Privacy Notice
Last Updated: 1 January, 2025
Introduction
Bynn Intelligence Inc. (“Bynn”, “we”, “us” or “our”) provides identity verification and compliance solutions – including Know Your Customer (KYC), Know Your Business (KYB), and Anti-Money Laundering (AML) screening services – to help businesses verify identities and prevent fraud. This Privacy Notice explains how we collect, use, share, and protect personal information when you (the “Data Subject” or “you”) use our identity verification services or otherwise interact with us. It also outlines your rights under applicable privacy laws (such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)), and limits our liabilities related to privacy and data security. By proceeding with Bynn’s identity verification process or using our services, you acknowledge that you have read and agree to the practices described in this Privacy Notice. If you do not agree, please do not use the services.
Our Role (Controller or Processor): In many cases, Bynn is a service provider acting on behalf of a client business (“Client”) that has asked you to verify your identity. In those situations, the Client is generally the data controller (or “business” under CCPA) determining why and how your personal data is processed, and Bynn acts as a data processor (or “service provider”) following the Client’s instructions. For example, if you are verifying your identity to register for a financial service, that company is the controller, and Bynn processes your data solely to perform the verification for them. However, in certain cases Bynn may process some of your data for our own purposes – such as improving our verification technology or fulfilling our legal obligations – and in those cases Bynn may act as an independent controller as permitted by law.
If you have any questions or concerns about this Privacy Notice or your personal data, please contact us at privacy@bynn.com.
Personal Data We Collect
We only collect personal data necessary to verify identity, confirm business information, prevent fraud, and comply with KYC/AML regulations. The types of information we may collect include:
- Identifiers and Contact Information: Your full name, date of birth, nationality, email address, physical address, phone number, and other basic identifiers. We may also collect government-issued identification numbers (such as driver’s license number, passport number, Social Security or national ID number) as shown on your documents.
- Identity Documents: Scans or photographs of government-issued IDs or documents you provide (e.g. passport, driver’s license, identity card, residence permit). This includes all information visible on those documents, such as your photo, name, document number, expiration date, date of birth, gender, nationality, signature, and address if included. We process the images of these documents and extract the data to verify their authenticity and your identity.
- Biometric Information: Biometric identifiers or information derived from your physiological characteristics. In particular, we collect facial images and facial geometry data. For example, we may ask you to take a selfie or live video and use facial recognition technology to compare it with the photo on your ID document. This process generates biometric data (such as a facial template or facial measurements) used to confirm you are the true document holder. We treat biometric data as sensitive personal data and handle it with a high level of security and care (see “Biometric Data” section below for more details). We do not collect other biometrics like fingerprints or DNA – only facial recognition data for identity verification purposes.
- Photographs, Videos, and Audio (Liveness Data): As part of verification, we may collect a live selfie photograph or a short video clip of you (which may include audio) to ensure “liveness” (that you are physically present and not using a fake image). This media may capture your voice if audio is recorded, and your likeness. The content is used solely to verify identity and prevent fraud (for example, detecting deepfakes or edited images). We also collect the still images (frames) or selfies you submit.
- Know Your Business (KYB) Data: If you are verifying a business or your association with a business, we collect information about the company and its personnel. This may include business name, registration number, corporate address, country of incorporation, ownership structure, and corporate documents. We may also collect personal identifiers of the business’s directors, officers, or beneficial owners (such as their names, titles, and identification documents) as required to perform KYB due diligence and AML checks.
- Compliance and AML Information: In order to comply with AML, counter-terrorist financing, sanctions, and other legal requirements, we may collect additional data about you from third-party sources. This includes checking your information against politically exposed persons (PEP) lists, sanctions watchlists, law enforcement databases, or public records. The information gathered may indicate if you are on any restricted lists or have adverse media. We only gather what is necessary to fulfill our Client’s compliance obligations (for example, confirming you are not on a sanctions list). If relevant, we also note the results of these checks (e.g., a flag that you are a PEP or that no issues were found). We do not collect sensitive personal data such as your racial or ethnic origin, religious or philosophical beliefs, or health information, except if appearing incidentally on an identity document (and we do not use that incidental information).
- Device and Technical Information: When you use our verification link or application, we automatically collect certain technical data about your device and network for fraud prevention and security. This includes online identifiers like your IP address and device identifiers, device type and model, operating system version, browser type and language, and usage data such as timestamps of access and pages or screens visited. We may also capture geolocation data (approximate location based on your IP or GPS, with your consent if required). Additionally, we collect data about how you interact with our verification process (such as mouse movements, keystrokes, or touch events) to detect automated bots and ensure the session’s integrity.
- Inferences and Risk Assessments: We may generate internal scores or flags based on the information collected to assess the likelihood of fraud or to verify authenticity. For example, our system might evaluate whether the device or network you use has been associated with fraud in the past, or whether the combination of your identity details passes certain validation rules. These inferences help our Clients make informed decisions (e.g., approving an account opening) and are considered derived data. We do not use these profiles for marketing; they are used strictly for security and verification.
- Cookies and Similar Technologies: (If applicable) We may use cookies or similar tracking technologies in the identity verification interface to enable the service (for example, to keep the session active or remember your progress). These are not used for advertising purposes. Any cookies we set are strictly necessary for security or functionality.
Sources of Personal Data: Most of the personal data we collect comes directly from you, the user undergoing verification (for example, you provide data by filling out a form or uploading photos/documents). In many cases, our Client (the business requesting the verification) also provides us certain information about you that they have already collected (such as your name, contact details, or user ID in their system) to facilitate the process. Additionally, we may obtain data from: (i) public records or databases (e.g. government registries for KYB, sanctions/PEP lists for AML checks); (ii) third-party identity verification services or vendors (for document authenticity checks or liveness detection); and (iii) fraud prevention agencies or consumer reporting agencies (for device reputation or identity fraud signals). All such collection is done only as needed to verify identity or comply with law.
How We Use Personal Data
We use the collected personal data strictly for the following purposes:
- Identity Verification: To verify your identity or the authenticity of your documents as requested by our Client. This includes using your information and biometrics to confirm that you are who you claim to be, and that your ID documents are legitimate. For example, we compare your live selfie to the photo on your ID and check the document security features. This step is fundamental to KYC and KYB processes.
- Compliance with KYC/AML Laws: To help our Clients meet their legal obligations under “Know Your Customer,” “Know Your Business,” anti-money laundering, counter-terrorist financing, and related regulations. For instance, financial institutions are required by law to verify identities and retain certain information. We use your data to generate a verification report and outcome that our Client (e.g., a bank or fintech company) uses to satisfy these regulatory requirements. We may also use your data to screen against sanctions or watchlists as required by law. Your personal information collected through the verification process will be used solely for these compliance and verification purposes.
- Fraud Prevention and Security: To detect and prevent fraud, identity theft, or other malicious activity. We analyze the data (including device information, biometric cues, and behavioral signals) to identify potential fraud patterns or inconsistencies. For example, we may detect if an ID has been tampered with or if the same device is attempting multiple verifications under different names. By analyzing verification data in aggregate, we can flag suspicious activities (such as commonly used fake IDs or known fraud rings). This helps protect both you and our Clients from fraud losses.
- Service Delivery: To perform the service our Client has engaged us for, which includes processing your data to generate a verification result and sharing that result with the Client. We use your data to produce outputs like a verified identity confirmation, a score or recommendation, and an audit trail of the verification. We also may use your contact data to communicate with you during the process (for example, sending you a verification link or status updates, or notifying you of any issues with the documents you submitted).
- Service Improvement and Development: To develop, train, and improve Bynn’s identity verification and fraud detection technologies. We may use some personal data (including biometric data) to refine our algorithms, for quality assurance, and to enhance the accuracy and speed of our Services. For instance, we might use a collection of anonymized or pseudonymized facial images to improve our face recognition software’s ability to distinguish live persons from photos. Any such processing is done in accordance with applicable law (for example, under GDPR, we rely on legitimate interest or a substantial public interest in fraud prevention, and under certain laws we obtain consent as needed for biometrics). Whenever possible, we use aggregated or de-identified data for these improvement purposes to minimize privacy impact.
- Legal Obligations and Protection: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests. For example, we may retain and use certain data to fulfill financial regulations that require record-keeping of verifications for a minimum time. We may also disclose data as required to respond to subpoenas or similar legal processes. Additionally, we may use and preserve data as necessary to investigate or resolve disputes, enforce our terms and agreements, establish or exercise our legal rights, or defend against legal claims. This includes using data to investigate illegal activities or violations (e.g., misuse of our services, or providing fraudulent information) and cooperating with law enforcement when legally obligated.
- Communication and Support: To communicate with you or our Client about the verification process or provide support. For instance, if you reach out with a question or exercise your privacy rights, we will use your contact info to respond. We may also send confirmations once your identity has been verified or request additional info if needed to complete the process. We do not send marketing communications to end-users whose data we obtained purely for verification, and you will not be subscribed to any marketing lists by Bynn as a result of undergoing identity verification (unless you separately opt-in).
- Anonymized Analytics: We may use data in an aggregated and anonymized form to generate useful insights about our services. For example, we might compile statistics on how many verifications result in approved vs. denied outcomes, or trends in fraud attempts, and use these reports for internal analysis or industry reporting. These analytics will not identify any individual and are used to understand and improve our business operations.
We will not use your personal information for purposes that are incompatible with those above without notifying you and obtaining any necessary consent. Importantly, we do not use or share your personal data for third-party marketing or advertising purposes. We also do not engage in any “selling” of personal data as defined under applicable law (see “California Privacy Rights” below).
Legal Bases for Processing (GDPR and UK GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar laws, we process your personal data only when we have a valid legal basis to do so. Depending on the context, the legal bases we rely on include:
- Performance of a Contract: Processing is necessary to fulfill a contract you have entered, or to take steps at your request before entering a contract (GDPR Art. 6(1)(b)). For example, when you actively sign up for a service that uses Bynn for identity verification, verifying your identity might be part of that service’s user agreement or terms. In such cases, we process your data to deliver the verification service you requested as part of fulfilling that contract.
- Compliance with a Legal Obligation: Processing is necessary for us or our Client to comply with laws and regulations (GDPR Art. 6(1)(c)). This is a primary basis for KYC/AML data processing. Our Clients (such as financial institutions) often have legal obligations to verify customer identities and monitor for fraud or crime. Bynn assists in meeting these obligations; for instance, collecting and retaining certain personal data to comply with anti-money laundering laws. Similarly, if we are required by law to retain data or disclose it to authorities, we rely on this basis.
- Legitimate Interests: Processing is necessary for our or a third party’s legitimate interests, except where overridden by your data protection rights (GDPR Art. 6(1)(f)). We process certain data for the legitimate interests of fraud prevention, security, and improving our services. For example, it’s in our legitimate interest (and that of our Clients and the public) to verify identities to prevent fraud and illicit activities. We also have a legitimate interest in improving our verification technology by analyzing data (in a privacy-conscious way) to make our services more effective. When we rely on this basis, we consider and balance any potential impact on your rights – for instance, we implement measures to protect your privacy, like data minimization and strict access controls, to ensure our interests do not unfairly impact you.
- Consent: In some cases, we will ask for your consent to process personal data (GDPR Art. 6(1)(a), and Art. 9(2)(a) for special categories like biometric data). For example, certain jurisdictions (including several U.S. states) require that we obtain your explicit consent to collect or use your biometric identifiers (like your facial scan) – we will present a consent request or notice in those cases, and proceed only if you consent. Additionally, if you are not legally obligated to undergo verification but choose to, that action may be considered consent to process your data for the verification purpose. Where we rely on consent, you have the right to withdraw it at any time (see “Your Rights” below), and we will stop the processing going forward. Note that if you withdraw consent for processing that is essential to providing our service (e.g. biometric comparison), it may prevent us from completing the verification.
- Substantial Public Interest: In certain instances of processing special categories of data (like biometric data or criminal check information) for purposes such as preventing fraud or complying with AML laws, we may rely on provisions of law that deem such processing in the substantial public interest (GDPR Art. 9(2)(g)). For example, European member state laws implementing AML directives consider identity verification and fraud prevention as tasks carried out in the public interest. This legal basis might apply in lieu of consent for processing biometrics strictly to prevent fraud or verify identity in regulated sectors. Where applicable, we ensure all conditions required by law for this basis are met.
- Vital Interests: It is highly unlikely, but if processing your data were necessary to protect someone’s life or prevent serious harm (GDPR Art. 6(1)(d)), we could rely on this basis. This would only apply in extreme emergency situations (for example, if we received information during verification that indicates an immediate threat to someone’s safety).
We will always identify the appropriate basis before processing your data. If you have questions about the legal basis for a particular processing activity, you can contact us at privacy@bynn.com for more information. In cases where Bynn acts as a processor for a Client, the Client is responsible for ensuring a valid legal basis exists (we assist them in that compliance). Bynn’s processing in those cases is governed by our contract with the Client (the data processing agreement), which ensures we only process data under the Client’s lawful instructions.
How We Share Personal Data
We do not sell your personal information to anyone. However, in order to fulfill the purposes described, we may share or disclose your data to the following categories of recipients:
- Client (Business Requesting Verification): We share the results and details of your verification with the company or organization that requested it, since they have a direct relationship with you. For example, if you are verifying your identity to open an account with a bank, that bank will receive the outcome of the verification (e.g., verified or not, and relevant data points or documents). We may transmit to the Client the data you provided and our analysis (such as the verified identity data, copies of your documents, and any fraud flags or scores). The Client will use this information in accordance with their own privacy policy to onboard you or comply with law. Important: Our Clients are generally independent data controllers of the information we share with them, meaning they have their own legal responsibilities to protect your data. If you have questions about how a particular Client uses your data, you should review that Client’s privacy policy.
- Service Providers and Sub-Processors: We use trusted third-party service providers to help us deliver, support, and improve our Services. These include:
  - Cloud Hosting and Storage: We host our platform and store data on third-party cloud services such as Amazon Web Services (AWS). For instance, personal data (including your documents and videos) may be stored in AWS data centers. AWS acts under our instructions and implements stringent security measures; it cannot access or use your data except as needed to store and retrieve it for us.
  - Biometric and Identity Verification Partners: We may rely on specialized vendors for tasks like document authenticity checks, liveness detection, or biometric matching algorithms. For example, a third-party AI service might assist in verifying that your ID is genuine by analyzing security features, or confirm that a selfie is live. These parties process data on our behalf and are bound by strict confidentiality and data protection obligations.
  - Communication and Support Tools: We may use email delivery services or SMS gateways to send verification links or codes to you, or customer support software to manage inquiries. These tools might incidentally process your contact info or message content in the course of providing their service to us.
  - Analytics and Monitoring: Services that help us monitor the reliability and security of our platform (e.g., services detecting anomalies or outages) may process some technical data from user interactions.
In all cases, service providers are only given the minimum data necessary and are contractually prohibited from using your information for anything other than the specified purpose. We perform due diligence to ensure our vendors meet high data protection standards.
- Business Partners or Contractors: In certain cases, we may share data with partner companies or independent contractors that are directly involved in performing the verification services. For instance, if a verification requires a manual review by trained reviewers, those reviewers (who might be contractor personnel) will access your data for that purpose. They operate under Bynn’s control and only as authorized. We might also share information with a partner if we jointly provide a service (for example, if Bynn’s technology is integrated into a partner’s identity platform, data might flow between us and that partner to complete the process). Such sharing will be disclosed to you at the time of verification if applicable.
- Affiliates: If Bynn Intelligence Inc. has affiliate or subsidiary companies (under common ownership or control), we may share your data with them to support the verification services or for corporate compliance. For example, if Bynn establishes a data center or support team in another country under a local subsidiary, your data might be accessed or processed by that entity on behalf of Bynn. Any affiliate will uphold the same privacy commitments as Bynn.
- Fraud Prevention Agencies and Databases: To the extent permitted by law, we may share certain information with fraud prevention services or receive information from them. For example, once your identity is verified, we might report a “verified identity” token or anonymized hash to a consortium database to help others know that an ID was verified (or to flag if it was associated with fraud). Conversely, if fraud is detected (e.g., someone attempted identity theft), we could share identifying elements (like a device fingerprint or phone number) with fraud monitoring networks to prevent future abuse. Any such sharing is done in the interest of preventing fraud and only with reputable industry partners, and in compliance with applicable law (for instance, under GDPR this might occur under legitimate interest for fraud prevention).
- Law Enforcement and Regulatory Authorities: We may disclose personal data to courts, law enforcement, regulators, government agencies or other competent authorities when we have a good-faith belief that such disclosure is required by law or is reasonably necessary to: (i) comply with a legal obligation, process, or request (such as a subpoena, court order, or examination by a financial regulator); (ii) enforce our terms and investigate potential violations; (iii) detect, prevent, or address fraud, security, or technical issues; or (iv) protect our rights, property, or safety or those of our users, Clients, or the public. We will only disclose the minimum amount of information necessary and, when feasible, will inform you of such disclosures if legally allowed.
- Professional Advisors: We may share data with our professional advisors (lawyers, accountants, auditors, insurance providers) on a need-to-know basis. For example, our auditors may review how we handle personal data as part of a security audit, or our legal counsel might review specific data in case of litigation or regulatory inquiries. These parties are bound to confidentiality and will only use the information to provide their services to us.
- Business Transfers: If Bynn is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be transferred to a successor or affiliate as part of that transaction. For example, if another company acquires Bynn or its assets, personal data held by Bynn may be one of the transferred assets so that the service can continue. In such a case, we will ensure the recipient agrees to handle your personal data in accordance with this Privacy Notice or notify you and obtain consent if required by law.
- Aggregated or Anonymized Data: We may share information that has been anonymized or aggregated (so you are not identifiable) for any legitimate business purpose. For instance, we might publish reports or insights about identity verification trends, fraud rates, or verification success rates using aggregated data from many users. This data does not identify any individual and is not considered personal data.
No Selling of Personal Data: We do not sell your personal information to third parties for monetary or other valuable consideration. We also do not “share” your personal information for cross-context behavioral advertising as defined under California law. Any data transfers we engage in are solely for the purposes stated above (verification, compliance, fraud prevention, service provision, etc.), not for others’ marketing use. If this ever changes, we will update this Notice and provide required opt-out mechanisms, but currently, your data is only used to provide and improve our Services, not to target you with ads.
Service Providers’ Locations: Some of the third parties with whom we share data (including our own servers) may be located outside of your country (see “International Data Transfers” below for details on how we safeguard such transfers). Notably, our primary data hosting (AWS) may be in the United States or other regions depending on the service architecture, which means your data might be transferred to or accessed from those locations.
Except as outlined above, Bynn will not disclose your personal data to any third party without your consent, unless we believe in good faith that it’s legally required or permitted. If we ever need to share your data in a manner not covered by this Notice, we will seek your consent when required by law.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations, or as otherwise instructed by our Clients. Once the retention period expires, we will securely delete or anonymize your data.
Our retention practices consider the following: the volume, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure; the purposes of processing; our ability to achieve those purposes through other means; and the applicable legal requirements for retention.
General Retention Periods: In many identity verification scenarios, we adhere to industry-standard retention timelines. Typically, for end-user verification data processed on behalf of our Clients, we retain personal data in our active systems for a short period (e.g., up to 90 days) after the verification is completed, to allow our Client to retrieve results and address any immediate follow-up. After this active period, data may be moved to secure archival storage for a limited number of years (commonly up to 5 years). Bynn follows industry practice in line with regulatory guidance. Archival retention helps our Clients meet obligations (such as audit requirements) and allows us to refer back in case of disputes or repeat verifications. After the archival period (e.g., 5 years), personal data is permanently deleted from our systems unless a longer retention is required by law or explicitly authorized.
Legal and Compliance Requirements: Certain laws mandate minimum retention periods for KYC/AML data. For instance, financial institutions in many jurisdictions must retain identity verification records for 5 years or more after an account is closed or a transaction is made, to comply with anti-money laundering regulations. In such cases, our Clients may require that we hold the data available for that duration. We will retain the data to satisfy these legal obligations on their behalf. Additionally, if a law enforcement inquiry, litigation, or investigation is ongoing, we may preserve relevant data until it is resolved, even if this extends beyond our standard period. We also retain records as needed to demonstrate compliance with privacy laws (e.g., proofs of consent or processing activities) or other laws. Once those obligations lapse, we proceed with deletion.
Biometric Data Retention: We limit the retention of biometric identifiers (such as facial recognition data) in accordance with applicable biometric privacy laws. By default, Bynn will permanently delete or anonymize biometric data once the initial purpose for collecting it has been satisfied and verification is complete, and in no case later than five (5) years from your last interaction with our service, whichever comes first, unless a shorter period is required by law. For example, the Illinois Biometric Information Privacy Act (BIPA) requires destruction of biometrics when the purpose is fulfilled or within 3 years of the individual’s last interaction, and we abide by this. If you are a Texas resident, Texas law may require a shorter retention (currently, Texas law mandates deletion of biometric identifiers within a reasonable time, not to exceed 1 year after the purpose is fulfilled), and we will comply with that stricter timeline for Texas residents. We maintain internal schedules to ensure biometric data is purged in a timely manner. (Note: In many cases, the biometric templates we create are deleted much sooner, once the verification decision is made, and we retain only non-biometric evidence, like the ID document copy, for regulatory reasons.)
Client-Directed Deletion: When Bynn acts as a data processor, we are guided by our Client’s instructions regarding retention. Our Clients may instruct us to delete your data from our systems at a specific time (for example, once they have downloaded the verification results). Upon such instruction or upon termination of our contract with a Client, we will delete the personal data we process on that Client’s behalf, as required. If a Client requests deletion of an individual’s data, we will honor that promptly. We also offer our enterprise Clients configurable retention settings; if a Client chooses a shorter retention period for their data in our service, we will apply that (prospectively) to their verification data. We confirm deletion by removing the data from our databases and storage (including backups, following the backup retention schedule). Bynn employs a robust deletion process upon client instruction, to ensure data is fully expunged when required.
Anonymized Data: In some cases, rather than deleting data entirely, we may anonymize it (irreversibly strip personal identifiers) so that it no longer constitutes personal data. We might do this to retain certain verification statistics or to improve our algorithms without retaining any personally identifiable information. Once anonymized, we may retain such data indefinitely since it bears no relation to an identifiable individual.
After the applicable retention period has ended, and absent any ongoing legitimate need (like a legal hold), we will securely erase or destroy your personal data. This may involve permanent deletion from our servers and instructing any third parties who are processing data on our behalf to do the same. We take care to prevent any unauthorized access or use of data during the deletion process.
If you believe we are retaining your personal information longer than necessary, or if you have specific requests regarding deletion, you have the right to request erasure (see “Your Rights” below). We will review such requests in line with our legal obligations. Keep in mind that if your data is held on behalf of a Client, we may refer your deletion request to the relevant Client or obtain their authorization, as we cannot delete data that the Client is required to keep.
International Data Transfers
Bynn is a company that may process data globally. The personal data we collect from you may be transferred to, stored in, or accessed from servers and facilities located in countries different from your own. In particular, if you are located outside the United States, be aware that we may transfer or store your personal data in the United States (where Bynn is headquartered) or other jurisdictions. Likewise, if you are in the EU or UK, your data might be processed in the US or other countries outside the European Economic Area (EEA).
For example, our primary infrastructure is based on Amazon Web Services (AWS), and while we strive to use regional data centers closest to our users or Clients (e.g., EU data may be stored in AWS Europe region), it’s possible that some data will be transferred to the U.S. for processing. Additionally, some of our support or engineering team may access data remotely from different countries (strictly on a need-to-know basis).
Data Protection Abroad: Different countries have different data protection laws, some providing more protection than others. When we transfer personal data internationally, we take steps to ensure that an adequate level of protection travels with your data. If you are in the EEA, UK, or Switzerland, we will rely on appropriate legal mechanisms for data transfers. These may include:
- Adequacy Decisions: Where applicable, we may transfer data to countries that have been officially recognized by the European Commission or UK authorities as providing an adequate level of data protection equivalent to EU/UK law. (For example, if using an AWS data center in a country deemed “adequate”).
- Standard Contractual Clauses (SCCs): For transfers to our service providers or Bynn affiliates in countries without an adequacy finding (such as the US), we use the European Commission’s approved Standard Contractual Clauses (and the UK’s International Data Transfer Addendum, as needed) in our contracts. These clauses contractually bind the recipient to protect the personal data to EU GDPR standards. Bynn has entered into Data Processing Agreements including SCCs with our relevant vendors (like AWS) to cover onward transfers.
- Additional Safeguards: In some cases, we implement supplementary measures on top of SCCs, such as encryption of data in transit and at rest, strict access controls, and policies to handle government data requests, to further protect the data when it’s overseas. We also continuously monitor developments in law and guidance (e.g., after the Schrems II decision) to ensure our transfer practices remain compliant.
- Binding Corporate Rules or Certifications: While Bynn does not currently have Binding Corporate Rules, we may consider such mechanisms as our company grows internationally. We also note that our major subprocessors like AWS comply with various international standards and frameworks.
If you would like to know more about our international transfer safeguards or obtain a copy of the SCCs, you can contact us at privacy@bynn.com. In any case, we ensure that your personal data will be protected in line with this Privacy Notice no matter where it is processed. We have a global data protection program and train our employees to handle data securely across borders.
Keep in mind that your participation in the identity verification process typically involves a transfer of your data to us (since we operate in the US). By providing your information or using our services, where allowed by law, you acknowledge that your data may be transferred to and processed in the US and other jurisdictions as described. We will request any required consent for international transfers if mandated by your local law.
Data Security Measures
We take the security of personal data very seriously. Bynn has implemented a variety of technical and organizational security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption: Personal data is encrypted during transmission over networks (using HTTPS/TLS encryption) and at rest in our databases or cloud storage. For example, documents and biometric data are stored in encrypted form on AWS servers.
- Access Controls: Access to personal data is restricted on a least-privileged basis. Only authorized personnel with a legitimate need (for example, a support engineer investigating an issue, or a verification specialist reviewing documents) can access your data, and even then, only the minimum necessary. All staff handling sensitive data are bound by confidentiality obligations. We use authentication, role-based access, and monitoring to prevent unauthorized access.
- Network & Application Security: We maintain firewalls and intrusion detection systems to guard our network. We perform regular security testing, including vulnerability assessments and penetration tests on our applications, to identify and fix potential weaknesses. Our software development follows secure coding practices.
- Audit Logging: Actions taken with personal data (like viewing or modifying a record) are logged. This accountability helps us detect any inappropriate access and provides a trail for forensic analysis if needed.
- Physical Security: Our cloud data centers (such as AWS) employ robust physical security controls (e.g., 24/7 surveillance, biometric access controls, secured perimeters). Within our offices, if any personal data is stored or accessible, we secure our devices and premises to prevent unauthorized viewing or theft (though as a practice, we avoid local storage of personal data on employee devices).
- Training and Policies: We regularly train our employees and contractors on data privacy and security best practices. We have internal policies regarding how to handle personal data, report security incidents, and ensure privacy compliance.
- Third-Party Security: We carefully vet our service providers for strong security practices. We require them to implement appropriate security measures and we monitor their compliance, requesting certifications or audit reports (like SOC 2, ISO 27001) where relevant.
- Incident Response: We have an incident response plan for handling potential data breaches or security incidents. In the unlikely event of a data breach affecting your personal data, we will promptly notify the affected Clients and individuals as required by law, and take necessary steps to mitigate the damage.
While we strive to protect your information, it’s important to note that no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. For example, there is always some risk that an unauthorized third party could find a way to thwart our security (perhaps through a zero-day vulnerability). You should also play a role in keeping your data secure: protect any verification links or one-time codes we send you, and be mindful of using secure networks when uploading sensitive documents.
Limitation of Security Liability: Bynn uses commercially reasonable efforts and industry best practices to safeguard personal data. However, except where prohibited by law, we will not be liable for any unauthorized access or loss of personal data that is beyond our control. For instance, we are not responsible if you provide your verification link to others or if a vulnerability in your own device or network (such as malware) compromises your data. We also cannot guarantee against force majeure events (extreme events outside our control, like major cyberattacks by state actors). We maintain liability insurance and will honor all legal responsibilities, but we ask you to understand the inherent risks of digital services.
If you believe your data may have been compromised or have any security-related questions, please contact us immediately at privacy@bynn.com. We will work with you and, if needed, law enforcement to address any issue.
Biometric Data
Scope of Biometric Data: Bynn’s identity verification service may involve the collection and processing of biometric identifiers or biometric information as defined under certain laws (for example, Illinois’ BIPA defines “biometric identifiers” to include scans of face geometry). In our context, biometric data primarily refers to the unique measurements and templates derived from your facial images. We obtain this data by analyzing the photograph on your government ID and the live selfie or video you provide. The facial recognition algorithm creates a mathematical representation of your face (a biometric template) to compare the two images and confirm a match. We may also capture other biometric indicators during liveness detection (e.g., eye blink patterns, reflections) solely to ensure the person is real. We do not collect fingerprints, DNA, retinal scans, or other biometrics; and we do not use your data to identify you in unrelated databases (our facial recognition is 1:1 matching between your selfie and your ID photo, not 1:many against a gallery).
Purpose of Biometric Processing: We use biometric data exclusively for identity verification, fraud prevention, and compliance purposes. The biometric comparison of your selfie to your ID photo is used to authenticate your identity and prevent someone else from impersonating you. We may also use the biometric data to prevent fraud by checking it against our internal fraud database (for example, ensuring the same biometric hasn’t been used with different identities fraudulently). We do not use biometric information for any other purpose such as marketing, profiling unrelated to fraud, or determining personal characteristics beyond identity. Biometric data will not be sold, leased, or otherwise disclosed to third parties except as needed to perform our services or as required by law. For instance, we may share the biometric match result or related data with the Client who requested the verification and with our secure biometric processing vendors (as described in “How We Share Personal Data”), but we will not allow any third party to use your biometric data for their own purposes.
Consent and Notice: In jurisdictions that require it, we will obtain your consent for biometric data collection and processing. For example, if you are an Illinois resident (where BIPA applies) or in another location with biometric privacy laws, you will be presented with a consent disclosure (either by Bynn or by our Client on our behalf) explaining why biometric data is being collected and how it will be used, retained, and destroyed. By proceeding with the biometric aspect of the verification (e.g., taking a selfie and clicking “Continue”), you provide your explicit consent to our collection, use, and storage of your biometric data for identity verification purposes. If you do not consent, you may have alternative verification options (like manual processes, if offered by the Client), but Bynn’s automated service will not proceed without required consent. We also facilitate any written release requirements under state laws: this Privacy Notice along with on-screen prompts are intended to serve as your written release for Bynn to collect and use your biometrics for the stated purposes.
Storage and Protection: Biometric data is stored securely using encryption and with restricted access. We treat biometric identifiers as highly sensitive information. They are stored on Amazon AWS servers with robust security. Access to raw biometric data (like facial templates or images) is limited to essential processes and personnel. Even within Bynn, we typically retain the raw images and do not necessarily store the computed biometric template longer than needed for the comparison – often, the template is held in memory for matching and then discarded, with only the images retained for audit. We also implement measures to prevent inadvertent disclosure (for example, images are watermarked or tagged to prevent misuse).
Retention and Deletion: As noted in “Data Retention”, Bynn will not retain biometric data longer than necessary to accomplish its verification purpose, and in compliance with applicable law. By default, once your identity verification is completed and sufficient time has passed for any necessary audits or re-checks, we either delete the biometric data or store it in an irreversibly transformed way. In any event, for U.S. residents, we will permanently destroy your biometric identifiers within 3 years of your last interaction with our Services, if not earlier. For certain states: Illinois – we interpret completion of purpose or 3-year rule strictly, and Texas – we aim to delete within 1 year of purpose fulfillment (unless otherwise required). If our Client requests a shorter retention or immediate deletion of biometrics after verification, we honor that.
Your Rights Over Biometric Data: You may have specific rights regarding biometric information. For instance, Illinois BIPA grants individuals the right to sue for certain biometric privacy violations. We are committed to complying with all such laws so that you should never need to resort to that. You also have general data access and deletion rights (see “Your Privacy Rights” below) that extend to biometric info. If you want to confirm whether we have biometric data about you, or request its deletion, you can contact us. Note that if we processed your biometric data on behalf of a Client, we may refer you to the Client as required by law, but we will assist in facilitating any legitimate request.
No Profit from Biometrics: We do not sell, rent, or trade biometric data. We do not profit from your biometric identifiers in any way apart from using them to provide our contracted service (identity verification). Any sharing of biometric data is only with service providers or the requesting Client as described, and not for independent commercial use.
By including this section, we aim to be transparent and compliant regarding biometric data, addressing requirements such as those found in Illinois, Texas, Washington, and other jurisdictions with biometric privacy laws. If you have further questions about our biometric data practices, please contact us at privacy@bynn.com.
Your Privacy Rights
You have several rights regarding the personal data that we hold about you, subject to applicable laws. We strive to give you appropriate control over your information. These rights may include:
- Right to Access: You have the right to request confirmation of whether we are processing your personal data and, if so, to request a copy of the data and to learn details about how we process it. This is sometimes called a “Data Subject Access Request.” We will provide you with a copy of the personal data we have about you, in a common digital format, subject to some exceptions (for example, we may not include data that would reveal information about another individual or proprietary assessments that are protected by law). For California residents, this includes the right to request the categories of personal information we have collected and shared about you, and the specific pieces of information collected.
- Right to Rectification (Correction): If any of your personal data that we have is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, if you realize the name or address in our records is spelled wrong, you can ask us to fix it. We may need to verify the correct information or check with the source (such as our Client) to ensure accuracy.
- Right to Deletion: You can request that we delete your personal data in certain circumstances. This is sometimes called the “Right to be Forgotten.” We will honor deletion requests provided we do not have a legal obligation or other valid reason to retain the data. For example, if we processed your data on behalf of a financial institution, they might need to keep records for regulatory reasons, which could prevent immediate deletion. We will inform you if that is the case. When we delete data, we will also direct our service providers to delete the data.
- Right to Restrict Processing: You have the right to request that we limit the processing of your data in certain situations – for instance, if you contest the accuracy of the data or have objected to processing (see below) and we are evaluating the request, or if processing is unlawful and you prefer restriction over deletion. When processing is restricted, we will continue to store your data but not use it further until the issue is resolved.
- Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (or another applicable basis) and you have a particular situation that makes you want to object. You also have an absolute right to object to use of your data for direct marketing, but as noted, we do not use your data for direct marketing. If you object to processing used for fraud prevention or service improvement (legitimate interests), we will consider your objection and whether our interests in processing override your rights and freedoms. If you have a compelling reason, we will cease the processing. Where applicable laws provide, you may also object to automated decision-making, including profiling, if such processing produces legal or similarly significant effects on you. In Bynn’s case, while our verification uses automated algorithms, decisions like denying a verification are typically reviewed by our Clients, not solely by us; nevertheless, you can object to purely automated processing and request human review.
- Right to Data Portability: To the extent required by law, you have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another entity. For example, you could request us to provide your verification data in a JSON or CSV file. Where technically feasible, you can also ask that we send this data directly to another organization, if our systems allow it. Note this right applies to data processed by us by automated means, where the processing is based on your consent or the performance of a contract (which might be a narrower scope in our context).
- Right to Withdraw Consent: If we process any personal data based on your consent, you have the right to withdraw that consent at any time. For example, if you consented to biometric processing but later change your mind, you can withdraw consent by contacting us (or in some cases, by not completing the verification). However, withdrawing consent will not affect the lawfulness of any processing we already performed before your withdrawal. Also, if you withdraw consent, we might have to terminate the verification or related service that relied on it. We will inform you if that is the case.
- Right to Non-Discrimination: Bynn will not discriminate against you for exercising any of your privacy rights. This means we won’t deny you the use of our service, charge you different prices, or provide a different level of quality just because you exercised a right under CCPA or other law (beyond what is permitted – e.g., if deletion of data prevents us from providing the service, that is a consequence of deletion, not a discriminatory action). We do not offer financial incentives in exchange for your data, so this is not applicable.
- Right to Appeal: If we decline to take action on a rights request (for example, we cannot delete data due to a legal obligation, or we find a request unfounded), certain laws (such as in some U.S. states like Virginia) allow you to appeal our decision. We will inform you if we do not fulfill a request and give you instructions on how to appeal. Typically, you can initiate an appeal by contacting us again and stating that you are appealing our decision. A higher authority within our privacy team will review the case. If the appeal is denied, you may have the right to contact your state Attorney General or relevant authority.
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or handled your data unlawfully, you have the right to complain to a supervisory authority. For EU residents, this would be your country’s Data Protection Authority (DPA). For UK residents, the Information Commissioner’s Office (ICO). For California residents, you can contact the California Privacy Protection Agency (CPPA) or the California Attorney General. We would appreciate the chance to address your concerns directly first, so we encourage you to contact us so we can try to resolve any issue.
Exercising Your Rights: To exercise the rights described above, please contact us by email at privacy@bynn.com. Please clearly state your request – for example, “I request access to my personal data” or “Please delete my data” – and include the following information for verification purposes: your full name, the email or phone number you used during the verification, the date or context of the verification (e.g., which Client/service you were signing up for), and any other info that may help us locate your records. We may need to verify your identity before acting on your request, to ensure we do not give your data to the wrong person. We might ask you to provide additional information or answer some verification questions (but we will never ask for new sensitive information just to handle a request – mainly we may reference data we already have, for confirmation).
If your personal data was provided to us by a Client and we process it on their behalf, we may refer your request to that Client (the data controller). For example, if you ask Bynn to delete data that we processed for a certain bank, we may need to alert the bank so they can also delete their copy and confirm no legal need to retain. In many cases, we can directly handle the request, but please understand if we redirect you to the Client – it’s often because the Client needs to authorize the change (especially for deletion or access in regulated industries). We will cooperate with our Clients to ensure your rights are respected.
Response Timing: We aim to respond to privacy rights requests as quickly as possible, typically within 30 days. If we need more time (for example, your request is complex or we have a high volume of requests), we will inform you of the reason and extension period (an additional 30 or 60 days, as permitted). For CCPA requests, we strive to confirm receipt within 10 business days and provide a substantive response within 45 calendar days. If we cannot fulfill your request, we will explain why (unless we are legally prevented from doing so).
California Privacy Rights (CCPA/CPRA): If you are a California resident, in addition to the rights above (many of which overlap), you have the right to request: (1) the categories of personal information we have collected about you in the last 12 months, the categories of sources of that information, the business or commercial purpose for collecting it, the categories of third parties with whom we shared it, and for certain categories, the categories of information sold or disclosed; (2) the specific pieces of personal information collected about you (data portability); (3) deletion of your personal information; (4) correction of inaccurate personal information; and (5) to opt-out of the “sale” or “sharing” of your personal information (if applicable). Bynn does not sell personal information and does not share it for cross-context advertising, so there is no need to opt-out on that front. If that ever changes, we will provide a “Do Not Sell or Share” link on our website. You also have the right to not be discriminated against for exercising your CCPA rights. This Privacy Notice is intended to provide the disclosures required by CCPA, including the categories of data (see “Personal Data We Collect”), the purposes (see “How We Use”), and the sharing of data (see “How We Share”). For ease: in the last 12 months, we have collected identifiers (like name, email, government IDs), customer records information (like account info and documents), biometric information (facial data), internet or electronic activity (device and usage data), geolocation data, professional or employment information (if you provided it for KYB), and inferences (fraud indicators). We collect these from you or our Clients, and from verification sources, and use them for the purposes stated above. We disclose these categories to our service providers and Clients (business purpose disclosures) but have not sold them.
California residents may contact us at privacy@bynn.com to exercise their rights, or via any webform/number we provide. If you have an authorized agent making a request on your behalf, we will require proof of authorization and still take steps to verify your identity indirectly. For minors under 16, we do not sell data, so no opt-in is required.
For residents of other U.S. states, which have their own privacy laws effective or upcoming, we aim to provide you with similar rights to access, correct, delete, and opt-out of certain processing (like targeted advertising or sale, which we do not do). You can exercise these rights in the same manner described above.
If you want to unsubscribe from any Bynn marketing emails (for example, if you visited our website and signed up for newsletters), you can click the “unsubscribe” link in those emails or contact us. Note that this Privacy Notice primarily concerns verification services data; we handle marketing communications, which are minimal, separately.
Finally, if you have any issues with how we handled your request or need further assistance, reach out to us. We are committed to respecting your rights and will make every effort to address your concerns thoroughly and promptly.
Children’s Privacy
Bynn’s services are not directed to children under the age of 13, and we do not knowingly collect personal information from children in this age group. Identity verification is typically required for adults (for example, to open a bank account you generally must be 18 or older). In some cases, a minor above 13 but under the age of majority (18 in most jurisdictions, 16 in some) may go through a verification – for instance, verifying age for age-restricted products or if parental consent is being verified. In those scenarios, our Client is responsible for obtaining any necessary parental consent, and we treat the minor’s data with heightened protection. If we need to process personal data of a child under 16 in the context of providing our service, we will ensure compliance with COPPA (Children’s Online Privacy Protection Act) and applicable laws, which may involve obtaining verifiable parental consent via our Client or directly.
If you are a parent or guardian and believe that a child under 13 (or under 16 in certain jurisdictions) has provided personal data to Bynn without proper consent, please contact us at privacy@bynn.com. We will take steps to promptly delete such data from our records. We do not use children’s data for any marketing or profiling purposes.
In instances of age verification, we may collect a date of birth to confirm someone is above a required age (e.g., 18+). We consider those using our verification for age attestation to be doing so with appropriate consent and understanding if they are minors (e.g., a 16-year-old verifying for a social media platform might require a parent’s approval per the platform’s policy, but Bynn as a processor would simply verify the provided info).
We reiterate: our Services are intended for use by adults or by minors under adult supervision/consent as required. We do not intentionally invite or allow children under 13 to use our identity verification independently.
Changes to this Privacy Notice
We may update or modify this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will change the “Last Updated” date at the top of this Notice. If the changes are significant, we may also provide a more prominent notice or seek consent as required by law. For example, for any substantial changes affecting how we use biometric data or share information, we will notify our Clients and/or users (via our website or during the verification process) and obtain re-consent if needed.
We encourage you to review this Privacy Notice periodically to stay informed about how we protect your personal data. If you continue to use our Services or submit information after an updated Privacy Notice comes into effect, it indicates that you have read and understood the current version of the Notice.
In the event of any conflict between this Privacy Notice and any prior privacy policy or notice, the terms of this Privacy Notice will prevail. We keep historical versions of this Notice archived and can provide them upon request for your reference.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Notice or our data practices, please contact us:
Email: privacy@bynn.com
Mailing Address:
Bynn Intelligence Inc.
Attn: Privacy Officer
2261 Market Street STE 22340
San Francisco, CA 94114
USA
We will gladly assist with inquiries about your personal data, privacy preferences, or any issues you wish to discuss. For security and privacy reasons, we may need to verify your identity before disclosing or modifying any information in response to a request.
Disclaimer and Limitation of Liability: This Privacy Notice is for your general information and does not create any contractual rights or obligations above and beyond what data protection law mandates. While Bynn is committed to safeguarding your personal data, we do not guarantee that our services will be error-free or completely secure against every threat. To the fullest extent permitted by law, Bynn Intelligence Inc. and its affiliates, officers, employees, and agents shall not be liable for any indirect, incidental, special, consequential or punitive damages, or any loss of data, revenue, or profit, arising out of or in connection with the use of your personal data or our Services, even if we have been advised of the possibility of such damages. In jurisdictions that do not allow the exclusion or limitation of certain liabilities, our liability will be limited to the maximum extent permitted by applicable law. We are also not responsible for the privacy practices or content of any third-party websites or services that are outside of our control, including our Clients’ websites – if you submit information to a third party, such processing is governed by their privacy policy. Nothing in this disclaimer is intended to limit any of your rights under law; if any part of this limitation is found invalid, it will be severed to the narrowest extent to comply with law.
By using Bynn’s identity verification Services, you acknowledge and accept the practices and terms outlined in this Privacy Notice, including the collection and use of your data and the limitations of liability stated. If you do not agree, please refrain from using our Services. We appreciate your trust in Bynn to verify identities securely and privately, and we will continue to work hard to maintain that trust.