Privacy Policy

1. Introduction

Scytales ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Scytales Connector ("Service").

We are a data controller under the General Data Protection Regulation (GDPR) and comply with all applicable data protection laws.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name (optional)
• Company name (optional)
• Password (encrypted)

2.2 Verification Metadata

When credentials are verified through our Service, we collect:

• Timestamp of verification
• Credential type (e.g., mDL, PID)
• Verification result (success/failure)
• IP address (for fraud prevention)

Important: We do NOT store the actual credential data or personal information contained within credentials. All credential data is processed in-memory and immediately discarded after verification.

2.3 Usage Data

We automatically collect:

• API usage statistics (number of requests, endpoints used)
• Browser type and version
• Device information
• Pages visited and time spent
• Error logs and performance metrics

2.4 Cookies and Tracking

We use strictly necessary cookies for authentication and session management. We do not use advertising or third-party tracking cookies. You can disable cookies in your browser, but this may affect Service functionality.

3. How We Use Your Information

We use collected information to:

• Provide and maintain the Service
• Process credential verifications
• Authenticate users and prevent fraud
• Send service-related notifications
• Provide customer support
• Improve and optimize the Service
• Comply with legal obligations
• Enforce our Terms of Service

4. GDPR Rights (EU Users)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to data processing
• Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at privacy@scytales.com. We will respond within 30 days.

5. Data Retention

We retain data as follows:

• Account data: Until account deletion or 2 years of inactivity
• Verification metadata: 90 days (for fraud prevention and compliance)
• Audit logs: 7 years (legal requirement)
• Credential data: 0 days (never stored, processed in-memory only)

6. Data Security

We implement industry-standard security measures:

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Regular security audits and penetration testing
• Access controls and authentication
• ISO 27001 certified infrastructure
• SOC 2 Type II compliance

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

7. Data Sharing and Disclosure

We do NOT sell your personal data. We may share data with:

7.1 Service Providers

Third-party vendors who assist us in providing the Service (e.g., hosting, payment processing, customer support). All vendors are bound by data processing agreements.

7.2 Legal Requirements

We may disclose data when required by law, court order, or government request, or to protect our rights and safety.

7.3 Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data is transferred and subject to a different privacy policy.

8. International Data Transfers

Our servers are located in the European Union. If you access the Service from outside the EU, your data may be transferred to and processed in the EU. We ensure adequate safeguards through:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Data Processing Agreements (DPAs)

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately at privacy@scytales.com.

10. Your Choices

• Account Deletion: You can delete your account at any time from your dashboard or by contacting support
• Email Preferences: Opt out of marketing emails via unsubscribe links (service emails cannot be opted out)
• Cookie Settings: Manage cookies through your browser settings
• Data Export: Request a copy of your data in JSON format

11. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via:

• Email notification
• In-app notification
• Banner on our website

Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, requests, or complaints:

Email: privacy@scytales.com
Data Protection Officer: dpo@scytales.com
Mail: Scytales Privacy Team, [Address], Brussels, Belgium

EU Representative

For EU-specific inquiries, you may contact our EU representative at eu-rep@scytales.com.

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale of personal information (we do not sell data)
• Right to non-discrimination for exercising your rights

To exercise CCPA rights, email privacy@scytales.com with "CCPA Request" in the subject line.