Zyphe Inc. Privacy Policy

Effective Date: February 04, 2025

Zyphe Inc. (“Zyphe,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect personal data in our decentralized KYC (Know Your Customer) identity verification services. We comply with applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to ensure your personal information is handled lawfully and transparently.

Scope

This Privacy Policy applies to all users of Zyphe’s services, including our business clients (B2B customers) and the individuals who undergo identity verification through our platform. It covers the personal data submitted when using Zyphe’s decentralized KYC solution and any related services. By using our services or providing your information for verification, you acknowledge that you have read and understood this Policy. This Policy does not apply to any third-party websites or services that integrate with Zyphe; those parties are responsible for their own privacy practices.

Personal Data We Collect

We only collect personal data necessary to perform identity verification and compliance checks. The types of personal data we may collect include:

• Contact Information: Your email address and possibly other basic contact details.
• Identity Documents: Government-issued identification documents such as passports, driver’s licenses, national ID cards, or other forms of ID you provide. These documents typically include personal details (e.g. full name, date of birth, photograph, document number).
• Biometric Data: Biometric identifiers used for verification, such as a facial image or selfie (for face match with your ID) or other biometric information. This is used to confirm that you are the legitimate holder of the provided identity document.

We obtain this information directly from you when you (or your organization) use our platform to verify your identity. We do not collect personal data that is not relevant to the KYC process, and we do not collect any sensitive personal data beyond what is needed for identification purposes. We also do not knowingly collect any personal data from children, as our services are intended for adult use in business contexts.

Data Processing and Storage

Zyphe’s platform processes your personal data solely for the purpose of identity verification and compliance with KYC requirements. Uniquely, Zyphe does not retain your personal data on centralized servers. Instead, all personal data is stored in a decentralized manner, meaning your information is encrypted, split into fragments, and distributed across a secure network that the final user controls.

In other words, you (the end user) retain ownership of and access to your identity data at all times. Zyphe’s systems facilitate verification by accessing the necessary data fragments

with your authorization

during the KYC process, but we do not maintain a complete personal dataset in any single location on our side.

Because of this decentralized, user-centric storage design, Zyphe only processes your data as a transient intermediary to perform the verification and then does not store your complete personal information afterwards. Any personal data processed through our service remains under your ownership and control. We do not create copies of your identity documents or biometrics for our own records. In practice, this means that once your verification is complete, your data stays with you (or on the decentralized network nodes you authorize) rather than in Zyphe’s possession. We will retain minimal information only as necessary to log that a verification was completed (for audit and compliance evidence), but these logs do not contain the sensitive personal data itself, or they are stored in a privacy-preserving manner (e.g. cryptographic proofs of verification).

All processing of personal data through Zyphe is done in accordance with applicable law and with your consent (or another valid legal basis, such as fulfilling a contract with our business client on your behalf). We do not use your personal information for any purpose unrelated to KYC/identity verification. We never use your data for marketing or profiling, and we do not make any automated decisions about you that could significantly affect you, outside of the verification result.

Third-Party Sharing

Zyphe does not share, sell, or disclose your personal data to unrelated third parties. We value your privacy and have built our business model around not exploiting personal data. In particular:

• No Sale of Data: We do not and will not sell your personal information to data brokers or marketers. This includes not selling information as defined under the CCPA.
• No Unnecessary Disclosure: We do not provide your personal data to third parties for their own independent use. For example, we won’t give or rent your email or biometric data to other companies for advertising or any other purpose.
• Service Provision: The only parties that may receive some of your personal data are the business or service provider that requested your KYC verification (for example, the company with whom you are trying to open an account, which is using Zyphe to verify you). In such cases, that company is not a random third party but rather the party you have a direct relationship with, and your data is provided to them at your direction to fulfill the KYC requirement. Even in these cases, the data exchange is under your control via the decentralized platform – your information is shared with that specific company only with your consent and for the intended purpose.
• Legal Compliance: We would only disclose personal data to outside parties if required by law or a valid legal process (for instance, a court order or regulatory requirement). If we ever are compelled to disclose data in this way, we will, when possible, inform you and only share the minimum necessary information.

Aside from providing verification results back to the organization you are signing up with, we treat your personal data as strictly confidential. Zyphe acts as a secure conduit between you and the requesting business. We do not allow any third-party access to your information, and we do not even have full access to your data ourselves outside of the verification transaction. In summary, your personal data is never shared with third parties for their own use, and it remains private within the verification ecosystem.

Data Security Measures

We take data security extremely seriously. Zyphe follows the highest industry standards for data protection and security to safeguard personal information during processing. Our security measures include:

• Encryption: All personal data handled by Zyphe is protected using strong cryptographic encryption. Identity data is encrypted both in transit (when data is moving through our system or network) and at rest (when stored in the decentralized nodes). In fact, we utilize advanced encryption methods (such as AES-256 encryption) to fragment and secure your data. This means that even in the unlikely event that someone gained unauthorized access to the storage nodes, the data fragments would be unintelligible without the proper cryptographic keys.
• zyphe.com
• Decentralized Architecture: By decentralizing data storage, we eliminate any single point of failure or attractive target for attackers. No single database contains all of your personal information, greatly reducing the risk of large-scale data breaches. Zyphe does not hold a master key or “backdoor” to decrypt and access your full data – access is only possible with your consent and participation. This architecture inherently enhances security and privacy.
• zyphe.com
• Access Controls: We implement granular access controls and strict authentication measures for all system interactions. Only authorized processes and personnel can initiate the verification workflow, and even then, they can only access data in a limited, as-needed manner. Our employees and contractors do not have direct access to your sensitive personal data. Internally, access to any system components is restricted by role and subject to regular monitoring.
• zyphe.com
• Industry Standards Compliance: Zyphe’s security program adheres to internationally recognized standards and frameworks. We are compliant with standards such as ISO 27001 for information security management and maintain GDPR-compliant data handling practices. We undergo routine security audits and assessments to ensure our controls remain effective.
• zyphe.com
• Additional Safeguards: We employ firewalls, intrusion detection systems, and continuous network monitoring to protect our infrastructure. We also utilize secure coding practices and regular penetration testing to identify and fix vulnerabilities. In the unlikely event of a security incident, we have a response plan to mitigate any harm and will notify affected parties as required by law.

These measures are designed to protect the integrity, confidentiality, and availability of your data. We strive to not only meet but exceed the security standards required by law. By using multi-layered defenses and cutting-edge privacy technology, Zyphe aims to ensure that your personal information remains secure at every step of the verification process.

User Rights and Data Management

Because of Zyphe’s user-centric approach, you have full control over your personal data. Our platform is built to empower you to manage your information independently. This means you can determine what data to share, who can access it, and you can update or revoke that access as needed. In practical terms, you are able to:

• Access and Review: You can view the personal data you have provided for verification at any time through our interface or your decentralized identity wallet. Transparency is a key principle – you have the right to know what data of yours is in the system and how it’s being used.
• Correction: If any of your personal data changes or is inaccurate (for example, you get a new ID or need to correct a typo in your email), you can update it. Because you maintain your data, updating your information in the platform will update it for any future verifications.
• Deletion (Right to be Forgotten): You may remove your personal data from the Zyphe platform whenever you wish. Since data is under your control, you can delete or revoke the data stored in the decentralized network. Once removed, Zyphe no longer has any access to your information. Additionally, if Zyphe does happen to hold any minimal residual data (such as encrypted log identifiers), you can request that we erase any such data, and we will promptly do so to the extent we are able.
• Data Portability: You can export or retrieve a copy of your verified credentials or personal data in a portable format. Our solution is designed so that you can reuse your verified identity across multiple services. This aligns with your right to data portability under GDPR – you have the ability to obtain and reuse your personal data for your own purposes across different services.
• Consent Management: Where we rely on your consent to process data (such as using your biometrics for verification), you have the right to withdraw that consent at any time. With Zyphe, withdrawing consent could be as simple as revoking the access permissions you granted for a particular service to view your data. If consent is withdrawn, we will stop processing your data for that purpose and will not have further access.

In addition to the above capabilities, you are entitled to all rights provided under applicable data protection laws. This includes, for individuals in the European Economic Area (EEA) under the GDPR, rights such as the right to be informed, the right to object to or restrict processing, and the right to lodge a complaint with a Data Protection Authority. For California residents, the CCPA provides you the right to know what categories of personal information we collect about you, to request that we delete any personal information we have collected (subject to certain exceptions), and to not be subject to discriminatory treatment for exercising your privacy rights. Note that Zyphe does not sell personal information, so the CCPA right to opt-out of sale is not applicable – we automatically respect that by our business model.

If you need assistance with accessing, correcting, or deleting your data, or if you wish to exercise any privacy rights that our platform does not enable you to do directly, please contact us (see Contact Information below). We will respond to your request in accordance with applicable law (generally within 30 days for GDPR requests, and 45 days for CCPA requests, with the possibility of extension if necessary). We may need to verify your identity before fulfilling certain requests to ensure security.

International Operations and Data Transfers

Zyphe is based in Delaware, USA, but we operate globally to serve clients and users around the world. Regardless of where you are located, we are committed to protecting your data in line with this Privacy Policy and applicable regulations. One of the advantages of our decentralized approach is that we do not generally need to transfer your personal data across international borders. In traditional systems, if a company operates globally, personal data might be transferred to servers in different countries (which can raise compliance challenges under GDPR for EU data, for example). Zyphe’s platform avoids this by keeping data regionalized: personal data remains stored within your region or locale.For example, if you are an EU-based user, the fragments of your identity data will reside on secure nodes within the EU (or EEA) to satisfy data residency requirements.If you are in another jurisdiction, we ensure your data stays within appropriate geographic boundaries as required.

Because of this design, using Zyphe does not typically involve the “international transfer” of your personal data in the way that other services might. We do not move your information from one country to another, and thus your data enjoys the protection of local privacy laws without needing complex cross-border transfer mechanisms. In rare cases where an international data transfer might be necessary (for instance, if you explicitly choose to share your data with a service provider in another country), we will ensure that proper safeguards are in place. Such safeguards could include the use of Standard Contractual Clauses or other approved transfer mechanisms under GDPR, or compliance with any applicable requirements under other regional laws.

Zyphe also ensures that all our operations, whether in the United States, Europe, or elsewhere, follow a consistent level of data protection. We train our staff on global privacy requirements and implement internal policies to maintain compliance. So, no matter where you use our service from, you can be confident that your privacy is respected and protected.

Cookies and Tracking

Our website (and related online services) uses cookies and similar tracking technologies to provide and improve the user experience. Cookies are small text files placed on your device when you visit our site. They help us remember your preferences, understand how you use our site, and customize your experience. For example, cookies may keep you logged in during your session or recall your chosen language settings. We may also use cookies (or similar tools like pixel tags) to collect analytics information about site traffic and interactions, which helps us improve our website’s performance and content.

Here are the categories of cookies we may use:

• Essential Cookies: These are necessary for the website to function correctly. They enable core features such as security, network management, and accessibility. You can set your browser to block these cookies, but some parts of the site may not work properly without them.
• Analytics and Performance Cookies: We use these to gather data on how visitors navigate our site, which pages are viewed most often, and whether users encounter errors. This information is aggregated and does not directly identify individuals. It helps us optimize the site’s functioning. (For instance, we might use a third-party analytics service that sets its own cookies, but only to the extent permitted and with appropriate safeguards.)
• Preference Cookies: These remember your choices (like region or language) to personalize your experience.

By using our website, you consent to the use of cookies as described in this Policy (unless you utilize opt-out features). When you first visit, you will see a cookie notice or banner that lets you know we use cookies; where required by law, we will obtain your consent before using non-essential cookies. You have the option to manage or disable cookies at any time through your web browser settings. Please note that if you disable certain cookies, some functionalities of our services may be limited. Our site may also honor any applicable “Do Not Track” settings on your browser, though currently, there is no universal standard for DNT signals. We do not use cookies to serve targeted advertising, and any tracking is solely for our internal usage and to provide the service effectively.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please contact us at privacy@zyphe.com. You can also reach out to this email address to exercise your data protection rights or to request further information about our privacy practices. We are here to help and will respond as promptly as possible.

Zyphe Inc. is a Delaware-based company, and you can also contact us by mail at our corporate headquarters:

Zyphe Inc.

Attention: Privacy Team

(Delaware, United States – 2140 S Dupont Hwy, Camden, DE 19934, USA)

We will endeavor to resolve any issues or questions you have about your personal data to your satisfaction. If you are an EU/EEA resident and you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your country’s supervisory authority (data protection regulator). If you are a California resident and have a complaint, you may contact the California Attorney General or the California Privacy Protection Agency. We encourage you to contact us first so we can try to address your concerns directly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our technology, operational practices, or legal obligations. If we make material changes, we will notify users through our website or via email (if you have provided one for contact) prior to the change becoming effective, in accordance with applicable laws. The “Effective Date” at the top of this Policy indicates when the latest revisions were made. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of Zyphe’s services after any changes to this Policy constitutes acceptance of the updated terms.

‍