How do I sign up for Procys?

We explain in simple steps how to start working with Procys from the home page. Signing up takes no more than three minutes!

Last Updated: December 3, 2025

1. Introduction

This Privacy Policy ("Policy") describes in comprehensive detail how Procys ("Procys", "we", "us", "our") collects, processes, stores, transfers, and protects Personal Data in the course of providing identity verification, KYC/KYB/AML screening, fraud prevention, document analysis, website services, customer account management, and all related operational activities.

Procys acts both as:

  • A Data Controller under GDPR for website visitors, marketing recipients, analytics users, newsletter subscribers, account holders, and system log data; and
  • A Data Processor under GDPR for identity verification/KYC/KYB/AML/biometric processing conducted strictly on behalf of our customers (the "Data Controllers").

"Customers" means Procys' business clients that subscribe to, access, or otherwise use the Procys Services for identity verification and related compliance purposes, and that determine the purposes and essential means of such verification. For the avoidance of doubt, Customers act as the Data Controllers in respect of the Personal Data processed through the Procys Services, and Procys processes such Personal Data solely on the Customers' documented instructions.

Among the types of Personal Data that this application collects, by itself or through third parties, are: cookies; usage data; first name; last name; phone number; company name; and email address. This Policy applies to any Personal Data collected through the following means:

  • Through our website, apps, forms, and any other platforms that we operate;
  • Via API/SDK integrations provided to Customers in connection with their use of the Services;
  • Directly from end-users during a verification workflow or related workflow conducted through the Services; and
  • Indirectly through our Customers or other authorized third parties who submit end-user data to Procys for processing within the Services.

By using the Procys website or services, Users acknowledge having read and understood this Policy.

Any use of Cookies or of other tracking tools by this application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

2. Definitions

For the avoidance of doubt and to ensure alignment with the General Data Protection Regulation (GDPR), the following terms shall have the meanings set out below:

Personal Data

Any information relating to an identified or identifiable natural person, including but not limited to name, identification number, biometric identifiers, online identifiers, device information, or elements relating to physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing

Any operation performed on Personal Data, such as collection, recording, storage, adaptation, retrieval, consultation, use, transmission, restriction, erasure, destruction, or profiling.

Data Controller

The entity which, alone or jointly with others, determines the purposes for which and the essential means by which Personal Data are processed. In this context, Procys acts as Data Controller in respect of Personal Data processed for the operation, security, and improvement of its websites and platforms, customer account administration, and business communications such as support, service notices, and marketing where permitted by law. For such activities, Procys determines the purpose and manner of processing and assumes the corresponding GDPR obligations.

Data Processor

The entity which processes Personal Data on behalf of, and strictly in accordance with the documented instructions of, the Data Controller, and which does not determine the purposes or essential means of such processing. In this capacity, Procys acts as a Data Processor when performing KYC, KYB, AML, and identity-verification services for its Customers, including the collection, analysis, validation, and matching of identity information (and any related biometric or fraud-prevention checks) solely to enable the Customer's verification workflow. For these processing activities, Procys processes Personal Data only for the limited purpose of providing the Services, implements appropriate technical and organizational measures, and complies with its obligations as a processor under Article 28 GDPR and the applicable data processing agreement with the Customer.

Special Categories of Data

Personal Data revealing racial or ethnic origin, and biometric data processed for the purpose of uniquely identifying a natural person, as well as any other special categories of Personal Data within the meaning of Article 9(1) GDPR.

Biometric Data

Personal Data resulting from technical processing of physical characteristics (e.g., facial features) enabling unique identification of a natural person.

Sub-Processor

Any third party (including any affiliate) appointed or otherwise engaged by Procys, in its capacity as a Data Processor, to process Personal Data on Procys' behalf and solely for the purpose of providing the Services to the relevant Data Controller. Each such third party shall be bound by a written agreement imposing data protection obligations no less protective than those set out in this Policy and Article 28 GDPR, including obligations to act only on documented instructions, maintain appropriate technical and organizational security measures, ensure confidentiality, and assist Procys in meeting its processor obligations.

3. Categories of Personal Data Processed

Procys processes Personal Data in detailed categories, depending on its role as Controller or Processor:

A. Data Collected When Procys Acts as Data Controller

Website Visitor & Interaction Data

  • IP address
  • Browser metadata
  • Device fingerprint
  • Approximate geolocation (inferred from IP)
  • Pages accessed, session duration, clickstream data
  • Cookies & similar identifiers
  • Device IDs (where available), local storage identifiers, session IDs, hashed identifiers

Account Creation & Customer Data

  • First name, last name
  • Company name
  • Email address
  • Phone number
  • Login credentials (stored securely with hashing)
  • Billing information (if applicable)
  • Support records and correspondence

Marketing & Newsletter Data

  • Email address
  • Subscription preferences
  • Interaction with marketing communication

B. Data Collected When Procys Acts as Data Processor (Identity Verification / KYC)

Identity Document Data

  • Passport
  • National ID card
  • Driving license
  • Residence permit
  • Any document uploaded by the user
  • MRZ (Machine Readable Zone) data
  • Document metadata, issuing authority, validity dates

Biometric Data (Special Category)

Processed only with explicit consent:

  • Selfie image
  • Liveness video
  • Facial recognition vectors
  • Anti-spoofing metrics

AML/KYB Screening Data

  • Full name
  • Date of birth
  • Nationality
  • PEP status
  • Sanctions list matches
  • Regulatory watchlist results
  • Adverse media summaries
  • Business registry checks (KYB)

Technical Data for Fraud Prevention

  • IP address
  • Device fingerprinting
  • Behavioral signals
  • Metadata from device camera or sensors

Verification Metadata

  • Timestamps
  • Results of checks
  • Audit trails
  • API request logs

4. Legal Basis for Processing (GDPR Articles 6 & 9)

When Procys Acts as Data Controller

Processing is based on:

Consent

Where required by law, Procys processes Personal Data on the basis of the data subject's freely given, specific, informed and unambiguous consent. This includes, in particular, the use of non-essential cookies and similar tracking technologies, the sending of direct marketing communications, and the processing of information submitted through optional website forms or preference settings. Data subjects may withdraw their consent at any time with effect for the future, without affecting the lawfulness of processing carried out prior to withdrawal.

Contractual Necessity

Where processing is necessary for the performance of a contract to which the data subject is party (e.g., to create and maintain a customer account, deliver support, or provide the Services as subscribed to), or to take steps at the request of the data subject prior to entering into such a contract.

Legal Obligation

Where processing is necessary to comply with a legal obligation to which Procys is subject under Union or Member State law, including but not limited to financial record-keeping, tax reporting, response to lawful governmental requests, and compliance with court orders or similar legal process.

Legitimate Interests

Where processing is necessary for the purposes of the legitimate interests pursued by Procys or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data). Legitimate interests include fraud prevention, network and information security, internal administration and reporting, and direct marketing in the context of existing business relationships where permitted by applicable law.

When Procys Acts as Data Processor

Processing is carried out solely on the basis of the documented instructions of the Data Controller (the Customer), which must establish an appropriate lawful basis under Article 6(1) GDPR for the relevant processing. For Special Categories of Data (including biometric data), the Customer must further ensure that one of the conditions set out in Article 9(2) GDPR is met. Procys shall not be responsible for the Customer's selection of, or failure to establish, a valid legal basis.

Typical Customer Lawful Bases

  • Explicit Consent (Art. 6(1)(a) & 9(2)(a)) - For biometric processing
  • Contractual Necessity (Art. 6(1)(b)) - For identity verification required to onboard a user
  • Legal Obligation (Art. 6(1)(c) & 9(2)(b)) - For AML/KYC screening mandated by law
  • Public Interest / Official Authority (Art. 6(1)(e) & 9(2)(g)) - Where required by financial regulators
  • Substantial Public Interest (Art. 9(2)(g)) - For preventing fraud or money laundering

5. Purpose Limitation

Personal Data processed by Procys shall be collected for specified, explicit, and legitimate purposes, and shall not be further processed in a manner that is incompatible with those purposes. The purposes for which Personal Data are processed depend on Procys's role:

A. When Procys Acts as Data Controller

  • Website operation, hosting, and performance optimization
  • User authentication, session management, and account administration
  • Customer support and service communications
  • Marketing communications and newsletters (where consent is obtained or permitted by law)
  • Analytics, usage analysis, and service improvements
  • Fraud detection, prevention, and security incident response
  • Compliance with legal, regulatory, or contractual obligations
  • Internal business reporting, audit, and compliance functions

B. When Procys Acts as Data Processor

Procys processes Personal Data solely for the purpose of providing the Services to the Customer, strictly in accordance with the Customer's documented instructions and the parties' data processing agreement. Such purposes may include:

  • Identity verification of the Customer's end-users
  • Document authentication and validation
  • Biometric comparison for identity assurance (where explicitly authorized by the Customer)
  • AML/KYB screening and sanctions checks
  • Fraud detection and prevention on behalf of the Customer
  • Provision of verification results and audit trails to the Customer
  • Technical support, debugging, and service operation for the Customer's use of the Services

6. Data Retention

Procys retains Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, to comply with applicable legal, regulatory, or contractual obligations, or to resolve disputes and enforce agreements. The specific retention periods vary depending on Procys's role and the nature of the data:

A. When Procys Acts as Data Controller

  • Website visitor data - Up to 24 months from the date of last activity, or as configured in cookie preference settings
  • Customer account data - For the duration of the customer relationship, plus up to 7 years thereafter to comply with financial record-keeping and legal obligations
  • Marketing data - Until consent is withdrawn or as required by applicable direct marketing regulations
  • Support records - Up to 5 years from the date of the last interaction
  • System logs and security data - Up to 12 months, or longer if required to investigate or defend against legal claims or security incidents

B. When Procys Acts as Data Processor

Procys retains end-user KYC/KYB data only in accordance with the Customer's documented instructions, the parties' data processing agreement, and applicable law. Unless otherwise instructed by the Customer, Personal Data is retained for:

  • KYC verification data - Up to 12 months from completion of the verification workflow, or as required by applicable AML/KYC regulations or the Customer's retention schedule
  • Biometric data - Processed temporarily and deleted immediately upon completion of the verification session, or retained only as long as explicitly authorized by the Customer and permitted by law
  • Audit logs - Up to 12 months from the date of the verification event, or longer if required by applicable financial or regulatory requirements

Upon expiry of the applicable retention period, or upon receipt of a valid deletion request from the Customer or the data subject (where applicable), Personal Data shall be securely deleted or anonymized in accordance with industry-standard data sanitization practices, unless retention is required by law.

7. Data Subject Rights (GDPR Chapter III)

In accordance with Articles 15–22 GDPR, data subjects have the following rights with respect to their Personal Data:

Right of Access (Art. 15)

Data subjects have the right to obtain from Procys confirmation as to whether or not Personal Data concerning them is being processed, and, where that is the case, to access that Personal Data and to receive information about the processing, including the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the existence of other rights.

Right to Rectification (Art. 16)

Data subjects have the right to obtain the rectification of inaccurate Personal Data and to have incomplete Personal Data completed, taking into account the purposes of the processing.

Right to Erasure ("Right to be Forgotten") (Art. 17)

Data subjects have the right to obtain the erasure of Personal Data concerning them without undue delay where one of the grounds set out in Article 17(1) GDPR applies, such as where the data is no longer necessary for the purposes for which it was collected, where consent has been withdrawn and there is no other legal ground for the processing, or where the data has been unlawfully processed. This right is subject to the exceptions set out in Article 17(3), including where retention is necessary to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing (Art. 18)

Data subjects have the right to obtain restriction of processing where one of the conditions set out in Article 18(1) GDPR is met, including where the accuracy of the Personal Data is contested, where the processing is unlawful but the data subject opposes erasure and requests restriction instead, or where the data subject needs the data for legal claims but Procys no longer requires it for its purposes.

Right to Data Portability (Art. 20)

Where processing is based on consent or contract and is carried out by automated means, data subjects have the right to receive the Personal Data concerning them in a structured, commonly used, and machine-readable format, and to transmit those data to another controller where technically feasible.

Right to Object (Art. 21)

Data subjects have the right to object, on grounds relating to their particular situation, to processing of Personal Data based on legitimate interests (Art. 6(1)(f)) or for public interest / official authority (Art. 6(1)(e)). Procys shall cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. Data subjects also have an unconditional right to object to processing for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, data subjects have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right Not to be Subject to Automated Decision-Making (Art. 22)

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless one of the exceptions in Article 22(2) applies. Where automated decision-making is used, Procys (or the Customer, as applicable) shall implement suitable measures to safeguard the data subject's rights and freedoms, including the right to obtain human intervention, to express their point of view, and to contest the decision.

How to Exercise Your Rights

Requests Involving Personal Data under Procys's Control:

If Procys acts as a Data Controller for your Personal Data, you may exercise your rights by submitting a request to: privacy@Procys.com

Requests Involving KYC Data:

Where Procys acts as a Data Processor, such requests must be directed to the Data Controller (Procys's customer). Procys will support the Controller in fulfilling the request.

Procys will respond to valid requests within one month of receipt, and may extend this period by two further months where necessary, taking into account the complexity and number of requests. In such cases, Procys will inform the data subject of the extension and the reasons for delay within one month of receipt of the request. Procys reserves the right to request additional information to verify the identity of the data subject before responding to a request.

8. Cookies and Tracking Technologies

Procys uses cookies and similar tracking technologies on its website and platforms to enable essential functionality, enhance user experience, perform analytics, and deliver targeted content. A cookie is a small text file that is stored on a user's device when they visit a website. Cookies can be "session" cookies (which expire when the browser is closed) or "persistent" cookies (which remain on the device for a set period or until manually deleted).

Categories of Cookies Used

Essential / Strictly Necessary Cookies

These cookies are essential for the operation of the website and cannot be disabled in our systems. They are usually set in response to actions made by you, such as setting your privacy preferences, logging in, or filling in forms. Without these cookies, certain features of the website may not function properly.

Performance / Analytics Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us understand which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site and will not be able to monitor its performance.

Functional Cookies

These cookies enable enhanced functionality and personalization, such as remembering your preferences (e.g., language, region) or recognizing you when you return to the site. If you do not allow these cookies, some or all of these services may not function properly.

Targeting / Advertising Cookies

These cookies may be set through our site by our advertising partners to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Managing Cookies

You can manage your cookie preferences through the cookie consent banner displayed when you first visit our website, or by adjusting the settings in your web browser. Most web browsers allow you to control cookies through their settings preferences, including the ability to refuse or delete cookies. Please note that disabling or removing certain cookies may impact the functionality of our website and your ability to access certain features.

For more information about cookies and how to manage them, please visit www.allaboutcookies.org or the help section of your web browser.

9. Data Sharing and Disclosure

Procys does not sell, rent, or trade Personal Data to third parties for their own marketing purposes. However, Procys may share or disclose Personal Data with the following categories of recipients, under the conditions and for the purposes set out below:

A. Customers (Data Controllers)

Where Procys acts as a Data Processor, Procys provides verification results, audit logs, and other outputs to the relevant Customer in accordance with the parties' data processing agreement and the Customer's documented instructions. The Customer remains the Data Controller for such data and is solely responsible for its lawful use and onward processing.

B. Service Providers and Sub-Processors

Procys engages third-party service providers (including affiliates) to support the operation, security, and delivery of the Services. These sub-processors may include:

  • Cloud hosting and infrastructure providers
  • Data storage and database management services
  • Identity verification, biometric matching, and fraud prevention vendors
  • AML/sanctions screening data providers
  • Analytics and performance monitoring tools
  • Email delivery, marketing automation, and customer support platforms
  • Payment processors and billing systems
  • IT security, backup, and disaster recovery services

Each sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this Policy and Article 28 GDPR, and is subject to appropriate technical and organizational security measures. Procys maintains a current list of sub-processors, which is available upon request. Where required by applicable data processing agreements, Procys will provide advance notice of any new sub-processors and allow Customers to object on reasonable grounds.

C. Legal and Regulatory Authorities

Procys may disclose Personal Data to law enforcement, regulatory authorities, courts, or other governmental bodies where required or permitted by applicable law, including in response to:

  • Valid legal process (e.g., subpoena, search warrant, court order)
  • Regulatory request or investigation
  • Legal obligation under Union or Member State law
  • Protection of the rights, property, or safety of Procys, its users, or the public
  • Prevention, detection, or investigation of fraud, security breaches, or other unlawful activity

Where legally permitted and feasible, Procys will notify the affected data subject or Customer in advance of such disclosure, unless such notification is prohibited by law or court order.

D. Internal Personnel

Access to Personal Data is restricted on a strict need-to-know basis to Procys personnel who are duly authorized for the performance of their functions, are subject to role-based access controls, and are bound by written confidentiality and data-protection obligations. Such access is permitted only to the extent necessary to provide and secure the Services, and is logged and monitored in accordance with Procys' internal security policies.

10. International Data Transfers

When Personal Data is transferred outside the European Economic Area (EEA), Procys enforces:

  • Standard Contractual Clauses (SCCs)
  • Technical safeguards (encryption, pseudonymization)
  • Organizational controls
  • Vendor risk assessments
  • Continuous monitoring

End-user KYC Personal Data shall not be transferred to, accessed from, or otherwise processed in any jurisdiction outside the controlled regions designated by Procys and/or the applicable Customer, except (i) where such transfer is required by Union or Member State law or a binding order of a competent authority, in which case Procys shall, to the extent legally permitted, notify the Customer in advance, or (ii) where the Customer has expressly authorized the transfer in writing under the parties' agreement and the requisite transfer safeguards under Chapter V GDPR (including, where applicable, Standard Contractual Clauses or an adequacy decision) are in place.

11. Security Measures (Technical & Organizational Controls)

Procys implements a multi-layered security framework:

Technical Controls

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Secure key management
  • Device fingerprinting
  • Rate limiting & anti-abuse systems
  • Biometric anti-spoofing
  • Hardened infrastructure
  • Network segmentation

Organizational Controls

  • RBAC (role-based access control)
  • Employee background checks
  • Mandatory confidentiality agreements
  • Security awareness training
  • Regular internal audits
  • Incident response procedures
  • Vendor due diligence

Procys follows principles of:

  • Data minimization
  • Privacy by Design
  • Privacy by Default

12. Automated Decision-Making and Profiling

Procys may employ automated processing to, among other things:

  • Detect fraudulent documents
  • Perform liveness checks
  • Conduct biometric comparisons
  • Identify AML risks

Human review is made available where required by applicable law and, in any event, where requested or configured by the relevant Customer through documented instructions. Procys shall not rely exclusively on automated processing to take decisions that produce legal effects concerning an end-user or similarly significantly affect that end-user, and any such outcome shall be subject to meaningful human intervention, including the right to obtain human review and to contest the result, in accordance with Article 22 GDPR.

13. Customer Responsibilities (When Procys Acts as Processor)

Customers must:

  • Provide lawful basis for KYC collection
  • Obtain explicit consent for biometric processing
  • Deliver required privacy notices
  • Handle end-user rights requests
  • Ensure compliance with AML/KYC regulations

Procys shall not be responsible or liable for, and hereby disclaims any and all liability arising out of, any failure by a Customer to comply with its applicable legal, regulatory, or contractual obligations in connection with the Customer's use of the Services, including any obligation to establish a lawful basis for processing, provide required notices, obtain valid consents, conduct KYC/KYB/AML checks, or honour data subject rights. Any such compliance remains solely the Customer's responsibility as Data Controller.

14. System Logs and Monitoring

For operational reliability, Procys collects:

  • Timestamps
  • API logs
  • IP metadata
  • Verification event logs
  • Device fingerprints
  • Error logs

These may be used for purposes including, but not limited to:

  • Incident investigation
  • Debugging issues
  • Regulatory audits
  • Fraud detection

Personal Data is retained for a period not exceeding twelve (12) months from the date of collection or completion of the relevant verification workflow, unless a shorter or longer retention period is required by applicable law or the Customer's documented instructions consistent with such law, in which case Procys shall retain the data only for so long as is necessary for those purposes.

15. Changes to This Privacy Policy

Procys may modify this Policy from time to time to reflect changes in applicable laws or regulatory guidance, developments in our Services, technologies, or business practices, or to address operational, security, or risk management requirements. Any such amendments shall be effective upon publication of the updated Policy on our website (or within the applicable platform), with the "Last Updated" date revised accordingly. Where changes are material, Procys will take reasonable steps to notify affected users and/or Customers in advance, including by prominent notice on the website or by direct communication where feasible. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the revised terms.

Changes may be made for:

  • Legal changes
  • New services
  • Security updates
  • Industry practices

16. Contact Information

For privacy-related questions or concerns:

Procys B.V.
Email: privacy@Procys.com