necessary cookies;

We use these cookies, for example, to temporarily store your entries when filling out a form, so that you do not have to repeat the entry when calling up another subpage. Cookies may also be used to identify you as a registered user after you register without services, without you having to log in again.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your device or a message always appears when you receive a new cookie.

Disabling cookies may prevent you from using all features of our services.

STORAGE AND EXCHANGE OF DARA WITH THIRD PARTIES

9. Is this data stored or linked?
We store the data collected with our server host. The processing of this data is based on our legitimate interest in customer-friendly and efficient customer data management.

10. How long will my data be kept?
We only store personal data for as long as is necessary for the above described uses and further processing in the context of our legitimate interest. Contract data is stored by us for a longer period of time, as this is prescribed by statutory obligations. Obligations to store data may arise out of accounting law, civil law and tax law. According to these laws, business communication, concluded contracts and accounting vouchers must be stored for up to 10 years. If we no longer need this data to carry out the services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

11. Which data are disclosed to third parties when using our services?
If you purchase our services or if you make use of tools that have our services integrated, we will only process the data necessary for the compliance check. As a rule, this concerns the data in section 1 of this privacy policy. The lawfulness of the data processing for this purpose lies in the fulfilment of a contract. As our services may be integrated into the products, software or application of a third-party, you should expect that such a third-party processes additional data, which is not necessary for the compliance check. We cannot influence what data these third parties process. Therefore, we recommend that you check their respective privacy policies before using their services.

Furthermore, we reserve the right to disclose the data processed as part of the compliance services to authorities if we are requested to do so by an official order.

12. Will my data be disclosed to other third parties?
Other than explicitly explained in this privacy policy, we only disclose your personal data to other third parties if you have expressly consented, if there is a legal obligation (including an order by an authority) to do so or if this is necessary to enforce our rights, in particular, to enforce claims arising from the contractual relationship. In addition, we disclose your data to third parties insofar as this is necessary for the use of our services and the execution of contracts (also outside our services).

13. Do we transfer personal data abroad?
We are entitled to transfer your personal data to third parties (contracted service providers) abroad for the purpose of the data processing described in this privacy policy. These are bound to protect data to the same extent as we are. If the level of data protection in a country does not correspond to that in Switzerland or the rest of Europe, we will contractually ensure that the protection of your personal data always corresponds to that in Switzerland or the rest of Europe.Specifically, this applies to data transfers to the USA, which from the point of view of the European Union and Switzerland does not have an adequate level of data protection. We will make sure that we implement guarantees to ensure an appropriate level of data protection. To do so we will make use of the guarantees recognised as sufficient to ensure an adequate level of data protection in the EEA and / or Switzerland.

ANYTHING ELSE YOU NEED TO KNOW?

14. You have a right of access, rectification, deletion and limitation of the processing as well as of data transferability
You have a right to request information about the personal data that we store about you. In addition, you have a right to correct incorrect data and a right to request deletion of your personal data, insofar as there is no legal obligation to retain such data and no legal basis for further processing the existing data.

You also have a right to request the data that you have provided to us (right to data portability). Upon request, we will transfer your data to a third party of your choice. You have a right to receive the data in a common file format.

You can contact us for the aforementioned purposes at idiss-privacy@notabene.id.

In order to process your requests, we may request proof of your identity.In many countries, you also have the right to file a complaint with the relevant data protection authority if you have concerns about how we process your data.

These rights depend on the applicable data protection legislation and may be either more limited or more comprehensive.

15. Is your data safe with us?
We use suitable technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

You should always treat your access data confidentially and close the browser window when you have finished communicating with us, especially if you share your computer, tablet or smartphone with others.We also care about data protection internally. Our employees and the service providers are contractually obliged to ensure confidentiality of personal data and compliance with applicable data protection laws.

16. Can you complain about us?
You have the right to complain to a data protection supervisory authority at any time.

17. Which law do we apply? And where does the law apply?
This privacy policy and the contracts concluded on the basis of or in connection with this privacy policy are subject to Swiss law, unless the law of another country is mandatory. The place of jurisdiction shall be Zug, unless another place of jurisdiction is mandatory.

18. Can this policy be amended?
Should individual parts of this privacy policy be invalid, this shall not affect the validity of the rest of the privacy policy. The invalid part of this privacy policy shall be replaced in such a way that it comes as close as possible to the economically intended purpose of the invalid part.Due to the further development of our services and offers or changes to the statutory requirements, it may become necessary to amend this privacy policy. The most current privacy policy is published on our website and the mobile applications

19. Questions about data protection? Please, contact us!This page was last modified on [July 8th, 2021]. If you have any questions or comments about our legal notices or data protection, please contact us at idiss-privacy@notabene.id.

Notabene ID GmbH