Privacy Policy

1. Our Role

Depending on the context, Asteria Limited (HK) may act as an independent controller, processor, service provider, or another legally recognized role.

For website visitors and business contacts, we generally determine how and why personal data is processed.

For End User verification data submitted by Customers, the Customer generally determines the purpose and legal basis of processing, while ASTERIA KYC processes the data to provide contracted services, unless otherwise required by law or agreed in writing.

Customers are responsible for providing their own privacy notices to End Users and for obtaining any required consent or other legal basis before submitting data to ASTERIA KYC.

2. Personal Data We May Process

We may process the following categories of personal data, depending on the Services used:

a. Identity data, such as name, date of birth, nationality, gender, identity number, document number, issuing country, issuing authority, expiry date, and other information appearing on identity documents.

b. Contact data, such as business email address, phone number, company name, job title, and communication records.

c. Document data, such as passport, national ID card, driver’s license, residence permit, proof of address, corporate documents, tax documents, or other documents submitted for verification.

d. Image and video data, such as selfies, facial images, short video clips, liveness frames, document images, and images used to compare identity document photos with live capture images.

e. Biometric-related data, such as face geometry signals, liveness indicators, similarity scores, anti-spoofing signals, and technical measurements used for identity verification and fraud prevention.

f. Screening and risk data, such as sanctions screening results, politically exposed person indicators, adverse media indicators, fraud signals, risk scores, watchlist match indicators, review notes, and compliance statuses.

g. Device and technical data, such as IP address, browser type, device type, operating system, session information, log data, timestamps, user agent, language preference, and security event data.

h. Usage data, such as pages viewed, dashboard actions, API usage, feature interaction, workflow status, and support interactions.

i. Customer account data, such as administrator names, user roles, permissions, organization information, billing-related information, and contract-related information.

3. How We Collect Personal Data

We may collect personal data:

• directly from Customers, End Users, website visitors, or business contacts
• through Customer integrations using API or SDK tools
• through verification workflows and document upload flows
• through dashboard, account, and support interactions
• from service providers and infrastructure systems
• from screening databases, fraud prevention sources, or compliance data providers where enabled by the Customer
• automatically through cookies, logs, analytics tools, and security monitoring systems

4. Purposes of Processing

We may process personal data for the following purposes:

• providing identity verification and KYC workflows
• verifying identity documents
• performing liveness detection and biometric comparison
• detecting fraud, spoofing, document tampering, account abuse, and suspicious activity
• supporting AML, sanctions, PEP, adverse media, and risk screening workflows
• generating verification results, risk indicators, and review statuses
• enabling case management, audit trails, reporting, and compliance review
• maintaining website, dashboard, API, SDK, and service functionality
• providing customer support and technical assistance
• improving security, service reliability, and operational performance
• managing contracts, accounts, billing, and customer communications
• complying with legal obligations, regulatory requests, court orders, and lawful investigations
• enforcing agreements, policies, and acceptable use requirements
• improving product functionality, analytics, and user experience where permitted by law
• protecting the rights, property, safety, and security of ASTERIA KYC, Customers, End Users, and the public

5. Legal Bases for Processing

Depending on the jurisdiction and context, processing may be based on:

• performance of a contract
• consent
• legitimate interests
• compliance with legal obligations
• prevention of fraud and security threats
• substantial public interest or regulatory compliance where applicable
• another lawful basis identified by the Customer

Where ASTERIA KYC processes data on behalf of a Customer, the Customer is responsible for identifying and documenting the applicable legal basis for End User data processing.

6. Biometric and Liveness Processing

ASTERIA KYC may process biometric-related information and liveness signals to help determine whether a person is present, whether an image or video is genuine, whether a document holder matches the person undergoing verification, and whether presentation attack indicators are present.

Biometric and liveness technologies may involve facial comparison, image quality checks, anti-spoofing detection, motion or depth-related signals, device-based signals, and similarity scoring.

Customers must ensure that End Users receive legally adequate notice and, where required, provide consent before biometric-related processing occurs.

7. Automated Processing and Human Review

ASTERIA KYC may generate automated scores, risk indicators, match signals, and workflow statuses. These outputs are intended to support Customer review and operational decision-making.

Customers should not rely solely on automated outputs where human review is required by law, appropriate due to risk level, or necessary to prevent unfair outcomes. Customers remain responsible for final decisions relating to onboarding, rejection, suspension, escalation, account closure, or transaction handling.

8. Cookies and Website Technologies

We use cookies and similar technologies to operate the website, remember preferences, support security, analyze traffic, and improve user experience. More information is provided in the Cookie Policy.

9. Sharing of Personal Data

We may share personal data with:

• Customers that submit or control the relevant verification workflow
• infrastructure, hosting, storage, and security providers
• communications, support, and operational vendors
• analytics and performance monitoring providers
• screening, fraud prevention, and compliance data providers where enabled
• professional advisers, auditors, insurers, or legal representatives
• regulators, law enforcement, courts, government agencies, or competent authorities where required by law
• corporate transaction parties in connection with a merger, acquisition, restructuring, financing, or sale of assets, subject to appropriate safeguards

We do not sell personal information.

10. International Transfers

Personal data may be processed in jurisdictions outside the location where it was collected. Where required, ASTERIA KYC and its Customers are responsible for implementing appropriate safeguards for cross-border data transfers, such as contractual safeguards, transfer assessments, or other mechanisms recognized by applicable law.

11. Data Retention

We retain personal data for as long as reasonably necessary for service delivery, security, fraud prevention, audit, legal compliance, dispute resolution, and contractual purposes. Retention periods may vary depending on the type of data, Customer instructions, regulatory requirements, risk indicators, and operational needs.

Where ASTERIA KYC processes Customer-controlled data, retention may be governed by Customer configuration, contractual terms, legal obligations, and the Data Retention Policy.

12. Security Measures

ASTERIA KYC uses administrative, technical, and organizational safeguards designed to protect personal data from unauthorized access, loss, misuse, alteration, or disclosure. Measures may include access controls, encryption, logging, monitoring, role-based permissions, secure development practices, vulnerability management, and incident response procedures.

No system is completely secure. Customers must also maintain appropriate security measures for their own systems, integrations, devices, users, and credentials.

13. Your Rights

Depending on applicable law, individuals may have rights to access, correct, delete, restrict, object to processing, withdraw consent, request portability, or lodge a complaint with a supervisory authority.

Where ASTERIA KYC processes End User data on behalf of a Customer, requests should generally be directed to the Customer, as the Customer controls the verification relationship and legal basis for processing.

We may assist Customers in responding to valid data rights requests where required by applicable agreement or law.

14. Children

ASTERIA KYC is intended for business and compliance use. The Services are not directed to children. Customers must not submit data relating to minors unless they have a valid legal basis, required authorization, and appropriate safeguards.

15. Customer Administrator Data

If you are a Customer administrator or business contact, we may process your name, business email, company details, job title, access logs, support requests, and usage data to manage your account, provide support, secure the Services, and communicate with you.

16. Marketing Communications

We may send business communications about ASTERIA KYC services, updates, events, or relevant content where permitted by law. You may opt out of marketing communications using the unsubscribe mechanism or by contacting us. Operational, security, legal, or service-related communications may still be sent where necessary.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Updated versions will be posted on the website with a revised effective date. Continued use of the website or Services after publication indicates acknowledgment of the updated policy.