Legal

Privacy Policy

Last updated: June 26, 2026

SectID processes personal data as a data processor on behalf of regulated institutions. This policy describes how identity verification data, biometric consent records, and audit metadata are collected, stored, and retained.

1. Information We Collect

When you use SectID services (either directly or through our clients), we may collect the following types of information:

  • Identity Documents: Passport, national ID, driver's license, and other government-issued identification documents.
  • Biometric Data: Facial images and liveness detection data used for identity verification.
  • Contact Information: Name, email address, phone number, and postal address.
  • Business Information: Company registration details, ownership structure, and beneficial ownership information.
  • Usage Data: API requests, webhook events, audit logs, and system interactions.

2. How We Use Your Information

We use the collected information for the following purposes:

  • To provide identity verification and Know Your Customer (KYC) services
  • To conduct Anti-Money Laundering (AML) screening and sanctions checks
  • To verify business entities and beneficial ownership (KYB)
  • To maintain audit trails for regulatory compliance
  • To improve our platform and develop new features
  • To detect and prevent fraud and security incidents

3. Data Protection

We align with the Kenya Data Protection Act, 2019 (ODPC), Uganda Data Protection and Privacy Act, Rwanda's Law N°058/2021, Nigeria Data Protection Act 2023, and Ghana's Data Protection Act, 2012 (Act 843). We support data-subject rights including:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing based on legitimate interests

Data-subject rights requests are routed through your organization as the data controller.SectID acts as the data processor and fulfills requests per the controller's instructions.

4. Data Security

We implement comprehensive security measures including:

  • AES-256-GCM encryption at rest for all PII and documents
  • TLS 1.3 for all data in transit
  • Tenant isolation with organization-scoped queries
  • Role-based access control (RBAC) with least-privilege principles
  • Append-only audit logs with cryptographic hash chaining
  • Regular penetration testing and security audits

5. Data Retention

Default retention is seven years unless your organization configures a different policy in Compliance settings. This aligns with financial services regulatory requirements across African jurisdictions. Encrypted blobs are deleted on schedule via the retention engine. Backup retention follows a 30-day rolling cycle.

6. International Transfers

Where data must be transferred outside the African Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable. Data residency controls allow customers to specify primary storage regions.

7. Cookies and Tracking

We use essential cookies for authentication and session management. Analytics cookies are optional and require consent. We do not use third-party advertising cookies.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the platform dashboard. Continued use of our services after changes constitutes acceptance.

9. Contact Us

For privacy-related enquiries, contact our Data Protection Officer:

Email: privacy@sectid.com
Address: SectID Ltd, Nairobi, Kenya