GALLEON PRIVACY POLICY

Galleon One Limited, with its registered office at 60/2 Melita Street, VALLETTA VLT1122, MALTA, registration number: C 92185, https://www.galleon.com (the “Galleon”, “we”, “us”) recognize its responsibilities in relation to the collection, holding, processing, use and/or transfer of personal data under the Maltese Data Protection Act 2018 (Chapter 586 of the Laws of Malta) (DPA) and under the General Data Protection Regulation (“GDPR”), with regard to offering services to persons in the European Union. Personal data will be collected only for lawful and relevant purposes and all practicable steps will be taken to ensure that personal data held by us is accurate. We will use your personal data which we may from time to time collect in accordance with this Privacy Policy.

We regularly review this Privacy Policy and may from time to time revise it or add specific instructions, policies and terms. Where any changes to this Privacy Policy are material, we will notify you using the contact details you have provided us with and, where required by the law, we will give you the opportunity to opt out of these changes by means notified to you at that time. This Privacy Policy (“Policy”) describes our best privacy practices concerning information collected in connection with global identity and verification business of Galleon that uses personal information to support its customers with their business needs (the “Services”).

Otherwise, in relation to personal data supplied to us through the website or otherwise, continued use by you of the website, or other products or services of the Galleon (“Services”), or your continued relationship with us shall be deemed to be your acceptance of and consent to this Privacy Policy, as amended from time to time.

Galleon will take all practicable steps to ensure the security of your personal data and to avoid unauthorised or accidental access, erasure or other use of your personal data. This includes physical, technical and procedural security methods, where appropriate, to ensure that your personal data may only be accessed by authorised personnel.

Please note that if providing personal data is essential to receive services, inconsistent or not provided data will limit the functionalities and privileges available to you.

Scope of personal data collected

Our Clients are enterprises, companies, institutions, and businesses that have opted for our Services. The information we collect from the Clients includes their Full Name, Company Email, Phone Number, Company Name, Company Website, Country, Verification Volume, Industry, and any other information required to set up their accounts, with reference to the Services they select, and the End-users they wish to verify.

Depending on the type of verification process selected, i.e. onsite or offsite, the data is collected directly from the End-users or the Clients. In case if it is from the Clients, they take the information and image and video proofs from the End-users and pass the data to us via the API. Galleon will verify only the information that has been provided by the End-users. In case the Clients don’t provide certain information required for the selected services, the missing information is collected from the End-users via OCR technology. They End-users will be asked to show their documents in real-time so relevant information may be extracted from them. Furthermore, if the End-user fails a certain check, the verification process ends. This is to ensure that the Client’s verification balance is not wasted if the End-user is not verified.

The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

Our End-users

The End-users are our Client’s customers, whose identities we verify, documents we authenticate and run against AML lists and databases. Depending on the type of verification process selected, i.e. onsite or offsite, Galleon either collects End-user’s verification data from the Clients or the End-users themselves.

This data includes but is not limited to the images/videos of the End-user’s identity documents (e.g. passport, ID card or driving license), their biometric facial identifiers (e.g. face images/videos). We also require textual information that is either extracted directly from the End-user’s identity particulars or is provided by the End-user at each step.

Data acquisition and Identity Verification Process

Galleon’s Identity Verification Process describes what information we collect, how we collect it and when we collect it. Galleon requires particular information from the End-users or Clients (depending on whether it is an on-site or off-site verification) in order to perform Services.

Personally Identifiable Information:

Personally Identifiable Information (“PII Data”) is collected, which includes name, contact information (email ID and phone number), DoB and any other information required to carry out the verification checks chosen by Galleon’s Client. For instance, if the Client selects the Face Verification Service, we will also collect the image (selfie) or video (short clip showing End-user’s face) proof from the End-user. In the event the Client opts for document verification, we would require an image or video of the desired document.

Akin to this, if the Client selects AML screening Service, we require the End-user’s Name and DoB for running them against the AML databases, sanctions, and watch lists.

Verification Process

  1. A verification request is Accepted
    • If the End-user passes all of the checks pre-set by the Client, the verification request status becomes ‘Accepted’. Galleon then sends these results to the Client through the API. These results are also available to the Client in the back-office management system, along with complete verification details (e.g. End-user’s personal information, image/video proofs, any .pdf reports, and AML results). The End-user is also shown the verification status after the process completes.
  2. A verification request is Declined
    • In cases where the End-user is not verified and the verification status is ‘Declined’, we send these results to the Client through the API, as well as the back office management system. The results show which checks the End-user passed and at which check they failed. The verification ends at the failed check. The complete verification details (e.g. End-user’s personal information, image/video proofs, any .pdf reports, and AML results) is available to the Client in the back-office management system. The End-user is also shown the verification status after the process completes.

How Galleon shares personal and anonymized information.

In general, Galleon shares the personal and anonymized information that we collect in connection with the Services as discussed below:

We share the personal and anonymized information that we collect on behalf of a particular Client with that Client and to such other parties as instructed and agreed with the Client.

Galleon also uses third-party service providers to help us deliver, manage, and improve the Services. These service providers may collect and/or use your personal information or anonymized information to assist us in achieving the purposes discussed herein.

We may also share your personal information with other third parties when necessary to fulfill your requests for Services; to complete a transaction that you initiate; or to meet the terms of any agreement that you have with us or our partners.

We partner with certain other third parties to collect anonymized information and engage in analysis, auditing, research, and reporting.

We may also use or share your personal information with third parties when we have reason to believe that doing so is necessary: to comply with applicable law or a court order, subpoena, or other legal process; to investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party; to establish, protect, or exercise our legal rights or defend against legal claims; or to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.

Aggregated information

From time to time, we may also share anonymized and aggregated information about Client and End-users of the Services, such as by publishing a report on trends in the usage of the Services.

Utilizing Data for Services

Galleon makes use of the information collected, processed and stored during any and each step of the Identity Verification process on Client’s request for our services in order to verify End-users for a legitimate purpose. We ensure that the Client’s business is completely legal and the information collection and usage is aligned with the End-user’s absolute consent. Our process is completely transparent; the End-user is informed which of their information will be used and for what purpose. Only once the End-user consents to the process, do we start verifying their identity.

We may also use data collected for:

  1. Training our machines to learn algorithms to verify the authenticity of new documents, recognize the text present on them and extract it, match that text using template matching techniques and recognize if the document is original or counterfeit, forged or photo-shopped , photocopied or tampered with.
  2. The purposes of computer vision and machine learning techniques, we continually train our artificial intelligence systems to recognize and verify a wider range of identity documents from around the globe.
  3. Fraud prevention: Whenever a fraudulent user uses the Services, we make sure that we store the documents and images they presented, in our databases.
  4. Training our Human Intelligence officers to effectively be a part of the identity verification process.

Information flow beyond Galleon

Galleon may disclose the information provided by you (End-user or Client) to any member of our group of companies (this means our subsidiaries, our ultimate holding company, and all its subsidiaries) or third party service providers insofar as reasonably necessary for the purposes set out in this policy.

  1. With respect to End-user personal information (including any images, videos, sensitive data, etc.), the Client may require Galleon to collect, use, disclose, or otherwise process data in ways that differ from those described in this Privacy Policy. Some features of the Services may be immobilized or changed by our Client. In order to completely comprehend the handling of End-user private information while using our Services, the End-user must also review the privacy policy of the Client.
  2. We have facilities and staff in different countries around the world and as a result personal information may be transferred to them or accessed from those locations. We take all the necessary actions to ensure the security of your personal information when transferred across borders.
  3. Verification data may travel outside the EU for the purposes of Human Intelligence Checks that serve as an essential part of the Identity Verification Process. This data may be seen and processed, but not stored anywhere outside the European Economic Area (EEA). We have our office in the United Kingdom and provide services in 150+ countries. The hosting facility for our website is situated in the United Kingdom. The European Commission has made an “adequacy decision” with respect to the data protection laws in this country. However, we provide Clients with an option to forego the Human Intelligence checks, relying solely on the results detected and compiled by the Artificial Intelligence System.
  4. We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
  5. Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments. You can find information about the payment services providers’ privacy policies and practices at Stripe: https://stripe.com/us/privacy.

Data Storage and Retention

Galleon acquires and stores the information provided by its Clients and End-users for rendering Services. Being the data processor of millions of users comes with certain responsibility and liability on our part. For this reason, our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Below are the terms outlined for this section:

  1. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  2. We will retain and delete your personal data as follows:
    • End-user data category shall be retained or deleted according to the instructions provided by our Client ( data controller).
      • Personal data of our Clients shared with us shall be retained for a period of two (2) years following which it may be deleted from our system.
  3. If no instructions are provided by the data controller, we will determine the period of retention based on the following criteria:
    • The period of retention of your personal information including any data, images, videos and/or private information will be determined based on the applicable data protection laws and the need for their presence in our system owing to any legal reasons or for the betterment of our website or services.
  4. Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Data Security

Galleon ensures data security through adequate measures to minimize the likelihood of data breaches, whether pre-emptive or post. Data breaches and protection of data itself come under the wider umbrella of the data lifecycle.

Additionally, observing the GDPR regulations, secure auditory practices are carried out to ensure standardized operations and encryption practices. New techniques are continually implemented in order to keep our Data Security ahead of the curve.

For more information about Galleon’s data security, data protection and policy in case of data breaches, read our Ultimate Guide to GDPR Compliance. If you feel like you have encountered a shortfall in our policy or a security breach in Galleon’s system, reach out to us for adequate error reporting.

How We Use Cookies

If you access our information or services through the GALLEON website, you should be aware that cookies are used. Cookies are data files stored on your browser. If you have accepted cookies by using tools displayed when entering the GALLEON website, the website automatically installs and uses them on your browser when you access it. We may also use cookies without your consent where it is strictly necessary to provide our services and you have explicitly requested them, such as [maintaining your session when you have logged in to your account or remembering the contents of your cart]. You can also change your settings for cookies on our websites using the tool below:

Cookies are used for the following purposes:

  • For statistical purposes through [analysis of aggregate data on traffic and manner of use of our websites]
    We create statistics that help us understand how you access GALLEON, which allows us to improve the structure of GALLEON and its content and thus improve your experience;
  • Creating a profile for you in order to display matching materials in regard to advertising networks, such as the Google Display Network;
  • To run statistics on traffic to reliably conduct settlements with advertising partners;
  • To remember your settings between browsing sessions and customize the Site to better suit your needs and preferences, such as selecting the display language or currency.
  • For marketing purposes, also on the basis of automated processing containing profiling elements, in particular, for [adaptation of our websites, offers and advertising to your interests]
    We use cookies to [assign you an unique identifier that lets us collect information about your actions on our website, viewed content and your use of our products and services]. We then use this information to [create a profile of your interests on the basis of content that we think was interesting for you (for example because you viewed it for a certain period of time, searched for certain types of games or added some products to your cart) as well as content that other users similar to you have found engaging]. By using [this profile of your interests we can adapt our websites, offers and advertising to your needs by replacing the default content with content more relevant to your interests (for example we can show you games that we think you might like instead of the default game categories or personalize the newsletter to which you subscribed)].

    To achieve the above goals, the Site uses two basic types of cookies, session cookies and persistent cookies. Session cookies are temporary files that are stored in your browser until you logout, leave the website or close the browser. Persistent cookies are stored in your browser for a longer period of time, as specified in the parameters of the cookie or until you remove the cookie.

    Cookies may be used by partners and advertising networks, such as the Google Display Network to display ads specific to you and in accordance your preferences while using GALLEON. To achieve this goal cookies may store information about your navigation path or the time you spent on GALLEON. To see what information was collected about you by the Google Display Network, you can view and edit the information derived from cookies with the following tool provided by Google: https://www.google.com/ads/preferences/ .

    Your browser’s default setting is likely set to allow for the storage of cookies. You can change your browser’s settings and delete or prevent cookies. For details, consult your browser’s documentation. Please note that if you do so you may not be able to utilise or activate certain functions available on GALLEON.

Your rights under the GDPR

Pursuant to the GDPR you also have the following rights:

  • Right to be informed, which is satisfied through this notice.
  • Right to erasure. You have the right to have your data erased and no longer processed if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if consent was withdrawn or objection was filed and there are no other legal basis for processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
  • Right to restriction on processing. If there are grounds for restriction on processing, for example if you contest the accuracy of your personal data, it will be stored and processed otherwise only if you consent or to exercise legal claims, or for the protection of rights of another natural or legal person. If we have disclosed the personal data in question to third parties, we will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. We will inform you before the restriction is lifted.
  • Right to objection to processing. You have the right to object to processing based on legitimate interests (including profiling) and direct marketing (including profiling). We will no longer process you data, unless we have compelling legitimate grounds for processing or we need to process the data for the establishment, exercise or defense of legal claims.
  • Right to portability. You have the right to receive personal data that you provided to us in a structured, commonly used and machine-readable format and to transmit those data to another data controller.
    You may contact us to exercise your rights through “Contact us” section below.
  • Right to lodge a complaint with a supervisory authority. If you are unhappy about the way we process personal data you may contact us and, if you are unsatisfied with our answer, file a complaint to data protection authority in [Poland] or in your country.

General

If this Privacy Policy is translated into any other language, and there is any inconsistency or conflict between the English and translated versions of this Privacy Policy, the English version shall prevail.