KYB Platform OÜ (hereinafter KYB Platform or we) is an Estonian company offering digital solutions for verifying and onboarding of legal entities with the aim to minimise risk of fraud and staying compliant with AML regulations (hereinafter service). 

KYB Platform is a B2B company, meaning that most of our clients are other companies. Therefore, in these privacy terms we explain how the personal data of contact persons and representatives of our clients and visitors of our website (hereinafter you or users) is processed when using our services or visiting our website. 

The terms and conditions on how KYB Platform process the data (including personal data) uploaded to or created when using our services by our clients is regulated in our Terms and Conditions (hereinafter  T&C) and in the data processing agreement (hereinafter DPA) between us and our client – in such case our client is in the position of data controller and KYB Platform acts as the data processor.


For a better understanding, we hereby explain some data protection terms used herein.

GDPR means the General Data Protection Regulation (EU) 2016/679), implementation of which started on 25 May 2018, and which is directly applicable in all European Union member states.

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller means the entity that decides why and how the personal data is processed. 

Processor means the entity which processes personal data on behalf of the controller.

1. Data Controller

KYB Platform OÜ

Registration code: 16017942

Seat: Maardu city, Harju County, Estonia


2. The type of personal data we collect and process

KYB Platform collects different type of information when you use our services. As we are a B2B business, we collect your data through the use of our services and process your personal data to communicate with the client (i.e. the company on whose behalf you act) for provision of services. This means that processing of your personal data is based on our legitimate interest – you are the representative via whom our client communicates with us and vice versa.

Information collected from the user. The users of KYB Platform service usually provide us with the following data: first and last name, e-mail address, geographic area, position in the company (i.e. our client), language preferences, preferred services, industry in which the company (i.e. our client) operates. This information is provided when signing-up as a user of our services, when using our services via web, when giving us a marketing permission to receive messages from us, when giving us feedback or leaving us a message to contact you or otherwise getting in touch with us.

When you are not a user of our services but visit our website and/or public areas of service you also may provide us with some limited personal information like your first and last name, e-mail address, company you are working for, etc.

Information collected automatically. If you use our services as a user or visit our website, we may automatically record certain information from your device by using different technologies such as cookies and web beacons. The data automatically collected may include: IP addresses (to determine a user’s location, and perform statistical/demographic/usage analysis), information about browsers and user´s device, browsing activity across different sites, pages or other content you view or interact with on the service, dates and times of the visit, access, or use of the service.

Information obtained from other sources. We may also obtain information (incl personal data) from public sources, such as commercial/trade registers, the internet and from third parties, such as credit registers, for background and credit information analysis. 

Information processed through the use of our service by the client. When using the services, our clients (the companies you represent/work for) upload and process various data (e.g. data of their customers, partners, suppliers, merchants, investors or other legal or natural person whom the client wishes to verify via using of the service) through our services. In such a case, the personal data is under control of our client and KYB Platform may process such personal data for the purposes and to the extent necessary to provide the services ordered by the client. in accordance with T&C and DPA. Hence, in such situation KYB Platform acts as a data processor and processes the personal in accordance with the data processing agreement concluded with the client.

3. Purposes and legal basis for the use of personal data

As explained above, we mainly use your data for rendering of the services which the client has ordered from us and for communicating with the client you represent. Doing that we use the data obtained for (i) our business operations (operating, maintaining, improving the features of our services, communicating with clients), (ii) business development (analyzing usage statistics, preferences, trends for development of new services and products), (iii) marketing (news and offers relating to our services and products). You may always opt-out of receiving any marketing communications as described below under Your rights section.

The legal basis for doing this is our legitimate interest – we need to communicate with a legal person and if you act as representative of one, we assume that there is a balance of interest and we do not conflict with your interests, rights and freedoms. In case processing of the personal data is based on the legitimate interest, the data subject always has the right to object to such processing. If you do object, we will inform our client asking to provide us with a new contact person or otherwise comment on your objection.

In connection with your work or area of ​​responsibility, we may from time to time send you direct marketing offers and notices, for example, if your employing company is our customer or if you have previously subscribed to our services as a representative of your company. Such direct marketing activities are also carried out on the basis of our legitimate interest. If you receive such direct marketing messages from us, you always have the right to opt out by clicking the opt-out link at the end of the message.

4. Sharing of your data

With KYB Platform your personal data is accessible only to those employees who need the data to perform their work duties (on a so-called need-to-know basis). Outside KYB Platform, we may share your data with the following persons under the following circumstances and only to the extent required:

  • Persons providing services to us: Your data may be accessible by the persons providing services to us and processing your data on our behalf (data processors) and to the extent needed to perform such services. These include providers of hosting, maintenance, invoicing, marketing, data analytics, and development services .
  • Public authorities and state institutions (e.g. police, courts, data protection authorities): we will only disclose your data when and to the extent we are legally obliged to do it. 
  • Third parties in connection with legal processes (e.g. legal, financial advisers): we may share or disclose your data, if it is necessary to protect our property and rights (incl present legal claims for that purpose), enforce our contracts, defend ourselves against any third-party claims.
  • Third parties in connection with corporate transactions: We may share your information with third parties in the context of a corporate transaction, such as the sale of our company or issuing new shares to investors or sale of company´s business/assets to another company. Also, in the context of the creation of a joint venture, merger or other reorganization.

As a rule, your personal data is processed in the European Economic Area (EEA). However, if there is a need to transfer the data out of EEA, we follow GDPR requirements regulating such transfers.

5. Retaining of personal data

We retain your data for as long as necessary for the purposes of processing described in these privacy terms and to comply with any mandatory legislation: 

  • we will retain the user account data as long you are an active user and for up to 1 year of inactivity;
  • we are legally obliged to keep invoicing data and the documentation which it is based on for 7 years;
  • we keep information on legal transactions between us and our client for the statutory limitation period set for civil claims (3 years, 10 years in case of intentional breach) to be able to protect ourselves against any legal claims and to file legal claims for our protection.

In addition, we may process the data in an aggregated or anonymized format, for example for analysis and statistical purposes and to improve and develop our services.

6. Your rights

Right to access – you have the right to know which data we hold about you (if any). 

Right to data rectification – you have the right to require corrections to your personal data in case they are inaccurate or incomplete. 

Right to data deletion – you have the right under certain conditions to request the deletion of your personal data including in situations where the processing of your personal data is no longer necessary for the purposes for which it was collected, or if the processing of your personal data was based on your consent and you wish to withdraw your consent, and there are no other grounds for processing your personal data. 

Right to restrict processing – you have the right under certain circumstances to forbid or restrict the processing of your personal data for a certain period (e.g. you have submitted an objection concerning data processing). 

Right to object – You have the right to object to data processing which is based on our legitimate interest. KYB Platform will stop processing your personal data upon such objection, unless we can demonstrate compelling legitimate grounds for the processing or processing is needed for the establishment, exercise, or defense of legal claims. You also have the right to object at any time to processing of your personal data for direct marketing. Upon receiving such objection, we shall stop processing your personal data for direct marketing.

In order to exercise your rights, please send your respective inquiry to We have the right to respond to your query within 30 days. 

For the sake of clarity, the provisions of this Section 6 do not apply to personal data that KYB Platform processes on behalf of its clients. In this case, the personal data is controlled by the client and managed according to client´s privacy terms. Hence, all data subject´s request should be made to the client liable for uploading and storage of such data into the service.

7. The right to submit a complaint to a supervisory authority 

Should you need further information concerning your personal data or exercising your rights, you have the possibility to contact us at

If you believe that processing of your personal data breaches the requirements of the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Estonia, the relevant supervisory authority is Data Protection Inspectorate (Andmekaitse Inspektsioon).

8. Amendments to these Privacy Terms

KYB Platform has the right to unilaterally change these privacy terms in the event of changes in personal data protection legislation or our own data processing practices. We will notify you of changes on our website. The latest version of the privacy terms is always available on our website