Data that we hold and how we use it
For app users, we do not act as the Controller for the messages between you and the Provider. We are the Controller of your registration data for the App itself, any log data and your Nivo Identity, if you have set one up. Your Nivo Identity will include the results of your ID&V check, if you have agreed to share it with us for future use with a new provider. We collect registration data to enable you to use the system, and your log data (data about your usage and the device type you use) to help us detect fraud and ensure the system is working correctly. Your Nivo Identity data is used to enable you to “passport” your identity between providers and speed up any future onboarding or applications.
Lawful basis for processing
Our lawful basis for processing your data is a combination of Contract, Consent and Legitimate Interest. We use Contract as a lawful basis for the data you provided when you downloaded and registered yourself as a user on the App. If you create a Nivo ID and add the results of an ID&V check, we ask your consent to transfer that from your provider to us. Once transferred, we process it under contract and legitimate interest, depending on the process. We use consent if we process any of the biometric data from your ID&V check.
Data Sharing and Transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example US Privacy Shield or Standard Contractual Clauses. We do not sell your data to anybody. As part of the service we offer you, with your consent, and only upon your instruction, we transfer your Nivo Identity to new providers.
We hold data on our app users for as long as you are an active user and then for 7 years afterwards in case of any dispute.
Technical and Operational Security
All data is password protected, access-controlled by two-factor authentication, backed up securely and encrypted when appropriate. All employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects. Data Privacy by Design and Default is an integral part of our development processes. All devices are protected by leading enterprise mobility management technologies. We are ISO 27001 certified.