Privacy Policy

Personal Data Collected from Users and Site Visitors

The Personal Data we collect depends on how you interact with us, the services you use, and the choices you make.

“Personal Data” refers to any information associated with an identified or identifiable individual, which can include data that you provide to us, and that we collect about you during your interaction with our services (such as device information, IP address, etc.).

We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Information you provide directly. We collect Personal Data you provide to us.

• Email Address. To set up a Skyfire account, you must provide us with an email address.

• Payment information. If you make a purchase, we collect credit card numbers, financial account information, and other payment details. In that process, we may also collect name and contact details such as postal address, and phone number.

• Communications. If you send us email messages or other communications, we collect and retain those communications.

Information we collect automatically. When you use our services, we collect some information automatically. For example:

• Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookies, Mobile IDs, and Similar Technologies section below, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.

• Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our apps or online services.

• Transaction data. If you use our services to make payments to us, receive payments from us, generate or redeem identity or payment access authorizations, or otherwise transact with our services, we receive your to data collected and used by us to facilitate transactions you request (“Transaction Data“). Some Transaction Data is Personal Data and may include: your name, email address, contact number, amount and date of purchase, and in some instances, information about what was purchased. We may also receive your transaction history with Connected Services.

• Usage data. We automatically log your activity on our websites, apps and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website. We also use tools on certain pages of our services to record and analyze your interaction with our services, including tools to track cursor movements and clicks, and record your screen while you’re on our website, to help us improve your experience.

• Content of communications with us. We collect recordings or transcripts of audio and video communications you have with us, as well as the contents of your communications with us via our website or use our services, such as through our website, forms, applications, surveys, chat features, and other channels.

Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences“). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.

Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:

• Third party partners. Third party applications and services you choose to connect with or interact with through our services, including any services that accept Skyfire services to verify your identity or facilitate payment for their products and services (“Connected Services“) that you choose to interact with.

• Co-branding/marketing partners. Partners with which we offer co-branded services or engage in joint marketing activities.

• Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.

• Publicly available sources. Public sources of information such as open government databases.

When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.

Cookies, Mobile IDs, and Similar Technologies

We use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.

For more information about what cookies and similar technologies we use and how we use them, see our Cookie Policy at www.skyfire.xyz/cookie-policy.

How we use Personal Data

We use the Personal Data we collect for purposes described in this Privacy Policy or otherwise disclosed to you. For example, we collect and use the categories of Personal Data described above for the following purposes:

• Product and service delivery, including to provide and deliver our services, including troubleshooting, improving our services, and personalizing our services.

• Business operations, including to operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.

• Product improvement, development, and research, including to develop new services or features, and conduct research. We may use Personal Data to generate aggregate and statistical information to understand and explain how our services are used. Examples of how we use Personal Data to analyze, improve, and develop our products and services include:

    o Using analytics on our Site, including as described in our Cookie Policy, to help us understand your use of our Site and services and diagnose technical issues.

    o Training artificial intelligence models to power our services and protect against fraud and other harm.

    o Analyzing and drawing inferences from Transaction Data to reduce costs, fraud, and disputes.

• Personalization, including to understand you and your preferences to enhance your experience and enjoyment using our services.

• Customer support, including to provide customer support and respond to your questions.

• Communications, including to send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.

• Marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners (see the Choice and Control section of this privacy policy for how to change your preferences for promotional communications).

How we disclose Personal Data

We disclose Personal Data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized.

In addition, we disclose each of the categories of Personal Data described above, with the types of third parties described below, for the following business purposes:

• Public information. You may select options available through our services to publicly display and share your name and/or username and certain other information, such as your profile, demographic data, content and files, or geolocation data.

• Service providers. We provide Personal Data to vendors or agents working on our behalf for the purposes described in this policy. These providers offer critical services such as providing cloud infrastructure, verifying identities, and identifying potentially harmful activity. We authorize these service providers to use or disclose the Personal Data we make available to them to perform services on our behalf and to comply with relevant legal obligations. We require these service providers to contractually commit to security and confidentiality obligations for the Personal Data they process on our behalf. The majority of our service providers are based in the United States of America.

• Financial services & payment processing. When you provide payment data, for example to make a purchase, we will provide payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.

• Affiliates. We enable access to Personal Data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.

• Corporate transactions. We may disclose Personal Data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.

• Legal and law enforcement. We will access, disclose, and preserve Personal Data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.

• Security, safety, and protecting rights. We will disclose Personal Data if we believe it is necessary to: protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone; operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and advertising companies also collect Personal Data through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in our Cookie Policy. These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy statements. Finally, we may share de-identified information in accordance with applicable law. For example, we share information publicly to show trends about the general use of our services.

Other third-party analytics providers we use on our websites are described in our Cookie Policy. Some of the data disclosures to these third parties may be considered a “sale” or “sharing” of Personal Data as defined under the laws of California and other U.S. states. Please see the Choice and Control of Personal Data and California Privacy Rights sections for more details.

Data Retention

We retain Personal Data for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and our legal or contractual obligations.

Choice and Control of Personal Data

We provide a variety of ways for you to control the Data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.

You may choose whether your personal data is:

• Used for Different Purposes: We will only use your Personal Data for the purposes described in this Privacy Policy or as otherwise disclosed at the time of collection. If we intend to use your Personal Sata for a purpose that is materially different from the original purpose, we will notify you and provide you with the opportunity to opt out before such use begins.

• Shared with Third Parties: If we plan to share your Personal Data with third parties for purposes other than fulfilling our services (for example, for their own marketing purposes), we will provide you with a clear opportunity to opt out of such sharing. You can manage your preferences by contacting us at [email protected] or through your account settings.

• Sensitive Data: For sensitive personal data (for example, financial details or other categories defined by law), we will not share such data with third parties or use it for materially different purposes unless you provide affirmative express consent (opt-in). You may provide or withdraw this consent at any time by contacting us at [email protected].

Access, portability, correction, and deletion. If you wish to access, correct, or delete Personal Data about you that we hold, you may email [email protected] to make your request.

Communications preferences. You can choose whether to receive promotional communications from us by email, and telephone. If you receive promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.

Choices for Cookies and Similar Technologies. See our Cookie Policy for choices about cookies and other analytics and advertising controls.

Data sales. Some privacy laws define “sale” broadly to include some the disclosures described in the How we Disclose Personal Data section above. To opt-out from such data “sales” please contact us at [email protected].

Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the Personal Data. Further, we may decline a request where we are unable to authenticate you as the person to whom the Personal Data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal as described in the Contact Us section below.

European, UK, Swiss Data Protection Rights

If the processing of Personal Data about you is subject to European Union, United Kingdom, and/or Swiss data protection laws, you have certain rights with respect to that data:

• You can request access to, and rectification or erasure of, Personal Data;

• If any automated processing of Personal Data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the Personal Data in a usable and portable format;

• If the processing of Personal Data is based on your consent, you can withdraw consent at any time for future processing;

• You can object to, or obtain a restriction of, the processing of Personal Data under certain circumstances; and

• For residents of France, you can send us specific instructions regarding the use of Personal Data after your death.

To make such requests please contact us as described in the Contact Us section below.

You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.

We rely on different lawful bases for collecting and processing Personal Data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests. They are summarized in following table.

California Privacy Rights

Although our operations are not currently subject to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we try to operate in accordance with those laws. If you are a California resident and the processing of Personal Data about you is subject to the CCPA and CPRA), you have certain rights with respect to that information.

Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of Personal Data as described herein, the purposes for which such information is collected or used (as described herein), whether such information is sold or shared, and how long such information is retained (as described herein).

Right to Know. You have a right to request that we disclose to you the Personal Data we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such Personal Data. Note that we have provided much of this information in this privacy policy. You may make such a “request to know” by emailing us at [email protected].

Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate Personal Data and that we delete Personal Data under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, email us at [email protected].

Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of Personal Data as those terms are defined by the CCPA. The CCPA/CPRA requires us to describe the categories of Personal Data we sell and/or share to third parties and how to opt-out of future sales or sharing. The CCPA/CPRA defines “sell,” “share,” and “personal information” very broadly, and some of our data sharing described in this privacy policy may be considered a “sale” or “sharing” under those definitions. We let analytics providers collect IP addresses and cookie IDs along with associated device and usage data when you access our website, but we do not “sell” or “share” any other types of Personal Data.

If you do not wish for us or our partners to “sell” or “share” Personal Data relating to your visits to our websites for advertising purposes, you can make your request by using a Global Privacy Control, or emailing us at [email protected]. If you opt-out using these choices, we will not share or make available such Personal Data in ways that are considered a “sale” or “sharing” under the CCPA. However, we will continue to make available to our partners (acting as our service providers) some Personal Data to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” or “shared” Personal Data or stop all interest-based advertising. We do not knowingly sell or share the Personal Data of minors under 16 years of age.

Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive Personal Data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use Sensitive Personal Data for any such additional purposes.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA/CPRA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

Further, to provide, correct, or delete specific pieces of Personal Data will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of Personal Data we may have, there may be no reasonable method by which we can verify your identity

Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA/CPRA.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties’ direct marketing purposes. Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law.

California Customers may request further information about our compliance with this law by e-mailing [email protected]. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.

Location of Personal Data

The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. Currently, we use data centers in the United States. We take steps designed to ensure that Personal Data is processed and protected as described in this policy wherever the data is located.

Location of Processing European Personal Data. We transfer Personal Data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland (“European Personal Data“) to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections.

We may share your Personal Data with third parties, such as service providers or business partners, to fulfill the purposes outlined in this Privacy Policy. When we transfer your Personal Data to a third party, we take steps to ensure compliance with applicable law:

• Contractual Safeguards: We enter into written agreements with all third parties receiving Personal Data, requiring them to provide at least the same level of privacy protection as required by applicable law. These agreements include obligations to process your data only for the purposes specified, implement appropriate security measures, and notify us of any breaches or inability to comply with legal requirements.

• Limited and Specific Purposes: We only transfer Personal Data to third parties for purposes consistent with those described in this Privacy Policy or as otherwise authorized by you.

• Liability and Oversight: We remain responsible and liable if a third party processes your Personal Sata in a manner inconsistent with applicable law, unless we can demonstrate that we are not responsible for the event giving rise to the harm. We conduct due diligence to verify that third parties meet applicable legal standards and periodically review their compliance.

We commit to refer unresolved complaints concerning our handling of European Personal Data to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your European Personal Data-related complaint from us, or if we have not addressed your European Personal Data-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints related to European Personal Data not resolved by other means.

Security

We take reasonable and appropriate steps to help protect Personal Data from unauthorized access, use, disclosure, alteration, and destruction.

Changes to the Privacy Policy

We will update this Privacy Policy when necessary to reflect changes in our services, how we use Personal Data, or the applicable law. When we post changes to the Privacy Policy, we will revise the “Last Updated” date at the top of the Privacy Policy. If we make material changes to the Privacy Policy, we will provide notice or obtain consent regarding such changes as may be required by law.

Contact Us

If you have a privacy concern, complaint, or a question for Skyfire, please feel free to contact us via email at [email protected].

Our postal address is Skyfire Systems Inc., 166 Geary Street, STE 1500 #2292 San Francisco, CA 94108.

Our data protection representative for the European Economic Area and Switzerland is Mr. Olivier Willocx. To make an inquiry to [email protected], please contact [email protected].

Our data protection representative for the UK is: Mr. Olivier Willocx. To make an inquiry to [email protected], please contact [email protected].

Facial Scan and Biometrics Information

This section describes how Skyfire and its Verification Service Providers treat scans of facial geometry extracted from the uploaded images of your identity documents and your selfie.

Biometric information is generally understood to be unique physical characteristics such as your face geometry through which you can be identified or recognized. We will only process biometric information for the purpose of uniquely identifying you where we have your consent to do so.

Skyfire or its Verification Service Provider, in providing the Service:

• compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photo of your face that you upload (“Scan Data“), in order to help verify your identity (“Verification“); and

• may also use your information, including Scan Data, to detect and prevent fraud (“Fraud Prevention“).

The uploaded images and Scan Data, are collected, used and stored directly by the Verification Service Provider. The Verification Service Provider stores all uploaded images and Scan Data in an encrypted format. The Verification Service Provider and its third party vendors may have access to the Scan Data to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored. The Verification Service Provider will permanently destroy Scan Data upon completion of Verification, unless the Verification Service Provider or Skyfire is otherwise required by law or legal process to retain the data.

Skyfire does not store the Scan Data in your Skyfire account.

Notice for Illinois Residents:

Our Verification Service Provider uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure Scan Data in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Our Verification Service Provider will not sell, lease, trade, or, other than to provide the Verification and Fraud Prevention services to Skyfire described in this policy, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, our Verification Service Provider will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you upload unless doing so:

• Completes a transaction requested and authorized by you or your legally authorized representative;

• Is required by state or federal law, or municipal ordinance;

• Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or

• Is expressly consented to by you.