Privacy Policy

Effective Date: 2026-05-30
Last Updated: 2026-05-30

1. Introduction

This Privacy Policy explains how EBIS Next Generation ID Limited ("EBIS", "Company", "we", "us", "our") collects, uses, stores, and protects personal data when you visit our websites, register on our platform, or use any of our services. This Policy applies to:

• ebisbank.com — corporate and informational website
• portal.ebisbank.com — the Octaverse Hub portal (IDSign, eVIDence, VIC AI, The Commeety)
• ebisbaid.ebisbank.com — the EBIS AID (Autonomous Identity) portal

2. Who We Are

EBIS Next Generation ID Limited is a verified digital identity company registered in England and Wales. Registered address: 1, Parkshot, Richmond TW9 2RD United Kingdom. We are the data controller for personal data processed through our websites and platform. For data protection enquiries, contact us at support@ebisbank.com.

We are registered with the Information Commissioner's Office (ICO) as a data controller in the United Kingdom.

3. What Data We Collect

3.1 Visitors to Our Websites (ebisbank.com, ebisbaid.ebisbank.com)

When you browse our public websites, we may collect:

• Anonymised or truncated IP address
• Browser type, version, and operating system
• Pages visited, time on site, and referring URL
• Cookie identifiers and basic analytics data
• UTM campaign parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) where present in links you follow

3.2 Registered Users (portal.ebisbank.com)

When you register and use the Octaverse Hub portal, we collect and process:

• Identity data: full name, first name, last name, date of birth, nationality, and identity/passport number (for EBIS AID verification)
• Contact data: email address, phone number, postal address
• Account data: EBIS ID, identity level (Level 0–5), verification status, account creation date
• Business data: company name, job title, industry, business registration details (for business profile verification)
• Payment data: subscription plan, billing history, Stripe customer ID. We do not store full card numbers — all payment card data is handled by Stripe
• Identity verification data: government-issued identity documents submitted for KYC/KYB verification, Stripe Identity session data
• Digital identity data: EBIS wallet address, EBU token balance and transaction history, Web3 identity session tokens (for Level 3+ users)
• Platform activity: login history, session tokens, feature usage, agent source and UTM attribution data
• Referral data: referral code used at registration and referrals made

3.3 IDSign Users

When you use IDSign, we additionally process:

• Documents you upload for signing (PDFs and other supported formats)
• Signatures you create (drawn, typed, or adopted names)
• Signer identity data for recipients of envelopes you send
• OTP delivery addresses (email) used for signature verification
• Audit trail data: timestamps, IP hashes, user agent hashes for each signing event
• Signed document PDFs and their SHA-256 hashes stored as legal evidence
• Consent records (truthfulness, voluntary consent, legal acknowledgement)

3.4 eVIDence Users

When you use eVIDence video calls, we process:

• Identity data of call participants (linked to EBIS ID)
• Room metadata: room name, creation time, participants, call duration
• In-call messages and file transfers where evidence mode is enabled
• Booking page data and scheduled meeting details
• Join request records and participant approval logs

Video and audio streams are transmitted via LiveKit infrastructure. We do not retain raw audio/video recordings unless evidence mode is explicitly activated for a session.

3.5 The Commeety Users

When you use The Commeety, we process:

• Posts, comments, reactions, and votes you create
• Deal Room messages, files, and documents shared between participants
• EBU bond pledges, deal milestones, and bond burn/return records
• Connection requests and accepted connections
• Breach reports filed by or against you, and VIC verdict records
• Community warnings and suspension records
• VIC content moderation logs (blocked messages are logged with category and severity)
• Commeety profile settings and persona data you choose to share
• Declaration signatures for Commeety access
• Invitation and booking records

3.6 VIC AI Users

When you use VIC AI, we process:

• Your conversation messages and VIC responses
• Token usage counts per session
• Subscription tier and quota window data

VIC AI is powered by Anthropic's Claude technology. Messages you send to VIC are transmitted to Anthropic's API for processing. Please refer to Anthropic's Privacy Policy for information on how they handle data. We do not share your identity data with Anthropic — messages are sent as anonymous API requests.

4. How We Use Your Data

We use the data we collect to:

• Create and manage your account and identity level
• Provide and operate IDSign, eVIDence, VIC AI, The Commeety, and EBIS AID services
• Process subscription payments via Stripe
• Verify identity documents for KYC/KYB compliance
• Generate and maintain legally binding signature audit trails in IDSign
• Monitor The Commeety for community standards compliance via VIC AI
• Enforce Deal Room breach rules and manage EBU bond transactions
• Send transactional emails (account notifications, OTPs, subscription confirmations) via our cPanel SMTP service
• Send marketing and outreach communications to leads who have consented or where legitimate interest applies
• Attribute user registrations to marketing campaigns via UTM parameters
• Analyse platform usage and improve our services
• Comply with legal, regulatory, and contractual obligations
• Detect and prevent fraud, abuse, and security incidents

We do not sell or rent personal data to third parties.

5. Legal Bases for Processing

Where GDPR or UK GDPR applies, we process personal data under the following legal bases:

• Contract performance — processing necessary to provide the services you have subscribed to
• Legal obligation — KYC/KYB identity verification, tax and financial records, compliance with UK law
• Consent — marketing communications, optional analytics cookies, and processing of special category data where required
• Legitimate interests — platform security, fraud prevention, abuse detection, VIC content moderation, product analytics, and outreach to business leads

6. Third-Party Data Processors

We share data with the following categories of trusted third-party processors who act on our behalf under contractual data protection obligations:

• Stripe (payment processing, KYC identity verification) — United States, with Standard Contractual Clauses. Data Processing Agreement in place.
• Supabase (database and authentication infrastructure) — AWS London (eu-west-2), United Kingdom. Data Processing Agreement in place.
• WHUK / Webhosting UK (cPanel shared and dedicated hosting) — United Kingdom. Data Processing Agreement in place.
• Anthropic (Claude AI, powering VIC AI) — United States, with Standard Contractual Clauses. Messages sent to VIC are processed via Anthropic's API.
• LiveKit (WebRTC video infrastructure for eVIDence) — for call session routing and media relay.
• VM6 Networks (VPS hosting for platform daemons and proxy services) — United Kingdom.

We do not share personal data with advertising networks, data brokers, or social media platforms without your explicit consent.

7. Cookies and Tracking

We use cookies and similar technologies for:

• Session management and authentication (strictly necessary)
• Security tokens and CSRF protection (strictly necessary)
• Anonymous analytics and traffic measurement (functional/analytics)
• UTM campaign attribution for registered users (functional)

We do not use third-party advertising or tracking cookies. For full details, see our Cookie Policy.

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, or as required by law:

• Active account data: retained for the duration of your account plus 2 years after closure
• IDSign audit trails and signed documents: retained for 7 years to meet legal evidence requirements
• Payment and billing records: retained for 7 years for tax and accounting purposes
• Identity verification documents: retained for the period required by applicable KYC/AML regulations
• VIC content moderation logs: retained for 12 months
• The Commeety breach and warning records: retained for the duration of your account
• eVIDence session metadata: retained for 24 months
• Marketing lead data: retained until you unsubscribe or request deletion
• Anonymous analytics: may be retained indefinitely in aggregated, non-identifiable form

9. International Data Transfers

Our primary data infrastructure is hosted in the United Kingdom (Supabase on AWS London, WHUK, VM6 Networks). Some data is transferred internationally to:

• Stripe (United States) — protected by Standard Contractual Clauses and Stripe's Data Processing Agreement
• Anthropic (United States) — protected by Standard Contractual Clauses for API-level processing

All international transfers outside the UK/EEA are subject to appropriate safeguards as required by UK GDPR.

10. Your Rights

If you are in the UK or EEA, you have the following rights under UK GDPR / GDPR:

• Right of access — request a copy of your personal data
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your data where no overriding legal basis exists
• Right to restriction — request that we limit how we process your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at support@ebisbank.com. We will respond within 30 days. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Children's Privacy

Our services are not directed to persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at support@ebisbank.com and we will delete it promptly.

12. Security

We implement technical and organisational security measures including:

• HTTPS encryption in transit across all domains
• Row-level security (RLS) policies on our Supabase database
• Column-level access restrictions — sensitive fields (recovery phrases, Stripe keys, wallet data) are excluded from public-facing queries via a restricted view layer
• Hashed storage of passwords, OTP codes, and sensitive identifiers
• Access controls and service role key separation
• Automated agent monitoring and anomaly detection via Telegram alerts
• Regular security reviews and Data Processing Agreements with all sub-processors

No system is entirely secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority as required by law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date will be revised accordingly. Significant changes will be communicated to registered users by email or in-portal notification. Continued use of our services after an update constitutes acceptance of the revised Policy.

14. Contact

For any questions about this Privacy Policy or our data practices:
support@ebisbank.com
EBIS Next Generation ID Limited
1, Parkshot, Richmond, TW 9 2RD United Kingdom