Privacy Policy

1. Introduction

KeyFlux Pty Ltd ("KeyFlux", "we", "us", or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital identity infrastructure services, including credential issuance, verification, and management platforms.

This policy applies to users in the European Union, United Kingdom, Australia, New Zealand, Singapore, and other jurisdictions where we operate. We comply with applicable privacy laws including the General Data Protection Regulation (GDPR), Australian Privacy Act 1988, New Zealand Privacy Act 2020, and Singapore Personal Data Protection Act (PDPA).

2. Information We Collect

2.1 Information You Provide

• Account registration details (name, email address, organisation name)
• Business contact information for enterprise customers
• Payment and billing information
• Communications with our support team
• Credential data you choose to issue or verify through our platform

2.2 Information Collected Automatically

• Device information (IP address, browser type, operating system)
• Usage data (features accessed, API calls, timestamps)
• Log data for security and performance monitoring
• Cookies and similar tracking technologies (see our Cookie Policy)

2.3 Credential Data

As a digital identity infrastructure provider, we process credential data on behalf of our customers (data controllers). This may include identity attributes, verification results, and cryptographic proofs. We process this data solely according to our customers' instructions and applicable data processing agreements.

3. How We Use Your Information

We use your information for the following purposes:

• Providing and maintaining our services
• Processing credential issuance and verification requests
• Managing your account and providing customer support
• Processing payments and preventing fraud
• Sending service-related communications
• Improving our services and developing new features
• Complying with legal obligations and enforcing our terms
• Protecting the security and integrity of our platform

4. Legal Basis for Processing (GDPR)

For users in the EU/EEA and UK, we process personal data based on:

• Contract: Processing necessary to provide our services to you
• Legitimate Interests: Improving our services, security, and fraud prevention
• Legal Obligation: Compliance with applicable laws and regulations
• Consent: Where you have given explicit consent for specific processing

5. Data Sharing and Disclosure

We may share your information with:

• Service Providers: Third parties who assist in operating our platform (hosting, payment processing, analytics)
• Business Partners: Trust registry operators and credential ecosystem participants
• Legal Requirements: When required by law, court order, or government request
• Business Transfers: In connection with a merger, acquisition, or sale of assets

We do not sell your personal information to third parties.

6. International Data Transfers

KeyFlux operates globally and may transfer your data to countries outside your jurisdiction. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers from Australia and New Zealand, we ensure comparable protections are in place as required by local privacy laws.

Our primary data processing occurs in secure data centres located in Australia, with additional processing capabilities in the EU and Asia-Pacific region to ensure data residency requirements are met.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law. Account information is retained while your account is active and for a reasonable period thereafter. Credential verification logs are retained according to regulatory requirements and customer agreements, typically for 7 years for financial services compliance.

8. Your Privacy Rights

8.1 Rights Under GDPR (EU/UK)

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

8.2 Rights Under Australian Privacy Act

• Right to access your personal information
• Right to request correction of inaccurate information
• Right to complain to the Office of the Australian Information Commissioner (OAIC)

8.3 Rights Under New Zealand Privacy Act

• Right to access your personal information
• Right to request correction
• Right to complain to the Office of the Privacy Commissioner

8.4 Rights Under Singapore PDPA

• Right to access your personal data
• Right to correction
• Right to withdraw consent

9. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for account access
• Regular security assessments and penetration testing
• SOC 2 Type II certified infrastructure
• ISO 27001 aligned information security management
• Hardware Security Modules (HSMs) for cryptographic key management

10. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or through our platform.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

For EU residents, you may also lodge a complaint with your local data protection authority. For Australian residents, you may contact the Office of the Australian Information Commissioner (OAIC). For New Zealand residents, you may contact the Office of the Privacy Commissioner.