Duckcheck Privacy Policy
Last Updated: 9 June 2025
1. Introduction
Welcome to Duckcheck! We provide secure identity verification and onboarding solutions for businesses in the cryptocurrency, healthcare technology, and e-commerce sectors. Your privacy matters to us. We believe in transparency, trust, and responsible data handling. This Privacy Policy explains how we collect, use, share, and protect your personal data when you interact with our website (www.duckcheck.com) or use our identity verification services.
2. Purpose of This Privacy Policy
This policy is designed to help you understand:
- What personal data we collect.
- How and why we process your data.
- Your rights under applicable data protection laws.
- How we protect your information.
It applies to all users of www.duckcheck.com and clients who use our B2B identity verification services.
3. Who We Are
Duckcheck Technology Company Ltd. is a leading provider of identity verification and onboarding solutions, empowering businesses in the crypto, health-tech, and commerce sectors to securely and efficiently verify identities. Our services include KYC-as-a-service, offering secure document verification, liveness detection, biometric matching, and AML screening through proprietary tools and integrations.
Website: www.duckcheck.com
Email: privacy@duckcheck.com
4. Our Role as Data Controller and Processor
Duckcheck takes its responsibilities under data protection laws very seriously. Our role in processing your data depends on how you interact with us:
- As a data processor: We process data on behalf of our B2B clients to provide identity verification and onboarding services. In this scenario, our client is the primary data controller, determining the purposes and means of processing your personal data, and we act strictly on their instructions and our contractual agreement with them.
- As a data controller: We collect data directly from our website visitors (e.g., via cookies for analytics) and for our internal business operations (e.g., managing client accounts, billing, direct marketing where you have consented).
We comply with key global data protection laws, including:
- The General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA).
- The UK Data Protection Act 2018 (UK DPA 2018) for individuals in the United Kingdom.
- The Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA) for individuals in Nigeria.
- Kenya's Data Protection Act for individuals in Kenya.
- South Africa's Protection of Personal Information Act (POPIA) for individuals in South Africa.
- The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), for California residents in the USA.
5. What Personal Data We Collect
We adhere to the principle of data minimisation, collecting and processing only the personal data that is necessary for the intended purpose. The types of data we may collect include:
Identification Data:
- Scans or images of government-issued identification documents (e.g., passports, national ID cards, driver's licenses, residence permits).
- Information contained within these documents such as your full name, date of birth, gender, nationality, document number, and issuing authority.
Biometric Data:
- Facial images and video frames are captured during the verification process for liveness detection and biometric matching.
- As this is considered 'special category data' under GDPR/UK DPA and 'sensitive personal information' under CCPA/CPRA, we apply enhanced security measures and rely on explicit consent or a substantial public interest basis for its processing, always in compliance with applicable law.
Technical Data:
- IP addresses, browser type, device type, and operating system.
- Session activity, timestamps, and inferred location (derived from IP address, not precise geolocation).
Business Client Data:
- Contact details of authorised representatives (e.g., name, business email, phone number, job title).
- Company name, registration number, business sector, and billing information.
AML/Compliance Data:
- Information obtained from trusted third-party providers by screening against Politically Exposed Persons (PEP) lists, sanctions lists, and adverse media databases.
Marketing Preferences:
- If you subscribe to our updates or newsletters, we collect your name and email address to send you relevant information.
6. How We Collect Your Data
We collect data in three main ways:
- Directly from you: When you interact with our website or use our Services, for instance, by directly uploading documents or completing verification steps through a Duckcheck interface.
- Through our B2B clients: Our primary mode of data collection is when our business clients integrate our services into their platforms. In these cases, our clients securely transmit the data to Duckcheck for processing according to our service agreements.
- From third-party sources: Such as trusted AML databases, identity validation providers, and government registers, to perform necessary checks and corroborate information.
- Automatically via Technology: We automatically collect certain technical information (e.g., IP address, device data) through our systems and integrations to ensure the security, functionality, and performance of our Services. For information on cookies, please refer to our separate Cookie Policy.
7. Legal Basis for Processing Your Data
We process your personal data only when we have a valid legal basis, as required by applicable data protection laws. The specific legal grounds we rely on include:
- Consent: When you voluntarily provide data or explicitly agree to specific uses (e.g., for certain biometric processing where required by law, or for marketing communications). You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Contractual necessity: To deliver our services to our business clients (under our agreements with them) and to individuals directly where there is a contract in place (e.g., for website usage terms or direct service agreements).
- Legal obligation: To meet our obligations under anti-money laundering (AML), fraud prevention, counter-terrorist financing, or other regulatory compliance duties (e.g., record-keeping requirements).
- Legitimate interests: To improve services, ensure the security and integrity of our platform, and support our business operations, provided these interests do not override your fundamental rights and freedoms. Our legitimate interests include preventing fraud and enhancing the security of our services (benefiting both Duckcheck and our clients), analysing service usage to improve functionality, and managing our internal business operations.
8. How We Use Your Data
We use your data primarily to provide our identity verification and onboarding Services to our business clients and to maintain the security and functionality of our platform:
- Verify identity and perform KYC (Know Your Customer) checks: To confirm your identity and the authenticity of your documents.
- Conduct liveness detection and biometric matching: To ensure the person undergoing verification is present and alive, and to match their face with their identification documents.
- Screen for AML risks, fraud, and compliance: To perform checks against PEP lists, sanctions lists, and adverse media to prevent financial crimes and ensure regulatory adherence.
- Monitor security logs and maintain service integrity: To detect and prevent unauthorised access, cyber threats, and ensure the reliable operation of our Services.
- Communicate with you or provide support: To respond to inquiries from our business clients and to diagnose and resolve technical issues.
- Service improvement and optimisation: To analyse usage patterns and develop enhancements to our Services. This may involve anonymised or aggregated data.
We ensure that any profiling conducted is strictly limited to these purposes (identity verification, fraud prevention, and AML compliance) and is not used for marketing or other commercial profiling activities unrelated to identity or fraud prevention.
9. Automated Decision-Making & Profiling
Duckcheck employs automated processing, including profiling, as an integral part of its identity verification and AML screening services. This allows for fast, efficient, and consistent decisions.
Logic Involved:
Our automated systems analyse the data you provide (e.g., identity document details, facial biometrics, liveness checks, and AML screening results) against predefined criteria, regulatory requirements, and fraud detection patterns. This involves:
- Cross-referencing data points for consistency and authenticity.
- Applying algorithms to detect anomalies or signs of fraud.
- Comparing facial biometrics for matching and liveness.
- Screening against comprehensive AML databases.
Significance:
The automated decisions are crucial for determining whether an identity verification is successful and whether an individual meets the compliance requirements set by our business clients (e.g., whether they are clear for onboarding, not on a sanctions list). A negative outcome might result in a rejection of the verification attempt by our client, preventing you from accessing their services.
Your Rights:
Where automated decision-making produces legal or similarly significant effects concerning you, you have specific rights:
- You have the right to request human intervention in the automated decision.
- You can express your point of view and provide additional information relevant to the decision.
- You can contest the decision if you believe it was made in error.
In most cases, the ultimate decision regarding your access to our client's services rests with our business client, who acts as the primary data controller. If you wish to exercise your rights regarding an automated decision, we recommend contacting our client first, as they are best placed to address your specific situation and will coordinate with us as necessary.
10. Data Sharing and Transfers
We share your personal data only when necessary to provide our Services, comply with legal obligations, or with your consent. We implement strict safeguards to ensure your data remains protected. We may share your data with:
Our Business Clients:
We share the results of verification processes with our business clients, who act as data controllers. Our processing of this data is strictly governed by Data Processing Agreements with them, ensuring they meet their own data protection obligations.
Trusted Sub-processors:
We engage carefully vetted third-party service providers (sub-processors) to assist us in delivering our Services. These include:
- Cloud Hosting Providers: Such as Amazon Web Services (AWS) or Google Cloud Platform, for secure storage and processing of data in ISO 27001-certified data centres.
- Specialised Verification Tools: Providers for advanced liveness detection, document authentication, or biometric matching (e.g., equivalents of Cognito, Jumio for specific features).
- AML/PEP/Sanctions Database Providers: For comprehensive risk screening (e.g., ComplyAdvantage equivalents).
- Analytics Providers: For understanding service usage and improvement (using anonymised or aggregated data where possible).
- Payment Processors: For billing our B2B clients.
All our sub-processors are bound by strict data processing agreements to ensure they meet our high standards for data protection and security.
Regulators and Law Enforcement:
We may disclose your personal data if required to do so by law, court order, or governmental regulation, or if we believe such action is necessary to comply with legal processes, protect our rights or property, or ensure the safety of our users or the public.
Other Disclosures:
- Vendors: Other service providers who perform functions on our behalf under strict data processing agreements (e.g., IT support, auditing).
- Intra-group sharing: If Duckcheck operates as part of a larger corporate group, personal data may be shared with affiliated entities for internal administrative purposes, provided appropriate safeguards are in place (e.g., Binding Corporate Rules where applicable).
11. International Data Transfers
Where your personal data is transferred outside your jurisdiction (e.g., from the UK or EU to the US, or from African regions to other countries), we use appropriate safeguards to ensure your data receives an adequate level of protection, in compliance with applicable data protection laws. These safeguards may include:
- Standard Contractual Clauses (SCCs): Implementing the European Commission's (or UK's) Standard Contractual Clauses for transfers to countries not deemed to provide an adequate level of protection.
- Data Privacy Framework (DPF): Relying on mechanisms such as the EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, or the Swiss-US Data Privacy Framework, where applicable, provided the recipient is DPF-certified.
- Binding Corporate Rules (BCRs): For intra-group transfers, if applicable.
- Technical and organisational measures: Implementing robust technical and organisational security measures in conjunction with legal transfer mechanisms to ensure data security.
- Consent: In specific circumstances where none of the above safeguards are applicable, we may rely on your explicit consent for international data transfers, ensuring you are fully informed of the risks associated with such transfers.
12. How Long We Keep Your Data
We retain data only for as long as needed to fulfil the purpose it was collected for, as required to meet legal or regulatory obligations, or for the establishment, exercise, or defence of legal claims. Duckcheck is a non-custodial service provider and does not store sensitive documents or biometric data longer than strictly necessary.
Default Retention Periods:
- Verification Data (Documents, Biometrics, Liveness Checks): Typically, this data is deleted within 30 days of the completion of the verification process, but may be retained for up to 90 days depending on specific client contractual requirements (e.g., for their internal audit or regulatory compliance needs) or if legally mandated.
- AML Screening Results: Data related to AML checks (e.g., PEP/Sanctions screening results, adverse media checks) may be retained for longer periods as required by AML regulations (e.g., 5-7 years) to demonstrate ongoing compliance.
- Audit Logs and Transaction Records: Technical logs and records of verification attempts are retained for security, auditing, and troubleshooting purposes for up to 2 years, or longer if legally required.
- Client Company Information: Retained for the duration of our business relationship and for a period thereafter as required for legal, tax, or accounting purposes.
Lawful Basis for Extensions:
We may retain data for longer periods if:
- Required by law or regulation (e.g., anti-money laundering laws).
- Necessary for the establishment, exercise, or defence of legal claims.
- You have given your explicit consent for a longer retention period.
Anonymised or Aggregated Data: Anonymised or aggregated data, which cannot identify you, may be retained indefinitely for analytics, service improvement, and statistical purposes.
Right to Request Deletion: You can request deletion of your personal data at any time, subject to applicable regulations and our legal and operational retention requirements. Please see the "Your Rights" section for more details.
13. Your Rights Under Applicable Law
Duckcheck respects your privacy rights and provides mechanisms for you to exercise control over your personal data. The specific rights available to you may vary depending on your location and applicable data protection laws.
General Data Protection Regulation (GDPR) and UK DPA 2018 Rights (for individuals in the EEA and UK):
- Right to access: You have the right to request a copy of the personal data we hold about you.
- Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure ("Right to be Forgotten"): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing. This right is not absolute and applies in certain circumstances.
- Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain situations (e.g., if you contest the accuracy of the data, if the processing is unlawful but you oppose erasure).
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.
- Right to object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Rights in Relation to Automated Decision-Making and Profiling: You have the right to object to automated decision-making and request human intervention, as explained in Section 9.
California Consumer Privacy Act (CCPA/CPRA) Rights (for California residents):
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which it is collected, the purposes for collecting or selling/sharing it, and the categories of third parties to whom we disclose it.
- Right to Delete: You have the right to request the deletion of personal information that we have collected from you, subject to certain exceptions.
- Right to Correct Inaccurate Personal Information: You have the right to request the correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing: Duckcheck does not "sell" or "share" personal information as defined by the CCPA/CPRA for cross-context behavioural advertising.
- Right to Limit Use and Disclosure of Sensitive Personal Information: Duckcheck only uses Sensitive Personal Information as necessary to perform the Services requested by our clients, and does not use or disclose it for purposes requiring an opt-out right under CPRA.
- Right to Non-Retaliation: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.
African Privacy Laws Rights (e.g., NDPR, POPIA, Kenya DPA):
- Nigeria Data Protection Regulation (NDPR) / Act (NDPA): Rights include the right to know what data is collected, the right to request rectification, the right to withdraw consent, the right to object to processing, and the right to seek judicial remedy.
- South Africa's Protection of Personal Information Act (POPIA): Rights include the right to access personal information, request correction or deletion, object to processing for legitimate interests or direct marketing, and complain to the Information Regulator.
- Kenya's Data Protection Act: Rights include the right to be informed, right of access, right to object to processing, right to rectification, and right to erasure.
How to Exercise Your Rights:
Please note: If we are processing your data on behalf of one of our business clients (i.e., Duckcheck is the data processor), you should direct your privacy rights requests to that client first, as they are the primary data controller and are responsible for responding to your requests. They will then coordinate with us as necessary.
If Duckcheck is acting as a data controller (e.g., for data collected directly from our website visitors or for client company information), you can exercise your rights by contacting us at privacy@duckcheck.com.
Please provide sufficient information to allow us to verify your identity and understand your request. We will respond to your request in accordance with applicable data protection laws.
Right to Lodge a Complaint:
You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes applicable data protection laws.
- For individuals in the EEA, you can find the contact details of your local Data Protection Authority here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- For individuals in the UK, you can contact the Information Commissioner's Office (ICO): https://ico.org.uk/
- For individuals in Nigeria, you can contact the Nigerian Data Protection Commission (NDPC). More information can be found at their website: ndpc.gov.ng
- For individuals in South Africa, you can contact the Information Regulator. More information on lodging a complaint can be found here: https://inforegulator.org.za/complaints/
- For individuals in Kenya, you can contact the Office of the Data Protection Commissioner (ODPC). More information on lodging a complaint can be found here: https://www.odpc.go.ke/file-lodge-a-complaint/
14. How We Protect Your Data
Your data security is a top priority at Duckcheck. We implement robust technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data transmitted to and from Duckcheck is protected using industry-standard encryption protocols (e.g., TLS/SSL). Data stored at rest is also encrypted (e.g., AES-256).
- Access Controls: Strict access controls and multi-factor authentication (MFA) are in place, limiting access to personal data only to authorised personnel who have a legitimate need to access it for their job functions. Access is regularly reviewed and revoked when no longer required.
- Secure Data Hosting: We utilise highly secure cloud infrastructure providers (e.g., AWS) that adhere to stringent security certifications, including ISO 27001.
- Data Minimisation: We collect and retain only the minimum amount of personal data necessary to achieve the stated purposes.
- Pseudonymisation/Anonymisation: Where feasible and appropriate, we employ pseudonymisation or anonymisation techniques to reduce the identifiability of data while allowing for analytics and service improvement.
- Regular Security Audits and Penetration Testing: We conduct regular independent security audits, vulnerability scanning, and third-party penetration testing to identify and address potential security weaknesses.
- Employee Training: All Duckcheck employees receive regular and mandatory training on data privacy, security best practices, and our internal policies.
- Incident Response Plan: We maintain a comprehensive incident response plan to promptly detect, respond to, and mitigate any potential data breaches in accordance with legal requirements.
- Secure Disposal: When data is no longer required, it is securely and permanently deleted from our systems.
15. Children's Privacy
Duckcheck's Services are not intended for individuals under the age of 16 (or the equivalent local age of digital consent). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under this age, we will take immediate steps to delete such information from our records. If you believe we may have collected data from a child under this age, please contact us at privacy@duckcheck.com.
16. Third-Party Links and Integrations
Our website and Services may contain links to or integrations with third-party websites, applications, or services (e.g., specific AML providers or payment gateways). This Privacy Policy applies only to Duckcheck's Services. We are not responsible for the privacy practices, content, or security of these third parties. We encourage you to review the privacy policies of any third-party services you interact with before providing any personal data.
17. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make significant changes, we will:
- Revise the "Last Updated" date at the top of this Policy.
- Notify you of material changes through prominent notices on our website or via email (if applicable and appropriate), prior to the change becoming effective.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
18. Contact Us
Have questions, concerns, or requests regarding this Privacy Policy or our data processing practices? Please reach out to our Privacy Team:
Email: privacy@duckcheck.com
We are committed to working with you to obtain a fair resolution of any complaint or concern regarding your privacy.
For information on cookies, please refer to our Cookie Policy.
Thank you for trusting Duckcheck. We are committed to upholding your privacy.
This policy is designed to meet global data protection standards and local regulatory obligations.