Privacy Policy - SIROS ID Platform

Effective Date: 2026-01-13
Last Updated: 2026-01-13

At SIROS, located at Bredgränd 4, 111 30 Stockholm, Sweden, we believe your identity belongs to you. This Privacy Policy explains how we collect, protect, and handle your sensitive personal information when you use the SIROS ID Platform (the "Product" or "Service"). We are committed to transparency and to protecting your privacy in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679 in Europe, and to meeting the requirements of recognized Trust Frameworks where applicable.

This Privacy Policy forms an integral part of your agreement with SIROS, alongside our End User License Agreement (EULA).

By using the SIROS ID Platform, you acknowledge that you have read and understood this Privacy Policy.

Introduction

This Privacy Policy describes how SIROS processes personal data when you use the SIROS ID Platform (the “Product” or “Service”). It explains what categories of personal data we collect, why we collect it, how we use it, and when it may be shared in limited circumstances.

This Policy also explains how SIROS protects personal data through technical and organizational security measures, how long data is retained, and how data is deleted or anonymized in accordance with the retention and destruction practices described in this document. Where relevant, it addresses cross-border data transfer practices and your rights under applicable data protection laws, including the GDPR (EU) 2016/679.

This Privacy Policy forms part of your agreement with SIROS and should be read together with the End User License Agreement (EULA). If you have questions or wish to exercise your data protection rights, you can contact SIROS using the contact details provided in Section 10.

  1. Data We Collect

To provide a secure digital identity and enable the functionality of the SIROS ID Platform, we collect the following categories of information. Handling such Sensitive Personal Information (SPI) requires stringent legal and technical safeguards.

1.1 Identity Documents: With your explicit consent, we may process digital copies of government-issued IDs, such as a passport, driver's license, or national ID card, along with the data contained within them (e.g., full name, date of birth, nationality, document number, expiry date, photo) for the purpose of issuing digital credentials to your identity wallet that you can use to identify yourself to third-party services outside the SIROS ID Platform. Such credentials are only accessible by you. Digital copies of identity documents are never processed outside our servers.

1.2 Biometric Data: With your explicit consent, we may process biometric identifiers such as facial geometry or fingerprint scans for the purpose of authenticating an identity document such as a passport, driver's license, or other ICAO document that carries biometric verification data. Such processing is always done using our own technical infrastructure. Biometric data is never processed outside our servers. Biometric data is only kept for as long as is necessary to perform a validation of an identity document.

1.3 Technical Data: Your IP address, device type, operating system version, and unique device identifiers to ensure secure connections, prevent fraud, and optimize service delivery.

Privacy Policy v1.0 - Jan 2026 Document Owner: SIROS Legal

1.4 Verification Logs: A history of when and with whom you shared your credentials (including timestamp and recipient only) and the logs that are mandatory under law, such as the Implementing Regulation (EU) 2024/2979. These logs are only accessible by you.

1.5 Account Information: Information necessary to create and maintain your account, such as your FIDO public keys.

1.6 Communication Data: Records of your communications wit

  2. How We Use Your Data (Purpose of Processing)

We use your information strictly for the following purposes, based on your consent, contractual necessity, legal obligations, or our legitimate interests:

2.1 Identity Verification: To confirm that the person using the SIROS ID Platform matches the identity documents provided, to ensure the integrity of your digital identity, to prevent fraud, and to verify age where required.

2.2 Authentication: To allow you to securely log in to the SIROS ID Platform and to use your digital ID for authentication with third-party services when authorized by you.

2.3 Security and Fraud Prevention: To detect and block suspicious login attempts, fraudulent document uploads, deepfakes, or "spoofing" techniques, and other malicious activities, protecting both you and the integrity of the SIROS ID Platform.

2.4 Legal Compliance: To comply with GDPR, "Know Your Customer" (KYC) and Anti-Money Laundering (AML) regulations, and other legal or regulatory obligations where applicable.

2.5 Service Improvement: To monitor, analyze, and improve the performance, features, and security of the SIROS ID Platform.

  4. Sharing Your Information (Disclosure of Sub-Processors)

We only share your data in the following limited circumstances:

4.1 With Your Explicit Consent: We only release specific identity attributes (such as "Over 18 status," "Full Name," or other attributes) to third-party "Relying Parties" (e.g., banks, rental agencies, government services) when you explicitly authorise the share within the SIROS ID Platform. You are always in control of what information is shared and with whom.

4.2 With Trusted Service Providers (Sub-Processors): We may share your encrypted data with trusted third-party vendors and service providers who assist us in operating the SIROS ID Platform. These include:

  • Cloud hosting providers

  • Biometric verification engines

  • OCR (Optical Character Recognition) services for document analysis

  • Government database checks for identity validation

  • Customer support platforms

These sub-processors are contractually bound to protect your data, maintain confidentiality, and are prohibited from using your data for their own purposes. They are obligated to maintain the same level of data protection as outlined in this policy.

4.3 For Legal Requirements: If required by a valid subpoena, court order, governmental request, or to comply with applicable laws and regulations. We will make reasonable efforts to notify you before disclosing your data under such circumstances, unless legally prohibited from doing so.

4.4 Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company. We will ensure that the acquiring entity is bound by privacy obligations consistent with this Policy.

  5. Cross-Border Data Transfers

Your data will be exclusively maintained in the EU/EEA region by cloud providers that have their legal presence, operations, and infrastructure in the EU/EEA.

  6. Data Retention and Destruction Schedule

6.1 Identity Data: We retain your identity attributes and other personal data only for as long as your account is active and necessary to provide you with the Service or until the initial purpose for collecting it has been satisfied (e.g., completion of a specific KYC check).

6.2 Deletion: If you request account deletion, we will purge your personal data from our systems within 30 days, unless we are legally required to retain it for audit purposes or other legitimate reasons (e.g., fraud prevention, dispute resolution, or compliance with statutory retention periods such as 5-7 years for financial compliance if applicable to the service provided). Data retained for legal reasons will be securely archived, subject to strict access controls, and only accessed as required by law.

6.3 Data Destruction: After the retention period, data is permanently deleted or anonymized using industry-standard wiping protocols to ensure it cannot be reconstructed.

6.4 Anonymized Data: We may retain anonymized and aggregated data for analytical purposes, which cannot be used to identify you.

  7. Your Rights (GDPR and Other Applicable Laws)

Depending on your location and applicable data protection laws (e.g., GDPR in Europe), you have certain rights regarding your personal data:

7.1 Right to Access: You can request a copy of the personal data we hold about you.

7.2 Right to Rectification: You can request that inaccurate personal data about you be corrected.

7.3 Right to Erasure ("Right to Be Forgotten"): You can request that we delete your personal information, subject to certain legal obligations to retain data.

7.4 Right to Restrict Processing: You can request that we limit the processing of your personal data under certain conditions.

7.5 Right to Data Portability: You can request to receive your digital identity data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller.

7.6 Right to Object: You can object to the processing of your personal data under certain conditions.

7.7 Right to Withdraw Consent: You can revoke your permission to process your biometrics or other consent-based processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

7.8 Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us using the details provided in Section 10.

  8. Security Measures and Breach Notification

We employ industry-standard security practices and cutting-edge technologies to protect your data, including:

8.1 End-to-End Encryption: Your data is protected by AES-256 encryption at rest and TLS 1.2+ encryption in transit.

8.2 Zero-Knowledge Architecture: Where technically possible and appropriate for our service, we design our systems so that even SIROS cannot access or view your private identity data in its raw form.

8.3 Access Controls and Audits: Strict access controls, regular security audits, and employee training are in place to ensure only authorized personnel can access sensitive data, and only when necessary.

8.4 Secure Development: Our development processes integrate security best practices to build secure products from the ground up.

8.5 Data Breach Notification: In the event of a confirmed data breach that compromises your sensitive personal information, we will notify you and the relevant regulatory authorities within 72 hours of discovery, in accordance with applicable law.

  9. Children's Privacy

The SIROS ID Platform is not intended for use by individuals under the age of 18 without the explicit permission and oversight of a legal guardian. We do not knowingly provide services to children without the consent of a legal guardian. If we become aware that we have inadvertently provided services to a minor without the permission of a legal guardian, we will take steps to delete such accounts and suspend service as quickly as possible.

  10. Contact Us and Data Protection Officer (DPO)

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, or if you wish to exercise your data protection rights, please contact us:

Data Protection Officer (DPO) / Privacy Contact:

Email: legal@siros.org

Physical Address:
Bredgränd 4
111 30 Stockholm Sweden

Contact

Bredgränd 4

111 30 Stockholm

Sweden


info@siros.org
