Privacy Policy for Hopae Connect
Last updated
Oct 13, 2025
1. Introduction
At Hopae Inc. (hereinafter referred to as “we,” “us,” or “our”), we are committed to respecting and safeguarding your personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and any related data protection laws.
This Privacy Policy explains how we collect, use, disclose, and otherwise process personal data in connection with Hopae Connect (“our services”), and details your rights and our obligations.
Hopae Connect is a global identity verification platform that allows organizations to verify user credentials using trusted digital sources such as government eIDs or certified wallets.
2. Scope
This Privacy Policy applies to the processing of personal data by us in the context of Hopae Connect when:
2.1 Verification Requests are made by Service Providers that use Hopae Connect to authenticate user credentials.
2.2 We interact with external authorities (e.g., government eID, certificate authorities) to confirm the validity of credentials.
2.3 We communicate with end users in the course of delivering services (to support the verification flow). This may include sharing information, confirming identity, or supporting secure interactions as part of the verification process.
3. Definitions
“GDPR”: The General Data Protection Regulation, which governs the protection of personal data within the EU.
“Personal Data”: Any information related to an identified or identifiable natural person.
“Processing”: Any operation performed on personal data, such as collection, storage, use, disclosure, or destruction, whether automated or manual.
“Data Subject”: Any individual whose personal data is processed by Hopae Connect.
“Data Controller”: The entity that determines the purposes and means of processing personal data.
“Data Processor”: The entity that processes personal data on behalf of a controller.
“Service Provider”: The entity that uses our Hopae Connect service to verify or validate user identities and credentials. As the Data Controller, the Service Provider determines the purpose and means of processing Personal Data, while we act as a Data Processor. The Service Provider is responsible for obtaining user consent and ensuring compliance with data protection laws.
4. Roles and Responsibilities
We may act as:
A Data Processor when we process personal data strictly on behalf of Service Providers. In such cases, those platforms act as the primary data controller, and we process data under their instructions.
When acting as a Processor, we will enter into a Data Processing Agreement (DPA) with the controller to ensure GDPR compliance, including confidentiality obligations, sub-processor management, and appropriate data protection measures.
4.1 Data Processor
When acting as a Data Processor, we process personal data—such as user credentials or cryptographic proofs—solely on behalf of Service Providers, who act as the Data Controllers. This data is processed strictly for the duration of the verification session and is securely erased immediately thereafter. We do not retain this personal data beyond what is necessary to complete the verification.
We enter into Data Processing Agreements (DPAs) with each Service Provider to ensure GDPR compliance. These agreements cover confidentiality, sub-processor oversight, and robust safeguards to protect personal data throughout the Hopae Connect verification flow.
5. What Personal Data We Process
5.1 Identity Data
Personal Data submitted by users may include the following identity attributes, depending on the requirements of the service provider and the type of credential:
Full Name (e.g., given name and family name)
Date of Birth
Place of Birth
Gender (where provided)
Nationality or Citizenship
Government-issued Identifier (e.g., national ID number, passport number)
Issuing Authority (e.g., the government agency or issuer of the credential)
Credential Expiration Date (where applicable)
Document Type (e.g., eID card, passport, driving license)
Photograph or Digital Portrait (for visual identification, if required)
Cryptographic Proofs such as digital signatures or zero-knowledge proofs used to confirm authenticity and integrity.
5.2 Technical and Log Data
System & Application Logs: IP addresses, HTTP headers, timestamps, session identifiers, error logs.
Verification Audit Trails: Records linking specific verification events, including success/failure outcomes.
5.3 Operational Metadata
Transaction/Session Metadata: Data that captures when a credential check occurred, the credential type, QR code usage, and Hopae Connect’s internal validation status.
We strive to minimize personal data processing and limit the data we store only to that which is necessary to perform verification services.
6. Purposes and Legal Bases for Processing
We may process personal data for the following purposes:
Purpose of Processing | Purpose | Legal Basis for Processing |
---|---|---|
Identity Verification | Validate user credentials and confirm their authenticity to protect against misuse. | - GDPR Article 6(1)(b) (performance of a contract or pre-contractual measures) if the user is entering into a service that requires verification. |
Compliance with Legal Obligations | Comply with obligations under EU or Member State laws, regulatory requirements, and court orders. | - GDPR Article 6(1)(c) – where processing is necessary for compliance with a legal obligation. |
7. Retention Periods
We keep personal data only as long as necessary to fulfill the stated purposes or comply with legal obligations. Retention specifics:
Verification Data: Stored temporarily and deleted once the verification or audit period ends, unless further retention is mandated by law, contract, or security requirements.
Log Data: Maintained for a reasonable duration (90 days) for error diagnosis, security monitoring, and audit controls.
Once data is no longer required, we securely delete or anonymize it.
8. Sharing of Personal Data
We may share personal data with:
External Verification Entities: Government eID systems, certification authorities, or trusted third parties solely to confirm credential authenticity.
Sub-Processors: Cloud hosting, infrastructure, or specialized verification partners bound by strict data protection agreements ensuring GDPR compliance. We use Amazon Web Services (AWS) as our cloud infrastructure provider, which may act as a sub-processor. We ensure that AWS has robust data protection measures in place and that any sub-processing relationship complies with the GDPR.
Corporate Affiliates: Entities under Hopae, subject to internal data handling rules offering equivalent protection.
Regulatory or Law Enforcement: If required by law, legal processes, or to defend our legal rights.
Our Sub-Processors are subject to Data Processing Agreements.
We will never sell or rent personal data to third parties.
9. International Data Transfers
We have implemented measures to ensure that all personal data collected within the European Economic Area (EEA) is stored on servers located within the EEA. Transfers of personal data outside the EEA occur only where necessary—e.g. to fulfill contractual obligations or comply with legal requirements—and are governed by the following safeguards:
Standard Contractual Clauses: All transfers are subject to the European Commission’s Standard Contractual Clauses (SCCs), ensuring enforceable data-protection obligations on recipients.
Supplementary Technical and Organizational Measures: We apply additional protections such as end-to-end encryption, pseudonymization, and strict access controls to mitigate any residual risks.
Recipient Due Diligence: Prior to any transfer, we verify that the recipient maintains data-protection standards at least equivalent to those required under EU law.
10. Data Subject Rights
Under the GDPR, individuals have the following rights regarding their personal data:
Right to Access (Article 15) – Request information on whether and how we process your personal data, and obtain a copy if we do.
Right to Rectification (Article 16) – Correct inaccuracies in your data.
Right to Erasure (Article 17) – Request deletion of your data, subject to legal or contractual limitations.
Right to Restrict Processing (Article 18) – Ask us to limit certain processing under specific circumstances.
Right to Data Portability (Article 20) – Obtain your personal data in a structured, commonly used format and transfer it to a third party, if technically feasible.
Right to Object (Article 21) – Object to processing based on legitimate interests.
Right not to be Subject to Automated Decision-Making (Article 22) – Where applicable, request manual review of any automated decisions significantly affecting you.
How to Exercise Your Rights
Contact us using the details in Section 13. We aim to respond within one month, aligning with GDPR requirements.
11. Security Measures
We employ robust security controls to protect personal data:
Encryption of data in transit (TLS/SSL) and at rest (where applicable).
Access Controls to ensure only authorized personnel have access to personal data.
Network Security including firewalls and regular vulnerability assessments.
Security Policies and Training for staff to handle personal data responsibly.
Incident Response plan to identify and address data breaches promptly.
Despite our best efforts, no security measure is entirely infallible. However, we regularly review and update our protections to minimize risks.
12. Automated Decision-Making
Hopae Connect may rely on automated checks (e.g., cryptographic validation) to evaluate credential integrity. However, significant decisions that could materially impact individuals typically involve human oversight or validation by external platforms. If you believe you have been subject to an unfair automated decision, you may request human intervention under GDPR Article 22.
13. Contact Information
For inquiries, questions, or requests concerning this Privacy Policy or Hopae Connect, you may reach us at:
Hopae Inc.
Address: 166 Geary St. 15th Floor, San Francisco, CA 94108, United States
Email: dpo@hopae.com
Phone: +82-70-8098-4532
Data Protection Officer (DPO): Eric Kim
You also have the right to lodge a complaint with your local supervisory authority if you believe we have not addressed your data protection concerns appropriately.
14. Changes to This Privacy Policy
We may update this policy to reflect changes in our business, services, or legal obligations. Any significant modifications will be posted with a revised Last Updated date. We encourage you to review this policy periodically to remain informed about our data practices.
Conclusion
By using our services, you acknowledge that you have read and understood this Privacy Policy, including how we process and protect your personal data. We are committed to upholding the GDPR principles of transparency, fairness, and lawfulness and will continue to refine our data practices in line with evolving regulatory standards.