Privacy Notice

Last updated: 2024/11/30

Preamble

This is the Privacy Policy of zkMe embedded applications running under the brand "ByteMe" (integrated into Telegram, Kakao, Line, WeChat, and other messaging applications) (the “MiniApp Services”). zkMe and ByteMe are brand of zkMe Technology Limited (HK). Please note: Separate Privacy Policies are available for the main zkMe Services and the website www.zk.me.

Privacy is one of our core values, so zkMe Technology Limited. (“we”, “us”, “our” or “zkMe”) respects your privacy. Our MiniApp Services are designed to minimize the amount of data that is collected about you ("you", or "User"). In order to interact with you and improve the MiniApp Services, we do collect some information.

This MiniApp Service Privacy Policy ("Policy") will explain to you what data we collect, and how we use your personal data. It also describes how you can access, update, or otherwise take control of the personal data that we have collected from you. We, being a software-as-a-service business, take our responsibilities with regard to the requirements of CCPA and the EU GDPR very seriously.

By the nature of the ByteMe application (on your end user device) processes a wide variety of information, including personal identifiable information and special categories of personal data. For each type of data laid out below, we will therefore explain in the highest degree of detail, the processing level and depth in order for you to understand how ByteMe processes your personal identifiable data.

Your Personal Data is collected from you when:

a. You open our mobile app, embedded mini-app, or interact with a website pop-up;

b. You create or update your digital credentials through our mobile app or website pop-up;

c. You verify your credentials through our mobile app or website pop-up;

d. You access or use any feature, content, software, hardware or other product available on or through the Services or otherwise provided by us.

Your access and use of the Services is conditioned on your providing us with any requested User Information.

1. Personal Identifiable Information (PII)

1.1 What data is collected?

For each credential that you verify and generate anonymous zero-knowledge proofs from, a unique set of personal identifiable information (PII) is processed. Currently, the following credentials are supported:

1.ByteMe Face Symmetry Score

(based on facial recognition).

In order to verify your Proof-of-Citizenship, the following data is processed:

  • your nodal point faceprint.

    • This data is provided by you when you verify credentials within the MiniApp Services, as you use the MiniApp Services, or as you engage with the Company through its MiniApp Services. We consider all such information voluntarily provided.

    1.2 How we use data

    The main purpose for the collection of personal data is to programmatically generate (with the help of external AI models) a gamified social profile with the intent to drive brand engagement on social media.

    Your personal data is not stored, accessed, shared or in any other way processed besides mentioned above.

    1.3 How we secure and retain data

    PII data is not stored on zkMe servers. PII data is sent and processed by two AI models provided by Leonardo.ai and AWS (Claude 3.5). These models are hosted on servers situated in Sydney, Australia and Cincinnati, USA. Data is actively removed from zkMe servers after the MiniApp Service is provided and not retained further.

    zkMe takes the highest degree of commercially reasonable measures, including administrative, technical, and physical safeguards, to:

    1. protect your profile from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction,

    2. protect against any threats or hazards to the security or integrity of the profile,

    3. protect against unauthorized access to, or unauthorized disclosure of the profile, and

    4. take such security measures required by any applicable privacy laws.

    2. Special Categories of Personal Data

    2.1 What data is collected?

    When you create a DID with our MiniApp Services, we collect the following Special Category of Personal Data:

  • your nodal point faceprint from picture-based facial recognition,
  • your Email-Address.

    • You provide certain User Information when you register for your account with the MiniApp Services, as you use the MiniApp Services, or as you engage with Company through its MiniApp Services. We consider all such information voluntarily provided.

    2.2 How we use data

    The main purpose for the collection of personal data is to programmatically generate (with the help of external AI models) a gamified social profile with the intent to drive brand engagement on social media.

    Your personal data is not stored, accessed, shared or in any other way processed besides mentioned above.

    2.3 How we secure and retain data

    PII data is not stored on zkMe servers. PII data is sent and processed by two AI models provided by Leonardo.ai and AWS (Claude 3.5). These models are hosted on servers situated in Sydney, Australia and Cincinnati, USA. Data is actively removed from zkMe servers after the MiniApp Service is provided and not retained further.

    zkMe takes the highest degree of commercially reasonable measures, including administrative, technical, and physical safeguards, to:

    1. protect your profile from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction,

    2. protect against any threats or hazards to the security or integrity of the profile,

    3. protect against unauthorized access to, or unauthorized disclosure of the profile, and

    4. take such security measures required by any applicable privacy laws.

    We cannot completely guarantee that unauthorized third parties will never be able to defeat our security measures or use your profile for improper purposes. In the event that your profile in our possession or under our control is compromised as a result of a security breach, we shall give prompt notice to you, with full particulars, and shall immediately commence a thorough investigation of any such incident. This data is provided by you when you verify credentials within the MiniApp Services, as you use the MiniApp Services, or as you engage with the Company through its MiniApp Services. We consider all such information voluntarily provided.

    3. Device & Usage Information

    3.1 What data is collected?

  • Service Usage Data may automatically be collected when you interact with our MiniApp Services. This information may include data about your interactions with the features, content and links contained in our MiniApp Services, time of interaction, operating system used, IP address, language preferences, and other cookie data. While none of this data will allow us to directly identify who you are, some of this data can be used to approximate your location.
  • Supplementary Data may be received about you from Data Providers. We may combine this data with the information we already have about you in order to maintain accuracy of our records, and provide products and services that you may be interested in.
  • App Analytics might be provided by third-party tools to collect information on how you interact with our App. This data may include information on which pages you visit, how much time you spend on each page, which operating system and browser you use, and geographic location information. These tools will generate cookies for this purpose which can only be used by the service provider. The data collected may be transmitted to and stored by these service providers in a country other than where you reside. This information does not include personal data such as names, addresses, email addresses, etc, and will be stored and used in accordance with their own privacy policies.

    • 3.2 How we use data

  • Delivering, updating, and improving the MiniApp Services that we provide to you. We collect various data you use and interact with our MiniApp Services. We use this data to:

    • a. improve and optimize the performance of our MiniApp Services,

    b. identify and investigate security risks, and needed enhancements to our MiniApp Services,

    c. detect and prevent fraud and abuse of our MiniApp Services,

    d. collect statistics about the use of our MiniApp Services,

    e. analyze which of our MiniApp Services are most relevant to you.

    Device & Usage information is collected anonymously and not linked to your identity or profile.

    3.3 How we secure and retain data

    Device & Usage information is stored on zkMe servers. zkMe takes the highest degree of commercially reasonable measures, including administrative, technical, and physical safeguards, to:

    1. protect your profile from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction,

    2. ensure the security, confidentiality, and integrity of your profile through the use of, among others, state of the art encryption like threshold and FH encryption,

    3. protect against any threats or hazards to the security or integrity of the profile,

    4. protect against unauthorized access to, or unauthorized disclosure of the profile, and

    5. take such security measures required by any applicable privacy laws.

    4. Your Data Subject rights

    You may contact our Data Protection Officer (DPO) for any reason through the "Contact Us" form or via the following e-mail address: [email protected].

    If you have any questions that aren’t addressed by this Privacy Policy, please let us know! Use it to contact us for anything related to our use of your information, including opting-out of sharing your information with others, updating your information, finding out what information we have about you, or for anything that you feel violates any of your above listed rights.

    If you make a request to delete your personal data, that request will be honored only to the extent where the data is no longer needed for the MiniApp Services, or when it is no longer required for our business, legal or contractual record keeping requirements. Any request to delete all or any personal data related to a Visitor is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies we operate to process the data. Where a Personal Data Breach occurs or is suspected, it is reported immediately to the DPO or the CEO and, where applicable, to the data protection authority and the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and sets out the planned measures intended to eliminate the breach.

    We adhere to the principles of personal data protection as envisaged in CCPA and the EU GDPR. In accordance with these principles, Personal Data is:

  • Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
  • Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Kept accurate and up to date;
  • Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;
  • Not retained longer than necessary;
  • Processed in a manner that ensures their appropriate security;
  • Not transferred outside the EEA without adequate protection. follow generally accepted standards to collect, store and protect Personal Data, including the use of encryption.
  • We retain personal data for as long as it is needed to provide the MiniApp Services.

    • We process the Personal Data under §28 of the EU GDPR. We may determine the purposes and means of Personal Data Processing under §24 of the EU GDPR. We ensure that no Personal Data is used for any purposes incompatible with the aforementioned ones. If we are legally permitted to do so, we will take reasonable steps to notify you in the event we are required to provide your information to third parties as part of a legal process. It should be underlined that we do not sell Personal Data and strictly comply with restrictions and prohibitions under CCPA and the EU GDPR.

    As the Data Controller, we respect and guarantee the following rights of each Data Subject:

  • Right to obtain confirmation as to whether or not his or her personal data are being processed (§15 of the EU GDPR);
  • Right to rectification (§16 of the EU GDPR);
  • Right to erase Personal Data (§17 of the EU GDPR) if one of the following applies: (i) the Personal data is no longer necessary in relation to the purposes for which was collected or otherwise processed; (ii) Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing; (iii) the Personal Data have been unlawfully processed;
  • Right to restrict personal data processing (§18 of the EU GDPR) if one of the following applies: (i) the accuracy of the personal data is contested; (ii) the processing is unlawful and the Data Subject objects to the erasure of the Personal Data and requests to restrict their use instead; (iii) zkMe Technology Limited no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject to establish, exercise or defend legal claims; (iv) the Data Subject has objected to processing pending the verification whether zkMe Technology Limited legitimate grounds override those of Data Subject;
  • Right to be informed (§19 of the EU GDPR);
  • Right to data portability (§20 of the EU GDPR);
  • Right to object (§21 of the EU GDPR) if the processing is justified by the "public interest" or "legitimate interest" legal ground as set out in point (e) and (f) of §6(1) of the GDPR;
  • Right not to be subject solely on automated processing (§22 of the EU GDPR) unless one of the following applies: (i) such decision is necessary for entering into, or performance of a contract; (ii) such decision is authorised by the law to which zkMe is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, or (iii) such decision is based on the Data Subject's explicit consent;
  • Right to lodge a complaint (§77 of the EU GDPR).

    • We guarantee that making a request for receiving personal data is free unless a reasonable cost is to be charged where requests are unfounded or excessive or repetitive in character.

    5. Definitions

  • CCPA

    • the California Consumer Privacy Act of 2018, Civil Code sections 1798.100.

  • EU GDPR

    • the General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA).

  • Consent

    • any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their Personal Data;

  • Data Processor

    • zkMe Technology Limited where it processes personal data;

  • Data Providers

    • third-party service providers or public authorities are used to collect additional information necessary for the provision of the MiniApp Services.

  • Data Subject

    • any Visitor whose Personal Data zkMe Technology Limited may process;

  • Personal Data

    • any information relating to an identified or identifiable Data Subject;

  • Personal Data Breach

    • a breach of data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

  • Personal Data Processing

    • any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  • Special Categories of Personal Data

    • Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

  • Third-Party Processors

    • processors authorised to process data activities under the direct authority of zkMe Technology Limited ;

  • Visitor

    • any individual using the embedded MiniApp Services;

  • Website

    • https://www.zk.me/

    6. Changes to the Privacy Policy

    This App Privacy Policy is constantly reviewed and amended in order to provide appropriate compliance with CCPA and the EU GDPR.

    If we make any substantial changes, we will notify you through the MiniApp Services. Any changes to this Policy will be effective upon fifteen (15) calendar days following our notification posting through the MiniApp Services. These changes will be effective immediately for new users of the Services. Continued use of the Services following notice of changes to this Policy shall indicate your acknowledgement and acceptance of such changes and agreement to be bound by the updated Policy.