Privacy Policy
RCDevs YumiPass Privacy Policy
This Privacy Policy explains how RCDevs YumiPass (“Yumipass”, “we”, “us” or “our”) processes personal data in connection with its digital identity verification, authentication and identity evidence platform.
Yumipass enables organizations to verify the identity of individuals remotely using official identity documents, NFC checks, biometric checks, liveness detection, technical metadata and audit evidence.
This Privacy Policy applies to:
- end users who complete an identity verification through Yumipass;
- administrators and users of customer organizations;
- customer representatives and business contacts;
- prospects, website visitors and support contacts;
- partners and integration contacts.
This Privacy Policy should be read together with our Cookie Policy, where applicable.
01
Who is responsible for processing your data?
Depending on the context, Yumipass may act either as a processor or as a controller.
1.1 Processing on behalf of Yumipass customers
Where Yumipass provides its platform to a customer organization so that the customer can verify the identity of its own users, employees, customers, signatories or other individuals, the customer generally acts as the controller.
In that case, the customer decides:
- why the identity verification is required;
- which individuals are subject to verification;
- which verification checks are enabled;
- which documents are accepted;
- how results are used;
- how long evidence is retained;
- whether the result affects access to a service, account recovery, authentication, onboarding or signature workflows.
Yumipass generally acts as a processor, processing personal data on behalf of and under the documented instructions of the customer.
1.2 Processing by Yumipass for its own purposes
Yumipass may act as a controller for certain processing activities carried out for its own purposes, including:
- management of Yumipass customer accounts;
- platform administration;
- security and fraud prevention;
- technical logging;
- legal and regulatory compliance;
- billing;
- customer support;
- business communications;
- service improvement, where Yumipass determines the purposes and essential means of the processing.
02
Contact details
Controller / Company:RCDevs Identity
1 Boulevard du Jazz
4370 Esch-sur-Alzette
Luxembourg
Privacy contact: privacy@yumipass.com
03
Personal data we process
The categories of personal data processed depend on the customer configuration, the use case and the verification policy selected.
3.1 Identity data
Yumipass may process identity data such as:
- first name;
- last name;
- date of birth;
- nationality;
- country of issuance;
- information appearing on an official identity document.
3.2 Document data
Yumipass may process document-related data such as:
- type of identity document;
- document number;
- issuing country;
- issue date;
- expiry date;
- document images;
- data extracted by OCR;
- data read from the NFC chip, where available;
- cryptographic verification results;
- document authenticity results.
3.3 Biometric data
Yumipass may process biometric-related data, including:
- selfie image;
- facial image extracted from the identity document;
- technical representations used for facial comparison;
- face match results;
- biometric matching scores;
- liveness detection results;
- anti-spoofing indicators.
Biometric data may qualify as a special category of personal data under Article 9 GDPR where processed for the purpose of uniquely identifying or authenticating an individual.
3.4 Technical data
Yumipass may process technical data such as:
- IP address;
- device identifiers;
- session identifiers;
- operating system;
- browser type;
- mobile device information;
- logs;
- timestamps;
- security metadata;
- error reports;
- audit trails.
3.5 Administrator and customer account data
For customer representatives and administrators, Yumipass may process:
- name;
- professional email address;
- organization;
- role;
- access rights;
- login history;
- actions performed in the administration console;
- support requests;
- billing-related information.
3.6 Proof Package data
Depending on the customer configuration, the Proof Package may include:
- transaction identifier;
- timestamps;
- OCR results;
- NFC results;
- biometric results;
- liveness results;
- decision status;
- audit metadata;
- technical logs;
- evidence required for traceability.
The verification result may include statuses such as:
- Approved;
- Rejected;
- Review Required.
04
Purposes of processing
Yumipass processes personal data for the following purposes.
4.1 Identity verification
Yumipass may process data to:
- verify the identity of an individual remotely;
- check the validity of an identity document;
- detect altered, forged or manipulated documents;
- verify data extracted from the document;
- read and verify NFC data, where available;
- compare the user’s face with the document photo;
- detect presentation attacks, spoofing or deepfake attempts;
- generate a verification result.
4.2 Authentication and account security
Yumipass may be used to:
- authenticate a user;
- strengthen authentication;
- perform step-up authentication;
- support account recovery;
- support password reset;
- support MFA recovery;
- secure sensitive transactions;
- verify identity before granting access to a system.
4.3 Electronic signature and identity evidence
Yumipass may be used before or alongside electronic signature processes to:
- verify the identity of a signatory;
- generate identity evidence;
- associate identity evidence with a signing workflow;
- strengthen the evidentiary value of a digital transaction.
Unless expressly stated otherwise, Yumipass is not a qualified trust service provider under the eIDAS Regulation.
4.4 Platform administration
Yumipass processes data to:
- create and manage tenants;
- administer customer accounts;
- configure verification policies;
- manage access rights;
- operate APIs;
- provide support;
- maintain and improve the platform.
4.5 Security, fraud prevention and compliance
Yumipass processes data to:
- prevent unauthorized access;
- detect misuse or abuse;
- monitor security events;
- investigate incidents;
- maintain audit trails;
- enforce contractual rights;
- comply with legal obligations.
05
Legal bases
Where Yumipass acts as a processor, the legal basis for processing is determined by the customer acting as controller.
Depending on the use case, the customer may rely on:
- performance of a contract;
- compliance with a legal obligation;
- legitimate interests;
- consent;
- another appropriate legal basis under applicable law.
Where biometric data is processed and qualifies as a special category of personal data under Article 9 GDPR, the customer must also identify an appropriate Article 9 condition.
Where Yumipass acts as a controller, the legal bases may include:
| Purpose | Possible legal basis |
|---|---|
| Customer account administration | Contract performance or legitimate interests |
| Platform security | Legitimate interests |
| Fraud prevention | Legitimate interests or legal obligation |
| Customer support | Contract performance |
| Billing | Contract performance or legal obligation |
| Business communications | Legitimate interests or consent, depending on the case |
| Legal compliance | Legal obligation |
| Establishment or defence of legal claims | Legitimate interests or legal claims |
06
Recipients of personal data
Personal data may be accessed by the following categories of recipients, strictly on a need-to-know basis:
- authorized Yumipass personnel;
- authorized customer personnel;
- hosting providers;
- security providers;
- technical service providers;
- support providers;
- analytics or monitoring providers, where applicable;
- legal, accounting or compliance advisers;
- public authorities, courts or regulators where legally required.
Yumipass does not sell end-user personal data.
07
Sub-processors
Yumipass may use sub-processors to provide hosting, infrastructure, support, security, monitoring, communication, maintenance or other services necessary to operate the platform.
Where Yumipass acts as a processor, the use of sub-processors is governed by the applicable Data Processing Agreement.
The list of sub-processors is available at:
[link to sub-processor list]
08
International transfers
Personal data is primarily hosted and processed in:
European Union / Luxembourg
Where personal data is transferred outside the European Economic Area, Yumipass implements appropriate safeguards, such as:
- adequacy decisions;
- Standard Contractual Clauses;
- supplementary technical and organizational measures;
- encryption;
- access controls;
- data minimization.
Details of applicable international transfers are provided in the relevant customer agreement, DPA or sub-processor list.
09
Data retention
Retention periods depend on the customer configuration, the applicable contract and the relevant legal requirements.
Where Yumipass acts as a processor, retention periods are generally determined by the customer acting as controller. Yumipass applies the retention settings configured by the customer or agreed in the applicable contract.
As a default configuration, and unless otherwise agreed with the customer, Yumipass may apply the following indicative retention periods:
| Data category | Indicative retention period |
|---|---|
| Identity verification data | 90 days after completion of the verification process |
| Proof Package | 5 years after completion of the verification process |
| Biometric data used for face matching and liveness checks | Deleted immediately after the verification result is generated, or within 24 hours at the latest, unless a longer period is configured by the customer and legally justified |
| Selfie and document facial image | 90 days after completion of the verification process, unless earlier deletion is configured |
| Document images | 90 days after completion of the verification process, unless longer retention is required by the customer’s legal obligations |
| OCR-extracted identity data | 90 days after completion of the verification process, unless included in the Proof Package |
| NFC data and NFC verification results | 90 days after completion of the verification process, unless included in the Proof Package |
| Verification result — Approved, Rejected, Review Required | 5 years after completion of the verification process |
| Technical logs | 12 months |
| Security logs and audit trails | 12 to 24 months, depending on security requirements |
| Administrator account data | Duration of the customer agreement, then up to 5 years for evidence and limitation purposes |
| Customer contract and billing data | 10 years where required for accounting and tax purposes |
| Support data | 3 years after closure of the support request |
| Business contact and prospect data | 3 years from the last active contact |
| Cookie consent records | 6 months to 13 months, depending on the consent management configuration |
Yumipass may retain certain data for a longer period where required to comply with legal obligations, resolve disputes, enforce contractual rights, prevent fraud, ensure platform security or establish, exercise or defend legal claims.
Where data is no longer required, Yumipass deletes, anonymizes or archives it in accordance with applicable retention settings and legal requirements.
For biometric data, Yumipass applies a data minimization approach. Biometric data should be retained only for the period strictly necessary to perform the relevant verification, unless the customer determines and documents a longer retention period based on a valid legal basis and an applicable Article 9 GDPR condition.
10
Security
Yumipass implements technical and organizational measures designed to protect personal data, including:
- encryption in transit;
- encryption at rest;
- access controls;
- role-based permissions;
- strong authentication for administrative access;
- tenant separation;
- logging and monitoring;
- security event detection;
- vulnerability management;
- backups;
- incident response procedures;
- internal access limitation;
- deletion or anonymization mechanisms.
The exact security measures may depend on the service plan, configuration and contractual arrangements.
11
Automated decisions
Yumipass may generate a verification result, such as:
- Approved;
- Rejected;
- Review Required.
Depending on the customer’s configuration, this result may be used automatically or reviewed by a human operator.
Where a result has legal or similarly significant effects on an individual, the customer is responsible for ensuring that the use of the result complies with applicable rules on automated decision-making, transparency, contestation and human intervention.
12
Your rights
Depending on the circumstances and applicable law, individuals may have the following rights:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to object;
- right to data portability;
- right to withdraw consent, where processing is based on consent;
- right to lodge a complaint with a supervisory authority.
Where Yumipass acts as a processor, requests relating to personal data should generally be addressed to the customer acting as controller.
Yumipass will reasonably assist the customer in responding to such requests in accordance with the applicable DPA.
Privacy contact : privacy@yumipass.com
13
Complaints
Individuals may lodge a complaint with their competent data protection authority.
Where applicable, individuals located in France may contact the CNIL. Individuals in other EU/EEA countries may contact their local supervisory authority.
14
Changes to this Privacy Policy
Yumipass may update this Privacy Policy from time to time to reflect legal, technical or operational changes.
The version published at the time of consultation is the applicable version.