Select Page

Privacy Policy

Last updated 04.09.2019

At KCPass OÜ (hereinafter referred to as “KCPass” or “we”) we value your privacy and take personal data protection really seriously. Without exceptions, we follow the principles of data processing set out in this privacy policy and we guarantee you no surprises. We consider integrity and confidentiality of personal data of utmost importance and guarantee lawfulness of personal data processing. The privacy policy explains how we collect and use personal data including in our website –

At any time, if you have a question regarding the data processing – please feel free to contact us!

You can find our contact details below.

1. Terms and definitions

1.1. personal data – means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1.2. processing of personal data – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.3. controller –  means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

1.4. processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

1.5. third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

1.6. personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

1.7. data subject – person whose personal data is processed (e.g. website user or a contact person of a legal entity client).

2. Principles

2.1. KCPass and the processors working for us, process personal data adhering to the following principles:

2.1.1. lawfulness, fairness and transparency – the processing is lawful, fair and transparent to the data subject;

2.1.2. purpose limitation – collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

2.1.3. data minimization – adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

2.1.4. accuracy – the personal data is accurate and up to date; we employ all reasonable measures to ensure that inaccurate personal data is deleted or corrected;

2.1.5. storage limitation – kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

2.1.6. integrity and confidentiality – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

3. Processing by KCPass

3.1. KCPass is a all-in-one full legal entity verification solution that ensures businesses have enough info on their potential partners or customers. Therefore, our clients are organizations that have asked KCPass to run a KYB check on behalf of them on their potential partner or customer. To carry out those checks, KCPass uses external registers, service providers and compiles information that is already public (e.g. legal entities have to declare ultimate beneficiary owner data; adverse media checks). 

3.2. KCPass shares the results of the abovementioned KYB check with client through a compiled report. Our client then decides how and if they want to proceed with the business relation with the potential partner or customer. 

3.3. KCPass runs KYB checks on legal entities and KCPass processes business data (business-to-business relation) upon the request of our client. KCPass does not exclude the possibility that to some extent, personal data shall be processed.

4. Security of processing

4.1. KCPass applies necessary, and appropriate organizational, physical and technological security measures (which also include regular back-ups and action logs) to protect personal data. 

4.2. KCPass has provided relevant training to all employees regarding processing of (personal) data.

4.3. KCPass may use processors to process personal data, we ensure that all our processors act in accordance with our instructions, applicable law and apply all appropriate organizational and technological security measures.

5. Lawful basis of processing

5.1. KCPass processes personal data to ensure performance of a contract, based on a consent or to comply with legal obligations. If we shall initiate additional processing of personal data, we shall ensure that this will be done on a lawful basis. 

5.2. We process personal data to ensure performance of a contract when we have concluded a contract with our client. In such cases, the client of KCPass is obligated to ensure that a lawful basis of processing is obtained. 

5.3. Legal obligations of processing includes all personal data processing under relevant laws and regulations, for example: Employment Contracts Law, the Money Laundering and Terrorism Financing Prevention Act or the Accounting Act.

5.4. When processing personal data with consent as lawful basis, we only process specifically what data subject has consented to and on those purposes. The consent shall be freely given, specific and informed. Data subject can take back consent at any given time and as easily as it was given.

6. KCPass as the processor of personal data

6.1. Taken into account the information provided in clause 3 of this Privacy Policy, KCPass acts, in most cases, as a processor of personal data on behalf of our client. To ensure data subjects privacy rights KCPass abides by confidentiality principles and strictly limits disclosure of personal data.

6.2. Only the persons authorized by KCPass have the right to access, modify and process personal data.

6.3. KCPass processes personal data received directly from the client or indirectly (through various external registers and service providers).

7. Types of personal data

7.1. personal data that we process can be the following: first and last name, personal identification number (i.e. ID code), copy of identification document (e.g. ID-card, passport).

7.2. contact details that we process can be the following: e-mail address, contact telephone number, postal address, place of residence.

7.3. Internet data that we process can be the following: data on website visitors’ sessions (anonymously), cookies, log data and IP addresses.

8. Purposes of processing personal data

8.1. The purpose of processing the personal data is to:

8.1.1. provide all-in-one full legal entity verification solution, which could consist of the following actions: identity check – we verify whether the person is who they claim to be; documents check – we make sure that all required business documentation are valid; legitimacy check – we verify that the business is a legitimate entity; beneficiary check – we identify the real beneficiaries of a business; rights check – we identify whether the person has the right to represent the company.

8.1.2. process purchase and sales invoices;

8.1.3. to improve the user experience on our website and to anonymously track the usage of webpage by users;

8.1.3. comply with legal obligations and activities resulting thereof.

9. Retention of personal data

9.1. KCPass retains personal data only as long as this is necessary to fulfil the purpose for which the personal data is processed, unless there is an applicable legal obligation stating otherwise. As we are processing (personal) data based on the request of our client, once instructed by our client, either through our agreement with the client or through an ad hoc request, we delete the information we have collected. 

9.2. KCPass shall securely destroy and/or delete all personal data that has fulfilled its purpose or upon expiry of the retention term.

10. Third parties and data processors

10.1. Strictly limited by necessity and pursuant to the purposes, KCPass may forward personal data to third parties and use data processors for the following purposes:

10.1.1 for providing all-in-one full legal entity verification solution and in some cases, we need to use external partners (e.g. external registers) to reach the aforementioned goal;

10.1.1. for issuing sales invoices;

10.1.2. for client relationship management;

10.1.3. to partners to improve the quality of our services.

10.2. Regardless of access restrictions, KCPass shall release a personal data to a person who has the legal right to request personal data (e.g. police, court, supervisory authority, auditors etc).

11. Rights of the data subject

11.1. The data subject has the right to receive information regarding processing of their personal data. Data subject can obtain a copy of their personal data held by KCPass by submitting a request via e-mail to

11.2. KCPass has a legal obligation to make sure that the person requesting information about themselves is indeed the person who has the right to receive the data. For this reason, requesters may have to prove their identity or their right to request the data.

11.3. The data subject has the right to deletion of personal data if the processing of personal data took place on the basis of consent.

11.4. The data subject has the right to restrict the processing of personal data.

11.5. Where feasible and possible, a data subject has the right to data portability.

11.6. The data subject has the right to lodge a complaint to the Data Protection Inspectorate regarding processing of personal data.

12. Cookies

12.1. The website administered by KCPass,, uses cookies to make the user experience on the website more convenient and the use thereof smoother.

12.2. A cookie is a small text file that a web browser automatically saves in the device used by the user.

12.3. We use cookies to gather anonymous and generalized statistics on the number of website visitors and information on how the website is used, in order to improve our websites user-friendliness.

12.4. It is possible to refuse or block cookies on the device, this may mean that the website may not function properly and all services may not be available. To refuse or block cookies you need to change your browser settings.

13. Changes to the privacy policy

13.1. Privacy is important to KCPass and we update this privacy policy regularly. The version published on KCPass website is always the latest version.

14. Contact information

14.1. If you have any issues, concerns or suggestions pertaining to the processing of personal data, contact us via the following contact details:


Tina 9, Tallinn, Harju County