Privacy Policy
Prove ID Privacy Policy
Introduction
This Privacy Policy provides information on how Prove ID processes your personal data when you use its mobile application ("Mobile Application"), website ("Website"), and related products (WebSDK, Customer Portal). Our goal is to enable you to make informed decisions by understanding what information we collect, how it is used, and when it is shared.
If you wish to access, correct, or delete your personal data, object to its processing, or transfer your data to another party, you can contact us through the methods specified in Article 17 of this document.
1. Summary of This Policy
This summary has been prepared to help you quickly understand the essential information about how Prove ID processes your personal data. It is recommended that you read the full text for details.
Who are we?
Prove ID is a Techsign product that provides identity verification and biometric verification solutions.
What data do we collect?
- Name, surname, contact information
- Information obtained from identity documents
- Biometric data such as face, voice, and signature (with explicit consent)
- Device and connection information (IP, browser information, etc.)
- Customer portal and website usage data
- Feedback, support requests, marketing permissions
Why do we collect it?
- To verify your identity
- To provide and improve services
- To ensure security
- To manage customer relations
- To fulfill legal obligations
With whom do we share your data?
- Only with trusted business partners necessary for the operation of the service
- With competent authorities when legally required
- Abroad only with your consent and when adequate safeguards are in place
How long do we retain it?
Data is deleted or anonymized when the purpose ceases or the legal period expires.
What are your rights?
- Access, correction, deletion of your data
- Request restriction of processing
- Withdraw consent
- Request portability
- Object
- Right to lodge a complaint
How can you reach us?
- Contact forms on our website
- Provided e-mail addresses
- Our postal address
2. Definitions
3. Prove ID's Role
Prove ID acts as a data controller in most personal data processing activities in Demo applications and the Demo customer portal. In the video call feature provided within the application, it acts as a joint data controller together with the service provider under the framework of an agreement with a third party.
According to the contracts concluded with our corporate customers, we may also act as a sub-processor in non-Demo processes. During processing, our role as data controller or processor is determined according to the type of integration and the customer agreement.
4. Personal Data We Collect
4.1. Data Collected Due to Demo Usage
The purpose of our Demo applications is to enable our corporate customers (including potential ones) who test our applications to experience our processes and technologies, to check the results of verifications performed with their own personal data (via Mobile Application, WebSDK, or User Portal), and to make reasonable decisions about our products. For this reason, some personal, biometric, transactional, device, and environmental data are collected and processed in our Demo applications and User Portal.
Device and environmental data:
During the use of our Demo applications (iOS, Android) and WebSDK, permission to access your device's camera is requested. This permission is active only during the transaction and access is terminated as soon as the transaction ends. If microphone or gallery access is required, separate permission is requested before the relevant transaction. Depending on the type of transaction and the Demo environment, information about the model of the device you use for the Demo may be collected, as well as your device's internet connection strength, environmental noise level and lighting, and whether the device's NFC feature is enabled.
Biometric data:
Information relating to the facial image (for checks such as comparison with the identity document, liveness control, verification of being the holder of the identity), information relating to the voice (for operations such as transaction approval, liveness, compatibility, data matching, voice questioning), and when required by the type of transaction, information relating to the biometric signature created by finger or stylus input on the screen (for comparison with the static signature on an official document) are collected.
Data obtained from identity documents:
Identifying information on the front and back sides of official identity documents issued by governments (identity card, driver's license, passport, residence permit, blue card, etc.), as well as information embedded in the chip of the document that can be read via NFC technology on mobile devices (such as ID number, name, surname, date of birth, document number, photograph), are collected (for identity verification purposes).
Additional data from the Commercial Customer Acquisition Flow:
If requested, a "commercial customer verification function" may be provided through the Mobile Application. Under this function, users are expected to upload images and/or files of the Trade Registry Gazette and Signature Circular belonging to the prospective customer company. In order to verify both documents and identify the authorized representative, some data contained in the documents (e.g., identifying information of the notary and document issuing the signature circular, identifying information of the authorized person(s) named in the document, identifying information of the company published in the trade registry gazette, ownership structure, identifying information of shareholders, authorized representatives, type of representation) are collected and processed.
Data obtained with additional documents:
If the Demo flow is defined this way, users may upload additional documents via the Mobile Application and WebSDK. The content of the documents submitted by the user in the Demo is not processed but stored visually.
Customer Portal data:
During the creation of a user account in the Customer Portal for Demo purposes, name, surname, e-mail, and password (stored in hashed form) are collected. For security purposes, IP address, login/logout time, browser information, and logs of transactions performed are recorded during portal sessions. These logs are retained for 1 year and are accessible only by authorized technical staff. In support requests submitted through the portal, the message content, attached files, and contact information are processed. This information is retained until the request is resolved or for a maximum of 2 years.
Biometric data processing safeguards:
Biometric data are protected as sensitive personal data under Article 6 of the Turkish Personal Data Protection Law (KVKK) and Article 9 of the GDPR. Processing is carried out only with your explicit consent obtained for the purposes specified in the information notice. They are not transferred to third parties and are used solely for the purpose of the transaction. End-to-end encryption is used in data transmission, and highly secure servers and access controls are applied for data storage.
Scope of processing:
- Biometric data for the purposes of Face Liveness, Face Matching, Identity Holding, Signature Comparison, Transaction Approval by Voice, Voice Liveness, Voice Compatibility, Voice Data Matching, and Question Asking.
- Personal information for extracting data from identity and other official documents submitted.
Transfer:
- In the Mobile Application, all data transfers are encrypted, processed on Prove ID servers, and the result is transmitted back to your device in encrypted form.
- When using the WebSDK, the data flow begins on the browser side, and the data is transmitted to the Prove ID server via SSL/TLS encryption. At the end of the processing, the produced verification result is returned to the client in encrypted form.
Deletion:
- We retain the results of Demo transactions created with a user account until users complete their review of their data, unless deletion is requested. We do not use this data for any other purpose. If no deletion request is received, we automatically delete this data after 2 years.
- We automatically delete the results of Demo transactions performed in guest mode (if the user has not created an account at the end of the transaction) after the session is closed. For Demo transactions in guest mode, there is no user access through the customer portal or any other medium. We do not use this data for any other purpose.
4.2. Data Processed Due to Product/Service Provision
For our corporate customers who have partially or fully purchased our products, integrated them into their own products/services, or used them directly as an end product, we provide a Customer Portal service in order to carry out matters such as product management, process management, video calls, and control/approval of verification results. For this purpose, we request our corporate customers to create users for their employees who will use this portal. We process this data for user processes and authorization.
- Customer Portal registration: Name, surname, e-mail
- Communication and contract establishment: Name-surname, title, company name, firm name, e-mail, and message content shared through the contact form.
- Contract execution: Billing information, e-mail correspondence, bank account details, and, when necessary, contractual data such as personal ID number, date of birth, signature, and duty/position information.
- Feedback and references: We may request feedback regarding the use of the product/service. We may collect your name-surname, title, and company name for publication on the Website.
- Marketing activities: During events (with your consent), business card contents (name-surname, corporate e-mail/phone, company name) may be collected.
- Newsletter: You may register your e-mail address for newsletters; you may unsubscribe at any time using the "unsubscribe" link.
- Sensitive/additional data: If you provide us with additional data we have not requested (e.g., biometric data), we process them transparently and responsibly, solely for the purpose of fulfilling your request, temporarily, and delete them immediately once your request has been met or becomes unnecessary.
Except for Demo applications, our products/services do not collect personal data on our behalf. Usage information may be collected from our corporate customer for purposes such as billing and reconciliation. Due to maintenance requests from our customers or errors occurring during use, logs or information that may contain personal data may be transmitted to us (the decision and manner of such transmission is at the discretion of the customer).
4.3. Data Collected Due to Website Usage
- Cookies: We use cookies for the operation of the Website and for keeping statistics (see the Cookie Policy for details).
- Log records: Certain information automatically transmitted by your browser during each visit is temporarily stored (for detecting violations and for security purposes) and then deleted. If it needs to be retained as evidence, it may be kept until the relevant incident is clarified and may be shared with law enforcement authorities if necessary.
Log contents:
- Device IP address
- Referring internet address
- Service provider name
- Names of requested files/information
- Request date, time, and duration
- Amount of data transferred
These records do not allow the direct identification of the user.
4.4. Data Collected for the Execution of Marketing Activities
During product presentations, fairs, or specialized training, photos and videos may be taken. Your explicit consent may be requested for your appearance, and other personal data may be requested for the purpose of preparing event reports. These reports may be published on our corporate social media accounts (e.g., LinkedIn, Facebook).
4.5. Personal Data Obtained from Third Parties
In certain situations, we may obtain personal data from our business partners; such data is processed in accordance with applicable law and the principles of KVKK and GDPR.
5. Legal Grounds for Collecting Personal Data
Explicit Consent:
We may request your explicit, specific, and freely given consent for the collection/processing of certain types of data in line with the purposes specified in the Information Notice. You have the right to withdraw your consent at any time.
Information Notice:
When obtaining your consent, we provide you with an Information Notice. We expect you to have read and understood this notice.
Contract:
Your personal data may be processed when necessary for the establishment/performance of a contract.
Legitimate Interest:
We may process data under our legitimate interests in circumstances that can reasonably be expected while conducting our business and do not disproportionately affect your rights/freedoms. Examples include:
- Execution of commercial activities
- Analysis of Website user activities and improvements
- Customer account management
- Interaction with and record-keeping of existing and potential customers
- Surveys
- Segmentation of customer database
- Product/service development
- Management of payments/receivables and applications to legal authorities
- Retention of purchase and service requests
- Prevention of fraud
- Network and information system security
- Direct marketing/advertising/promotion
- Understanding customer behavior and preferences
- Management of recruitment processes
- Improvement of services and communications
Legal Obligation:
Data may be processed when necessary to comply with legal obligations, such as tax, official requests, or regulatory requirements.
Vital Interests:
Data may be processed when necessary to ensure the safety of our employees, customers, and visitors and when no other legal basis applies.
6. How We Use Personal Data
Personal data may be used for the following purposes:
- Identification of the customer/user
- Recording of customer (and potential customer) information and communication history in CRM
- Preparation/conclusion/performance of contracts
- Provision and maintenance of services
- Communication with user/customer
- Customer Portal registration and access
- Requesting feedback and (if agreed) publishing it on the Website
- Fulfillment of warranty obligations
- Product/service improvements and new product/service development
- Monitoring Website security and accessibility
- Resolution of technical errors and malfunctions
- Review of complaints and applications
- Customer retention and satisfaction measurement
- Account management
- Refund/receivable tracking
- Maintenance/improvement of websites/mobile applications and other services
- Recruitment activities (if applicable)
- Providing information to competent authorities when required by law
- Business analysis (statistics, efficiency measurement, service quality, market research, surveys, risk management).
7. How Long We Retain Personal Data
- For the duration necessary for the purposes of collection.
- Consent-based data: Until consent is withdrawn or the purpose ceases.
- Contract-related data: During the contract term; if the contract has expired or was never concluded, 10 years from the last contact date with you/your company.
- Non-contractual requests: For as long as necessary to fulfill the request.
- Longer retention: Longer periods may be required due to anti-money laundering laws or other obligations, generally not exceeding 5 years depending on type and purpose of processing.
- Legal obligations: Duration is determined by the legislation to which we are subject.
When the retention period expires or the data is no longer necessary, it is securely deleted or anonymized.
8. Your Rights
Access:
You may request information on whether your personal data is processed and access the data we hold.
Rectification/Completion:
You may request the correction/completion of inaccurate, incomplete, or incorrect personal data.
Deletion ("Right to be Forgotten"):
You may request deletion of your data if:
- The purpose no longer exists
- You have withdrawn consent and no other basis applies
- You have objected to processing and no overriding legitimate grounds exist
- Processing is unlawful
- Deletion is required under the law to which we are subject
Restriction of Processing:
You may request restriction of processing in specific cases (as an alternative to deletion).
Data Portability:
You have the right to receive the data you provided in a structured, commonly used, and machine-readable format and request its transfer to another controller.
Objection:
You may object at any time to processing, particularly for marketing purposes or based on your particular situation.
Not to be Subject to Automated Decisions:
You may request not to be subject solely to automated decisions that significantly affect you, to have such decisions made by humans, to present your views, and to object.
Withdrawal of Consent:
You may withdraw your consent at any time (previous lawful processing remains unaffected, and processing based on other grounds may continue).
Complaint:
You have the right to lodge a complaint with the supervisory authority of your residence, workplace, or where the violation occurred.
Processing of requests: Requests are usually finalized within 1 month, extendable by 2 months in complex/busy cases (with prior notification).
Submission of requests: Requests can be submitted through the methods specified in Article 17 of this document.
9. Children and Minors
We do not knowingly collect/process personal data of individuals under the age of 18. If you are a parent/guardian and believe your child has provided data to us, please contact us immediately; upon becoming aware, we promptly delete the data.
10. Transfer of Personal Data Within Prove ID
As part of our business activities such as development, support, and maintenance of products, your personal data may be shared within our company Techsign, which develops the Prove ID product.
11. Transfer of Personal Data to Third Parties
We may share limited data with service providers who provide services such as e-mail, CRM, hosting, and website development/support. Personal data transferred to these parties is strictly limited, and all reasonable measures are taken for confidentiality and security.
12. Transfer of Personal Data
Your personal data may be shared to a limited extent within the country with our service providers (hosting, software, security, CRM, e-mail services, etc.).
If you consent or upon request of legal authorities, cross-border transfers may be carried out only after adequate data protection measures are ensured.
13. Measures Implemented for Data Protection
Personal data is stored on secure networks; access is restricted to representatives, employees, affiliates, and business partners bound by confidentiality obligations with Prove ID.
Technical measures:
- Data center service located in Türkiye that ensures necessary safeguards for data security/confidentiality
- Physical security/fire alarm, video surveillance, and access control systems to prevent unauthorized access
- SSL encryption for data transfers
- Firewall
- Intrusion detection/prevention software and other protective measures permitted by technology
14. "Do Not Track" Signal
When enabled, the "Do Not Track" feature found in some browsers indicates to the sites you visit that you do not wish to be tracked. Since there is no universal standard on how to respond to these signals, we currently do not respond to them. You can manage your tracking preferences in your browser settings.
15. Third-Party Plugins
We use third-party applications or plugins for the operation of some of our services. Plugins are independent extensions of the relevant social network/service providers; therefore, we do not control the amount of data collected/recorded by these providers. Please refer to the privacy policy of the relevant social network for information on which data is processed for what purpose and your rights. If you do not want your data to be collected by these providers, you should not use the relevant plugins.
16. Changes and Updates
This Privacy Policy may be updated from time to time. Please visit this page regularly to follow the changes. The effective date is indicated in the updated version. By continuing to use the Website and/or our services, you are deemed to have read, understood, and accepted the updated version.
This Privacy Policy, prepared in Turkish, may be translated into different languages and published in relevant places. In the event of any dispute arising from the translation, the original Turkish text shall prevail.
17. Contact Information
For all matters related to this Privacy Policy, you may fill out the contact forms on https://proveid.io/, https://test.proveid.io/, or www.techsign.com.tr.
You may also contact us at: Teknopark No:1/1C, Ofis: 1301 34906 Istanbul/Turkiye