Legal

Data Protection Policy

last updated: 2026-07-02 · operated by sk21.tech

This policy describes the technical and organizational measures behind the privacy claims on our landing page. It applies to all verification data processed by PrivateKYCBot (operated by SK21.TECH) and is reflected in the data processing agreement (DPA) we sign with every Customer.

1. Roles

The company requesting a verification is the data controller; PrivateKYCBot is the data processor and acts only on the controller's documented instructions. data-controller: you · processor: privatekycbot

2. Data we process

We collect the minimum the configured flow requires — nothing else (data minimization).

3. Core guarantees

4. Retention & deletion

Retention is configured per flow by the controller:retention: 0d | 30d | 90d → auto-purge. Zero-day means media passes through to the controller's pipeline and is purged as soon as delivery is confirmed. When any window closes, media and PII are deleted automatically. Data-subject deletion and export are first-class operations (DELETE /api/subjects/:id → purged + receipt) and we assist controllers with data-subject requests without undue delay.

5. Security measures

6. Sub-processors

We use a small set of infrastructure sub-processors: Google Cloud (hosting), Cloudflare (CDN/DNS), and the messaging platforms chosen by the end user (Telegram,WhatsApp/Meta) for message delivery. Controllers are notified before we add or replace sub-processors that touch verification data.

7. International transfers

Where verification data crosses borders, transfers rely on appropriate safeguards (such as the EU Standard Contractual Clauses) as set out in the Customer's DPA.

8. Breach notification

We notify affected controllers of a personal data breach without undue delay after becoming aware of it, with the information needed for their own regulatory notifications (for GDPR controllers, supporting their 72-hour obligation).

9. Contact

Data protection contact:[email protected]. A signed DPA, the current sub-processor list, and security documentation are available to Customers on request.