Privacy Policy
How identiqa collects, processes, and protects personal data. Written to comply with the EU General Data Protection Regulation (GDPR), the EU ePrivacy Directive, and applicable national supplementary laws.
- 01Data Controller
- 02Data Protection Officer
- 03Scope of this policy
- 04Categories of data we process
- 05Purposes & lawful bases
- 06Cookies & tracking
- 07Recipients & sub-processors
- 08International transfers
- 09Retention periods
- 10Your rights
- 11Security measures
- 12Minors
- 13Changes to this policy
- 14Contact & complaints
Data Controller
The controller responsible for processing personal data on this website and through identiqa services, within the meaning of Article 4(7) GDPR, is:
[Registered office address] [review]
Dublin, Ireland
Company number: [IE company number] [review]
VAT: [IE VAT number] [review]
Email: privacy@identiqa.com
General contact: hello@identiqa.com
For B2B customer relationships, the contracting entity is typically Identiqa EU Ops Ltd. (Ireland), which acts as data processor on behalf of customers under separate Data Processing Agreements (DPAs). This privacy policy covers the controller activities of Identiqa Holding Ltd. relating to the website, marketing, and pre-sales communication.
Data Protection Officer
Identiqa has appointed a Data Protection Officer (DPO) in accordance with Article 37 GDPR. The DPO is reachable at:
Identiqa Holding Ltd.
Email: dpo@identiqa.com
Postal: [DPO postal address] [review — can be company address marked "FAO Data Protection Officer"]
You may contact the DPO directly with any privacy-related questions, requests to exercise your rights, or concerns about how we handle personal data.
Scope of this policy
This privacy policy applies to:
- Visitors to identiqa.com and its language-specific subdirectories (e.g., /de)
- Subscribers to identiqa newsletters and threat briefings
- Prospects who contact us through forms, email, phone, or other channels
- Users of our customer portal (CyberHub) for account-related information
- Participants in identiqa community programs (e.g., CISO Digital community)
For personal data processed by identiqa as a data processor on behalf of customers (e.g., security telemetry, log data, account information processed within ProtectionGrid modules), the relevant Data Processing Agreement and customer-side privacy policy apply.
Categories of data we process
We process the following categories of personal data, depending on how you interact with us:
4.1 Website usage data
| Category | Examples | Source |
|---|---|---|
| Technical data | IP address (truncated), browser type, OS, device type, referrer URL, timestamps | Automatic |
| Behavioural data | Pages visited, time on page, click paths, scroll depth (only if you consent to performance cookies) | Automatic |
| Consent records | Cookie consent state, timestamp of consent, consent version | Automatic |
4.2 Communication data
| Category | Examples | Source |
|---|---|---|
| Contact data | Name, email, phone (optional), company, role, country | You (via form or email) |
| Inquiry content | Free-text messages, attached files, security context you share with us | You |
| Communication history | Records of email exchanges, call notes, meeting summaries | Automatic + manual |
4.3 Newsletter & marketing data
| Category | Examples | Source |
|---|---|---|
| Subscription data | Email, name, opt-in timestamp, language preference | You |
| Engagement data | Whether emails are opened, links clicked (only with consent) | Automatic |
4.4 Customer portal & account data
If you have an identiqa account or use our customer portal, we process additional account-related data (login credentials, account settings, usage logs). The detailed handling of this data is governed by the relevant service contract and Data Processing Agreement.
Purposes & lawful bases
We process personal data only when we have a lawful basis under Article 6 GDPR. The following table summarizes our processing activities:
| Purpose | Lawful basis | Categories of data |
|---|---|---|
| Operating the website (delivering pages, security, error handling) | Legitimate interest, Art. 6(1)(f) GDPR | Technical data |
| Analytics & site improvement (only with your consent) | Consent, Art. 6(1)(a) GDPR | Behavioural data |
| Responding to inquiries (sales, support, partnership) | Pre-contractual measures, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR | Contact data, inquiry content |
| Newsletter delivery | Consent, Art. 6(1)(a) GDPR | Subscription data, engagement data |
| Customer relationship management | Contract, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR | Communication history, account data |
| Legal compliance (tax records, regulatory reporting) | Legal obligation, Art. 6(1)(c) GDPR | As required by law |
| Defence of legal claims | Legitimate interest, Art. 6(1)(f) GDPR | As relevant to the case |
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal. Where processing is based on legitimate interest, you have the right to object — see Section 10.
Cookies & tracking
We use cookies and similar technologies on identiqa.com. Cookies are categorized into:
- Necessary cookies — required for the website to function (session state, security, your consent choice itself). These are set without consent under Art. 6(1)(f) GDPR and § 25(2) TTDSG (where applicable).
- Performance cookies — help us understand how the website is used (anonymized analytics). Set only with your consent.
- Marketing cookies — enable personalized content and cross-platform measurement (e.g., LinkedIn Insight Tag, Meta Pixel). Set only with your consent.
You can manage your cookie preferences at any time via the Cookie Settings link in the footer or here in this policy.
Detailed information about specific cookies set, their purpose, provider, and storage duration is available in our cookie banner settings dialog. [review — for full transparency, a separate cookie list with all sub-providers should be maintained and linked here once finalized]
Recipients & sub-processors
We share personal data only with carefully selected service providers (sub-processors) who help us deliver our services. All sub-processors are bound by Data Processing Agreements under Article 28 GDPR. The following categories of recipients receive personal data:
| Category | Purpose | Location |
|---|---|---|
| Hosting infrastructure | Website delivery, customer portal hosting | EU (own data centres in DE, IE, PT, CY) |
| Email delivery providers [review] | Newsletter, transactional emails | EU |
| CRM provider [review] | Customer relationship management | EU |
| Analytics providers [review] | Website analytics (with consent) | EU |
| Insurance partners | Cyber insurance referrals (only with explicit request) | EU |
| Identiqa group entities | EU Ops Ltd. (IE), IP Ltd. (CY), country GmbHs (DE, AT, CH) | EU |
| Auditors & legal advisors | As needed for compliance, where personal data is involved | EU |
A complete and current list of all sub-processors is maintained as part of our Sub-Processor Register available to customers under their Data Processing Agreement. [review — link to public sub-processor list once available]
International transfers
Identiqa's infrastructure operates exclusively within the European Economic Area (EEA). Personal data is not transferred outside the EEA as part of identiqa's core operations.
In the limited cases where transfers may occur (e.g., specific third-party tools that have not yet been replaced with EU-only alternatives, or service partners in non-EEA countries), we ensure such transfers are protected by:
- Adequacy decisions of the European Commission (Art. 45 GDPR), where applicable;
- Standard Contractual Clauses (SCCs) adopted by the European Commission, in conjunction with appropriate supplementary measures (Art. 46 GDPR); or
- Your explicit consent (Art. 49(1)(a) GDPR) where no adequacy or appropriate safeguards apply.
Customers and prospective customers can request the current list of any non-EEA transfers as part of due diligence by contacting dpo@identiqa.com.
Retention periods
We retain personal data only as long as necessary for the purposes set out above, or as required by law. Specifically:
| Data category | Retention period | Reason |
|---|---|---|
| Web server logs | 30 days | Security, troubleshooting |
| Cookie consent records | 13 months | Demonstrating consent |
| Analytics data (with consent) | 14 months | Trend analysis |
| Contact form submissions | 3 years after last contact | Sales follow-up, legitimate interest |
| Newsletter subscriber data | Until unsubscribe + 30 days | Honoring opt-out |
| Customer account data | Duration of contract + 6 years | Legal obligations (Irish/EU bookkeeping rules) |
| Tax-relevant records | 10 years | Statutory tax law (varies by jurisdiction) |
[review — retention periods should be verified against Irish bookkeeping law and any sector-specific obligations]
Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — to confirm whether we process your personal data and obtain a copy;
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data;
- Right to erasure (Art. 17) — to have your data deleted, subject to legal retention obligations;
- Right to restriction (Art. 18) — to limit processing in specific situations;
- Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format;
- Right to object (Art. 21) — to object to processing based on legitimate interests, including direct marketing;
- Right to withdraw consent (Art. 7) — at any time, without affecting processing prior to withdrawal;
- Right not to be subject to automated decision-making (Art. 22) — including profiling, where it produces legal or similarly significant effects.
To exercise any of these rights, please contact privacy@identiqa.com or our DPO at dpo@identiqa.com. We respond to all requests within one month, in line with Art. 12(3) GDPR.
You also have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for identiqa is the Irish Data Protection Commission (www.dataprotection.ie). You may also contact the supervisory authority of your habitual residence or place of work.
Security measures
identiqa is a cybersecurity company. We apply the same security standards to our own systems that we offer to customers. Specifically:
- Hybrid post-quantum encryption for all data in transit (TLS with classical + ML-KEM) and data at rest;
- Strict access controls with multi-factor authentication, role-based access, and full audit logging;
- EU-only personnel with production access, employed under EU labour law, with documented background checks;
- Continuous threat monitoring via our own AI security platform (Aura);
- Regular penetration testing and security audits, including external assessments;
- Incident response procedures including notification to data subjects and supervisory authorities within 72 hours where required (Art. 33–34 GDPR).
For full technical and organizational measures (TOMs), customers can request our security documentation under NDA.
Minors
identiqa services and this website are directed at business and government customers — not consumers, and not minors. We do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a minor has provided personal data to us, please contact the DPO immediately so we can take appropriate action.
Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, services, or legal requirements. Material changes will be communicated through our website (and, where appropriate, by email to active users). The "Effective date" at the top of this page indicates when the current version became effective.
Earlier versions of this policy are archived and available on request.
Contact & complaints
For any privacy-related questions, requests, or complaints, please use one of the following:
Email: privacy@identiqa.com
Data Protection Officer
Email: dpo@identiqa.com
Postal address
Identiqa Holding Ltd.
FAO: Data Protection Officer
[Registered office address] [review]
Dublin, Ireland
Supervisory authority
Irish Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, Ireland
www.dataprotection.ie
