Privacy Policy
This Privacy Policy explains how FInchInnovate ("we", "us") collects, uses, stores, and protects personal data through the FinchSCAN platform – an AI-powered AML screening, eKYC, and compliance SaaS solution available via web and mobile (iOS & Android).
This Policy Covers
- Business Clients and their authorised users accessing FinchSCAN
- End-users (individuals) whose data is submitted for identity or business verification (KYC/KYB)
- Visitors to www.finchscan.com
Designed to Comply With
- EU General Data Protection Regulation (GDPR) – Regulation 2016/679
- UAE Personal Data Protection Law (PDPL) – Federal Decree-Law No. 45 of 2021
- UAE Data Protection and Digital Authority (DPDA) guidelines
- UAE AML Law – Federal Law No. 10 of 2025
- Apple App Store Privacy Guidelines & Google Play Data Safety requirements
| Term | Definition |
|---|---|
| Client | A business or institution that has contracted with FInchInnovate to use FinchSCAN. |
| Data Controller | The party that decides why and how personal data is processed. Clients are Controllers for their customers' data; FInchInnovate is Controller for platform operations. |
| Data Processor | A party that processes data on behalf of a Controller. FInchInnovate acts as Processor when handling end-user data for Clients. |
| End-User / Data Subject | A natural person whose data is submitted for KYC/KYB screening or verification. |
| KYC | Know Your Customer – individual identity verification. |
| KYB | Know Your Business – corporate entity verification, including UBO identification. |
| PEP | Politically Exposed Person. |
| UBO | Ultimate Beneficial Owner – natural person(s) ultimately owning or controlling a corporate entity. |
| PDPL | UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). |
| DPDA | India's Digital Personal Data Protection Act, 2023 (DPDP Act). |
| Company | FInchInnovate |
| Platform | FinchSCAN (www.finchscan.com) |
| Jurisdiction | United Arab Emirates |
| Data Storage | UAE-based data centre – all data stored within the UAE |
| Privacy Contact | [email protected] |
| Data Protection Officer | [email protected] |
Controller / Processor Relationship: When Clients use FinchSCAN to screen or verify their customers, the Client is the Data Controller and FInchInnovate is the Data Processor. A Data Processing Agreement (DPA) is signed with every Client before processing begins.
4.1 KYC – Individual Identity Data
- Full name, date of birth, nationality, country of residence, email, phone number
- Government-issued ID documents (passport, national ID, Emirates ID, driving licence)
- Document images, MRZ data, NFC chip data
- Facial biometric data and liveness detection data – Video KYC (special category)
- Video recordings of KYC sessions
4.2 KYB – Corporate / Business Data
- Company name, trade licence number, jurisdiction of incorporation
- Certificate of incorporation, memorandum & articles of association, ownership structure
- UBO information – names, ID documents, ownership percentages
- Authorised signatory details
- Sanction and adverse media screening results for the company and its UBOs/directors
- Source of funds and source of wealth declarations (where required)
4.3 AML Screening Data
- Name, aliases, date of birth, nationality submitted for screening
- Results matched against sanctions lists, PEP lists, adverse media, and watchlists
- Risk scores, match reports, and audit trails
4.4 Client Account & Platform Data
- Authorised user names, email addresses, hashed passwords, roles
- Usage logs, audit trails, and access records
- Support communications
4.5 Technical & Device Data
- IP address, device type, operating system, browser information
- Mobile device identifiers (for app usage)
- Session data and crash/error logs
| Purpose | Legal Basis (GDPR) |
|---|---|
| AML/CFT name screening & customer due diligence | Legal Obligation |
| KYC – individual identity verification | Legal Obligation, Consent |
| KYB – corporate entity & UBO verification | Legal Obligation, Contract |
| Video KYC & biometric processing | Explicit Consent, Legal Obligation |
| Ongoing monitoring & risk alerts | Legal Obligation, Legitimate Interest |
| Payment processing via Stripe | Contract Performance |
| SMS notifications (OTP, alerts) | Consent |
The FinchSCAN mobile app uses Video KYC to verify individual identities digitally. This involves collecting biometric data, which is a special category under GDPR and the PDPL.
What Happens During a Video KYC Session
- User opens the FinchSCAN app and grants camera and optionally microphone permission
- A live video session is recorded; the user presents their identity document
- Liveness detection confirms physical presence (not a photo or replay attack)
- Facial biometrics are extracted and matched against the document photo
- Session result is reported to the Client; recording is stored securely in the UAE data centre
Device Permissions Used
| Permission | Usage |
|---|---|
| Camera | Required for video capture, document scanning, and liveness detection. Only active during a KYC session – never in the background. |
| Microphone | May be used during live sessions (if enabled). Not recorded in the background. |
| Photo Library | Not accessed. FinchSCAN does not read your device photo library. |
- Biometric data is classified as sensitive / special category data. Explicit informed consent is obtained before any biometric data is collected.
- All video recordings are encrypted (AES-256 at rest, TLS 1.3 in transit) and stored exclusively in our UAE data centre.
For corporate customers, FinchSCAN collects and processes both entity-level data and personal data of individuals associated with the business (directors, UBOs, authorised signatories) for AML/CFT compliance and customer due diligence.
KYB Data We Process
- Corporate documents: trade licence, certificate of incorporation, ownership chart
- Personal data of UBOs and directors: name, nationality, ID documents, shareholding percentage
- Adverse media and sanctions screening results for the entity and its associated individuals
- Source of funds / source of wealth documentation (where required by the Client's risk framework)
Where UBOs or directors are natural persons, their data is subject to the same protections as individual KYC data – including data subject rights, consent requirements, and retention rules set out in this Policy.
We share limited personal data with the following trusted third-party providers. All providers are bound by data processing agreements and applicable data protection law.
| Third Party | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment gateway – subscription billing & invoicing for Client accounts | Client billing name, email, tokenised card details (raw card data not stored) | USA (EU SCCs / adequacy safeguards apply) |
| SMS Service Provider (e.g. Twilio / similar) | Delivery of OTP codes, verification SMS, and system alert notifications | Mobile phone number only | UAE / Regional |
| Cloud / Infrastructure Provider | Hosting of platform and data storage | All platform data (subject to UAE data residency requirement) | UAE |
| Risk Intelligence Data Providers | Global sanctions, PEP, and adverse media database access for screening | Name, date of birth, nationality (query data only) | International |
| Email Communication Provider | Transactional emails (alerts, reports, account notifications) | Email address, notification content | UAE / Regional |
- Stripe: Used solely for payment processing. We do not store card numbers. Stripe is PCI DSS Level 1 certified. See stripe.com/privacy.
- SMS Provider: Phone numbers are used only to deliver transactional messages – not shared for marketing purposes.
- Data: All data stored within the UAE. International transfers (e.g. to Stripe in the USA) are covered by Standard Contractual Clauses (SCCs) or equivalent PDPL safeguards.
The FinchSCAN mobile app is available on the Apple App Store and Google Play. The following disclosures apply per Apple's App Privacy and Google Play's Data Safety requirements.
| Data Collected | Purpose | Linked to Identity |
|---|---|---|
| Name, email | Account authentication | Yes |
| Identity documents (images) | KYC / KYB verification | Yes |
| Facial biometrics (Video KYC) | Biometric identity verification | Yes |
| KYB corporate documents | Corporate entity verification | Yes |
| Video & audio recordings (KYC sessions) | KYC session audit record | Yes |
| IP address, device identifiers | Security & fraud prevention | No |
| App usage data, crash logs | Performance & debugging | No |
- No advertising: FinchSCAN does not display ads or share data with advertising networks.
- No background tracking: Camera and microphone are used only during active KYC sessions.
- Third-party SDKs are prohibited from using end-user data for their own purposes.
| Data Category | Retention Period |
|---|---|
| KYC successful verification | 7 years |
| KYC unsuccessful verification | 12 months |
| KYB successful verification | 7 years |
| KYB unsuccessful verification | 12 months |
| Beneficial owner data | 7 years |
| Identity documents (scans) | 7 years |
| Facial biometric data (video/images) | 24 months (success); 12 months (fail) |
| Sanctions screening results | 7 years |
| PEP screening results | 7 years |
| Adverse media screening | 3 years |
| Ongoing monitoring records | 7 years |
| Transaction data | 7 years |
| Payment records & invoices | 7 years |
| Fraud investigation files | 7 years min |
| Regulatory investigation | 7 years+ |
| Audit logs & access records | 3 years min |
| Support / communication | 3 years |
| IP address & device logs | 90 days |
| Analytics & cookies | 12 months |
After the retention period, data is securely deleted or anonymised. Clients may specify shorter retention periods in their DPA where not conflicting with legal minimums.
Under GDPR and UAE PDPL, you have the following rights:
- Request a copy of your personal data we hold.
- Ask us to correct inaccurate or incomplete data.
- Request deletion of your data.
- Ask us to limit processing in certain circumstances.
- Receive your data in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time for consent-based processing.
- Not be subject to purely automated decisions with significant legal effect.
To exercise your rights, email [email protected] with subject line 'Data Subject Rights Request'.
We respond within 30 days and may ask for proof of identity to protect your data. If your data was submitted by a Client for screening, please contact that Client directly – they are the Data Controller responsible for your data.
The FinchSCAN web platform uses cookies for:
- Session management and authentication – strictly necessary, cannot be disabled
- Platform performance analytics – aggregated, anonymised data only
- Security and fraud detection
- User preferences and settings
You can manage cookie preferences in the Cookie Settings panel within the platform or via your browser settings.
FinchSCAN is a B2B compliance platform and is not directed at persons under 18. We do not knowingly collect personal data from minors. If a Client's KYB/KYC process incidentally involves minor-related data, it is processed solely on the Client's lawful instructions.
Contact [email protected] if you believe minor data has been collected in error.
We may update this Policy at any time. Where changes are material, we will notify Clients by email or in-platform notice at least 30 days before changes take effect.
The 'Last Updated' date at the top of this document will always reflect the current version. Continued use of the platform after the effective date constitutes acceptance of the updated Policy.
We acknowledge all privacy enquiries within 5 business days and aim to resolve complaints within 30 calendar days.
