DUNA WEBSITE PRIVACY POLICY 

Duna provides a business identity platform to onboard and verify the identity of businesses or individuals as well as other services. Businesses use our technology and services to customise the know-your-customer (“KYC”) onboarding experience. Duna may receive personal data directly or indirectly through these business customers. 

“We”, “our” and “us” refers to the Duna entity responsible for the personal data processing.

This Privacy Policy describes how we collect, use, share and protect personal data when you use our website, leverage our API or otherwise access our products and services (“Service” or “Services”). It also describes how you can reach out to Duna with privacy-related inquiries and the rights and choices you have as a data subject.

1. How We Collect and Use Personal Data

“Personal Data” is any information that can be used to or directly identify you. This includes information that you as a data subject provide to us, and information we collect about you through your interaction with our Services or via third parties. 

Depending on your relationship with Duna, “you” might be:

• A Duna “Customer”: The Customer is a business that is building an onboarding process using the Duna Services to onboard other businesses and/or individuals.
  
  

• A Duna “Connection”: A business or an individual that is sharing details about themselves with a Customer as part of an onboarding flow facilitated by the Services.
  
  

• A “Representative”: This is the individual who is representing the Customer or Connection, such as (1) the legal representative, (2) the ultimate beneficial owner, (3) the person submitting the information and completing the onboarding flow, such as the executive assistant of an officer of the business, (4) another individual added to the account by the aforementioned (1) to (3). 
  
  

• A “Website Visitor”: When you interact with us by visiting our website (without being logged into your Duna account), send us a question to our support queue inquiring about our Services, or when your interaction with us does not qualify as you being a Duna Customer or a Duna Connection. 

We collect personal data in the following ways:

• If the Customer is onboarding a Connection that is an individual, such as a sole proprietor or freelancer: In that case, the onboarding information to verify the Connection is the personal data of the individual who is the sole proprietor or freelancer. This could be their name, address, email, phone number and other salient contact information as requested by the Customer when configuring the Services.
  
  

• If the Customer is onboarding a Connection that is a business: The Connection is onboarded via the information that authenticates a Representative. The Personal Data in this case is the information needed to verify the Representative of the Connection, such as name, email address, phone number, and other identifiers. 
  
  

• The Website Visitor is interacting with the Duna website or other interfaces in relation to Duna.    We use cookies and similar tracking technologies to enhance your experience on our website. You can manage your cookie preferences through your browser settings. Please see Cookies and Similar Technologies for more information. 

The Duna Customer is building the onboarding flow through which Personal Data is collected using the Duna Services. Duna collects this information on behalf of the Customer. The Personal Data collected and processed depends on the Customer’s onboarding flow configuration and can include information such as: name; address, including proof of address; email; phone number; government-issued ID; information pertaining to a person’s AML screening, continuous monitoring and investigations; biometric selfies and liveness checks; qualified electronic signature.

We use Personal Data in the following ways: 

• Develop and Maintain the Services: We continuously strive to improve our Services and the Duna platform. We use the information and feedback we receive from you, including aggregated personal data, to do so. 
  
  

• Analytics: We use analytics on our website and other interfaces to help us understand how you use Duna and to diagnose issues. Please see below to learn more about cookies and third party analytics. 
  
  

• Communication and Customer Support: We use Personal Data to deliver our Services to you. We may use your contact details to inform you about our Services, invite you to events, feedback surveys, customer outreach and research and otherwise for marketing purposes. We  may use your contact details to send you a 2FA authentication message. For any marketing communications, we will only send you messages in compliance with applicable law, including any consent, opt-in or opt-out requirements as applicable to you. Where permitted under applicable law, we may record our calls with you to provide our Services, comply with our legal obligations, perform research and quality assurance, as well as for training purposes.
  
  

• Safety, Compliance and Legal Obligations: We use Personal Data as necessary to comply with our contractual, compliance and legal obligations. We monitor our platform to identify fraudulent, harmful or malicious activities and may use Personal Data to safeguard and protect vulnerable Customers, Connections, Representatives or other individuals.  

2. How We Share Personal Data

We share Personal Data with third parties for the following purposes: 

• Third-Party Service Providers: We leverage service providers to provide our Services. These third parties offer services such as cloud infrastructure, analytics, marketing, communications, analytics, identity verification and other capabilities. We share Personal Data with these third parties to provide services on our behalf. 
  
  

• Compliance, Harm Prevention and Legal Obligation: We share Personal Data when necessary to do so to comply with applicable law, to enforce our contractual rights, to secure and protect the Duna platform and Services, to protect you and us against malicious or fraudulent activities, to protect your and our rights, privacy, safety and security, and to respond to a valid legal request from governmental authorities or courts.
   

• Duna Affiliates: We share Personal Data with our corporate affiliates to provide the Services.
  
  

• Business Transfer: If we enter or prepare to enter into a transaction that modifies the corporate structure of Duna (incl. a merger, sale, joint venture, acquisition, assignment, change of control or other disposition of all or part of our assets or business), we may share Personal Data with third parties associated with such transaction. Any acquiring entity would acquire the right to use Personal Data, subject to the terms of this Privacy Policy.

3. Cookies and Similar Technologies

Cookies are small pieces of text sent to your browser by a website you visit and are stored in your browser directory. They help that website remember information about your visit, which can both make it easier to visit the site again and make the site more useful to you. Similar technologies, including unique identifiers used to identify an app or device, pixel tags, and local storage, can perform the same function. We use the term “Cookies” to describe cookies and similar technologies.

We use Cookies to ensure that our Services function properly, to detect and prevent fraudulent, harmful or malicious conduct, understand how you engage with our Services and website, to analyse and improve our Services and your experience using the Services. 

There are two types of Cookies, (i) first party cookies placed by Duna directly when you use our Services, and (ii) third-party cookies set by other companies, such as Google, for site analytics purposes. 

Duna deploys first-party Cookies for fraud prevention, security, functionality and authentication purposes. We work with third-party providers like Google Analytics. Please see their documentation here to get more information about these cookies and your rights and choices. 

4. Rights and Choices of Individuals

In accordance with applicable law, individuals have rights and choices about how their Personal Data is processed. These rights and choices are: 

• Withdraw consent: You may withdraw your consent if your Personal Data is being processed based on your previous consent.
  
  

• Request information: You may request to know whether Duna is processing your Personal Data and you may request access to this Personal Data. 
  
  

• Rectify Personal Data: You may request that Duna rectify the Personal Data we have on record about you if that information is inaccurate. 
  
  

• Data export: Assuming its technical feasibility, you may request the transfer of your Personal Data records to another company.
  
  

• Object to processing: You may object to the processing of your Personal Data if the data processing is relying on Duna's legitimate interest to process the Personal Data. We will cease processing your Personal Data upon receipt of your objection unless there are compelling grounds or processing is required for legal reasons. 
  
  

• Restrict processing: You may request that Duna restrict the use of your Personal Data in certain circumstances (for example, while Duna is working on another request of yours such as a data rectification request)
  
  

• Delete Personal Data: You may request deletion of your Personal Data in certain circumstances and in accordance with applicable law. 
  
  

• No discrimination: You will not be discriminated against for exercising your rights. 

To exercise your rights, please email privacy@duna.io. 

You may contact Duna’s Data Protection Officer and your competent supervisory authority to seek an appeal against a decision made by Duna regarding these rights. 

5. Data Retention and Security

We make reasonable efforts to implement a level of security commensurate with the risks associated with processing Personal Data. We have technical and organisational safeguards designed to protect Personal Data. Unfortunately, no system can guarantee 100% security. 

We retain Personal Data for as long as necessary to provide the Services. We may continue to retain Personal Data after this period to comply with legal requirements, to monitor against fraud and other misuse, and to comply with compliance obligations. If we retain Personal Data, we do so in accordance with applicable law, and considering record retention obligations and limitations. 

6. Children's Privacy

Our Service is not directed at minors. If you become aware that your child has provided us with Personal Data, please contact us, and we will delete the information.

7. Updates and Notifications 

We may make changes to this Privacy Policy from time to time. Please see the “Last Updated” timestamp at the top of this Privacy Policy for when it was last revised. Any changes will be effective upon posting the revised policy on our website.

8. Contact 

The data controller responsible for this Privacy Policy is Duna B.V. (registered number 89240820), located in Amsterdam, The Netherlands. You can contact Duna at privacy@duna.io.

Appendix A: Cookie Tables Sample
Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but that will cause some parts of the site to not work. These cookies do not store any personally identifiable information.