1.  Introduction and Scope

This Privacy Notice is issued by Amana Sovereign Identity Proprietary Limited ("Amana"), a company incorporated in South Africa (registration number 2025/282754/07). Amana delivers identity verification and related services to clients globally, operating in the role of data processor. We process personal data exclusively on behalf of our clients, who act as data controllers, and determine the purposes, legal basis, and retention rules for the information we handle.

In most cases, Amana processes data solely as instructed, including for anti-money laundering (AML), counter-terrorist financing (CTF), fraud prevention, or regulatory compliance obligations of our clients. Where required by law or in limited instances—such as during product development or internal analytics—Amana may act as a data controller, but only for clearly defined and legally justified purposes.

This Notice outlines how Amana collects and manages personal data, including: identifiers, biometric data, internet or device information, geolocation data, and visual data, in the course of delivering its services and fulfilling its responsibilities under applicable privacy legislation, particularly the General Data Protection Regulation (GDPR).

We do not sell personal information. We may share data with our clients and service providers as necessary to perform our services.

Please note that our clients maintain their own privacy notices regarding how they handle your personal data. This document does not cover client-specific policies or practices.

Separate notices apply if you are a resident of California (Section 15), Illinois, Washington, or Texas (Section 16). In the event of any inconsistency between such notices and this notice, the provisions specific to those jurisdictions will take precedence. If you are a resident of California, some of the data collected is classified as sensitive personal information under California law.

2.  Our Commitment to Data Protection

Amana upholds the core principles of data protection as mandated by the GDPR and supports its clients in maintaining compliance. These principles guide how we process personal data:

• Lawfulness, fairness, and transparency: We process data in a legal and clear manner, with accountability throughout.
• Purpose limitation: Data is used strictly for the objectives defined by our clients and not for unrelated purposes.
• Data minimisation: Only the minimum necessary information is collected and processed.
• Accuracy: Reasonable steps are taken to ensure data is correct and updated when necessary.
• Storage limitation: Data is retained only for as long as instructed by our clients, after which it is securely deleted.
• Security: We implement robust technical and organisational measures to safeguard data from unauthorised access, disclosure, alteration, or loss.
• International transfers: Data is only transferred outside the European Economic Area (EEA) when suitable protection mechanisms are in place.

3.  Legal Grounds and Processing Purposes

A. Acting on Behalf of Clients

Amana processes personal data primarily to deliver services under agreements with our clients, who are responsible for defining the purpose and legal basis of the processing. These services include:

• Remote identity verification, including biometric checks where authorised;
• Anti-Money Laundering (AML) compliance, such as identity screening and transaction risk assessment;
• Sanctions screening, including checks against politically exposed person (PEP) lists and government watchlists;
• Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures, as required by financial and regulatory frameworks;
• Responding to data subject requests when authorised to do so by the client.

Once the data has fulfilled the purpose for which it was collected, and in accordance with the client’s instructions, Amana securely returns the data to the client or deletes it entirely from its systems, including all backups.

B. Processing Under Legitimate Interest

In limited circumstances, Amana may act as a data controller to process certain personal data where permitted by applicable laws and justified by legitimate interest. These scenarios may include:

• Fraud detection and prevention, where we compare submitted identity data against records of known or suspected criminal or fraudulent activity;
• Identity verification for legal or procedural purposes, such as confirming the identity of individuals making data access requests or exercising privacy rights;
• Retention for legal obligations, where data must be preserved to establish, exercise, or defend against legal claims.

4.  Data Processing Activities

Amana conducts a range of data processing activities to provide identity verification and compliance services to clients. These include collection, storage, consultation, analysis, comparison, transmission, restriction, and deletion of personal data. Processing is performed based on the client’s instructions and in accordance with applicable legal and regulatory obligations.

A. Document Verification

To assess the authenticity of submitted identity documents, Amana performs:

• Automated extraction and comparison of identity attributes (e.g., name, date of birth);
• Detection of tampering, screenshots, or manipulated images;
• Validation of document security features such as MRZ, QR codes, barcodes, and embedded chips;
• Cross-verification across submitted documents to evaluate consistency and trustworthiness.

B. Biometric Identity Verification

Facial biometric data may be processed to verify that a facial image submitted during onboarding matches the one on a government-issued ID. This includes:

• Extraction and comparison of facial features using secure algorithms;
• Liveness detection to confirm the person is physically present (e.g., by asking them to blink, smile, or move);
• Spoof detection (e.g., masks, emulators, deepfakes);
• Re-identification checks to detect multiple identity attempts for the same client.

C. Sanctions and Risk Screening

Personal data may be screened against third-party databases to support Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) compliance. These checks include:

• Screening against global and local sanctions lists;
• Identification of politically exposed persons (PEPs);
• Adverse media review;
• Validation through government or commercial registries (e.g., ID, address, or credit databases);
• Email and phone number risk scoring based on domain information, usage patterns, and reputation data.

D. Know Your Business (KYB) Checks

Amana conducts due diligence on business entities by verifying their legal existence, ownership, and control structure. This includes analysing corporate documents and conducting registry searches to identify company officers and ultimate beneficial owners (UBOs).

E. Fraud Detection

Amana implements a robust fraud detection and control network using both built-in and client-defined checks. These include:

• Detection of manipulated documents (e.g., signs of Photoshop use) and risk triggers;
• Correlation of user data such as IP address, device metadata, geolocation, email, and phone number against prior fraud markers or suspicious activity;
• Use of biometric re-identification to flag users attempting to create multiple identities for the same client;
• Consultation with data providers to check for risk factors such as residence in high-risk countries or adverse media matches.

These measures help assign appropriate risk scores and assist clients in identifying potentially fraudulent or suspicious users. Clients may access insights from the fraud detection network without viewing personal data directly.

F. Verification Outcomes

Amana does not make decisions that produce legal or similarly significant effects based solely on automated processing. We support our Clients by providing data (e.g., biometric verification results, risk indicators), but all final decisions are made by our Clients. Where Clients use automated tools that may affect individuals, they are responsible for ensuring appropriate safeguards, including human review mechanisms and compliance with GDPR Article 22.

• If the verification is successful, all required checks have been completed and the client may proceed with onboarding.
• If the verification is unsuccessful, Amana informs the client of the outcome and returns it to the client for review.
• The client is solely responsible for interpreting results and deciding whether to approve, deny, or reinitiate onboarding based on its internal policies and risk assessment.

Amana ensures a combination of machine processing and human oversight in the verification process, particularly where complex or uncertain data is involved.

5.  Types of Personal Data Processed by Amana

Depending on the identity verification or compliance services requested by the Client, Amana may collect and process the following categories of personal data about Users:

Category

Examples

General Personal Data: Full name, sex, personal identification number or code, date of birth, nationality, citizenship, legal capacity, location (street, city, postcode, country).

Identity Document Data: Document type, issuing country, document number, expiration date, machine-readable zone (MRZ), barcode or QR code contents, and document security features.

Facial Image Data: Selfie images and facial images from identity documents.

Contact Details: Email address, phone number, residential address.

Technical Data: IP address, domain name, date/time of interactions with services, device and browser attributes (e.g., camera model, OS, browser version).

Geolocation Data: Approximate location based on IP address (e.g., city, country).

Unique Identifier: Internal user ID assigned by Amana for system reference purposes.

Publicly Available Risk Data: Information about whether the User appears on global or local sanctions lists or is classified as a Politically Exposed Person (PEP).

Additional Information: User-submitted data during communication (e.g., support inquiries, clarification requests).

Device Behavioural Data: Device fingerprint (e.g., screen size, user agent, incognito mode, OS, geolocation), browser and session activity (e.g., paste, focus change, mouse movement), battery usage, accelerometer/G-meter data, and touch/mouse/keyboard events—used for fraud detection.

6.  Lawfulness of Personal Data Processing

When Amana is engaged by a Client to perform identity verification, compliance checks, or fraud prevention procedures for their end users, the processing of personal data is performed solely on behalf of that Client and based on the legal grounds the Client relies upon.

In accordance with Article 6 of the EU GDPR, data controllers (in this case, Amana’s Clients) must identify and rely on an appropriate legal basis for processing personal data. Typically, Clients rely on one or more of the following legal grounds:

• Article 6(1)(c) GDPR – The processing is necessary to comply with a legal obligation to which the Client (as controller) is subject;
• Article 6(1)(e) GDPR – The processing is necessary for the performance of a task carried out in the public interest;
• Article 6(1)(a) GDPR – The data subject has given consent for one or more specific purposes.

Amana processes personal data strictly within the scope of the Client’s instructions and does not determine the purposes or legal grounds for such processing. For information on the specific legal basis relied upon, users should refer to the privacy notice of the Client whose services they are accessing.

Amana may also process where Amana is subject to a legal obligation (e.g., under a valid legal request, judicial procedure, or litigation hold), we may process personal data as necessary to comply with that obligation in accordance with Article 6(1)(c) GDPR.

7.  Personal Data Retention Period

The retention period for personal data depends entirely on the processing purpose and is defined by the Client, who controls the data and instructs us accordingly.

Generally, regulated financial companies subject to Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) regulations are required to retain User data for a minimum period of five years after the end of the Client’s relationship with the User or after an occasional transaction. In some jurisdictions, longer mandatory retention periods may apply.

If you, as a User, wish to request deletion of your personal data, please direct your request to the Client that controls your verification process. Amana acts solely on the Client’s instructions with respect to data retention and deletion.

Personal data will be retained and stored by Amana only as long as necessary to fulfill the Client’s purposes and comply with applicable laws or contractual retention periods. Upon expiration of the Client-defined retention period or upon instruction by the Client, personal data will be securely deleted.

Data Deletion and Destruction Procedures

To delete data from the Amana Identity Verification System (including storage and dashboards), we use secure deletion methods that locate all records tied to a User’s unique identifier and remove them from storage systems, including cloud storage. These deletion processes ensure that data is rendered unrecoverable, including any biometric data when applicable.

Data deletion from local equipment follows operating system standards and may involve ‘empty trash’ mechanisms or, if necessary, complete physical destruction of storage media when data sensitivity requires it.

Similarly, data on removable media or mobile devices is deleted using device-specific sanitization procedures or factory resets before equipment reuse, recycling, or disposal.

Handling of sensitive data on any device or media outside controlled processes is strictly prohibited.

Deletion Requests

Requests for deletion of personal data will be fulfilled within 30 days, reflecting the complexity of Amana’s systems and data processing environment.

User personal data may be retained for up to 90 days after a Client’s deletion request to comply with legal obligations, ongoing investigations, or security requirements. Data will be deleted when no longer legally or contractually required.

Retention for Service Development and Legal Compliance

When personal data is used for the purpose of fraud detection, or compliance auditing, it may be retained in pseudonymized or aggregated formats for limited periods necessary to refine detection algorithms or meet regulatory obligations.

Where data is retained for the establishment, exercise, or defense of legal claims (litigation hold), it will be held only for the duration of such proceedings.

In all cases, Amana does not retain personal data beyond the period for which the Client has provided lawful instructions or for which a lawful basis exists.

8.  Data Subjects’ Rights

Amana acts solely as a processor and assists Clients in fulfilling their obligations to enable Data Subjects to exercise their rights under applicable privacy laws.

As a Data Subject, you generally have the following rights:

• To obtain confirmation from the Client whether your personal data is being processed.
• To request correction of inaccurate or incomplete personal data held by the Client.
• To request erasure of your personal data (“right to be forgotten”), subject to limitations such as legal obligations or legitimate interests that require processing.
• To request restriction of processing where:
  • The accuracy of the personal data is contested during verification by the Client.
  • The processing is unlawful and you prefer restriction over erasure.
  • The Client no longer needs the data for processing, but you require it for legal claims.
  • You object to processing pending verification of overriding legitimate interests.
• To be informed about any rectification, erasure, or restriction actions taken.
• To receive your personal data in a portable format, enabling transfer to another controller.
• To object to processing based on public or legitimate interest grounds as defined by law.
• Not to be subject to decisions based solely on automated processing unless authorized or consented.
• To lodge a complaint with the relevant supervisory authority.

To exercise these rights, please contact the Client who controls your data and manages your verification. Amana acts only on Clients’ instructions and will forward your requests accordingly. Amana does not independently make decisions about these rights.

If you wish to withdraw consent or object to processing based on legitimate interests, your request should be made to the Client. Amana supports Clients by forwarding such requests but does not decide on them independently.

Given the critical role of identity verification and fraud prevention for the financial system, objections to processing may rarely lead to cessation of processing where compelling overriding grounds exist.

Requests for data subject rights will be processed promptly by the Client, with Amana’s assistance as a processor. Verification of the requestor's identity may be required to protect data security.

9.  Responsibilities

Amana’s responsibilities include:

• Acting only under the documented instructions of Clients regarding personal data processing.
• Implementing policies and procedures to support compliance with applicable data protection laws.
• Ensuring personnel comply with privacy requirements and maintain data security.
• Engaging third-party processors only after due diligence and contractual guarantees for data protection.

10.                        Data Protection Measures

Amana implements comprehensive measures to protect personal data, including but not limited to:

• Processing personal data only under Client agreements and data processing contracts compliant with applicable laws.
• Secure data submission via dedicated APIs.
• Storing all data securely in data centers with high security standards.
• Encrypting personal data at rest and in transit.
• Authorizing and training personnel handling personal data.
• Conducting regular security audits and vulnerability assessments aligned with recognized standards (e.g., ISO/IEC 27001, SOC 2).
• Taking special precautions with sensitive or regulated personal data, including avoiding processing where no legal basis exists.
• Applying robust physical, software, and network security controls.

11.                        Personal Data Breaches

In the event of a personal data breach or suspected breach, Amana promptly reports the incident to the Client and, if required by the Client or applicable law, supports the Client in notifying the relevant supervisory authority and affected individuals.

The report includes:

• A description of the breach, including scope and root cause;
• Details on the categories and approximate number of individuals and records affected;
• Recommended or agreed measures for containment, mitigation, and prevention.

Amana does not notify regulators or data subjects directly unless explicitly instructed by the Client. As a processor, Amana provides assistance and information as needed for the Client to fulfill their obligations under applicable data protection laws.

12.                        Data Disclosure

a) Third Parties

Amana may engage third-party subprocessors only where authorized by the Client and as necessary to deliver services under the Client’s instructions. These third parties may include:

• Subprocessors needed to support verification, fraud prevention, or document processing functions;
• Data providers used to validate identity or documentation as part of the service;

All third parties are contractually required to:

• Process personal data solely on Amana’s or the Client’s documented instructions;
• Maintain appropriate data security;
• Refrain from using the data for their own purposes unless explicitly permitted by applicable law or instructed by the Client.

If any third-party subprocessor further engages their own data providers who use data for independent purposes, such relationships must be disclosed to and approved by the Client in advance.

b) Legal or Regulatory Recipients

Where legally required or instructed by the Client, Amana may support the disclosure of personal data to:

• Governmental authorities, regulators, law enforcement bodies, courts, or legally authorized officers (e.g., notaries or bailiffs);
• Other Clients, where instructed to do so by the controlling Client and where a lawful basis exists (e.g., consent, contractual obligation, or legal obligation).

Amana ensures that any such disclosure is:

• Conducted under strict compliance with applicable data protection laws;
• Limited to the minimum necessary information;
• Documented for audit and legal traceability.

13.                        International Data Transfers

All personal data processed by Amana is stored on secure servers located within the EU or in jurisdictions required by national data localisation laws, as determined and instructed by the Client. Clients have the authority to select and approve the locations for data storage and processing to ensure compliance with their applicable legal obligations.

Where necessary for service provision—such as to support communications, verifications, or integrations—and when authorized by the Client, Amana may facilitate the transfer of personal data outside of the EU/EEA, the UK, or other relevant jurisdictions to third parties or recipients previously approved by the Client (as outlined in Section 12).

Whenever international transfers are required, Amana supports the Client in implementing appropriate safeguards in accordance with Chapter V of the EU GDPR, such as:

• Transfers based on an Adequacy Decision by the European Commission;
• Standard Contractual Clauses (SCCs) adopted by the EU;
• Other legally recognized data transfer tools, including Binding Corporate Rules or appropriate contractual clauses.

Amana does not independently determine the legal basis or destination for any cross-border data transfer. It relies on Clients to provide instructions and ensure that the chosen mechanisms align with their regulatory obligations. For Clients operating in jurisdictions outside of Europe, Amana facilitates data transfers under the mechanisms permitted by local law, as directed by the Client.

14.                        Children's Personal Data

Our services are not directed to children, and we do not knowingly collect or process personal data from anyone under the age of 16 (or applicable age of digital consent in their jurisdiction). If we become aware that we have inadvertently received personal data from a child, we will delete such information as soon as possible.

15.                        Sale of Personal Data and CCPA Reference

Amana does not sell personal data under any circumstances. Amana fully complies with the applicable restrictions and prohibitions outlined in the California Consumer Privacy Act (CCPA), as well as the requirements of the EU GDPR.

For further details regarding how the CCPA applies to Amana's processing activities when acting on behalf of U.S.-based Clients, please refer to the [https://www.AmanaSI.com/CCPAPrivacyNotice].

16.                        Special Notice to Residents of Illinois, Washington, or Texas (USA)

When acting on behalf of a Client, Amana may process biometric data—such as facial geometry scans or voiceprints—strictly for the purposes of identity verification, as instructed by the Client. This includes both:

·        Biometric identifiers (e.g., facial scans, voiceprints)

·        Biometric information (data derived from those identifiers)

Amana processes such data solely in accordance with Client instructions and only after obtaining explicit, informed written consent from the individual, as required by law. All biometric data is permanently deleted once it is no longer necessary, in line with the retention policy specified in Section 7.

Amana does not independently determine the purposes or means of biometric data processing and does not reuse, share, or retain such data beyond the scope of the Client's lawful instructions.

Where the laws of Illinois, Washington, or Texas apply, this section overrides any conflicting statements in this Notice. It is the sole responsibility of the Client to ensure compliance with relevant state laws such as the Biometric Information Privacy Act (BIPA), including the provision of required notices and obtaining necessary consents.

17.                        Changes to This Notice

Amana regularly reviews and updates this Privacy Notice to ensure continued compliance with applicable data protection laws and evolving best practices.

Amana reserves the right to amend this Privacy Notice at any time. Updates will become effective immediately upon publication on our website. Users are encouraged to periodically review this Notice to stay informed of any changes. Continued use of Amana's services after the Notice is updated constitutes acceptance of the revised terms.

To request access to previous versions of this Privacy Notice, or if you have any questions, please contact us at privacy@AmanaSI.com. Our compliance team is available to assist you.

Contact Us

If you have any questions about how your personal data is processed, or if you wish to exercise any of your rights under applicable data protection laws (including the GDPR), you can contact us at:

Privacy@AmanaSI.com

Please note that our clients determine the purposes and legal basis for processing your personal data. We act as a service provider processing data on behalf of our clients. See Section 8 - Data Subjects’ Rights

This mailbox is monitored by our relevant privacy staff to ensure compliance with data protection laws and to assist with any queries or requests you may have.

‍