RariMe Privacy Notice
Last Updated: May 31, 2024
This RariMe Privacy Notice (the "Privacy Notice") is designed to help you understand how Rarilabs Inc., a Delaware corporation, having its principal place of business at 1101 Brickell Avenue, South Tower, 8th Floor, Miami, FL 33131, the United States ("Rarilabs", "we", "us" or "our"), collects, uses, and shares your personal information, and to help you understand and exercise your privacy rights. This Privacy Notice is incorporated by the reference into the RariMe General Terms & Conditions (https://rarime.com/general-terms.html) (the "Terms") and together with the Terms constitutes a binding agreement between you and Rarilabs and describes our information handling practices when you access and use the Application (as defined in the Terms), Website (as defined in the Terms), and any other Services (as defined in below). If you choose to access or use the Application, Website or Services, such actions and any Dispute (as defined in the Terms) over privacy is subject to this Privacy Notice and Terms, including limitations on damages.
Capitalized terms used but not defined in this Privacy Notice shall take the meanings assigned to such terms by the Terms.
Notice at Collection. At or before the time of collection, California residents may have a right to receive notice of our practices, including the categories of personal information to be collected, the purposes for which such information is collected or used, whether such information is sold or shared and how to opt out of such uses, and how long such information is retained. You can find those details in this statement by clicking on the above links.
1. SCOPE AND UPDATES TO THIS PRIVACY NOTICE 1
2. PERSONAL INFORMATION WE COLLECT 2
3. HOW WE USE YOUR PERSONAL INFORMATION 3
4. HOW WE DISCLOSE YOUR PERSONAL INFORMATION 3
5. SPECIFIC INFORMATION ABOUT THE USE OF THE WEBSITE AND OUR SERVICES 4
6. YOUR PRIVACY CHOICES AND RIGHTS 7
7. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION 9
8. RETENTION OF PERSONAL INFORMATION 10
9. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS 10
10. SUPPLEMENTAL NOTICE FOR NEVADA RESIDENTS 13
This Privacy Notice applies to personal information processed by us, including in the Application, on the Website, and in other online or offline offerings. To make this Privacy Notice easier to read, where the context allows, the Application, Website and other offerings are collectively called the "Services".
Changes to Our Privacy Notice. We may revise this Privacy Notice from time to time in our sole discretion. The revised Privacy Notice will be effective immediately at the time of posting, unless a later effective date is expressly stated therein. We will also revise the "Last Updated” date stated above. If there are any material changes to this Privacy Notice, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Notice if you continue to use our Services after the new Privacy Notice takes effect.
It is your responsibility to periodically review this Privacy Notice. The Users are bound by any changes to this Privacy Notice by using our Services after such changes have been first posted. If you do not agree to the new Privacy Notice, your only remedy is to discontinue use of the Services.
The categories of personal information we collect depend on how you interact with us, our Services, and requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below.
We may collect personal information that you provide to us.
Automatic Collection of Personal Information. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, mobile carrier and other unique identifiers, browser or device information, location information (including approximate location derived from IP address), blockchain information (such as your Digital Assets Wallet address, on-chain activities, interactions with the Services and other similar activities).
Referrals and Sharing Features. Our Services may offer various tools and functionalities that allow you to provide personal information about your friends through our referral service. Our referral services may also allow you to forward or share certain content with a friend or colleague, such as an email inviting your friend to use our Services. Please only share with us contact information of people with whom you have a relationship (e.g., relative, friend, neighbor, or co-worker).
Provide Our Services. We use your personal information to fulfill our contract with you, to provide you with our Services and to comply with the law, such as:
Administrative Purposes. We use your personal information for various administrative purposes, such as:
With Your Consent. We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.
We disclose your personal information to third parties for a variety of business purposes, including to provide our Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.
Without the support of other companies, we would not be able to provide our Services in the desired form. To use the services of these companies, it is necessary to share your personal information with these companies to a certain extent. The disclosure of data is limited to selected third-party service providers and only to the extent necessary for the optimal provision of our Services.
The legal basis for this data processing is the performance of a contract within the meaning of Article 6(1)(b) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").
Your data may be disclosed to third parties to the extent necessary for the fulfilment of the contractual relationship. The legal basis for these disclosures is the necessity for the performance of a contract within the meaning of Article 6(1)(b) of the GDPR. For these data processing activities, the third-party service providers are considered data controllers under the data protection laws, and not us. It is the responsibility of these third-party service providers to inform you about their own data processing, which may extend beyond the mere sharing of data for the provision of services, and to comply with data protection laws.
The categories of third parties with whom we may share your personal information are described below.
We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in protecting our rights and fulfilling our obligations, as well as in the sale of our company or parts thereof.
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.
The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in protecting our rights and fulfilling our obligations, as well as in the sale of our company or parts thereof.
When you visit our Website, the web servers temporarily store every access in a log file. The following data is collected without your intervention and stored by us until automatically deleted:
The collection and processing of this data is carried out for the purpose of enabling the use of our Website (establishing a connection), ensuring the long-term security and stability of the system, and enabling error and performance analysis and optimization of our Website.
In case of an attack on the network infrastructure of the Website or suspicion of other unauthorized or improper use of the Website, the IP address and other data will be analyzed for clarification and defense purposes; if necessary, they may be used in civil or criminal proceedings for the identification of the respective User.
The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the purposes described above.
For the operation of our Website, we use the services of our hosting provider: Google LLC, having its principal place of business at 1600 Amphitheatre Parkway, Mountain View, California 94043, United States, or its affiliates, as described at https://cloud.google.com/terms/google-entity ("Google"). As a result, your data may be stored in a Google database, which may enable Google to access your data if this is necessary for the provision of the software and for support in using the software. For more information on data processing in relation to Google, see https://cloud.google.com/terms/data-processing-addendum. The legal basis for this processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in using the services of third-party providers.
If you contact us through our contact addresses and channels (e.g., by e-mail, phone), your personal information is processed. We process the data you provide us with, such as your name, email address, phone number, and your request. Additionally, the time of receipt of the request will be documented. We process this data to address your request (e.g., providing information about our products and services, providing customer and technical support, incorporating your feedback into the improvement of our products and services, etc.).
The legal basis for this data processing is our legitimate interest under Article 6(1)(f) of the GDPR in addressing your request or, if your request is aimed at the conclusion or performance of a contract, in the implementation of the necessary measures within the meaning of Article 6(1)(b) of the GDPR.
As described in the Terms, the Application consist of the web application "RariMe", available at the Website (the "Web Application"), MetaMask (as defined below) "snap" ("RariMe Snap") and corresponding mobile application (the "Mobile Application").
On our Website, you can access RariMe Snap. In general, RariMe Snap allows Users to store their Public Key (as defined in the Terms) through the Digital Asset Wallet, such as in the application "MetaMask" (https://metamask.io/) ("MetaMask").
RariMe Snap operates in combination with a browser extension, Web Application, mentioned below, and a software running on top of a blockchain network. The User may import the Public Key generated by the Mobile Application into RariMe Snap, which then store this Public Key in browser extension. Via RariMe Snap we do not have any access to the Identifying Document data.
The respective personal information is processed for the purpose of providing the identity storing and managing services. The legal basis for this data processing is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.
For providing RariMe Snap, we rely on the MetaMask browser extension provided by Consensys Software Inc., having its principal place of business at 49 Bogart Street NY 11206, the United States. Therefore, your data may be stored in a database of Consensys Software Inc., which may allow Consensys Software Inc. to access your data if this is necessary for providing the software and supporting its use. The legal basis for this processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in using the services of third-party providers. Information about data processing by Consensys Software Inc. can be found at https://consensys.io/privacy-policy.
We are not responsible for the data processing in connection with the base layer of the blockchain network. We are also not responsible for the verification activities initiated by the User.
The Web Application is the Interface (as defined in the Terms) which reflects the Public Keys, which are stored in RariMe Snap, and allows manage them and use to access and exchange identity-related information.
The Web Application operates in combination with a browser extension, RariMe Snap, and a software running on top of a blockchain network. Via Web Application we do not have any access to the Identifying Document data.
The legal basis for this data processing is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.
Downloading Mobile Application
When downloading the Mobile Application, the respective application store provider collects your personal information, in particular:
For the purposes and scope of such data processing, please refer to the privacy policy of the relevant application store providers:
By downloading our Mobile Application from the App Store or Google Play, you have legitimized yourself to the respective application store (e.g., via your Apple ID). A use by Apple Inc. or Google LLC of the data collected in connection with the download or use of the applications that is not in compliance with the GDPR can therefore not be ruled out on the part of Rarilabs. We have no influence on this. However, we do not pass on data to Apple Inc. or Google LLC.
The legal basis for the data processing is your consent by deciding to download the application within the meaning of Article 6(1)(a) of the GDPR and the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.
Use of Mobile Application
The Application allows you to create a profile for the Digital Identity creation purposes in a privacy enhancing manner. For this purpose, the Identifying Document should be scanned via the Mobile Application. You decide what Identifying Document is scanned for this purpose. The Identifying Document data is stored encrypted on the Device (as defined in the Terms) and can only be decrypted with a passcode determined by the User. After scanning the Identifying Document data, the Application creates the Digital Identity, which is unique data associated with the respective User.
In the context of the Mobile Application, we do not have access to the Digital Identity and Identifying Document data, such information is stored solely and exclusively on the Device.
The Application publishes the Digital Identity upon request by the User on the blockchain. For this purpose, the Application is connected via interface with a service provided by us and operated on cloud machines. We use for this purpose cloud services provided by a third-party service provider. The cloud server is operated in the United States and Singapore. It cannot entirely exclude that the third-party service provider has access to the Digital Identity in exceptional circumstances. However, from the perspective of the third-party service provider the Digital Identity are qualified as anonymized data.
The legal basis for the data processing for this purpose is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.
We are not anymore responsible for the processing of the Digital Identity on the blockchain. We are neither data controller nor joint controller for any processing activities on the blockchain.
Third-Party Verification Process
When the User wants to initiate a verification process, the Application retrieves Identifying Document data from the local storage of the device. The Application generates a new zero-knowledge proof (the "ZKP") proving inter alia that the respective User has the Digital Identity. The Application discloses the ZKP to the verifier and the verifier runs the ZKP verification.
The legal basis for the data processing for this purpose is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.
We are not responsible for the processing activities of the verifier.
Your Privacy Choices. The privacy choices you may have about your personal information are determined by applicable law and are described below.
Your Privacy Rights. In accordance with applicable law, you may have the following rights:
If you would like to exercise any of these rights, please contact us as set forth in "Contact Us" below. We will process such requests in accordance with applicable laws. Please note that many of the above rights are subject to exceptions and limitations. If we are not able to provide the requested information or make the change you requested, you will be provided with the reasons for such decisions.
Your rights and our responses will vary based on your country or state of residency. Please note that you may be located in a jurisdiction where we are not obligated, or are unable, to fulfill a request. In such a case, your request may not be fulfilled.
In the United States, state consumer privacy laws may provide their residents with additional rights regarding our use of such residents’ personal information. For example:
If you would like to exercise any of these rights, please contact us as set forth in "Contact Us" below.
We do not discriminate against individuals who exercise any of their rights described in this Privacy Notice. However, we may require use of your personal information to provide access to the Services. Therefore, when you exercise your deletion right, in particular, you may lose access to certain aspects of the Services that require your personal information.
If applicable laws grant you an appeal right and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.
Supervisory Authority. If your personal information is subject to the applicable data protection laws of the European Economic Area, Switzerland, or United Kingdom, you have the right to lodge a complaint with the competent supervisory authority if you believe our processing of your personal information violates applicable law.
We have the right to transfer your personal information to third parties located abroad if it is necessary to carry out the data processing described in this Privacy Notice. Specific data transfers have been mentioned above. When making such transfers, we will ensure compliance with the applicable legal requirements for disclosing personal information to third parties. The legal provisions governing the disclosure of personal information to third parties are duly observed. The countries to which data is transmitted include those that, according to the decision of the Federal Council and the European Commission, have an adequate level of data protection (such as the member states of the EEA or, from the European Union's (the "EU") perspective, Switzerland), as well as those countries (such as the United States) whose level of data protection is not considered adequate (see Annex 1 of the Data Protection Ordinance and the website of the EC). If the country in question does not provide an adequate level of data protection, we ensure that your data is adequately protected by these companies by means of appropriate safeguards, unless an exception is specified on a case-by-case basis for the individual data processing (see Article 49 of the GDPR). Unless otherwise specified, this refers to the choice of companies certified under the Privacy Framework agreement or standard contractual clauses as referred to in Article 46(2)(c) of the GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EC. If you have any questions regarding the implemented measures, please contact us as set forth in "Contact Us" below.
For the sake of completeness, we would like to inform Users residing or based in Switzerland or EU that certain third-party service providers mentioned in this Privacy Notice are located in the United States. It is important to note that there are surveillance measures by the United States authorities in place that generally allow for the storage of all personal information of individuals whose data has been transmitted from Switzerland or EU to the United States. This occurs without differentiation, limitation, or exception based on the purpose for which the data is being collected and without an objective criterion that would restrict the United States authorities' access to the data and its subsequent use to specific, strictly limited purposes that can justify the interference associated with accessing and using the data. Furthermore, we would like to point out that affected individuals from Switzerland or EU do not have legal remedies or effective judicial protection against general access rights of the United States authorities, which would allow them to access the data concerning them and to rectify or delete it. We explicitly highlight this legal and factual situation to enable you to make an informed decision regarding your consent or opposition to the use of your data.
For Users residing in Switzerland or a member state of the EU, we also want to inform you that, from the perspective of the EU and Switzerland, the United States does not provide an adequate level of data protection, among other reasons, as explained in this paragraph. In cases where we have mentioned in this Privacy Notice that data recipients are located in the United States, we will ensure through the choice of companies certified under the Privacy Framework agreement or through contractual arrangements with these companies and, if necessary, additional appropriate safeguards, that your data is adequately protected at our third-party service providers.
How long we retain your personal information depends on the context in which, and purposes for which, we collected it. We store the personal information we collect as described in this Privacy Notice for as long as you use our Services, or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve Disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
To determine the appropriate retention period for personal information, we may consider applicable legal requirements, the amount, nature, and sensitivity of the personal information, certain risk factors, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.
This Supplemental Notice for California Residents supplements our Privacy Notice and only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (as amended from time to time) (the "CCPA").
The CCPA provides California residents with the right to know what categories of personal information Rarilabs has collected about them, whether Rarilabs disclosed that personal information for a business purpose (e.g., to a service provider), whether Rarilabs "sold" that personal information, and whether Rarilabs "shared" that personal information for "cross-context behavioral advertising" in the preceding twelve months. California residents can find this information below:
Category of Personal Information Collected by Rarilabs |
Category of Third Parties To Whom Personal Information is Disclosed to for a Business Purpose |
Category of Third Parties To Whom Personal Information is Sold and/or Shared |
Identifiers |
|
N/A |
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) |
|
N/A |
Protected classification characteristics under California or federal law |
|
N/A |
Commercial information |
|
N/A |
Biometric information |
N/A |
N/A |
Internet or other electronic network activity |
|
N/A |
Geolocation data |
N/A |
N/A |
Sensory data |
N/A |
N/A |
Professional or employment-related information |
N/A |
N/A |
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g, 34 C.F.R. Part 99)) |
N/A |
N/A |
Inferences drawn from other personal information to create a profile about a consumer |
N/A |
N/A |
Personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number |
|
N/A |
Personal information that reveals a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account |
N/A |
N/A |
Personal information that reveals a consumer’s precise geolocation |
N/A |
N/A |
Personal information that reveals a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership |
N/A |
N/A |
Personal information that reveals the contents of a consumer’s mail, email, and text messages unless Rarilabs is the intended recipient of the communication |
N/A |
N/A |
Personal information that reveals consumer’s genetic data |
N/A |
N/A |
Biometric information that is processed for the purpose of uniquely identifying a consumer |
N/A |
N/A |
Personal information collected and analyzed concerning a consumer’s health |
N/A |
N/A |
Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation |
N/A |
N/A |
The categories of sources from which we collect personal information and our business and commercial purposes for using and disclosing personal information are set forth in "Personal Information We Collect", "How We Use Your Personal Information", and "How We Disclose Your Personal Information" above, respectively. We will retain personal information in accordance with the time periods set forth in "Retention of Personal Information."
We may "sell" and "share" your personal information to provide you with "cross-context behavioral advertising" about Rarilabs’s products and services.
Additional Privacy Rights for California Residents
Opting Out of "Sales" of Personal Information and/or "Sharing" for Cross-Context Behavioral Advertising under the CCPA. California residents have the right to opt out of the "sale" of personal information and "sharing" of personal information for "cross-context behavioral advertising." California residents may exercise these rights by using the information found in "Contact Us".
Disclosure Regarding Individuals Under the Age of 16. Rarilabs does not have actual knowledge of any "sale" of personal information of minors under 16 years of age. Rarilabs does not have actual knowledge of any "sharing" of personal information of minors under 16 years of age for "cross-context behavioral advertising."
Disclosure Regarding Opt Out Preference Signals. Applicable law may provide for an opt out by broadcasting an Opt Out Preference Signal, such as the Global Privacy Control (GPC) (on the browsers and/or browser extensions that support such a signal). To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/orgs. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use.
Disclosure Regarding Sensitive Personal Information. Rarilabs may only uses and discloses sensitive personal information for the following purposes:
Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
Verification. To protect your privacy, we will take steps to reasonably verify your identity before fulfilling requests submitted under the CCPA. These steps may involve asking you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Examples of our verification process may include Rarilabs’s request for the specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. To authorize an agent, provide written authorization signed by you and your designated agent using the information found in "Contact Us" below and ask us for additional instructions.
If you are a resident of Nevada, you have the right to opt out of the sale of
certain personal information to third parties who intend to license or sell that personal information. Please note
that we do not currently sell your personal information as sales are defined in Nevada Revised Statutes Chapter
603A. If you have any questions, please contact us as set forth in "Contact Us" below.
The Services are not directed to children under 18 (eighteen) (or other age as required by local
law), and we do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has uploaded personal information to our Services without your consent, you may contact us as described in "Contact Us" below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it, and terminate the child’s account, if applicable.
Third-Party Websites/Applications. The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our Users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.
Verification Process. Only you, or a person that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. If you designate an authorized agent to submit requests to exercise certain privacy rights on your behalf, we will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us.
The verifiable consumer request must:
Our verification process may also include a request for additional information to confirm your identity or your authorized agent’s identity (such as your name, email address and date of birth) or to obtain proof that you have given your authorized agent permission to act on your behalf. If our verification process is successful, we will respond to your request within the time and in the manner required by applicable law. If we cannot validate the identity of you and/or your authorized agent or obtain proof that you have given your authorized agent permission to act on your behalf, we will attempt to contact you to inform you.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
We will deliver our written response by mail or electronically, at your option. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the personal information from one entity to another entity without hindrance, specifically by electronic mail communication. Further, if you would like to appeal any decision we make about your request, you may contact us as stated in the "Contact Us" section below.
Rarilabs is the controller of the personal information we process under this Privacy Notice.
If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at: