This Privacy Policy regulates the manner in which BLINK.ING DOO BEOGRAD, company ID: 21332755, VAT ID: 110297552,with headquarters in Savski Venac, Belgrade, 89/5 Karađorđeva Street, (hereinafter: “the Company“) collects, uses, stores, and protects the personal data of individuals whose personal data are processed through the Android application Blinking Verify (hereinafter: the “User” / “Users”), in accordance with the Law on Personal Data Protection of the Republic of Serbia (“Official Gazette of RS”, No. 87/2018) (hereinafter: the “Law”) and the General Data Protection Regulation (GDPR).
The Application is intended for Users undergoing remote identity verification (KYC) procedures with the Company’s business partners, such as banks and other financial and/or regulated institutions in Serbia, Montenegro, and other countries (hereinafter: the “Partner” / “Partners”). In such cases, the Partner acts as the data controller, while the Company processes personal data in the capacity of a data processor, on behalf of and under the instructions of the Partner.
The Company may also act as an independent data controller with respect to certain categories of data (e.g., technical and security logs, system operation records, etc.) that it processes for the purposes of ensuring system security, improving the performance of the Application, and fulfilling its own legal obligations.
Biometric data (the User’s facial photograph and the facial image stored in the chip of the identity document) constitute a special category of personal data within the meaning of the Law and the GDPR. Such data are processed solely to the extent necessary to reliably verify the User’s identity and prevent misuse, and are subject to enhanced technical and organizational security measures.
By using the Application, the User confirms that they are familiar with this Privacy Policy.
1. Data Collection
The Company may collect the following categories of personal data of the User:
- Data from the identity document read via NFC, such as: full name, date and place of birth, gender, nationality, address of residence, ID card/passport/other identification document number, issuing authority, country of issuance, date of issuance and expiry date, unique personal identification number or any other unique identifier (if included in the document), the digital facial photograph stored in the document’s chip, as well as technical and security elements of the document (e.g., data required for verifying the authenticity and integrity of the document).
- Biometric and related data: the User’s facial photograph captured via the device camera (selfie) for comparison with the digital facial image stored in the identity document and for verifying the User’s identity.
- Technical and application usage data: device type and model, operating system version, Application version, IP address and access timestamp, error data, logs and other technical parameters relevant for the security and proper functioning of the Application, as well as basic information on which screens/steps the User has interacted with during the identity verification process.
- Other data voluntarily provided by the User while using our services (e.g., through communication with customer support).
2. Purpose of Processing and Processors
The data are processed for the following purposes:
- Conducting remote identity verification (KYC) on behalf of the Partner, including: reading data from the identity document via NFC, verifying the authenticity and validity of the document, confirming that the User is the rightful holder of the document, and transmitting the results and required data to the Partner conducting the verification procedure.
- Ensuring system security and preventing misuse, including: preventing and detecting fraud, protecting against attempts to use another person’s identity document, and safeguarding the information security and integrity of the Application and associated systems.
- Maintaining and improving the Application and related services, including: resolving technical issues, optimizing performance, and enhancing the user experience.
- Maintaining records, protecting legal rights, and fulfilling contractual obligations with Partners, as well as submitting, exercising, or defending legal claims, where applicable.
Data is collected exclusively to the extent necessary to achieve the stated purposes.
Personal data will not be further processed in a way that is inconsistent with the stated purposes.
When necessary for the performance of its business activities, the Company may engage third parties — data processors — to process personal data on its behalf and under its instructions (for example: hosting providers, IT support, marketing or accounting agencies).
The Company concludes a data processing agreement with each processor, regulating mutual rights and obligations in accordance with Article 45 of the Law on Personal Data Protection.
Processors are obliged to apply appropriate technical, organizational, and personnel measures to ensure the security of personal data and to process such data solely for the purposes determined by the Company.
3. Legal Basis for Processing and Consent to the Processing of Personal Data
The processing of personal data is carried out only if one of the following legal bases applies:
- the User has given consent for processing in a specific purpose
- processing is necessary for the performance of a contract or to take steps at the User’s request prior to entering into a contract
- processing is necessary for compliance with a legal obligation of the Company
- processing is necessary for the legitimate interests pursued by the Company, except where such interests are overridden by the interests or fundamental rights and freedoms of the User
The User gives consent by downloading the application from the Google Play Store, thereby confirming that they are familiar with the purpose of processing, the scope of the data collected, and their rights set forth in this Privacy Policy.
4. Data Sharing
The Company may share data only with contractual partners involved in the provision of services, strictly to the extent necessary to fulfill the purpose of processing, or with competent authorities when required by the Law.
5. Data Security
Such measures include, among others:
- restricting access to personal data to authorized persons only
- the use of passwords, antivirus, and security systems;
- regular software updates and maintenance of security protocols
- maintaining records of data access and modifications
- confidentiality obligations for all employees and associates
- contractual data protection obligations with data processors
- physical protection of documentation containing personal data.
In the event of a personal data breach, the Company shall take all legally prescribed actions, including notification of the Commissioner and the data subjects, in accordance with Articles 52–55 of the Law.
6. User Rights
- The User has the right to request from the Company, access to their personal data, as well as their rectification, deletion, or restriction of processing, in accordance with the Law on Personal Data Protection.
- The User has the right to withdraw consent for data processing at any time, whereby the withdrawal does not affect the legality of the processing carried out before the withdrawal.
- The User has the right to object to the processing of their personal data, as well as the right to data portability, in accordance with applicable regulations.
- The User has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects their rights or position, in accordance with Article 38 of the Law.
- The Company does not make decisions within the Application that are based solely on automated processing and that produce legal effects concerning the User. The decision on whether to conclude a contract with the User is made by the Partner, in accordance with its own internal rules and procedures.
In the event of an objection, the Company shall cease processing the User’s data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the User, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
The User may submit the objection via email to the address specified in this Privacy Policy.
An exception to this right is possible only if automated processing is necessary for the conclusion or performance of a contract between the User and the Partner or the Company, if such processing is required by law, or if the User has given their explicit consent, in accordance with Article 39 of the Law.
The User may exercise these rights electronically by sending a request to the Company’s email address specified in this Privacy Policy.
The Company will respond to the User’s request as soon as possible, and no later than 30 days from the date of receipt.
7. Right to File a Complaint with the Commissioner
The User has the right to file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection if they believe that the processing of their personal data has been carried out contrary to the provisions of the Law on Personal Data Protection.
The Commissioner can be contacted at the official address: Bulevar kralja Aleksandra 15, 11000 Belgrade, or via email at: office@poverenik.rs.
8. Data Retention
Personal data are retained for as long as necessary to fulfill the purpose of processing, unless otherwise required by the Law.
After the expiration of the specified period, the data is deleted or archived in accordance with the legal obligations of the Company.
9. Changes to the Policy
The Company reserves the right to amend this Privacy Policy in accordance with applicable regulations. All changes will be made available within the Application through an updated version of this text and will apply from the moment of publication, unless otherwise indicated.
10. Contact
For any questions regarding the processing of personal data, you may contact us via email at support@blinking.id or in writing at the Company’s registered address.
11. Final Provisions
This Privacy Policy has been prepared in accordance with the relevant regulations of the Republic of Serbia and the GDPR.
For all matters not expressly regulated by this Privacy Policy, applicable regulations of the Republic of Serbia shall apply.