📃KYC Privacy Notice

Effective date: January 16th, 2026. Applies to: Identity verification (“KYC”) performed in GrantFox using Didit (“Didit Digital Identity”).

1) Purpose of this notice

This KYC Privacy Notice explains how personal data is handled when you complete identity verification (KYC) in GrantFox. This notice applies only to the KYC process and supplements any broader privacy policy or terms that apply to GrantFox.

2) Roles & responsibilities (GrantFox vs. Didit)

  • Didit is the verification service provider that collects and processes KYC data (e.g., identity document images and face/liveness checks) as part of the verification workflow.

  • Didit acts as a “data processor” for verification data and GrantFox is the “data controller,” meaning GrantFox determines the purpose (identity verification) and can configure retention/deletion settings within Didit’s tools.

Important: GrantFox does not operate Didit’s systems. Didit is responsible for the security and operation of its verification infrastructure.

3) What data is processed during KYC

When you start KYC, you will be asked to provide information directly into the Didit verification flow. Depending on the configured checks, this may include:

  • Identity document data (e.g., ID/passport images and extracted fields)

  • Selfie / liveness (face image/video frames for liveness and face-match)

  • Verification metadata (session identifiers, timestamps, device/browser signals, results)

4) What GrantFox stores vs. what GrantFox does not store

GrantFox stores only minimal KYC outcome data, such as:

  • A verification status (e.g., approved/failed/in-review)

  • A verification identifier (e.g., a session reference / vendor reference)

  • Timestamps (when verification was initiated/completed)

GrantFox does NOT store:

  • Copies of your identity document

  • Your selfie/liveness media

  • Full KYC reports or biometric artifacts

This “store only what we need” approach aligns with the process-and-purge pattern described by Didit, where customers persist only minimal fields (e.g., status/identifiers).

5) How Didit processes, stores, and retains KYC data

Didit states that:

  • By default, verification data is processed/stored in the EU (with options for enterprise residency features).

  • Retention is configurable by the customer via console settings; the default is unlimited until a policy is set, and configurable windows can range from 1 month to 10 years.

  • Verification sessions can be deleted manually via dashboard, or programmatically; Didit describes a Delete Session API to remove verification session data.

GrantFox’s implementation intention: After your identity is verified, GrantFox keeps only the verification status + identifier and does not retain your underlying KYC media.

GrantFox processes KYC outcome data to:

  • Verify identity to help prevent fraud and maintain platform integrity

  • Determine eligibility to receive payments/rewards and to comply with payment-related requirements

  • Maintain an audit trail that a verification occurred (without storing your raw KYC media)

Legal bases (may vary by jurisdiction):

  • Consent (you choose to complete KYC and submit data)

  • Contract / legitimate interests (to operate a safe platform and enable compliant payments)

7) Sharing of data

  • With Didit: Your KYC inputs (document/selfie) are provided to Didit to perform verification.

  • With others: GrantFox may share your verification status (not your KYC images) with payment and compliance partners only when necessary to process rewards/payments, comply with law, or enforce platform policies.

8) Security

Didit describes security and assurance measures including an ISO/IEC 27001 ISMS, penetration testing, least-privilege access controls, and audit logs retained for 365 days (then auto-deleted).

GrantFox applies security measures to protect the limited KYC outcome data we store (status/identifier), but we do not host or store your KYC media.

9) Your choices, rights, and how to request deletion

You may request access, correction, or deletion where applicable under local law. Because GrantFox does not store your document/selfie media, requests involving the underlying KYC data may need to be executed through Didit’s deletion/retention controls (e.g., deletion of a verification session).

How to contact us: Email: [email protected] (Include your GrantFox username/email and the approximate verification date.)

10) Third-party provider terms (Didit)

By initiating KYC, you acknowledge that:

11) Liability & responsibility for Didit-hosted data

Didit operates its own systems and is responsible for safeguarding the KYC data it processes and stores. To the maximum extent permitted by applicable law:

  • GrantFox is not responsible for Didit’s independent systems, security controls, or any incident occurring within Didit’s infrastructure, including unauthorized access, leaks, or misuse of data stored by Didit.

  • If GrantFox becomes aware of a security incident involving KYC sessions that impacts users, GrantFox will take reasonable steps to coordinate with Didit and provide appropriate notices as required by law.

12) Changes to this notice

We may update this KYC Privacy Notice from time to time. We will post the updated version with a new effective date.
