
Privacy Policy

Effective date: September 4th, 2024

PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING THE SERVICES.

1. Introduction

This is the Privacy Policy (“Policy”) of Gataca Labs S.L.U. (referred to as "Gataca", "we", "our", or "us") in its capacity as Data Controller.

At Gataca we take your privacy very seriously. This Policy explains, in a clear and transparent manner, how and when we collect, share and protect your personal data.

This Policy applies to the website, Gataca Studio (including the product extensions Vouch and Enterprise Wallet), Gataca Wallet, and any other products and services (collectively, the “Services”) provided by Gataca and defined in each Terms of Service. Please note that anonymized information or purely statistical data used by Gataca will not be considered personal data.

2. Definitions

  • Client: Any organization that purchases a software subscription for any of the licensed products within Gataca Studio.

  • End User: Any natural person that uses the Gataca Wallet, or Clients’ own customers/users that view and interact with our Services as part of the Client’s contracted Services.

  • Data Subjects: Any individual who does not fall under the definitions of Client or End User and who may share information with Gataca. This includes, for example, job applicants or potential clients.

  • Authorized User: Any natural person authorized by a Client to configure, manage and administer the Services on Client’s behalf.

  • Personal Data: Data about identified or identifiable natural persons according to Art. 4 of the GDPR.

  • User Data: End User’s DIDs, Cryptographic Keys, Verifiable Credentials licitly obtained and stored in the Wallet, and backup files associated with the End User, and any other data, including but not limited to End User Personal Data, that the End User provides to us or our Clients.

  • Client Data: Client’s DIDs, Client’s Cryptographic Keys, Verifiable Credentials licitly obtained from Client’s End Users and stored in Client’s Gataca Studio account, Verifiable Credentials licitly issued by Client or to Client, Client’s backup files, Personal Data related to Client’s representatives or Authorized Users, and any other data, including but not limited to personal data, billing, and legal entity data, that Client provides to us.

  • Usage Data: Data collected automatically either generated by the use of the Services or from the Services infrastructure itself (for example, the duration of a page visit).

  • DIDs: As per the W3C recommendation, DIDs are globally unique persistent identifiers that do not require a centralized registration authority and are often generated and/or registered cryptographically.

  • Verifiable Credentials (VCs): As per the W3C recommendation, VCs are tamper-proof digital credentials whose authorship can be cryptographically verified.

  • Cryptographic Keys: Cryptographic material associated with DIDs and used by the Services to execute signing and encryption or decryption activities on End User’s or Client’s behalf.

  • Data Controller: A natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.

    For the purpose of this Policy, we are a Data Controller for:

    • Client Data, except for User Data shared by End Users with our Clients via our cloud-based Gataca Studio

    • User Data, when End Users share it directly with Gataca

    For the purpose of this Policy, our Clients are Data Controllers for:

    • User Data, when End Users share them with our Clients via our cloud-based Gataca Studio.

  • Data Processor: Any natural or legal person who processes the data on behalf of a Data Controller.

    We are Data Processors for:

    • User Data, when End Users share them with our Clients via our cloud-based Gataca Studio.

    The data processing conditions where Gataca acts as a Data Processor are regulated in the Gataca Studio Terms of Service.

3. Information, Collection and Use

By reading and accepting this Policy, you are informed of the circumstances in which Personal Data will be processed in relation to the Services. Furthermore, in the event that this is the necessary legal basis for the processing of your data, your free, informed, specific and unambiguous consent will be requested so that the Personal Data that you provide through the Services or any forms dependent on the Services may be processed by Gataca, as well as the data derived from your use of the Services and any other data that you may provide in the future.

4. What Personal Data does Gataca access about Clients, Authorized Users and End Users?

The processing of data is dependent on the products, services or functionalities that are being utilized at any given time. The Personal Data in question is derived from a number of different sources:

Data that Clients may provide directly to us:

  • Identity data of Client’s representatives and Authorized Users: first name, last name, role, and employer;

  • Contact data: telephone number, e-mail address, and mailing address;

  • Profile data: country, interests, and preferences;

  • Correspondence data: feedback, form responses, survey responses, customer support requests, or other correspondence with us;

  • Ordering data: contracts, orders, and purchases you make through the Services;

  • Payment data: billing details, your credit card number, bank account number and any other payment-related information.

Data that End Users may provide directly to us:

  • Identifying data: portrait images, copies of your identification document (ID card), and physical characteristics of an individual that enable or ensure their unique identification.

  • Contact data: telephone number, e-mail address, and mailing address;

  • Profile data: country and age threshold

  • Correspondence data: feedback, form responses, survey responses, customer support requests, or other correspondence with us.

Data that End Users provide to our Clients:

  • Any User Data that End Users consent to share with our Clients via our cloud-based Gataca Studio.

Data that other Data Subjects may provide to us (e.g. prospective employees, representatives of prospective Clients):

  • Identity data: first name, last name, role and employer;

  • Contact data: telephone number, e-mail address, and mailing address;

  • Profile data: country, interests, preferences, curricula vitae, letters of interest, etc.;

  • Correspondence data: feedback, form responses, survey responses, or other correspondence with us.

Data that we collect automatically:

  • Technical data: Decentralized Identifiers (DIDs), public keys.

  • Usage data: the Services may automatically detect IP address, domain name, unique device identifier, device and browser type, operating system, demographic information, the pages of our Services that you browsed and the time spent on those pages or features, the frequency with which the Services are used by you, search terms, the links on our Services that you clicked on and other statistics. We use this information exclusively to administer the Services and we analyze this information with the sole purpose of improving the Service.

5. What are the purposes and legal basis for the processing of your data?

5.1 To provide you with access to our Services and to perform the activities associated with our Services

The primary objective of our data processing is to facilitate access to, offer and execute the contracts that govern our Services. The processing of your data is legally based on the execution of the terms that regulate the use of our Services.

To ensure utmost transparency and accuracy, it is essential to note that the purposes and the categories of data processing may vary depending on the specific Service accessed.

5.1.1 Gataca Wallet

The ID Wallet allows the storage of digital documents to facilitate identity verification when accessing online services. In this context, Gataca does not have access to Personal Data stored in your ID Wallet, unless:

  • You have proactively and with explicit consent shared with Gataca one or more Verifiable Credentials from your ID Wallet containing Personal Data.

  • The Verifiable Credentials containing Personal Data and stored in the Wallet have been issued by Gataca via Gataca Attest, in which case the data processing conditions where Gataca acts as a Data Controller are regulated in the Gataca Wallet Terms of Service and this Privacy Policy.

  • The Verifiable Credentials containing Personal Data and stored in the Wallet have been issued directly by our Clients leveraging our cloud-based Gataca Studio service. The data processing conditions where Gataca acts as a Data Processor are regulated in the Gataca Studio Terms of Service.

The sole purpose of this processing is to provide you with the Wallet Service. Additionally, we may process your data to improve our services and to respond to inquiries you may have. This includes providing customer support and detecting, preventing, and addressing technical issues related to the Service.

The processing of your data is legally based on the execution of the Gataca Wallet Terms of Service, as well as to fulfill our legal obligations.

5.1.2 Gataca Attest

Gataca Attest is a service available via the Gataca Wallet that allows End Users to request the issuance of specific Verifiable Credentials by Gataca to End Users. Gataca acts as Data Controller of the End User’s Personal Data that may be processed to issue Verifiable Credentials.

When an End User requests Gataca to issue a Verifiable Credential, Gataca will collect Personal Data. In addition, we may process image data (portrait pictures and copies of your ID documents) and biometric data, for the sole purpose of producing the requested Verifiable Credential.

The processing of your data is based on your consent for the provisioning of the Service requested by you to issue a Verifiable Credential.

5.1.3 Gataca Studio

Gataca will act as Data Controller of Client Data, except for End User Personal Data. Gataca utilizes this data to manage the legal relationship established under the Gataca Studio Terms of Service. This encompasses the management of administrative, fiscal, and accounting activities, as well as the evaluation and monitoring of provided services. We collect various types of data, including identity, contact, technical, usage, order, and payment data from our Clients, their representatives, employees, or other natural persons acting on behalf of the Client.

The legal basis for this processing includes the contractual relationship, compliance with legal obligations as stipulated by applicable regulations during the term of the agreement with our Clients, and our legitimate interest in ensuring efficient Service delivery and compliance.

Furthermore, Gataca Studio may process data in a manner that varies depending on the sub-products in use. For this reason, the specifics of Gataca SSI functionalities, and the product extensions Gataca Vouch and the Enterprise Wallet, are outlined below.

5.1.4 Gataca SSI

Gataca SSI is the core product within Gataca Studio that helps Clients issue and verify Verifiable Credentials to/from End Users.

Gataca will act as a Data Processor when you share Personal Data with our Clients that leverage our Gataca Studio SSI capabilities. In these cases, the conditions under which we process data are governed by the Gataca Studio Terms of Service.

5.1.5 Gataca Vouch

Gataca Vouch is an add-on product extension within Gataca Studio designed to facilitate secure information exchange between an End User and a Client, with Gataca acting as a trusted intermediary. It uses standard authentication protocols for Clients and allows End Users to provide their information through ID Wallets, to ensure that Personal Data remain private and under their exclusive control.

Gataca becomes the Data Controller of your Personal Data to the extent that you use Gataca Vouch to request that we transfer your Personal Data to a third party. We will process your Personal Data in accordance with this Privacy Policy.

When you access a third-party service that uses Vouch for authentication, you will need to consent to the transfer of your required information to the third party. Additionally, you must agree to share the necessary Verifiable Credentials from your Wallet with us, allowing us to send the authentication response to the third party.

Sometimes, this process requires us to request Verifiable Credentials from your ID Wallet that involve Personal Data. In this process we will clearly inform you about the Verifiable Credentials we need you to share with us in order to deliver a response to the third party, and which specific information will then be transferred to the third party.

We will only request the minimum set of Verifiable Credentials necessary to provide the response to the third party, and we will only share the minimum information necessary to provide the response.

After sending the response to the third party, we will delete all Verifiable Credentials received. We will only keep proof of your consent, which includes your DID. We will not store any information about your identity, location, IP address, relationship with the third party you shared information with, type of device used, language, or any other information that can identify you.

This processing will be based solely on your consent.

5.1.6 Enterprise Wallet

The Enterprise Wallet is an add-on product extension within Gataca Studio that helps Clients store and manage Verifiable Credentials associated with the legal entity.

Gataca will act as a Data Processor to the extent such Verifiable Credentials include Personal Data of Client representatives, employees, or agents. In these cases, the conditions under which we process data are governed by the Gataca Studio Terms of Service.

5.2 To respond to any inquiry and customer support

Gataca may process your data to address inquiries submitted through our customer service channels, such as the ‘Contact Us’ and similar forms on our website, and to provide support while detecting, preventing, and addressing technical issues related to our Services. In these instances, we will only process the personal data that is strictly necessary to manage or resolve your inquiry or request. This may include collecting identification, contact, profile, technical and usage data and correspondence data.

For handling these inquiries or requests, we consider that we have a legitimate interest in responding to the submissions made to us. For questions or issues related to our Services that you have purchased, the processing will be based on the execution of the applicable Terms of Service. Lastly, if your inquiry relates to your data protection rights (further information can be found in section 9 of this Privacy Policy), we will process your data in compliance with our legal obligations.

5.3 To improve our Services

Gataca will use technical and usage data to enhance the services we provide and to identify areas for improvement. The legal basis for this processing is our legitimate interest in improving user experience and delivering higher quality services to you.

5.4 To provide you with news, special offers and general information

We will process data to provide you with updates, special offers, and general information about other goods, services, and events similar to those you have already purchased.

Our legal basis for this is our legitimate interest in marketing our products and services to our Clients.

This applies unless you have opted out of receiving such information, or we are specifically relying on your consent.

5.5 In order to process your application for possible employment vacancies

Gataca may process your personal data through applications received in the Careers section of our website, as well as any applications received through offers available on specialized portals such as LinkedIn. In order to process your application, Gataca will process the information you provide as the Data Controller.

The purpose of this processing is to include your information in Gataca's database of candidates for future selection processes in which your profile may be a suitable fit. The processing is carried out on the basis of the company's intention to establish an employment relationship. In the event of your being hired, the legitimate basis for processing your data will become the performance of a contract to which you, as a data subject, are a party.

The data collected during the recruitment process will remain active in our candidate database for a period of two years. Once the aforementioned period has elapsed, if the candidate wishes to remain engaged in the selection processes of the manager, we kindly request that you submit an updated CV.

6. With which recipients will your data be shared?

We do not share the Personal Data that you provide to us with other organizations without your express consent, except as described in this Policy. We disclose Personal Data to third parties under the following circumstances:

  • Affiliates: We may disclose your Personal Data to our corporate affiliates (i.e. our family of companies that are related by common ownership or control) for purposes consistent with this Policy.

  • Business Transfers: We may share Personal Data when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction.

  • Compliance with Laws and Law Enforcement: Protection and Safety. We may share Personal Data for legal, protection, and safety purposes.

  • Third Parties: We may share your Personal Data with your explicit consent when you use some of our Services, such as Gataca Vouch.

7. International transfer of Data

User Data, whether provided directly to us or to our Clients via Gataca Studio, is stored in servers located in the European Economic Area (EEA).

Any other Personal Data that Gataca processes may be transferred to third parties based in countries outside the European Economic Area (EEA). These transfers will be performed according to the appropriate safeguards to ensure an equivalent degree of protection as set out in the GDPR.

8. Retention of Data

Gataca will retain Personal Data only to the extent necessary to comply with our purposes, including our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

Gataca will also retain anonymized Usage Data for internal analysis purposes.

9. Your Data Protection Rights

Under the applicable data protection regulations you have the following data protection rights:

  • The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section in the corresponding Service. If you are unable to perform these actions yourself, please contact us to assist you.

  • The right of rectification. You have the right to have your Personal Data rectified if that information is inaccurate or incomplete.

  • The right to object. You have the right to object to our processing of your Personal Data.

  • The right of restriction. You have the right to request that we restrict the processing of your Personal Data.

  • The right to data portability. You have the right to be provided with a copy of the Personal Data we have on you in a structured, machine-readable and commonly used format.

  • The right to withdraw consent. You also have the right to withdraw your consent at any time where Gataca relied on your consent to process your Personal Data.

To exercise your rights, you may (i) log in to your User profile or Settings section on the Services; or (ii) send an email to dpo@gataca.io.

You have the right to file a complaint before a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.

10. Changes to this Privacy Policy

We may update our Policy from time to time.

We will let you know via email and/or a prominent notice on our Services and update the "effective date" at the top of this Policy.

You are advised to review this Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page.

11. Contact

If you have any questions about this Policy, please contact our Data Protection Officer at: dpo@gataca.io.
