GDPR-Expanded Privacy Policy
Effective Date: 2026-05-30
Last Updated: 2026-05-30
1. Data Controller
EBIS Next Generation ID Limited acts as the data controller for all personal data processed via its websites and platform services, including:
- ebisbank.com — corporate and informational website
- portal.ebisbank.com — the Octaverse Hub portal (IDSign, eVIDence, VIC AI, The Commeety)
- ebisbaid.ebisbank.com — the EBIS AID (Autonomous Identity) portal
Registered address: 1 Parkshot, Richmond, TW9 2RD, United Kingdom.
Data protection contact: support@ebisbank.com
EBIS Next Generation ID Limited is registered with the Information Commissioner's Office (ICO) as a data controller in the United Kingdom in accordance with the UK GDPR and the Data Protection Act 2018.
2. Legal Bases for Processing (Article 6 UK GDPR / GDPR)
We process personal data under one or more of the following legal bases:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the services you have subscribed to, including account management, IDSign signing workflows, eVIDence call sessions, The Commeety deal rooms, and VIC AI interactions.
- Legal obligation (Art. 6(1)(c)) — identity verification for KYC/AML compliance, tax and financial record-keeping, and compliance with UK law and applicable regulations.
- Consent (Art. 6(1)(a)) — marketing communications, optional analytics cookies, and processing of any special category data where required. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
- Legitimate interests (Art. 6(1)(f)) — platform security, fraud prevention, abuse detection, VIC AI content moderation, product analytics, business lead outreach, and UTM campaign attribution. We have conducted legitimate interest assessments for these activities and concluded that our interests do not override data subjects' rights.
3. Categories of Data and Sources
We process the following categories of personal data:
- Identity data: name, date of birth, nationality, identity/passport number — collected directly from users during EBIS AID registration and KYC/KYB verification.
- Contact data: email address, phone number, postal address — collected directly from users at registration.
- Technical data: IP address (anonymised or hashed), browser/device information, session tokens, login timestamps — collected automatically.
- Financial data: subscription plan, Stripe customer ID, billing history — collected via Stripe during payment. Full card numbers are never stored by EBIS.
- Digital identity data: EBIS ID, identity level, wallet address (Level 3+ users), EBU token balance and transaction history — generated and maintained by the platform.
- Document data (IDSign): documents uploaded for signing, signature artifacts, audit trail hashes, signed PDF outputs — collected directly from IDSign users.
- Communication data (The Commeety): posts, comments, deal room messages, breach reports, and VIC content moderation logs — generated through platform use.
- Behavioural data: UTM campaign attribution, source agent, feature usage patterns — collected automatically from platform interactions.
We do not collect or process genomic or biometric raw data via these websites. No special category data (Art. 9 GDPR) is processed except where you have provided explicit consent for identity document verification purposes.
4. Data Subject Rights (Articles 15–22 UK GDPR / GDPR)
If you are located in the UK, EEA, or another jurisdiction with equivalent data protection rights, you have the following rights:
- Right of access (Art. 15) — request a copy of your personal data and information about how it is processed.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data where no overriding legal basis for retention exists. Note: IDSign audit trails and signed documents are subject to a 7-year legal retention period and cannot be deleted on request during that period.
- Right to restriction of processing (Art. 18) — request that we limit how we process your data while a dispute or request is being resolved.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (applies where processing is based on consent or contract).
- Right to object (Art. 21) — object to processing based on legitimate interests. You may always opt out of marketing communications.
- Right to withdraw consent (Art. 7(3)) — where processing is consent-based, you may withdraw at any time.
- Rights related to automated decision-making (Art. 22) — see Section 7 below.
To exercise these rights, submit a request to support@ebisbank.com. We will respond within 30 calendar days. We may need to verify your identity before processing the request. If you are unsatisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk (UK) or your local supervisory authority (EEA).
5. Data Processors and Sub-Processors
EBIS acts as data controller and has appointed the following data processors under Article 28 GDPR. All processors are bound by Data Processing Agreements (DPAs) that comply with UK GDPR / GDPR requirements:
- Stripe, Inc. — Payment processing, subscription management, and KYC identity verification (Stripe Identity).
  Location: United States. Transfer mechanism: Standard Contractual Clauses (SCCs) under UK IDTA / EU SCCs.
  DPA status: ✅ In force via Stripe's standard Data Processing Agreement incorporated into the Stripe Services Agreement.
- Supabase, Inc. — Database hosting, user authentication, and real-time platform infrastructure.
  Location: AWS London (eu-west-2), United Kingdom — data does not leave the UK for primary storage.
  DPA status: ✅ Signed by EBIS (30 May 2026) — countersignature by Supabase pending.
- WHUK (Webhosting UK Co. Ltd) — Shared and dedicated cPanel web hosting for portal.ebisbank.com and related PHP application files.
  Location: United Kingdom.
  DPA status: ✅ Sent to WHUK (Harry Smith) — countersignature pending.
- Anthropic, PBC — Large language model API (Claude) powering the VIC AI service. Messages are transmitted as anonymous API requests; no user identity data is included in API payloads.
  Location: United States. Transfer mechanism: Standard Contractual Clauses.
  DPA status: Anthropic's standard API Terms and Privacy Policy apply.
- LiveKit, Inc. — WebRTC infrastructure for eVIDence video call routing and media relay.
  Location: United States / distributed infrastructure. Transfer mechanism: Standard Contractual Clauses.
- VM6 Networks Ltd — VPS hosting for platform daemons, the Claude API proxy, Postiz social scheduler, and LiveKit server components.
  Location: United Kingdom.
We do not engage advertising networks, data brokers, or social media platforms as processors of personal data without your explicit consent.
6. International Transfers
Our primary data infrastructure is located in the United Kingdom:
- Supabase database — AWS London (eu-west-2) ✅ UK-based, no international transfer
- WHUK hosting — United Kingdom ✅ UK-based
- VM6 Networks VPS — United Kingdom ✅ UK-based
The following transfers outside the UK require safeguards under UK GDPR Article 46:
- Stripe (USA) — Protected by UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses incorporated into Stripe's DPA.
- Anthropic (USA) — Protected by Standard Contractual Clauses. Only anonymous message content is transferred; no personal identity data.
- LiveKit (USA/global) — Protected by Standard Contractual Clauses for real-time session routing only; no persistent personal data storage.
We do not transfer personal data to countries without an adequacy decision or appropriate safeguards in place.
7. Automated Decision-Making and Profiling
EBIS does not use solely automated decision-making that produces legal or similarly significant effects on individuals under Article 22 GDPR.
The following automated processes are in use but do not produce legal effects without human oversight:
- VIC AI content moderation — automated regex and AI analysis of messages on The Commeety flags potential policy violations. Flagged content may be blocked automatically. Serious violations are escalated to the Commeety Council (human review). Users may appeal any automated decision.
- Lead scoring — registered lead data is automatically scored for outreach prioritisation. This does not affect your rights as a registered user.
- Identity level gating — access to certain platform features is automatically determined by your EBIS AID identity level. Level advancement requires human-reviewed document verification.
8. Security Measures (Art. 32 GDPR)
We implement the following technical and organisational security measures:
- HTTPS/TLS encryption in transit across all domains (ebisbank.com, portal.ebisbank.com, ebisbaid.ebisbank.com)
- Row-Level Security (RLS) policies on the Supabase database — users can only access their own data by default
- Column-level access restrictions — sensitive fields (recovery_phrase_hash, stripe_customer_id, wallet_address, sovereign_login_email, web2id_email, phone, address) are excluded from platform-wide queries via a dedicated profiles_public view
- Hashed storage for passwords, OTP codes, IP addresses, and session tokens
- Separation of service role keys — agent infrastructure uses separate API keys from user-facing services
- Data Processing Agreements with all sub-processors
- Automated monitoring of platform daemons and infrastructure with anomaly alerts
- Regular internal security audits of database RLS policies
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and affected data subjects without undue delay, as required by UK GDPR Articles 33 and 34.
9. Retention Periods
Personal data is retained only for as long as necessary for the stated purposes or as required by law:
- Active account data: duration of account + 2 years after closure
- IDSign audit trails and signed document PDFs: 7 years (legal evidence retention)
- Payment and billing records: 7 years (HMRC / tax requirements)
- Identity verification documents (KYC/KYB): as required by applicable AML regulations (typically 5 years post-relationship)
- VIC AI content moderation logs: 12 months
- The Commeety breach and warning records: duration of account
- eVIDence session metadata: 24 months
- Marketing lead data: until unsubscribe or deletion request
- Anonymous analytics: indefinitely in aggregated form
10. Contact and Supervisory Authority
For any GDPR-related enquiries or to exercise your data subject rights:
support@ebisbank.com
EBIS Next Generation ID Limited
1 Parkshot, Richmond, TW9 2RD, United Kingdom
You have the right to lodge a complaint with a competent supervisory authority. For UK residents: Information Commissioner's Office (ICO) — ico.org.uk. For EEA residents: your national data protection authority.