PRIVACY POLICY AND PERSONAL DATA PROTECTION

This Privacy Policy and Personal Data Protection (hereinafter, the "Policy") is intended to inform, describe and regulate the conditions, obligations and responsibilities under which Servicios de Avanzada Veinticinco Cuarenta Sociedad de Responsabilidad Limitada, Legal ID: 3-102-934846, domiciled in Costa Rica, San José, San José Hospital, Avenida 8, Calle 28, Centro Corporativo Internacional, Torre C, Office Number 501 (hereinafter the "Company" or "Controller"), in its capacity as controller of personal data processing, collects, uses, stores, shares and protects the personal data of the user (hereinafter, the "User") of the CertiusOne® mobile application (hereinafter, "APP").

Likewise, this Policy informs, describes and regulates the conditions, obligations and responsibilities under which the Company, in addition to its role as Controller with respect to the User's personal data, acts as Processor of the personal data processing performed by the User, to the extent that the latter uses the APP as an identity verification platform, such verification being understood as the systematic process involving the capture and rigorous validation of information and credentials (such as identity documents, biographical or biometric data) for the purpose of verifying the identity of an individual for the User's purposes and business operations.

By registering and using the APP, the User accepts the conditions set forth herein and consents to the processing of their data in accordance with this Policy, without prejudice to the rights afforded to them under the Law on the Protection of Individuals with Regard to the Processing of Their Personal Data, No. 8968, and its Regulations (hereinafter, "Law 8968").

The User may also access this Policy at the following link https://docs.verificada.net/Politica-de-Privacidad-y-Proteccion-de-Datos-Personales.pdf or on the app store webpage without requiring authentication in the App.

Glossary

For the purposes of this Policy, the following terms shall have the meanings set forth below:

1.- Personal Data Collected and Purposes of Processing

The Company may process personal data of both the User and the Data Subject on behalf of the User, and use such data for the legitimate purposes determined in this Policy. To learn which data is collected and processed by the Company, as well as the specific purposes for which such data is used, please review the following table:

Personal Data Processed Purposes of Processing
A.- User Identification Data:
Full name, email address, phone number.
  • Identify and authenticate the User in the APP, as well as recovery of access credentials.
  • Sending communications related to APP management, completed identity verification reports, communications regarding the commercial relationship between the User and the Company.
  • Responding to User information requests and providing customer service.
  • Offering services in accordance with the User's profile and transactional habits.
  • Collecting payment for the Services.
B.- Data Subject Identification Data
Identity document number, photograph of the official identity document (National ID, DIMEX or Passport) through which the Data Subject's data is accessed, such as: full name, photograph of the person in the document, handwritten signature in the document, date of birth, nationality, electoral address, place of birth, document expiration date, sex. Photographs of the Data Subject or the location where the identity verification process is conducted may also be collected.
  • Querying providers for verification of the Data Subject's identity at the User's request.
  • Identity verification and delivery of the report to the User.
C.- Biometric Data of the Data Subject*
Fingerprint and facial biometric features.
  • Sending biometric data to providers to perform identity verification of the Data Subject at the User's request.
  • Matching facial biometric data against the official identity document.
D.- User Transactional Information
Purchase amount.
  • Processing User payments through the payment processor ONVO.
  • Creation and management of payment records for internal control and accounting.
E.- Security and Verification
Data Subject Geolocation.
  • Verifying that the identity capture process is being conducted at a location consistent with the in-person transaction with the User.
  • Strengthening the confidence level of the verification by linking the validated identity to a specific geographic and temporal coordinate.
  • Maintaining evidence of the verification process.
F.- Statistical Information or Metadata:
Device type, model, operating system, device ID, APP version, network provider, IP address, language settings, statistical usage information and usage habits, date and time of User account registration.
  • Understanding how Users interact with the APP to improve the user experience and User support.
  • Notifying the User of their completed transactions.
  • Offering services in accordance with the User's profile and transactional habits.

1.1.- Non-Retention and Real-Time Transmission of Biometric Data Clause

1.2.- Personal Data of Minors

The APP may be used by any adult natural person or legal entity with legal capacity to contract. The APP does not collect or process personal information of minors, unless permitted by law or unless the informed consent of their legal representatives has been obtained.

If a person believes that the Company has collected or is processing personal data of minors over whom they are the legal guardian, they may contact the Company to request the exercise of rights guaranteed under Law 8968 and in accordance with clause (6) of this Policy.

The Company shall delete the personal data of minors stored in the APP if the User has not obtained the informed consent of the minor's legal representatives or guardians.

1.3.- Device Function Access Permissions

For the proper provision of the Services, the APP requires the User to authorize access to the camera and geolocation functionalities. The following provides a detailed description of each requested permission, the specific purpose justifying it, the moment it operates, the data it generates, and the conditions of its processing, in accordance with the principles of transparency, data minimization and privacy by design required by Law 8968 and the requirements of application distribution platforms.

1.3.1.- Camera Permissions

a.- Permission Identification

b.- Purposes of Camera Access

c.- Nature of Biometric Processing and Absence of Storage

The Company expressly states that:

d.- Moment of Permission Activation

Access to the camera is activated exclusively during the active use of the APP by the User, at the moment the User initiates an identity verification process of a Data Subject. The APP does not access the camera in the background, does not store images in the device gallery, and does not access pre-existing photographs of the User or the Data Subject.

e.- Legal Basis for Processing

Access to the camera and biometric processing of the Data Subject is based on the informed, express and prior consent of the Data Subject, the obtaining and safekeeping of which is the exclusive responsibility of the User in its capacity as Controller, in accordance with the obligations set forth in Section 10, subsection a) of this Policy.

1.3.2 Geolocation Permission

a.- Permission Identification

b.- Purpose of Geolocation Access

The APP requests access to the Data Subject's device precise geographic location during the identity verification process, for the following specific purposes:

c.- Access Mode: Only During Active Use (Foreground)

The APP accesses the device's geolocation only while the verification process is actively running on screen. The APP does not request or use background location access permissions. Consequently:

d.- Precision of Location Collected

The APP collects the precise location of the Data Subject's device at the time of verification. Approximate location (Coarse Location) is not used, as the geospatial coherence purpose requires a coordinate with a sufficient level of precision to link the verification event to a specific location.

e.- Processing, Sharing and Retention of the Coordinate

The captured geospatial coordinate is incorporated into the record of the identity verification performed, is accessible by the User as part of the verification report, and is retained by the Company in accordance with the period established in Section 5 of this Policy. The coordinate is not shared with third parties other than the User for advertising, marketing or behavioral analytics purposes, nor is it used to create location profiles of the Data Subject.

f.- Legal Basis for Processing

Access to the Data Subject's precise geolocation is based on the informed, express and prior consent of the Data Subject, the obtaining and safekeeping of which is the responsibility of the User in its capacity as Controller, in accordance with the obligations set forth in Section 10, subsection a) of this Policy.

2.- Legal Basis for Processing

The processing of data is based primarily on the informed consent of the User and the Data Subject, as well as on the performance of the contractual relationship between the User and the Company; compliance with legal obligations in accordance with regulations on financial matters (electronic payment methods), fraud prevention, prevention of money laundering and financing of terrorism and drug trafficking; the legitimate interest of the Company in improving services and protecting its operations and the data managed by its APP; and the consent of the User, where promotional communications, access to sensitive data, device data or service personalization are involved.

When acting in the capacity of Processor and processing personal data on behalf of and at the instruction of the User, the legal basis for processing shall be those defined by the User in its capacity as Controller with respect to the data collected from the Data Subject.

3.- With Whom Is Personal Data Shared or Disclosed?

Personal data processed by the Company is not sold to third parties; however, for the operation of the APP's services and functionalities, the personal data processed may be shared with:

i) internal Company employees, who are subject to strict legal confidentiality obligations, as well as other companies forming part of the same Economic Group or that may join it in the future;

ii) payment processors exclusively for the operation of payment services;

iii) technology service providers or intermediaries such as:

iv) also with other technology service providers contracted by the Company (or by other companies of the same Economic Group), which provide infrastructure, platform, software, communications, storage and cloud document custody services, or other services. All of the foregoing act in the capacity of Processors, and the Company maintains processing agreements with them as required by Law 8968;

v) the personal data will also be shared with companies of the same Economic Interest Group, when necessary for the provision of services;

vi) and with competent authorities when a duly grounded legal requirement exists.

The Company may also share the User's personal data with third-party services that, via API or Web services, may be integrated into the APP, services such as electronic invoicing, point-of-sale (POS) systems, CRMs, digital marketing platforms, Call Center platforms, instant electronic messaging applications, administrative management solutions, email management software, calendar and office productivity tools, market research or commercial intelligence providers, data storage and processing providers.

The Company will only share the transaction amount with the Costa Rican payment gateway ONVO. At the time of payment, the User will be redirected to a page under ONVO's control, where they must enter their financial information. Once the transaction is completed, ONVO will return confirmation to the App.

Therefore, during this process, the App does not have access to the User's financial information. ONVO processes such data in accordance with its own privacy policy, located at https://onvopay.com/policies.

4.- International Data Transfers

The Company does NOT perform international transfers of personal data, in accordance with the terms of Article 14 of Law 8968, and Articles 2, subsection w) and 40 of the Regulations of the Law on the Protection of Individuals with Regard to the Processing of Their Personal Data No. 37554-JP, which establish that a transfer occurs only when data is transferred to another Controller; in this case, the Company shares or transfers data to its service providers or technology intermediaries for the purpose of providing the service, and such transfer of data is governed under the conditions of a data processing agreement.

5.- Retention of Personal Data

After the User's last interaction with the APP, personal data will be retained for the period strictly necessary to fulfill the processing purposes and while legal, contractual or regulatory obligations subsist. The retention period shall be five (5) years, unless a regulation requires its retention for a longer period; beyond this period, the Company may retain data in anonymized and encrypted form solely for research and statistical purposes.

In the case of identity verification information of the Data Subject supplied by the Providers at the User's request, the Company shall retain it in encrypted form for a period of five (5) years, for the sole purpose of complying with requests made by a judicial authority or if necessary for the defense of the Company's legitimate interests. The Company does not retain or store any type of biometric data used in the identity verification process; such data is used solely to make the query to the Providers.

5.1.- Deletion or Erasure of Personal Data and Account Closure

A.- For the User

The User has the right to request at any time the deletion of their User Account and the erasure of their personal data. To this end, the Company provides two mechanisms: a "self-service" mechanism and a direct support option that does not require access to the App. The User may choose their preferred method according to the following options:

1. In-App Mechanism: Profile → Delete Account → Confirmation, then select the desired option:

2. Deletion request through electronic means: The User may contact us through any of the following channels to request deletion of their account:

Once the request has been validated, the Company shall immediately proceed to the definitive deletion of the Account and its associated data. However, the Company shall retain, under strict security and encryption measures, billing records and security logs for a period of five (5) years in order to comply with tax and technical audit obligations.

B.- For the Data Subject or Interested Party

Since the User is the Controller of the Data Subject's data processing, any request for deletion of information contained in verification reports must be directed primarily to the User who conducted the transaction.

Notwithstanding the foregoing, the Data Subject may contact the Company through the support channel to request the dissociation of their identity from the APP's historical records. The Company, in its capacity as Processor, shall technically collaborate with the User to carry out the deletion in the storage systems, provided that no legal retention obligation exists (such as court orders or ongoing fraud investigations).

Biometric Data

6.- User Rights

The User may exercise the following rights at any time:

To exercise any of these rights, the User must send a written communication to the email address info@certiusone.net or to WhatsApp WhatsApp: +506 7023 7145. The Company may request evidence of the requester's identity to ensure that the request is made by a legitimately authorized person.

If the User requests the deletion, cancellation or objection to the processing of personal data, the Company will be unable to continue providing services to the User due to the impossibility of processing the personal data required for the fulfillment of the services.

The User, as Controller, must attend to and guarantee the exercise of rights requests by the Data Subjects, for which the Company shall collaborate in accordance with the provisions of this Policy.

7.- Information Security

The Company has implemented technical and organizational security measures, in accordance with industry best practices and the security principles of Law 8968, including: data encryption in transit and at rest, two-factor authentication (2FA), biometric authentication through the personal device, periodic security audits, access control policies and incident management, data processing agreements with third parties with whom personal data is shared, in order to ensure regulatory compliance and the security of personal data.

8.- The Company as Data Processor

In the specific case of the use of the APP by the User, the latter shall hold the status of Controller with respect to personal data processing by defining the purposes of the processing of the Data Subject's identification data and the means through which such data is collected and processed. Therefore, the Company in its capacity as Processor, through the APP, provides a technological service to the User, processing personal data on its behalf. The User in its capacity as Controller engages the APP's services and decides on the purpose and use of the information to verify the identity of the Data Subjects in the course of its activities.

8.1.- Object and Purposes of the Data Processing Agreement

The object of this processing agreement is the provision of access to the APP service so that the Company may provide identity verification services for the Data Subjects for the purposes determined by the User itself.

9.- Obligations of the Data Processor

The Company, in its role as Processor, is hereby authorized to process personal data on behalf of the User as necessary for the provision of the Services. The processing shall consist of the collection, storage and communication by transmission of the personal data described in clause 1 of this Policy. Therefore, the Company as Processor undertakes to:

a- Process data solely for the identity verification requested by the User, refraining from processing personal data for purposes other than those specified. The Company may adopt all organizational and operational decisions necessary for the provision of the Service. However, the decisions it adopts must in all cases respect the purposes requested by the User.

b- Implement and maintain adequate technical and organizational security measures to protect personal data against alteration, disclosure, loss or unauthorized access, in accordance with Art. 10 of Law 8968 and Art. 34 of its regulations.

c- Extend the confidentiality obligations with respect to the personal data accessed to all of its personnel and providers. This duty of confidentiality shall persist even after the termination of the contractual relationship.

d- Refrain from transferring or disclosing the Data Subject's personal data, except upon express instructions from the User.

e- Subcontract the services of providers (RACSA and VERIDAS) for the provision of the Services on behalf of the User.

f- Collaborate with the User, through technical and organizational measures, so that the User may fulfill its obligation to respond to requests for the exercise of rights by the Data Subjects.

g- Make available to the User all information necessary to demonstrate compliance with its obligations, as well as to enable the audits or inspections carried out by the Controller or another auditor authorized by them.

h- Maintain the duty of secrecy with respect to the personal data accessed by virtue of this agreement, even after its purpose has concluded.

i- Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the applicable security measures, of which they must be duly informed.

j- Maintain available to the User the documentation evidencing compliance with the obligation set forth in the preceding subsection.

k- Ensure the necessary training in personal data protection for persons authorized to process personal data.

l- Notify the User, without undue delay and within a maximum period of 48 hours, of any breach of personal data security so that the User may fulfill its obligation to notify the Data Subject and/or PRODHAB. Notification shall not be required when it is unlikely that such security breach will constitute a risk to the rights and freedoms of natural persons.

10.- Obligations of the User as Controller of the Data Subject's Personal Data

The User, as Controller with respect to the Data Subject's processed data, is the primary guarantor of the Data Subjects' rights and has the following obligations:

a- Legal basis: to be the sole party responsible for ensuring that all processing of data carried out through the APP is supported by a valid legal basis, primarily the informed, express, free and unequivocal consent of the Data Subject, in accordance with Art. 5 and 9 of Law 8968.

b- Duty to inform: to inform the Data Subject in advance of the purposes of the processing, the identity of the User, the rights available to them, and the other requirements of Article 5 of Law 8968. The User must also ensure the currency, truthfulness, accuracy and adequacy to the intended purpose of the personal data it processes.

c- Consent management: to collect, safeguard and be able to demonstrate at all times the explicit consent of the Data Subject for the processing of their sensitive data.

d- Lawful instructions: to provide the Company only with instructions that comply with applicable personal data protection legislation.

e- Attention to Data Subject Rights: to be the direct point of contact for Data Subjects and to manage and respond to all requests for the exercise of rights (access, rectification, erasure).

f- Processing procedures: to establish and document procedures for the inclusion, retention, modification, blocking and deletion of personal data collected from Data Subjects through the APP, whether on-site or in the cloud, based on minimum action protocols and security measures in the processing of personal data, also ensuring the application of the principle of information quality of the database created through personal data processing.

g- Communications and Sub-processing: The User understands and accepts that, for the provision of the service, the Company must communicate the necessary data to the providers (RACSA, TSE, DGME and VERIDAS).

h- Ensuring that the informed consent obtained from the Data Subject explicitly covers the international data transfer that Veridas's service may entail, thereby complying with Article 31, subsection f) of Law 8968. The responsibility for legitimizing such transfer lies with the User.

i- In the event of a data breach, the User shall be the sole party obligated to notify the affected Data Subject and the Agency for the Protection of Inhabitants' Data (PRODHAB) within the legal period of five (5) business days, in accordance with Articles 38 and 39 of the Regulations. The Company's notification to the User shall contain all relevant information to facilitate such compliance.

11.- Data Subjects' Rights and Procedure for Their Exercise

Data Subjects may exercise before the User their rights of access, rectification, erasure, objection, restriction of processing and withdrawal of consent, in accordance with the following Procedure:

a- The Data Subject must submit their request to exercise rights directly to the User, who collected the Data Subject's data and ordered verification of their identity in line with the User's interests and line of business.

b- The User must handle and respond to the request within a maximum period of five (5) business days.

c- If fulfilling the request requires assistance from the Company as data Processor, the User shall send it the appropriate instruction so that the Company may provide the necessary technical support, with the Company placing at the User's disposal the communication channels for that purpose.

12.- Validity and Review

This data processing agreement enters into force on the date the Services are contracted and shall have the same duration as the principal commercial relationship. Confidentiality obligations shall survive termination of the contractual relationship. The Processor (the Company) may amend this Policy at any time. Changes shall be notified through the APP or the official website and shall take effect upon publication. Continued use of the APP after notification implies acceptance of the changes.

13.- User Acceptance Statement

By using the APP's services, the User (Controller of processing) declares and warrants that:

  1. 1. They have read, understood and accepted the terms of this Privacy Policy and Personal Data Protection Policy in full.
  2. 2. They shall comply with all obligations as Controller of the database, especially obtaining the informed consent of each Data Subject before carrying out any processing through the APP.
  3. 3. They shall release and hold harmless the Company in its role as Processor from any liability arising from breach of their obligations as Controller, especially regarding the lack of a legal basis for the processing of data.

14.- Contact

For inquiries, requests or complaints related to this Policy, you may contact the Company at the email address info@certiusone.net or at the WhatsApp number +506 7023 7145.

Last updated: March 23, 2026