Privacy Policy

RCDevs YumiPass Privacy Policy

This Privacy Policy explains how RCDevs YumiPass (“Yumipass”, “we”, “us” or “our”) processes personal data in connection with its digital identity verification, authentication and identity evidence platform.

Yumipass enables organizations to verify the identity of individuals remotely using official identity documents, NFC checks, biometric checks, liveness detection, technical metadata and audit evidence.

This Privacy Policy applies to:

  • end users who complete an identity verification through Yumipass;
  • administrators and users of customer organizations;
  • customer representatives and business contacts;
  • prospects, website visitors and support contacts;
  • partners and integration contacts.

This Privacy Policy should be read together with our Cookie Policy, where applicable.

01

Who is responsible for processing your data?

Depending on the context, Yumipass may act either as a processor or as a controller.

1.1 Processing on behalf of Yumipass customers

Where Yumipass provides its platform to a customer organization so that the customer can verify the identity of its own users, employees, customers, signatories or other individuals, the customer generally acts as the controller.

In that case, the customer decides:

  • why the identity verification is required;
  • which individuals are subject to verification;
  • which verification checks are enabled;
  • which documents are accepted;
  • how results are used;
  • how long evidence is retained;
  • whether the result affects access to a service, account recovery, authentication, onboarding or signature workflows.

Yumipass generally acts as a processor, processing personal data on behalf of and under the documented instructions of the customer.

1.2 Processing by Yumipass for its own purposes

Yumipass may act as a controller for certain processing activities carried out for its own purposes, including:

  • management of Yumipass customer accounts;
  • platform administration;
  • security and fraud prevention;
  • technical logging;
  • legal and regulatory compliance;
  • billing;
  • customer support;
  • business communications;
  • service improvement, where Yumipass determines the purposes and essential means of the processing.

02

Contact details

Controller / Company:
RCDevs Identity
1 Boulevard du Jazz
4370 Esch-sur-Alzette
Luxembourg

Privacy contact: privacy@yumipass.com

03

Personal data we process

The categories of personal data processed depend on the customer configuration, the use case and the verification policy selected.

3.1 Identity data

Yumipass may process identity data such as:

    • first name;
    • last name;
    • date of birth;
    • nationality;
    • country of issuance;
    • information appearing on an official identity document.
3.2 Document data
  • Yumipass may process document-related data such as:

    • type of identity document;
    • document number;
    • issuing country;
    • issue date;
    • expiry date;
    • document images;
    • data extracted by OCR;
    • data read from the NFC chip, where available;
    • cryptographic verification results;
    • document authenticity results.
3.3 Biometric data

Yumipass may process biometric-related data, including:

  • selfie image;
  • facial image extracted from the identity document;
  • technical representations used for facial comparison;
  • face match results;
  • biometric matching scores;
  • liveness detection results;
  • anti-spoofing indicators.

Biometric data may qualify as a special category of personal data under Article 9 GDPR where processed for the purpose of uniquely identifying or authenticating an individual.

3.4 Technical data

Yumipass may process technical data such as:

  • IP address;
  • device identifiers;
  • session identifiers;
  • operating system;
  • browser type;
  • mobile device information;
  • logs;
  • timestamps;
  • security metadata;
  • error reports;
  • audit trails.
3.5 Administrator and customer account data

For customer representatives and administrators, Yumipass may process:

  • name;
  • professional email address;
  • organization;
  • role;
  • access rights;
  • login history;
  • actions performed in the administration console;
  • support requests;
  • billing-related information.
3.6 Proof Package data

Depending on the customer configuration, the Proof Package may include:

  • transaction identifier;
  • timestamps;
  • OCR results;
  • NFC results;
  • biometric results;
  • liveness results;
  • decision status;
  • audit metadata;
  • technical logs;
  • evidence required for traceability.

The verification result may include statuses such as:

  • Approved;
  • Rejected;
  • Review Required.

04

Purposes of processing

Yumipass processes personal data for the following purposes.

4.1 Identity verification

Yumipass may process data to:

  • verify the identity of an individual remotely;
  • check the validity of an identity document;
  • detect altered, forged or manipulated documents;
  • verify data extracted from the document;
  • read and verify NFC data, where available;
  • compare the user’s face with the document photo;
  • detect presentation attacks, spoofing or deepfake attempts;
  • generate a verification result.
4.2 Authentication and account security

Yumipass may be used to:

  • authenticate a user;
  • strengthen authentication;
  • perform step-up authentication;
  • support account recovery;
  • support password reset;
  • support MFA recovery;
  • secure sensitive transactions;
  • verify identity before granting access to a system.
4.3 Electronic signature and identity evidence

Yumipass may be used before or alongside electronic signature processes to:

  • verify the identity of a signatory;
  • generate identity evidence;
  • associate identity evidence with a signing workflow;
  • strengthen the evidentiary value of a digital transaction.

Unless expressly stated otherwise, Yumipass is not a qualified trust service provider under the eIDAS Regulation.

4.4 Platform administration

Yumipass processes data to:

  • create and manage tenants;
  • administer customer accounts;
  • configure verification policies;
  • manage access rights;
  • operate APIs;
  • provide support;
  • maintain and improve the platform.
4.5 Security, fraud prevention and compliance

Yumipass processes data to:

  • prevent unauthorized access;
  • detect misuse or abuse;
  • monitor security events;
  • investigate incidents;
  • maintain audit trails;
  • enforce contractual rights;
  • comply with legal obligations.

05

Legal bases

Where Yumipass acts as a processor, the legal basis for processing is determined by the customer acting as controller.

Depending on the use case, the customer may rely on:

  • performance of a contract;
  • compliance with a legal obligation;
  • legitimate interests;
  • consent;
  • another appropriate legal basis under applicable law.

Where biometric data is processed and qualifies as a special category of personal data under Article 9 GDPR, the customer must also identify an appropriate Article 9 condition.

Where Yumipass acts as a controller, the legal bases may include:

PurposePossible legal basis
Customer account administrationContract performance or legitimate interests
Platform securityLegitimate interests
Fraud preventionLegitimate interests or legal obligation
Customer supportContract performance
BillingContract performance or legal obligation
Business communicationsLegitimate interests or consent, depending on the case
Legal complianceLegal obligation
Establishment or defence of legal claimsLegitimate interests or legal claims

06

Recipients of personal data

Personal data may be accessed by the following categories of recipients, strictly on a need-to-know basis:

  • authorized Yumipass personnel;
  • authorized customer personnel;
  • hosting providers;
  • security providers;
  • technical service providers;
  • support providers;
  • analytics or monitoring providers, where applicable;
  • legal, accounting or compliance advisers;
  • public authorities, courts or regulators where legally required.

Yumipass does not sell end-user personal data.

07

Sub-processors

Yumipass may use sub-processors to provide hosting, infrastructure, support, security, monitoring, communication, maintenance or other services necessary to operate the platform.

Where Yumipass acts as a processor, the use of sub-processors is governed by the applicable Data Processing Agreement.

The list of sub-processors is available at:

[link to sub-processor list]

08

International transfers

Personal data is primarily hosted and processed in:
European Union / Luxembourg

Where personal data is transferred outside the European Economic Area, Yumipass implements appropriate safeguards, such as:

  • adequacy decisions;
  • Standard Contractual Clauses;
  • supplementary technical and organizational measures;
  • encryption;
  • access controls;
  • data minimization.

Details of applicable international transfers are provided in the relevant customer agreement, DPA or sub-processor list.

09

Data retention

Retention periods depend on the customer configuration, the applicable contract and the relevant legal requirements.

Where Yumipass acts as a processor, retention periods are generally determined by the customer acting as controller. Yumipass applies the retention settings configured by the customer or agreed in the applicable contract.

As a default configuration, and unless otherwise agreed with the customer, Yumipass may apply the following indicative retention periods:

Data categoryIndicative retention period
Identity verification data90 days after completion of the verification process
Proof Package5 years after completion of the verification process
Biometric data used for face matching and liveness checksDeleted immediately after the verification result is generated, or within 24 hours at the latest, unless a longer period is configured by the customer and legally justified
Selfie and document facial image90 days after completion of the verification process, unless earlier deletion is configured
Document images90 days after completion of the verification process, unless longer retention is required by the customer’s legal obligations
OCR-extracted identity data90 days after completion of the verification process, unless included in the Proof Package
NFC data and NFC verification results90 days after completion of the verification process, unless included in the Proof Package
Verification result — Approved, Rejected, Review Required5 years after completion of the verification process
Technical logs12 months
Security logs and audit trails12 to 24 months, depending on security requirements
Administrator account dataDuration of the customer agreement, then up to 5 years for evidence and limitation purposes
Customer contract and billing data10 years where required for accounting and tax purposes
Support data3 years after closure of the support request
Business contact and prospect data3 years from the last active contact
Cookie consent records6 months to 13 months, depending on the consent management configuration

Yumipass may retain certain data for a longer period where required to comply with legal obligations, resolve disputes, enforce contractual rights, prevent fraud, ensure platform security or establish, exercise or defend legal claims.

Where data is no longer required, Yumipass deletes, anonymizes or archives it in accordance with applicable retention settings and legal requirements.

For biometric data, Yumipass applies a data minimization approach. Biometric data should be retained only for the period strictly necessary to perform the relevant verification, unless the customer determines and documents a longer retention period based on a valid legal basis and an applicable Article 9 GDPR condition.

10

Security

Yumipass implements technical and organizational measures designed to protect personal data, including:

  • encryption in transit;
  • encryption at rest;
  • access controls;
  • role-based permissions;
  • strong authentication for administrative access;
  • tenant separation;
  • logging and monitoring;
  • security event detection;
  • vulnerability management;
  • backups;
  • incident response procedures;
  • internal access limitation;
  • deletion or anonymization mechanisms.

The exact security measures may depend on the service plan, configuration and contractual arrangements.

11

Automated decisions

Yumipass may generate a verification result, such as:

  • Approved;
  • Rejected;
  • Review Required.

Depending on the customer’s configuration, this result may be used automatically or reviewed by a human operator.

Where a result has legal or similarly significant effects on an individual, the customer is responsible for ensuring that the use of the result complies with applicable rules on automated decision-making, transparency, contestation and human intervention.

12

Your rights

Depending on the circumstances and applicable law, individuals may have the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to object;
  • right to data portability;
  • right to withdraw consent, where processing is based on consent;
  • right to lodge a complaint with a supervisory authority.

Where Yumipass acts as a processor, requests relating to personal data should generally be addressed to the customer acting as controller.

Yumipass will reasonably assist the customer in responding to such requests in accordance with the applicable DPA.

Privacy contact : privacy@yumipass.com

13

Complaints

Individuals may lodge a complaint with their competent data protection authority.

Where applicable, individuals located in France may contact the CNIL. Individuals in other EU/EEA countries may contact their local supervisory authority.

14

Changes to this Privacy Policy

Yumipass may update this Privacy Policy from time to time to reflect legal, technical or operational changes.

The version published at the time of consultation is the applicable version.