Privacy Policy

Last updated: June 2026

How Hypersign collects, uses, stores, discloses, and deletes personal data across all products and services. Applies to website visitors, API customers, business partners, and end users going through a Hypersign-powered verification flow.

1. Who We Are

Hypersign operates through three legal entities depending on the jurisdiction of the customer or end user. The entity that acts as data controller or processor for your data depends on where you or your end users are located.

Region | Entity | Registered Address
European Union & EEA | Hypermine Labs UG | 21 Wasserturmstrasse, Trudering-Reim, Munich, Germany
Asia-Pacific | Hypermine Technologies Private Ltd | 2214, 21st Floor, Tower 2, Sobha City, Bengaluru, India
Middle East & Africa | Hypermine MEA FZCO | A2, Building 2, Dubai Silicon Oasis, Dubai, UAE

When in doubt about which entity governs your data, contact us at privacy@hypermine.de and we will direct your request to the correct entity.

Contact Points

  • General privacy: privacy@hypermine.de
  • Data Protection Officer: dpo@hypermine.de
  • Security incidents: security@hypermine.de
  • Legal & contracts: legal@hypermine.de

2. Scope and Our Role

This policy applies to:

  • Visitors to hypersign.id and all associated web properties
  • Customers using the Hypersign API, dashboard, or SDKs
  • Business contacts and partners
  • End users who go through an identity verification flow powered by Hypersign

Hypersign acts in one of three roles depending on context:

Role | Context
Controller | When we process data to operate our own website, marketing, support, and business relationships
Processor | When we process end-user verification data on behalf of a customer (the customer is the controller)
Independent Controller | When we process data for platform security, fraud prevention, and regulatory compliance

3. Categories of Personal Data We Process

Identifiers & contact information
Name, email address, phone number, postal address, government-issued ID number.
Business & account data
Company name, job title, billing information, API credentials, account activity logs.
Verification data
Identity document images (passport, national ID, driver's licence, residence permit), document fields extracted via OCR and MRZ, questionnaire responses, watchlist screening inputs and results, KYB filings, UBO records.
Biometric & liveness data
Facial images and video frames captured during liveness checks, anti-spoofing signals, 1:1 face match scores. Processed under the stricter requirements of GDPR Article 9, BIPA, CUBI, and Washington H.B. 1493.
Device, network & technical data
IP address, browser type, device identifiers, operating system, session timestamps, VPN/proxy signals, geolocation derived from IP.
Communications & support data
Emails, chat messages, and support tickets exchanged with Hypersign.
Third-party & public-source data
Sanctions lists, PEP databases, adverse media sources, public business registries (for KYB).
Recruitment data
CV, work history, and interview notes for job applicants.

4. How We Use Personal Data

Website and service operation
Account creation, authentication, billing, dashboard functionality, and customer support.
Identity and fraud infrastructure services
Running KYC, KYB, AML screening, liveness detection, face match, document verification, and transaction monitoring on behalf of customers.
Platform security and abuse prevention
Detecting fraudulent sessions, blocking bad actors, preventing API abuse, and protecting end users.
Model improvement
Hypersign may use anonymised or pseudonymised data to improve the accuracy of its models. Data used for this purpose cannot reasonably be linked back to an identifiable individual. You may opt out — see Section 11.
Business communications
Responding to sales enquiries, sending product updates, and maintaining business relationships.
Recruiting and hiring
Evaluating job applications and conducting interviews.
Legal compliance
Meeting obligations under GDPR, AMLD6, eIDAS 2.0, DPDP (India), UAE PDPL, and other applicable laws.

6. How We Disclose Personal Data

To customers
Verification results and extracted data are returned to the customer who initiated the session. The customer is the controller of that data.
To Hypersign group entities
Data may be shared within the Hypermine group (Germany, India, UAE entities) for service delivery and support.
To service providers & sub-processors
Hypersign uses sub-processors for cloud infrastructure, communication tools, and analytics. Access to the full sub-processor list requires a signed NDA — email legal@hypermine.de to request it.
To professional advisers
Lawyers, accountants, and auditors under confidentiality obligations.
To authorities
When required by law, court order, or regulatory obligation.
In M&A transactions
To successors or acquirers in the event of a merger, acquisition, or asset sale.

Hypersign does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.

7. International Transfers

Where personal data is transferred outside the country of collection, Hypersign relies on:

  • EU: Adequacy decisions, Standard Contractual Clauses (SCCs), and intra-group data transfer agreements
  • India: Transfers governed by the Digital Personal Data Protection Act 2023 (DPDP) and associated rules
  • UAE: Transfers governed by the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)

Customers can configure data residency to keep verification data within the EU by default (AWS eu-central-1, Frankfurt).

8. Retention

Data Category | Default Retention
Verification session data | Configurable: 30 days to 10 years, or indefinite
Biometric data | Subject to stricter caps under GDPR Art. 9, BIPA, CUBI, Washington H.B. 1493
Account and billing data | Duration of the customer relationship plus applicable statutory period
Marketing and communication data | Until opt-out or 3 years from last interaction
Recruitment data | 6 months from final decision unless consent is given for longer

Per-session deletion is available via API. Customers can configure their own retention window from the dashboard.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request that inaccurate data is corrected.
  • Deletion — Request erasure of your personal data.
  • Restriction — Request that we stop actively processing your data.
  • Objection — Object to processing based on legitimate interests.
  • Portability — Receive your data in a machine-readable format.
  • Withdraw consent — At any time where processing is based on consent.
  • Automated decisions — Request human review of any automated decision.

How to exercise your rights: Email privacy@hypermine.de. We will respond within 30 days (EU: one calendar month).

When Hypersign acts as a processor: Rights requests relating to verification data must be directed to the customer who conducted the verification. Hypersign will assist customers in responding to those requests where required.

Supervisory Authorities

Region | Authority
Germany / EU | Bavarian State Office for Data Protection Supervision (BayLDA) or the Federal Commissioner for Data Protection (BfDI)
India | Data Protection Board of India (under DPDP Act 2023)
UAE | UAE Data Office

10. Cookies and Similar Technologies

Hypersign uses cookies and similar technologies on its website and dashboard. Full details, including a list of cookies by category and how to manage them, are set out in the Cookies Policy.

Hypersign respects Global Privacy Control (GPC) signals on browsers that support it.

11. Anonymised Model Training and Fraud Detection — Your Opt-Out

Hypersign may use pseudonymised or anonymised verification data to improve its fraud detection and identity verification models. This is based on legitimate interests. Data used for this purpose cannot reasonably be linked back to an identifiable individual.

Opt-out. Submit a deletion request via the Hypersign API, or email privacy@hypermine.de with the subject line "Model Training Opt-Out." Opt-outs apply prospectively from the date of the request.

India

DPDP Addendum

Applies to customers and end users located in India under the Digital Personal Data Protection Act 2023.

In addition to the rights in Section 9:

  • You have the right to appoint a nominee to exercise your data rights in the event of death or incapacity.
  • Hypersign will notify the Data Protection Board and affected individuals in the event of a personal data breach.
  • Children's data (under 18) will not be processed without verifiable parental consent.
  • Hypersign does not engage in behavioural monitoring of children.

California

CCPA / CPRA Addendum

Applies to California residents under the California Consumer Privacy Act and California Privacy Rights Act.

Hypersign does not sell or share personal information as defined by the CCPA/CPRA. Sensitive personal information is used only for permitted purposes. California residents have the right to know, delete, correct, and obtain portability of their personal information, and will not be discriminated against for exercising these rights.

14. Security

Hypersign applies administrative, technical, and organisational safeguards appropriate to the sensitivity of the data processed:

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Biometric data stored under a separate Customer Master Key (KMS)
  • Role-based access control and environment separation
  • Continuous monitoring and alerting
  • Quarterly penetration testing

Hypersign maintains the following security certifications:

  • SOC 2 Type 1 (Type 2 in progress)
  • ISO/IEC 27001:2022
  • iBeta Level 1 PAD (ISO/IEC 30107-3)

Full details are set out in the Information Security Policy.

15. Children

Hypersign's public website and standard API services are not directed at children under 16 (or the applicable minimum age in the relevant jurisdiction). Customers may use Hypersign for age verification purposes only with an appropriate legal basis and in compliance with applicable children's privacy laws.

16. Changes to This Privacy Policy

Hypersign updates this policy periodically. The effective date is shown at the top of the page. Material changes will be communicated by email to registered customers and/or by a prominent notice on the website, as required by applicable law.
