GDPR Compliance

Last updated: January 2025

Our Commitment to GDPR

Quickkyb is committed to protecting the personal data of our users and complying with the General Data Protection Regulation (GDPR) for European Union residents.

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that strengthens data protection for individuals within the EU and the European Economic Area (EEA). It gives individuals more control over their personal data and imposes stricter rules on organizations handling personal data.

Our GDPR Compliance

Lawful Basis for Processing

We process personal data based on the following lawful bases under Article 6 of GDPR:

  • Contract Performance: Processing necessary to provide our KYB services
  • Legal Obligation: Compliance with AML/CFT regulations
  • Legitimate Interests: Fraud prevention and security
  • Consent: Where you have given explicit consent (e.g., marketing)

Data Controller

Quickkyb Limited acts as the Data Controller for personal data processed through our platform.

Contact for GDPR Matters: [email protected]

Your Data Rights

Under GDPR, you have the following rights regarding your personal data:

1. Right to be Informed (Articles 13 & 14)

We provide clear information about:

  • What data we collect
  • How we use your data
  • Your rights regarding your data
  • Who we share your data with

2. Right of Access (Article 15)

You have the right to obtain:

  • Confirmation that your data is being processed
  • A copy of your personal data
  • Information about how we process your data

How to Exercise: Submit a data access request via email to [email protected]

Response Time: Within 30 days

3. Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected or incomplete data completed.

How to Exercise: Contact us at [email protected]

4. Right to Erasure (Right to be Forgotten) (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where processing is based on consent)
  • The data has been processed unlawfully

Note: We may retain data if required for legal, regulatory, or legitimate business reasons.

5. Right to Restrict Processing (Article 18)

You have the right to request restriction of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you require it for legal claims

6. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.

Format: JSON, CSV, or XML

7. Right to Object (Article 21)

You have the right to object to processing based on:

  • Legitimate interests
  • Direct marketing

Note: We will honor your request unless we have compelling legitimate grounds for processing.

8. Rights in Relation to Automated Decision-Making (Article 22)

While we use AI for document extraction, you have:

  • The right not to be subject to solely automated decisions with legal effects
  • The right to human intervention and explanation

Note: Our AI-assisted decisions always involve human review for high-stakes matters.

How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email: [email protected]
  2. Subject: "GDPR Request - [Your Right]"
  3. Include: Your account email and specific request

Response Time: We will respond within 30 days of receiving your request

Verification: We may need to verify your identity before processing your request

Data Protection Measures

Security

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Regular security audits
  • Penetration testing
  • Access controls and authentication

Data Minimization

  • We collect only data necessary for our services
  • We retain data only as long as necessary
  • We anonymize data where possible

Data Retention

  • Account Data: While your account is active
  • Verification Records: 7 years (regulatory requirement)
  • Usage Logs: 2 years
  • Marketing Data: Until you unsubscribe

International Data Transfers

Your data may be transferred to and processed in countries outside the EEA. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): Commission-approved contracts for data transfers
  • Adequacy Decisions: Transfers to countries with adequate data protection laws
  • Supplemental Measures: Additional security measures where required

Data Locations: Our primary data centers are in Hong Kong, Singapore, and Europe (Frankfurt).

Data Breach Notification

In the event of a personal data breach:

  • We will notify affected individuals without undue delay
  • We will notify supervisory authorities within 72 hours of becoming aware
  • Notification will include:
    • Nature of the breach
    • Categories of data affected
    • Likely consequences
    • Measures taken to address the breach

Data Protection Officer (DPO)

While not required under GDPR (we don't meet the threshold), we have appointed a Data Protection Representative:

Contact: [email protected]

Children's Data

Our services are not intended for children under 16. We do not knowingly process personal data of children under 16 without parental consent.

Privacy by Design and by Default

  • We implement data protection from the start of any project
  • Default settings prioritize privacy
  • Regular Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Minimum data collection by default

Third-Party Processors

We use third-party services that process data on our behalf:

  • Cloud Infrastructure: Cloudflare, AWS (EEA data centers)
  • Payment Processing: Stripe, Airwallex (GDPR compliant)
  • Analytics: Google Analytics (with IP anonymization)
  • Support: Intercom (GDPR compliant)

All processors are carefully vetted for GDPR compliance and bound by data processing agreements.

Consent Management

  • Cookie Consent: Granular consent banner with customization options
  • Marketing Consent: Opt-in only, with easy unsubscribe
  • Withdrawal: You can withdraw consent at any time

Supervisory Authority

If you are unsatisfied with our response to your GDPR request, you have the right to lodge a complaint with:

  • Your local Data Protection Authority (DPA)
  • The Hong Kong Privacy Commissioner for Personal Data (for Hong Kong residents)
  • Your national supervisory authority (for EEA residents)

Contact Us

For all GDPR-related inquiries and rights requests:

  • Email: [email protected]
  • Address: [Your Hong Kong Address]
  • Response Time: Within 30 days
