A new approach to cybersecurity

For Business → ProtectionGrid For Large Corporates → ProtectionGrid For Law Enforcement → Intelligence For Governments → Intelligence

Legal · Privacy Policy

Privacy Policy

How identiqa collects, processes, and protects personal data. Written to comply with the EU General Data Protection Regulation (GDPR), the EU ePrivacy Directive, and applicable national supplementary laws.

Effective date: 1 May 2026 Last updated: 1 May 2026 Version: 1.0

Draft for legal review. This privacy policy is a professional draft based on standard GDPR requirements. Before going live, it must be reviewed and finalized by a qualified data protection lawyer who can verify the specific data flows, sub-processors, and operational practices match what is stated here. Sections marked with [review] require company-specific input.

Table of contents

01Data Controller
02Data Protection Officer
03Scope of this policy
04Categories of data we process
05Purposes & lawful bases
06Cookies & tracking
07Recipients & sub-processors
08International transfers
09Retention periods
10Your rights
11Security measures
12Minors
13Changes to this policy
14Contact & complaints

Data Controller

The controller responsible for processing personal data on this website and through identiqa services, within the meaning of Article 4(7) GDPR, is:

Identiqa Holding Ltd.
[Registered office address] [review]
Dublin, Ireland
Company number: [IE company number] [review]
VAT: [IE VAT number] [review]

Email: privacy@identiqa.com
General contact: hello@identiqa.com

For B2B customer relationships, the contracting entity is typically Identiqa EU Ops Ltd. (Ireland), which acts as data processor on behalf of customers under separate Data Processing Agreements (DPAs). This privacy policy covers the controller activities of Identiqa Holding Ltd. relating to the website, marketing, and pre-sales communication.

Data Protection Officer

Identiqa has appointed a Data Protection Officer (DPO) in accordance with Article 37 GDPR. The DPO is reachable at:

Data Protection Officer
Identiqa Holding Ltd.
Email: dpo@identiqa.com
Postal: [DPO postal address] [review — can be company address marked "FAO Data Protection Officer"]

You may contact the DPO directly with any privacy-related questions, requests to exercise your rights, or concerns about how we handle personal data.

Scope of this policy

This privacy policy applies to:

Visitors to identiqa.com and its language-specific subdirectories (e.g., /de)
Subscribers to identiqa newsletters and threat briefings
Prospects who contact us through forms, email, phone, or other channels
Users of our customer portal (CyberHub) for account-related information
Participants in identiqa community programs (e.g., CISO Digital community)

For personal data processed by identiqa as a data processor on behalf of customers (e.g., security telemetry, log data, account information processed within ProtectionGrid modules), the relevant Data Processing Agreement and customer-side privacy policy apply.

Categories of data we process

We process the following categories of personal data, depending on how you interact with us:

4.1 Website usage data

Category	Examples	Source
Technical data	IP address (truncated), browser type, OS, device type, referrer URL, timestamps	Automatic
Behavioural data	Pages visited, time on page, click paths, scroll depth (only if you consent to performance cookies)	Automatic
Consent records	Cookie consent state, timestamp of consent, consent version	Automatic

4.2 Communication data

Category	Examples	Source
Contact data	Name, email, phone (optional), company, role, country	You (via form or email)
Inquiry content	Free-text messages, attached files, security context you share with us	You
Communication history	Records of email exchanges, call notes, meeting summaries	Automatic + manual

4.3 Newsletter & marketing data

Category	Examples	Source
Subscription data	Email, name, opt-in timestamp, language preference	You
Engagement data	Whether emails are opened, links clicked (only with consent)	Automatic

4.4 Customer portal & account data

If you have an identiqa account or use our customer portal, we process additional account-related data (login credentials, account settings, usage logs). The detailed handling of this data is governed by the relevant service contract and Data Processing Agreement.

Purposes & lawful bases

We process personal data only when we have a lawful basis under Article 6 GDPR. The following table summarizes our processing activities:

Purpose	Lawful basis	Categories of data
Operating the website (delivering pages, security, error handling)	Legitimate interest, Art. 6(1)(f) GDPR	Technical data
Analytics & site improvement (only with your consent)	Consent, Art. 6(1)(a) GDPR	Behavioural data
Responding to inquiries (sales, support, partnership)	Pre-contractual measures, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR	Contact data, inquiry content
Newsletter delivery	Consent, Art. 6(1)(a) GDPR	Subscription data, engagement data
Customer relationship management	Contract, Art. 6(1)(b) GDPR; legitimate interest, Art. 6(1)(f) GDPR	Communication history, account data
Legal compliance (tax records, regulatory reporting)	Legal obligation, Art. 6(1)(c) GDPR	As required by law
Defence of legal claims	Legitimate interest, Art. 6(1)(f) GDPR	As relevant to the case

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal. Where processing is based on legitimate interest, you have the right to object — see Section 10.

Cookies & tracking

We use cookies and similar technologies on identiqa.com. Cookies are categorized into:

Necessary cookies — required for the website to function (session state, security, your consent choice itself). These are set without consent under Art. 6(1)(f) GDPR and § 25(2) TTDSG (where applicable).
Performance cookies — help us understand how the website is used (anonymized analytics). Set only with your consent.
Marketing cookies — enable personalized content and cross-platform measurement (e.g., LinkedIn Insight Tag, Meta Pixel). Set only with your consent.

You can manage your cookie preferences at any time via the Cookie Settings link in the footer or here in this policy.

Detailed information about specific cookies set, their purpose, provider, and storage duration is available in our cookie banner settings dialog. [review — for full transparency, a separate cookie list with all sub-providers should be maintained and linked here once finalized]

Recipients & sub-processors

We share personal data only with carefully selected service providers (sub-processors) who help us deliver our services. All sub-processors are bound by Data Processing Agreements under Article 28 GDPR. The following categories of recipients receive personal data:

Category	Purpose	Location
Hosting infrastructure	Website delivery, customer portal hosting	EU (own data centres in DE, IE, PT, CY)
Email delivery providers [review]	Newsletter, transactional emails	EU
CRM provider [review]	Customer relationship management	EU
Analytics providers [review]	Website analytics (with consent)	EU
Insurance partners	Cyber insurance referrals (only with explicit request)	EU
Identiqa group entities	EU Ops Ltd. (IE), IP Ltd. (CY), country GmbHs (DE, AT, CH)	EU
Auditors & legal advisors	As needed for compliance, where personal data is involved	EU

A complete and current list of all sub-processors is maintained as part of our Sub-Processor Register available to customers under their Data Processing Agreement. [review — link to public sub-processor list once available]

International transfers

Identiqa's infrastructure operates exclusively within the European Economic Area (EEA). Personal data is not transferred outside the EEA as part of identiqa's core operations.

In the limited cases where transfers may occur (e.g., specific third-party tools that have not yet been replaced with EU-only alternatives, or service partners in non-EEA countries), we ensure such transfers are protected by:

Adequacy decisions of the European Commission (Art. 45 GDPR), where applicable;
Standard Contractual Clauses (SCCs) adopted by the European Commission, in conjunction with appropriate supplementary measures (Art. 46 GDPR); or
Your explicit consent (Art. 49(1)(a) GDPR) where no adequacy or appropriate safeguards apply.

Customers and prospective customers can request the current list of any non-EEA transfers as part of due diligence by contacting dpo@identiqa.com.

Retention periods

We retain personal data only as long as necessary for the purposes set out above, or as required by law. Specifically:

Data category	Retention period	Reason
Web server logs	30 days	Security, troubleshooting
Cookie consent records	13 months	Demonstrating consent
Analytics data (with consent)	14 months	Trend analysis
Contact form submissions	3 years after last contact	Sales follow-up, legitimate interest
Newsletter subscriber data	Until unsubscribe + 30 days	Honoring opt-out
Customer account data	Duration of contract + 6 years	Legal obligations (Irish/EU bookkeeping rules)
Tax-relevant records	10 years	Statutory tax law (varies by jurisdiction)

[review — retention periods should be verified against Irish bookkeeping law and any sector-specific obligations]

Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15) — to confirm whether we process your personal data and obtain a copy;
Right to rectification (Art. 16) — to correct inaccurate or incomplete data;
Right to erasure (Art. 17) — to have your data deleted, subject to legal retention obligations;
Right to restriction (Art. 18) — to limit processing in specific situations;
Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format;
Right to object (Art. 21) — to object to processing based on legitimate interests, including direct marketing;
Right to withdraw consent (Art. 7) — at any time, without affecting processing prior to withdrawal;
Right not to be subject to automated decision-making (Art. 22) — including profiling, where it produces legal or similarly significant effects.

To exercise any of these rights, please contact privacy@identiqa.com or our DPO at dpo@identiqa.com. We respond to all requests within one month, in line with Art. 12(3) GDPR.

You also have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for identiqa is the Irish Data Protection Commission (www.dataprotection.ie). You may also contact the supervisory authority of your habitual residence or place of work.

Security measures

identiqa is a cybersecurity company. We apply the same security standards to our own systems that we offer to customers. Specifically:

Hybrid post-quantum encryption for all data in transit (TLS with classical + ML-KEM) and data at rest;
Strict access controls with multi-factor authentication, role-based access, and full audit logging;
EU-only personnel with production access, employed under EU labour law, with documented background checks;
Continuous threat monitoring via our own AI security platform (Aura);
Regular penetration testing and security audits, including external assessments;
Incident response procedures including notification to data subjects and supervisory authorities within 72 hours where required (Art. 33–34 GDPR).

For full technical and organizational measures (TOMs), customers can request our security documentation under NDA.

Minors

identiqa services and this website are directed at business and government customers — not consumers, and not minors. We do not knowingly collect personal data from individuals under 16 years of age. If you become aware that a minor has provided personal data to us, please contact the DPO immediately so we can take appropriate action.

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or legal requirements. Material changes will be communicated through our website (and, where appropriate, by email to active users). The "Effective date" at the top of this page indicates when the current version became effective.

Earlier versions of this policy are archived and available on request.

Contact & complaints

For any privacy-related questions, requests, or complaints, please use one of the following:

Privacy & data protection
Email: privacy@identiqa.com

Data Protection Officer
Email: dpo@identiqa.com

Postal address
Identiqa Holding Ltd.
FAO: Data Protection Officer
[Registered office address] [review]
Dublin, Ireland

Supervisory authority
Irish Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, Ireland
www.dataprotection.ie