Privacy Policy

This policy explains how Legal Talent processes personal data when you use our website, dashboard, APIs, and identity verification workflows. We built this platform for regulated entities; transparency about data handling is part of that commitment.

Last updated: June 5, 2026

1. Data controller

Legaltalent LLC ("Legal Talent", "we", "us"), a limited liability company organized under the laws of the State of Delaware, United States, is the data controller for personal data processed through compliance.legaltalent.ai, validatekyc.com, and related services (collectively, the "Platform").

Registered address: 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States. Tax identifier: 10115923.

For privacy inquiries or to exercise your rights, contact us at contact@legaltalent.ai with the subject line "Privacy request".

2. Scope of this policy

This Privacy Policy applies to:

  • Visitors to our marketing website and documentation
  • Administrative users who create accounts on the Platform
  • Data subjects whose identity documents, biometrics, or screening data are submitted through workflows configured by our customers
  • Individuals who contact us for sales, support, or partnership inquiries

When our business customers use the Platform to verify their end users, Legal Talent typically acts as a data processor on behalf of that customer. The customer's own privacy notice governs the relationship with their end users. This policy still describes our technical and organizational measures.

3. Categories of personal data

Depending on how you interact with the Platform, we may process the following categories of personal data (PII):

  • Identity data: full name, date of birth, nationality, gender (where collected), government ID numbers, document images, and extracted OCR fields
  • Contact data: email address, phone number, postal address
  • Biometric data: facial images, liveness check captures, and face-match comparison scores produced during identity verification
  • Screening data: sanctions and watchlist match results (OFAC, UN, EU, and other lists), PEP status, adverse media references, and risk scores
  • Business data: company name, role, industry, billing contact details, and tenant configuration
  • Technical data: IP address, device identifiers, browser type, session logs, API request metadata, and audit timestamps
  • Usage data: feature usage, workflow completion events, and aggregated analytics (see Cookies section)

4. Purposes of processing

We process personal data to deliver and improve our KYC/compliance services, including:

  • Providing identity verification, AML screening, adverse media search, face match, and continuous watchlist monitoring
  • Operating multi-tenant workflows, session management, audit trails, and exportable compliance reports
  • Authenticating Platform users, enforcing role-based access, and maintaining tenant isolation
  • Billing, invoicing, and account administration for subscription customers
  • Responding to support requests, security incidents, and legal obligations
  • Analyzing aggregated usage to improve product performance and reliability

6. Sub-processors and service providers

We use carefully selected infrastructure and service providers to operate the Platform. Primary sub-processors include:

  • Amazon Web Services (AWS): cloud hosting, storage, encryption, compute (Lambda), databases (DynamoDB), queues (SQS), and identity services in regions including us-east-1
  • Amazon Rekognition: liveness detection and face comparison for identity verification workflows
  • Google Analytics (GA4): website usage analytics on marketing pages (see Cookies)
  • Email and notification providers used for transactional messages and alerts configured by tenants

We maintain written agreements requiring sub-processors to implement appropriate security measures and process data only on our instructions. A current list of sub-processors is available on request at contact@legaltalent.ai.

7. International data transfers

Legaltalent LLC is organized in Delaware, United States. Our primary AWS infrastructure is located in the United States. Personal data may therefore be transferred to and processed in countries other than your country of residence.

Where required, we implement appropriate safeguards such as Standard Contractual Clauses, data processing agreements with customers, encryption in transit and at rest, and access controls limiting transfers to what is necessary to deliver the service.

Customers in Brazil, the European Economic Area, and other jurisdictions with transfer restrictions should review their own compliance obligations and contact us to execute a Data Processing Agreement (DPA) where needed.

8. Data retention

We retain personal data only as long as necessary for the purposes described above or as required by law:

  • KYC session records, screening results, and audit logs: retained per tenant configuration and contractual terms, typically aligned with AML record-keeping obligations (often five to ten years depending on jurisdiction)
  • Account and billing records: retained for the life of the contract plus statutory limitation periods
  • Marketing website analytics: aggregated and retained per GA4 default settings (typically 14 months)
  • Support correspondence: up to three years unless a longer period is required for dispute resolution

When a tenant terminates service, we delete or anonymize tenant data according to the contract and applicable retention schedules, subject to legal hold requirements.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — obtain a copy of personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Deletion — request erasure where no overriding legal basis applies
  • Portability — receive data in a structured, machine-readable format where technically feasible
  • Objection or restriction — limit certain processing activities
  • Withdraw consent — where processing is consent-based

Uruguay — Ley 18.331 (Protección de Datos Personales): access, rectification, update, inclusion, and deletion, subject to exceptions for legal obligations and legitimate interests of the controller.

Brazil — Lei Geral de Proteção de Dados (LGPD): confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, revocation of consent, and review of automated decisions where applicable.

European Economic Area and UK visitors — GDPR-style rights: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.

To exercise these rights, email contact@legaltalent.ai with sufficient information to verify your identity. If you are an end user of one of our customers, we may direct your request to that customer as the primary controller. We respond within the timeframes required by applicable law.

10. Security measures

We implement technical and organizational measures appropriate to the sensitivity of KYC and biometric data, including:

  • Encryption in transit (TLS) and at rest for stored documents and session data
  • Multi-tenant isolation with tenant-scoped access controls and query-level authorization
  • Role-based permissions, JWT authentication, and audit logging of administrative actions
  • Infrastructure hosted on AWS with regional redundancy, monitoring, and incident response procedures
  • Minimization of PII in error responses and client-facing logs; server-side logging with access restrictions
  • Regular review of dependencies, access keys, and employee access on a need-to-know basis

11. Cookies and analytics

Our marketing website uses cookies and similar technologies to operate the site and understand aggregate traffic patterns.

Google Analytics 4 (measurement ID G-8SF6NCHY21) collects anonymized usage data such as pages visited, referral source, and device type. You can opt out via browser settings, Google's opt-out add-on, or by disabling non-essential cookies where a consent banner is presented.

The authenticated dashboard uses strictly necessary session cookies for authentication and security. These are not used for cross-site advertising.

12. Children's data

The Platform is a B2B service directed at businesses and compliance professionals. It is not intended for use by individuals under 18 years of age except where a regulated customer verifies age as part of a lawful onboarding process (for example, age-gated industries).

We do not knowingly collect personal data from children for marketing purposes. If you believe we have inadvertently received a child's data outside a customer workflow, contact us and we will take appropriate steps to delete it.

13. Changes to this policy

We may update this Privacy Policy to reflect changes in our services, legal requirements, or sub-processors. Material changes will be posted on this page with an updated "Last updated" date. For active customers, we may also notify account administrators by email or in-product notice.

Continued use of the Platform after changes take effect constitutes acknowledgment of the updated policy, except where applicable law requires explicit consent.

Privacy contact

Questions about this policy or a data subject request? Write to us and include your jurisdiction and the nature of your request.

contact@legaltalent.ai