GDPR Compliance
OptropicGlobal GmbH is committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR).
Data Controller
OptropicGlobal GmbH, Musterstraße 1, 10115 Berlin, Germany
Data Protection Officer: privacy@optropic.com
Personal Data We Process
API Customers (B2B)
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Company name | Account management | Contract |
| Contact email | Service communications | Contract |
| API key metadata | Authentication | Contract |
| Usage logs | Billing, fraud prevention | Legitimate interest |
End Users (via Customer Apps)
| Data Type | Purpose | Legal Basis |
|---|---|---|
| IP address (hashed) | Fraud detection | Legitimate interest |
| Device fingerprint (hashed) | Fraud detection | Legitimate interest |
| Scan location (country only) | Fraud detection | Legitimate interest |
Camera images captured during verification are processed entirely on-device. Optropic servers never receive or store photographs.
Privacy by Design
Our architecture implements privacy principles at every level:
1. Data Minimization
- We collect only the data necessary to provide the service
- No personal identifiers in verification requests
- Aggregate statistics rather than individual tracking
2. Pseudonymization
- IP addresses are hashed before storage
- Device fingerprints are one-way hashes
- No correlation between scans and individuals
3. Local Processing
- Physical features analyzed on-device
- Feature vectors converted to cryptographic hashes
- Original images never leave the device
4. Purpose Limitation
- Data used only for stated purposes
- No profiling or behavioral tracking
- No data sold to third parties
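The following is an added example, not Optropic's own code, showing how the pseudonymization and data-minimization principles above can be applied to a scan record before it is stored: identifiers are replaced by keyed hashes, location is reduced to the country, and everything else is dropped. The field names, the sample record and the key are constructed assumptions; a keyed hash (HMAC) is used because an unkeyed hash of an IPv4 address can be reversed by enumerating the whole address space.

```python
import hashlib
import hmac
from typing import Any, Dict

# Constructed sample of an incoming scan (field names are assumptions, not from the page).
RAW_SCAN: Dict[str, Any] = {
    "ip": "203.0.113.42",  # documentation range, not a real host
    "device_fingerprint": "canvas:a1b2|ua:Mozilla/5.0|tz:Europe/Berlin",
    "location": {"country": "DE", "city": "Berlin", "lat": 52.52, "lon": 13.405},
    "user_email": "alice@example.com",  # must never reach storage
    "result": "genuine",
}

# Constructed key; in production this lives in a secrets manager and is rotated.
KEY = b"constructed-demo-key-rotate-me"

# Only these fields may be written to the verification log.
ALLOWED_FIELDS = {"ip_hash", "device_hash", "country", "result"}


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym of a value.

    Plain SHA-256 of an IPv4 address is not a pseudonym: all ~4.3 billion
    addresses can be hashed in minutes and the table used for reversal.
    A secret key removes that lookup attack, and rotating the key
    unlinks new records from old ones.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_scan(raw: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Reduce a raw scan to the data the policy tables permit."""
    location = raw.get("location") or {}
    return {
        "ip_hash": keyed_hash(raw["ip"], key),
        "device_hash": keyed_hash(raw["device_fingerprint"], key),
        "country": location.get("country"),  # city and coordinates are dropped
        "result": raw["result"],
    }


def storable(record: Dict[str, Any]) -> bool:
    """Guard before persisting: reject any field outside the allow-list."""
    return set(record) <= ALLOWED_FIELDS


if __name__ == "__main__":
    stored = pseudonymize_scan(RAW_SCAN, KEY)
    print(stored, storable(stored))
```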
Your Rights
Under GDPR, you have the right to:
| Right | How to Exercise |
|---|---|
| Access | Email privacy@optropic.com |
| Rectification | Update via Studio dashboard |
| Erasure | Email privacy@optropic.com |
| Data Portability | Export from Studio dashboard |
| Object | Email privacy@optropic.com |
| Restrict Processing | Email privacy@optropic.com |
We respond to all requests within 30 days.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of contract + 7 years |
| API logs | 90 days |
| Verification logs | 2 years |
| Billing records | 10 years (legal requirement) |
International Transfers
Data is processed within the EU. If transfers outside the EEA are necessary, we use:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
Sub-Processors
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting | EU (Frankfurt) |
| Supabase Inc. | Database | EU (Frankfurt) |
| Stripe Inc. | Payment processing | EU |
Data Processing Agreement
Enterprise customers receive a Data Processing Agreement (DPA) as part of their contract.
Security Measures
Technical and organizational measures protecting personal data:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access control and authentication
- Regular security assessments
- Employee security training
- Incident response procedures
See our Security Policy for details.
Breach Notification
In the event of a personal data breach:
- We will notify the supervisory authority within 72 hours
- We will notify affected individuals where the breach is likely to result in a high risk to them
- We will document the breach and remediation
Contact
For GDPR inquiries or to exercise your rights:
Data Protection Officer: privacy@optropic.com
Postal Address: OptropicGlobal GmbH, Attn: Data Protection Officer, Musterstraße 1, 10115 Berlin, Germany
Supervisory Authority
You have the right to lodge a complaint with:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstraße 219, 10969 Berlin, mailbox@datenschutz-berlin.de