Privacy Policy

This Privacy Policy provides comprehensive information pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and the German Federal Data Protection Act (BDSG) regarding the processing of personal data in the context of using the Software-as-a-Service application Flonk (hereinafter "Flonk" or "Application"), provided at https://flonk.id. Due to the processing of biometric data within the meaning of Art. 9(1) GDPR, our service is subject to particularly high data protection requirements, which we address with the utmost transparency.

1. Controller and Contact

1.1 Controller within the meaning of the GDPR

The controller for data processing in connection with the operation of the website https://flonk.id as well as for all own processing activities is:

MedConnect GmbH
Bayernstraße 10
30855 Langenhagen
Germany

Phone: +49 (0) 511 94 27 41 45
Email: support@flonk.id
Web: https://flonk.id

Authorised Managing Director: oec. Michael Mansholt
Registered in the commercial register of the local court of Hannover under HRB 226358

1.2 Role as Processor

For the actual identity verification of the data transmitted by you as an end user ("data subject"), MedConnect GmbH acts in principle as a processor within the meaning of Art. 28 GDPR on behalf of our business customers (hereinafter "Customers"). The controller within the meaning of Art. 4(7) GDPR in these cases is the respective Customer who has integrated the verification process into their onboarding, contracting, or compliance workflow. For data processing on the https://flonk.id website, in the customer portal, and for our own business purposes (e.g. marketing, contract administration with Customers), MedConnect GmbH remains the independent controller.

1.3 Data Protection Officer

Due to the extensive processing of biometric data (Art. 9(1) GDPR) and the obligation under § 38 BDSG, we have appointed a Data Protection Officer. You can reach the DPO at:

MedConnect GmbH
Attn: Data Protection Officer
Bayernstraße 10
30855 Langenhagen

The DPO is available for all matters relating to the processing of your personal data and the exercise of your rights. On request, we will treat enquiries confidentially and without disclosure to other staff members.

2. Subject Matter and Purposes of Processing

Flonk is a Software-as-a-Service application for digital identity verification, serving the secure and lawful verification of the identity of natural persons. Processing is carried out for the following purposes:

• a) Identity verification and document authenticity check — Capture, reading, and validation of official identity documents (national ID cards, passports, driving licences, and comparable documents from more than 200 countries), including checks for manipulation, holograms, security features, and matches against reference databases.
• b) Biometric match (1:1) — Algorithmic comparison of the photo from the presented identity document with a live image of your face for unique identification within the meaning of Art. 4(14) GDPR.
• c) Liveness detection — Analysis of video sequences, 3D depth data, and micro-movements to determine that a live, present person is involved and not a reproduction (photo, mask, deepfake, video recording).
• d) Age verification (in particular 18+) — Confirmation of minimum age based on identity document data.
• e) KYC/AML compliance — Supporting our Customers in fulfilling their legal obligations under the German Anti-Money Laundering Act (GwG), the Telecommunications Act (TKG), the Interstate Treaty on the Protection of Minors in the Media (JMStV), the Pharmacy Act, the Trust Services Act (VDG), and other applicable regulations.
• f) Fraud prevention — Detection and defence against identity theft, multi-accounting, and other abusive usage attempts.
• g) Documentation obligations — Audit-proof logging of identity verifications to fulfil evidentiary obligations toward supervisory authorities and auditors.
• h) Provision of website, developer portal, and API infrastructure — Including technical operation, security, stability, and error analysis.
• i) Contract administration with Customers — Creation of API keys, billing, support, and customer management.

3. Legal Bases for Processing

The processing of personal data takes place — depending on the processing situation — on the basis of one or more of the following legal grounds:

3.1 Consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR

The processing of your biometric data (facial image from the identity document, live capture, liveness video) takes place exclusively on the basis of your explicit consent, which you grant before the start of verification by active confirmation in the Flonk application. The consent in particular covers the processing of special categories of personal data within the meaning of Art. 9 GDPR. It is voluntary and may be withdrawn at any time with effect for the future (see section 9).

3.2 Performance of a contract pursuant to Art. 6(1)(b) GDPR

Where verification serves the initiation, conclusion, or performance of a contractual relationship between you and our Customer, the processing of non-biometric identity data is based on this legal ground.

3.3 Legal obligation pursuant to Art. 6(1)(c) GDPR in conjunction with Art. 9(2)(g) GDPR

Where our Customers are legally obliged to identify their contractual partners (e.g. §§ 10 ff. GwG, § 4 GwG, § 11 TKG, §§ 1, 4 JMStV, § 12a SGB I for telematics infrastructure), processing of the data required to fulfil these obligations is based on this legal ground.

3.4 Legitimate interest pursuant to Art. 6(1)(f) GDPR

For fraud prevention, system security, abuse detection, aggregated statistical analyses, and the improvement of our algorithms (exclusively on the basis of anonymised or pseudonymised data), we rely on our legitimate interest as well as the aligned interest of our Customers in a secure, reliable, and tamper-resistant verification service.

3.5 Substantial public interest pursuant to Art. 9(2)(g) GDPR

Insofar as the processing of biometric data is necessary to fulfil legal identification obligations of our Customers, this legal ground may apply in addition.

4. Categories of Processed Data

Within the framework of identity verification and use of the Flonk application, we process the following data categories:

4.1 Master data from the identity document

First and last name, birth name, academic titles, date of birth, place of birth, country of birth, nationality, gender, address (if printed on the document), signature image.

4.2 Document-specific data

Document type, document number, issuing authority, date of issue, period of validity, country of issue, MRZ data (Machine Readable Zone), security features, holograms, optical variable graphics, NFC chip data (for electronic identity documents).

4.3 Biometric data (Art. 9(1) GDPR)

• Photo from the identity document
• Live selfie capture(s) via the camera of your device
• Short video sequences for liveness detection, including 3D depth measurement data and micro-movement analyses
• Biometric templates derived from the images (mathematical representations of facial features)

4.4 Verification and result data

Timestamps of verification start and end, result (successful / not successful / manual review required), confidence and risk scores, liveness score, match score, reasons for any rejections, language and country of the session.

4.5 Technical and device information

IP address, browser type and version, operating system and version, device type and model, screen resolution, approximate location based on IP address, user agent, referrer URL, device fingerprint, camera and sensor information, access timestamp.

4.6 Session and metadata

Unique session ID, Customer reference ID, transmitted client metadata (e.g. pseudonymous Customer user ID, email address, if transmitted by our Customer), webhook status, SDK used and its version.

4.7 Log data

Server logs, audit logs, security logs, error logs.

4.8 Data of Customer staff (dashboard users)

Name, business email address, role, login data, API key hashes, access logs.

5. Origin of Data

We collect data predominantly directly from you in the course of the verification process (upload or capture of the identity document, selfie, liveness check). In addition, data may be transmitted by our respective Customer (e.g. reference ID, email address, anticipated verification purpose). For authenticity checks, we compare document features against publicly accessible reference databases (e.g. PRADO, ICAO specifications) as well as specialised document libraries. A check against sanctions, PEP, or address registers only takes place if explicitly commissioned by our Customer.

6. Recipients and Categories of Recipients

6.1 Commissioning business customers

The result of verification and the data required to fulfil the respective verification purpose are transmitted exclusively to the Customer that commissioned the verification. Raw biometric data (selfies, videos, templates) are in principle not disclosed to Customers but remain within our infrastructure; transmission only takes place to the extent contractually agreed and legally permissible.

6.2 Processors of MedConnect GmbH (sub-processors)

We engage carefully selected service providers with whom we have concluded agreements pursuant to Art. 28 GDPR. An up-to-date list of sub-processors is available on request. These include in particular:

6.3 Authorities and courts

Where we are legally obliged or where this is necessary for legal prosecution (e.g. pursuant to §§ 161, 163 StPO, requests by the German Federal Financial Supervisory Authority, or data protection supervisory authorities).

6.4 Legal, tax, and audit advisors

Within the scope of statutory cooperation obligations and under strict confidentiality.

7. Transfers to Third Countries

The processing of your data principally takes place within the European Economic Area (EEA), primarily in data centres in Amsterdam (Netherlands). A transfer to third countries (states outside the EEA) does not regularly occur. Insofar as our infrastructure partner Railway Corp. (registered office: San Francisco, USA) may, in exceptional cases, access configuration and metadata in the course of operations, Railway Corp. is certified under the EU-US Data Privacy Framework; the transfer therefore takes place on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR. We have additionally agreed EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as well as additional technical and organisational protection measures (in particular encryption at rest and in transit, strict access controls, regional data residency in the EU). A transfer of raw biometric data to third countries does not take place.

8. Retention Period

8.1 Verification data (incl. biometric data)

The personal data collected in the course of identity verification, including biometric data, is stored encrypted in European data centres. The storage period depends on our Customer's verification purpose and the applicable statutory retention periods:

• Up to 10 years for verifications within the scope of the GwG (§ 8(4) GwG)
• Up to 6 years for transactions relevant under commercial and tax law (§ 257 HGB, § 147 AO)
• Shorter periods in other use cases, where no statutory retention basis applies

8.2 Early anonymisation

The commissioning Customer may at any time arrange early anonymisation of your data. In doing so, personal components are irreversibly removed; remaining purely statistical data allows no conclusions about your person.

8.3 Biometric templates

Where cross-session recognition is not contractually required, biometric templates are deleted immediately after the match has been completed.

8.4 Server logs

Technical logs are in principle deleted automatically after 30 to 90 days, unless longer retention is exceptionally required to investigate security incidents.

8.5 Data from business customer relationships (contract documents, invoices)

Stored until the expiry of statutory retention periods (typically 10 years after the end of the contract).

Upon expiry of the respective retention periods, your data will be irrevocably deleted or anonymised.

9. Your Rights as a Data Subject

You have the following rights, which you may exercise toward us at any time:

9.1 Right of access (Art. 15 GDPR)

You have the right to obtain information as to whether and which personal data we process about you.

9.2 Right to rectification (Art. 16 GDPR)

We will rectify incorrect data without undue delay upon your request.

9.3 Right to erasure (Art. 17 GDPR)

You may request the erasure of your data, provided no statutory retention obligations or other processing grounds preclude this.

9.4 Right to restriction of processing (Art. 18 GDPR)

9.5 Right to data portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller.

9.6 Right to object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6(1)(e) or (f) GDPR.

9.7 Withdrawal of consent (Art. 7(3) GDPR)

You may withdraw a given consent at any time with effect for the future. Please note that after withdrawal, identity verification is technically no longer possible and our Customer may not be able to maintain the business relationship initiated with you; statutory retention obligations remain unaffected.

9.8 Right to lodge a complaint (Art. 77 GDPR)

You may lodge a complaint with a data protection supervisory authority at any time. Competent for MedConnect GmbH is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Phone: +49 (0) 511 120-4500
Email: poststelle@lfd.niedersachsen.de

To exercise your rights, an informal notification to support@flonk.id is sufficient. For security reasons, we are entitled to verify your identity before providing information.

10. Automated Decision-Making and Profiling

Identity verification involves automated decision-making within the meaning of Art. 22 GDPR: based on algorithmic evaluations (document authenticity, facial match, liveness detection), a verification result is produced that may affect the contractual relationship between you and our Customer (e.g. opening an account, releasing a purchase, access to age-restricted content).

Logic of the decision: confidence scores are determined for document authenticity, biometric match, and liveness, and compared against defined thresholds. Where results are ambiguous, the case is referred for manual review by trained staff.

Your rights: You have the right to obtain human intervention on the part of the controller (our Customer), to express your point of view, and to contest the decision (Art. 22(3) GDPR). Please direct your request primarily to our Customer; we support handling on their instruction.

Processing is necessary for entering into or performing the contract between you and our Customer (Art. 22(2)(a) GDPR) and/or based on your explicit consent (Art. 22(2)(c) GDPR).

11. Data Security and Technical-Organisational Measures

We have implemented comprehensive technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. Our measures include in particular:

• Encryption — TLS 1.3 for any data transmission, AES-256 encryption for data at rest, hardware-based key management (HSM/KMS).
• Access management — Strict need-to-know principle, role-based access controls (RBAC), multi-factor authentication for all administrative access, regular access reviews.
• Network and application security — Web Application Firewall, DDoS protection, regular penetration tests by independent auditors, code reviews, continuous vulnerability scanning.
• Data segregation — Multi-tenant architecture with logical separation of Customer data.
• Backup and resilience — Encrypted backups, geographically redundant data storage within the EU, documented disaster recovery plans, 99.99% availability SLA.
• Audit trails — Tamper-proof logging of all access to personal data.
• Personnel — Written commitment of all staff to data secrecy, regular data protection and security awareness training.
• Data Protection Impact Assessment (Art. 35 GDPR) — A comprehensive DPIA has been carried out for the processing of biometric data and is regularly updated.
• Privacy by Design / by Default (Art. 25 GDPR) — Privacy-friendly defaults, data minimisation, and pseudonymisation are an integral part of our product development.

12. Provision of the Website https://flonk.id

When you visit our website, we process the following data to deliver the content and to ensure stability and security: IP address, date and time, accessed resource, transmitted data volume, HTTP status code, referrer URL, browser, and operating system. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation). This data is deleted after a maximum of 90 days.

Cookies and comparable technologies

We use exclusively technically necessary cookies pursuant to § 25(2)(2) TDDDG. Tracking or analytics cookies are only set on the basis of your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG) via our consent management tool. You may withdraw your consent at any time via the cookie settings.

Contacting us

If you contact us via the contact form or by email, we process your details for the handling of the enquiry (Art. 6(1)(b) or (f) GDPR). The data is deleted as soon as it is no longer required, at the latest upon expiry of statutory retention obligations.

Developer portal and API keys

When creating a developer account, we process the data provided in the registration form to provide the service on the basis of Art. 6(1)(b) GDPR.

13. Obligation to Provide Data

The provision of your personal data is neither legally nor contractually mandatory. You are not obliged to give your consent. However, identity verification via Flonk is technically not possible without providing the required data. A consequence of non-provision may therefore be that our Customer cannot enter into or continue the business relationship initiated with you.

14. Amendments to this Privacy Policy

We reserve the right to amend this Privacy Policy in order to adapt it to changes in the legal framework, adjustments of our services, or changes to data processing. The respective current version is always available at https://flonk.id/datenschutz. Material changes that affect your rights will be communicated to you in good time and in an appropriate form.

15. Contact for Data Protection Matters

For all questions, concerns, and exercise of rights in connection with data protection, you can reach us at:

MedConnect GmbH
Attn: Data Protection Officer
Bayernstraße 10
30855 Langenhagen
Email: info@medconnect.gmbh
Phone: +49 (0) 511 94 27 41 45