Privacy Policy
Last updated: 2026-05-16 · Version 1.0
This policy explains how Okto (“we”, “our”) collects, processes, stores, and shares personal data when you complete an identity verification through our service on behalf of a hospitality partner (“the controller”).
Okto acts as a data processor on behalf of the controller. The controller decides why your data is processed (typically for hospitality check-in compliance, e.g. the Moroccan Fiche de Police); we execute that processing.
1. Who we are
Okto is operated by [TODO: legal entity name + registered address]. Our Data Protection Officer can be reached at data-protection@okto.io.
2. What data we process
- Identity document images — front-side capture of your passport; the bracket-region crop and the full camera frame are also kept for fraud detection.
- Extracted document fields — name, document number, date of birth, nationality, place of birth, expiry date, sex, issuing authority, MRZ string.
- Selfie — a single still frame extracted from the 6-frame liveness capture.
- Biometric scores — face-match similarity, liveness confidence, document-authenticity scores. We do not store raw face embeddings beyond what is necessary to run the comparison.
- Technical metadata — IP address, user-agent, timestamps, the controller's reference token (vendor_data).
3. Legal basis (GDPR Art. 6)
Processing rests on the controller's legal basis — typically a legal obligation (Art. 6(1)(c), e.g. hospitality registration laws) or a contract (Art. 6(1)(b), e.g. completing your booking).
Biometric data used to uniquely identify you (the face match) is special-category data under GDPR Art. 9. The controller must obtain your explicit consent (Art. 9(2)(a)) before starting the flow; that consent is the basis for our processing.
4. Sub-processors
We use the following sub-processors to deliver the service:
- Amazon Web Services (S3 eu-west-1, Textract, Rekognition) — primary processing infrastructure. EU-region.
- Supabase — application database + auth. EU-region.
- Vercel — application hosting + cron. [TODO: confirm region setting].
- moov-io/Watchman — sanctions screening (self-hosted by us; data does not leave our infrastructure).
The full sub-processor list with addresses and the corresponding Data Processing Agreements is available in the controller's DPA, downloadable from the DPA template page.
5. Retention
We retain identity-document images and selfies for 30 days after the verification reaches a terminal state (approved / rejected / manually decided). After that an automated purge cron deletes the image files from S3 and nulls the corresponding database columns. The skeleton verification record (id, status, completed-at, audit log) is retained for accounting + legal-obligation evidence (e.g. proof that we processed the request) for [TODO: legal review — 5 or 7 years per French and Moroccan hospitality law].
6. Your rights
Under GDPR you have the following rights:
- Access (Art. 15) — receive a copy of all data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — have your data removed.
- Restriction (Art. 18) — pause processing during a dispute.
- Portability (Art. 20) — receive a machine-readable copy.
- Objection (Art. 21) — to processing based on legitimate interests.
- Complaint (Art. 77) — lodge with your competent supervisory authority (CNIL in France, CNDP in Morocco, the data protection authority of the relevant Land in Germany, etc.).
Address requests to the controller first (the hospitality partner that initiated your verification). If they cannot resolve your request, contact our DPO at data-protection@okto.io. We respond within one month (GDPR Art. 12(3)).
7. International transfers
Where data leaves the EU/EEA, the transfer relies on Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914. The specific SCC modules are attached to the DPA with each controller.
8. Security
- TLS 1.2+ for all transport.
- S3 encryption at rest (AES-256, AWS-managed keys).
- Row-level security in our Supabase database — controllers cannot read each other's verifications.
- Photo URLs are pre-signed (4h validity) and the bucket is not public. Note that a pre-signed URL grants access to anyone who holds it until it expires.
- API keys are stored only as hashes, so a database leak does not yield usable keys; webhook payloads are signed with HMAC-SHA256 so the controller can verify that a callback came from us and was not altered in transit.
- Per-step attempt caps + per-host rate limiting to prevent abuse.
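As an added example of the two controls above, here is what a controller's webhook receiver and the API-key storage look like when they are implemented. This is illustrative code, not Okto's own: the header names, the binding of a timestamp into the signed message, the five-minute replay window and the key prefix are assumptions, since the policy only states that payloads are HMAC-SHA256 signed and keys are hashed at rest.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed assumptions for this example: the header names, binding the
# timestamp into the signed message, and a 5-minute replay window. The policy
# only states that payloads are HMAC-SHA256 signed and API keys are hashed.
SIGNATURE_HEADER = "X-Okto-Signature"
TIMESTAMP_HEADER = "X-Okto-Timestamp"
MAX_SKEW_SECONDS = 300


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side: MAC over `<timestamp>.<raw body>` so a captured delivery
    cannot be replayed after the window closes."""
    message = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: str(timestamp), SIGNATURE_HEADER: "sha256=" + digest}


def verify_webhook(secret: bytes, body: bytes, headers: Dict[str, str],
                   now: Optional[int] = None) -> bool:
    """Receiver side (the controller): check freshness first, then compare the
    recomputed MAC in constant time. Verify over the raw request bytes, not a
    re-serialised JSON object, or whitespace differences will break the check."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or clock-skewed: treat as a replay
    expected = sign_webhook(secret, body, timestamp)[SIGNATURE_HEADER]
    # compare_digest does not short-circuit on the first mismatching byte
    return hmac.compare_digest(expected, provided)


def new_api_key() -> str:
    """Issue a high-entropy random key; only its hash is written to the database."""
    return "okto_" + secrets.token_urlsafe(32)


def hash_api_key(api_key: str) -> str:
    """Keys are 256-bit random strings, so an unsalted SHA-256 is sufficient
    (a slow password hash only matters for low-entropy, user-chosen secrets)."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def check_api_key(stored_hash: str, presented_key: str) -> bool:
    """Look the key up by its hash, then compare the hex digests in constant time."""
    return hmac.compare_digest(stored_hash, hash_api_key(presented_key))


def demo() -> Dict[str, bool]:
    """Constructed sample delivery; returns the outcome of each check."""
    secret = b"whsec_constructed_example_secret"
    body = json.dumps({"verification_id": "ver_123", "status": "approved"}).encode()
    sent_at = 1_700_000_000
    headers = sign_webhook(secret, body, sent_at)
    key = new_api_key()
    stored = hash_api_key(key)
    return {
        "genuine": verify_webhook(secret, body, headers, now=sent_at + 10),
        "tampered_body": verify_webhook(secret, body + b" ", headers, now=sent_at + 10),
        "replayed_late": verify_webhook(secret, body, headers, now=sent_at + 301),
        "wrong_secret": verify_webhook(b"other", body, headers, now=sent_at + 10),
        "api_key_ok": check_api_key(stored, key),
        "api_key_bad": check_api_key(stored, "okto_forged"),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver must sign exactly the bytes it received; framework middleware that parses and re-serialises JSON before the check is the most common cause of spurious signature failures. Rejecting deliveries outside the timestamp window is what turns a MAC into replay protection; without it a captured "approved" callback could be re-posted indefinitely.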
9. Changes
We will publish material changes to this policy on this page and notify controllers via email at least 30 days before they take effect.
10. Contact
Questions about this policy or how we handle your data: data-protection@okto.io.