This is our privacy policy

Privacy Policy
Effective Date: 1 November 2019

This is the Privacy Policy of Trust Fractal (“We”, “Us”, or “Fractal”). It governs your personal data which is processed in the context of an agreement entered into between you and us on
the use of the services of Fractal, including the use of our website and software. In terms of this policy, 'processing' means any operation or set of operations which is performed on your personal data. This personal data may include personal details, details about the way you access our website and software, and details about which Fractal partners you access, among
others and is described below in more detail.

This remainder of the policy shall provides information on the processing, the legal basis upon which the Personal data is processed by us and how you may exercise your rights over your Personal Data. Where this Policy refers to provisions contained in the General Data Protection Regulation (GDPR), these provisions shall apply. In case of any conflict between the GDPR and the terms of the Privacy Policy , the provisions of the GDPR shall prevail.

Purpose and Legal basis for the processing

In order to use our Fractal ID software you must register with us. Your use of Fractal ID requires submission of certain necessary information, particularly your e-mail address among other data. You may not use Fractal ID without submitting the information stated as necessary at registration. Therefore, the processing of your personal data is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR.

After registration, you are able to voluntarily provide further personal data and store these with us so that you may use certain services or software. You may also provide this personal data and provide consent to transfer such personal data to third parties for the purpose of registering and maintaining a business relationship with such third parties. The legal basis for the processing of personal data is your consent pursuant to Art. 6 (1) (a) of the GDPR.

While providing personal data for the purposes of registering and maintaining a business relationship with third parties, you may also voluntarily verify yourself and your personal data through Fractal so that you may use your personal data in relation to third parties. The legal basis for the processing of such personal data is your consent pursuant to Art. 6 (1) (a) of the GDPR.

Similarly, your personal data and its verification may be collected, processed and stored for the purposes of satisfying a legal obligation that a third party must meet to enter into and maintain a business relationship with you. In such an event, the legal basis for the processing and storage of such personal data is your consent pursuant to Art. 6(1) (c) of the GDPR. During any verification process you decide to undergo, you may be asked to voluntarily provide biometric data for the purposes of uniquely identifying yourself as a natural person. In these cases, you give explicit consent for the processing for the purpose of identifying yourself as a natural person The legal basis for the processing of such personal data is your consent pursuant to Art. 9(2)(a) of the GDPR.

We also process your personal data in order to show you the third parties you have authorized us to send personal data to previously and also to make corresponding suggestions of other third parties who you may want to register with using our services. Without being able to process your personal data for this purpose, we would not be able to perform the services we have agreed to with you. The legal basis for the processing of such personal data is your consent pursuant to Art. 6 (1)(b) of the GDPR.

We may use your personal data in order to send you marketing information or emails if you have agreed to receive such. If you have agreed to such, then may also use the personal data that we collect in order to send you information on the products and services offered by Fractal or its third-party partners. The legal basis for the processing of such personal data is your consent pursuant to Art. 6 (1) (a) of the GDPR.

If you voluntarily submit a customer support request via an email, chat or other correspondence system we will also process your personal data for the purpose of fulfilling such request. The legal basis for the processing of such personal data is your consent pursuant to Art. 6 (1)(a) of the GDPR. Further, while providing information to us, we may need to contact you to be able to provide our services correctly. The legal basis for the processing of such personal data is your consent pursuant to Art. 6 (1)(b) of the GDPR.

Finally, we also process your personal data for the purposes of the legitimate interests, in order to ensure the integrity, security and availability of our system, services software and your personal data to you, us and the third parties you have authorized. The legal basis for the processing of such data is Art. 6 (1) (f) of the GDPR.

Transfer to third countries

We may use processors that process your data in countries outside of the EU. In case we transfer Personal Data outside the territorial scope of the GDPR, we ensure that there is either an adequacy decision by the European Commission or that a similar level of data protection compared to the GDPR is guaranteed by the use of the contractual clauses at least as
protective as those provided by the EU Commission. We do this by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC). (https://eurlex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en).

Recipients of Data

To conduct our Services, we use third party service providers to provide us with necessary services. We may transfer your personal data to these service providers for further processing based on your consent with this privacy policy or on the basis of your agreement to use our services. All transfer of data is undertaken by way of secure connections to these service providers. These service providers only receive your personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which your personal data are processed. These include the following categories of service providers: identification service providers, identity verification providers, monitoring services, server hosting providers, newsletter senders, customer relationship or support services, website hosting services, email sending services, web traffic analysis providers.

Additionally, through our services your data may be transferred to third parties so that you may register and maintain an account and/or business relationship with those services. You will be asked to consent to the transfer and continual transfer of your personal data to those individual third-party services upon the first transfer of your personal data. You may revoke your consent to their access to your personal data on our servers at any time. We may however be required to store your personal data on their behalf and send personal data to them again if there is a legal obligation to do so.

The categories of personal data we process

As described above, we require that you provide us with your email address to register for our services. In addition to collecting your email address, we may collect and process information about the device you use, location settings of the device, and your IP address. During the use of our services we may require you to provide the following categories of personal data to access certain third parties or even our own services. Your provision of this personal data is always voluntary, but if certain personal data is not provided you may not be able to utilize all services:

name, nationality, country of residence, address, phone number, place of birth, date of
birth, identification document information, personal photo, biometric face scans, financial
details, and company/workplace details.

Your rights when your Personal Data are being processed

We guarantee you the applicable rights of the German data protection laws. Please note that we will require you to provide us with proof of identity before we respond to any requests for the exercise of your rights.
To exercise any of your rights, please contact us at:
Trust Fractal GmbH
Wiener Straße 10
10999 Berlin, Germany
Email: privacy@fractal.id

As soon as personal data is being processed, you have the following rights:

(a) Right of access
Pursuant to Art. 15 GDPR, you have the right to obtain confirmation as to whether or not your personal data is processed.

(b) Right to rectification
In accordance with Art. 16 GDPR, you are entitled to demand that we rectify your personal data if they are inaccurate or erroneous.

(c) Right to restriction of processing
In accordance with Art. 18 GDPR, you have the right to demand a restriction of processing for your personal data. This may result in us being able to longer offer you services. However, if we stop processing the Personal Data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. to comply with regulatory obligations, for the defence of legal claims or for the protection of another natural or legal persons or for reasons of important public interest of the EU or a Member State).

(d) Right to erasure (‘right to be forgotten’)
In accordance with Art. 17 GDPR, you have the right to have your personal data erased without undue delay. This does not include your personal data that has to be stored due to statutory provisions or in order to assert, execute or defend legal claims. Please note that after deleting the Personal Data, we may not be able to provide the same level of servicing to you as we will not be aware of your preferences.

(e) Right to data portability
Pursuant to Art. 20 GDPR, you have the right to receive your personal data provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to a third party without hindrance from Fractal, if
● The processing is based on consent pursuant to Article 6 (1)(a) GDPR or on a
contract pursuant to Article 6 (1)(b) GDPR; and
● The processing is carried out by automated means.
The relevant subset of Personal Data is data that you provide us with your consent or for the purposes of performing our contract with you.

(f) Right to object
Pursuant to Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data which is based on Article 6 (1) lit. e) or lit. f) GDPR, including profiling based on those provisions. The Controller shall no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defence of legal claims.

(g) Right to withdraw your consent
You have the right to withdraw your consent under the data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of your consent regarding your personal data may lead to the termination of your contract as the whole contractual relationship between Fractal and You is dependant on personal data.

(h) Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. You have the right to address the supervisory authority for any questions or complaints. The supervisory authority of Fractal is the data protection supervisory authority in Berlin (‘Berliner Beautragte für Datenschutz und Informationsfreiheit’) https://datenschutzberlin.de/.

Automated individual decision-making

Our software conducts automated screening of personal data to issue a decision on your eligibility to participate in third party services. This decision may negatively impact your ability to participate in those third-party services. Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing of your biometric data and which produces legal effects concerning you. You have the right to elect to have your data reviewed by a natural person assigned by Fractal. In case you do not agree with the automated decision, or its review, you may not be able to use our services.

Data Retention

We will not retain your personal data for longer than is necessary for the purpose it was collected. Thus, we store your data for as long as you have an account with Fractal. You may cancel your account with Fractal at any time, in which case we will delete your data once all outstanding transactions are settled and once we confirm there are no legal retention obligations to continue storing the data. Should we have a legal obligation to continue storing your personal data, either on our own behalf, or on behalf of a third party, we will delete the data as soon as that legal obligation ends.

Controller Details

Your personal data will be processed and controlled by us. Fractal is your data controller in the context of our software and services and your account with us. Our full address is:

Trust Fractal GmbH
Wiener Straße 10
10999 Berlin, Germany
E-mail: privacy@fractal.id

You may also contact our data protection officer at the above e-mail address or:

DGD Deutsche Gesellschaft für Datenschutz GmbH
Fraunhoferring 3
85238 Petershausen

In case you provide your consent to process your personal data with Fractal in order to participate in third party services who have legal obligations to collect and process your personal data to be eligible to participate in those third party services, then Fractal is a data processor on behalf of those third parties regarding the personal data process required for that eligibility. Information on such third parties is provided in our software or contact us via the e-mail address provided.

Changes to the privacy policy or the purpose of processing
This Policy was last updated on the effective date noted above. This Policy may be amended or updated from time to time to reflect changes in our privacy practices with respect to the processing of personal data or changes in the applicable law. We encourage you to save this Privacy Policy locally on your computer and to regularly check this page so that you may
review any changes we might make. If we make a material change to the Privacy Policy, you will be provided with appropriate notice.

Question about your verification?

Contact support at support@fractal.id

Email support