Privacy
Information for App Users
General
With these privacy notices, we inform you about how your personal data is processed by us and what rights data protection law grants you in this context. Our app Nect Wallet includes the procedures Nect Ident, Nect Sign, Nect Sign for Businesses, and Nect Box.
§ 1 Controller for Data Processing
§ 2 Data Protection Officer
You can reach our Data Protection Officer at:
Dr. Volkan Güngör
Nect GmbH
Großer Burstah 21
20457 Hamburg
For all questions and concerns regarding your data, please contact privacy@nect.com.
Should you wish to communicate directly with our Data Protection Officer (for example, if you have a particularly sensitive concern), please contact them by postal mail, as email communication can always have security vulnerabilities.
§ 3 Data Processing and Origin
For the initial and secure identity verification, your personal data must first be collected. However, not all previously collected data will be transferred to our partner companies. For information regarding the individual data types, please refer to section III. 1., and for information regarding the recipients of your personal data, please refer to section V.
Some users are redirected to our landing page (under the URL jump.nect.com or jump.nect.app) before starting the identity verification. This landing page serves to transition the user from a website to our app (“Nect Wallet”). There, the user can enter their mobile number to then receive an SMS from us with the link to the respective app store (where the “Nect Wallet” app is available for download) and/or to launch the app (“Universal Link”). The link can also be obtained directly by scanning the QR code on the landing page. Certain procedures (e.g., qualified electronic signature) also provide for the processing of the user’s email address. If a user agreement is concluded between the user and us during the identification process, the stored mobile number and/or email address will be used as a means of communication for the duration of the contract (especially in the case of detected fraud attempts using the user’s identity). The processing of these means of communication is based on the consent granted in accordance with Art. 6 para. 1 lit. a) GDPR.
1. Use of Digital Optical Control of the Identification Document
We process the personal data that we receive from our users in connection with the operation of the “Nect Wallet” app or the performance of the optical control of identification documents. For this purpose, the user records, among other things, a video of their identification document and their face. The personal data processed by us in this context consists of
- First name(s) and last name,
- Date of birth,
- Place of birth,
- Residential address,
- an image/video copy of the German national ID card or passport (front and back) with the information contained on the identification document,
- an image/video sequence of the user along with a measurement file (biometric data)
- an audio sequence of the user along with a measurement file (biometric data)
- Result of the evaluation of the information
- an individual identification number assigned to the participant
- an individual reference number assigned to the process – transaction number (UUID)
- Masked IP address
- Device identifier and other device data of the mobile device
- in case of redirection by partners: source of the redirection (e.g., URL of the web portal) and, if applicable, a return destination (e.g., URL of the web portal)
- for verification of the health insurance card (e.g., electronic health card / eGK): an image/video copy of the card (front and back) with the data contained on the card, as well as regularly the card’s identification number (ICCSN) before the start of verification,
- for verification of the driver’s license: an image/video copy of the driver’s license (front and back) with the data contained on the driver’s license
- for electronic signature: the document to be signed
as well as other data comparable to the categories mentioned and serving the secure verification of identity.
To fulfill the Know Your Customer (KYC) principle, we collect KYC-relevant data (e.g., residential address and place of residence) through manual input by the user during the further course of personal identification. The processing of KYC-relevant data is based on the consent granted in accordance with Art. 6 para. 1 lit. a) GDPR. Beyond the granted consent, we process KYC-relevant data if it is necessary according to Art. 6 para. 1 lit. f) GDPR to protect our legitimate interests or the legitimate interests of third parties (e.g., insurance companies) and if your interests do not outweigh them. Our legitimate interest in using KYC-relevant data consists, for example, in being able to detect criminal or fraudulent activities against you or third parties, e.g., in the area of money laundering. The data query is limited to restricted and necessary information. Adequate protective measures are in place to limit any disproportionate and inappropriate consequences for the data subjects.
2. Use of the Online ID Function of the German National ID Card
In the case of identity verification via the online ID function of the German national ID card (eID), the same personal data listed under section III. 1. of our privacy notices will be processed – with the exception of the user’s audio/video sequence (“selfie”) but including your biometric image and video data of the identification document.
§ 4 Purposes of Processing and Legal Bases
Personal data is processed by us in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) based on the following legal bases:
1. Based on Your Consent (Article 6 para. 1 lit. a), 9 para. 2 lit. a) GDPR)
Insofar as you are over 16 years old and have consented to certain processing of your personal data (e.g., the collection and processing of biometric data), the lawful processing of your personal data takes place on the basis of this consent.
Without your biometric data, the Nect Ident procedure cannot be carried out. You can revoke a granted consent at any time without stating a reason, with effect for the future. This also applies to declarations of consent that you provided to us before the GDPR came into force, i.e., before May 25, 2018. Since the revocation of consent applies to the future, it does not affect the lawfulness of processing up to the time of revocation. Please note that according to section 13 of our General Terms and Conditions, any revocation leads to the termination of the user agreement.
Your consent for data processing by partner service providers employed by us is required if they are not acting as processors within the meaning of Art. 28 GDPR.
2. For the Fulfillment of a Contract (Article 6 para. 1 lit. b) GDPR)
The processing of personal data takes place for the provision of the app’s functions. The above data categories are therefore collected and processed within the scope of contract fulfillment.
Exception: The processing of the user’s biometric data (e.g., photograph), however, is governed by section 1 (Consent).
Insofar as we carry out verifications of health insurance cards for health insurance companies, the entry of the card identification number (ICCSN) is necessary before registration. We collect this as part of pre-contractual measures at the user’s request.
3. Legal or Regulatory Requirements (Article 6 para. 1 lit. c) GDPR) or in the Public Interest (Article 6 para. 1 lit. e) GDPR)
Furthermore, as a company, we are subject to legal obligations in individual cases (e.g., Money Laundering Act, Telecommunications Act, or tax laws). These include, among others, identity and age verification, fraud and money laundering prevention, the fulfillment of tax law control and reporting obligations, as well as the assessment and management of risks within the company.
As an identification service provider, we are also legally obliged to ask certain security questions for our partner companies (trust service providers), such as age, ID number, or contract ID number, in order to ensure the identity of the person to be identified. The legal basis arises from Article 24 paragraph 1 subparagraph 2 letter d sentence 1 of Regulation (EU) No. 910/2014 (eIDAS Regulation) in conjunction with §§ 11, 8 Trust Services Act (VDG).
4. Within the Scope of Legitimate Interests (Article 6 para. 1 lit. f) GDPR)
Beyond the actual fulfillment of the contract with you, we process your data if it is necessary to protect our legitimate interests or the legitimate interests of third parties and if your interests do not outweigh them.
Our legitimate interest in using your personal data consists, for example, in combating corruption or economic crime, and especially in being able to detect criminal or fraudulent activities against you or third parties, e.g., in the area of money laundering. This follows not least from the fact that fraud prevention has been explicitly recognized as a particularly worthy legitimate interest in Recital 47 of the GDPR, where it states that the processing of personal data to the extent strictly necessary for the prevention of fraud also constitutes a legitimate interest of the respective controller. Since our partners (e.g., credit institutions) are legally obliged to establish appropriate security systems and we act on their behalf, these preventive measures apply to us accordingly.
Our interest in processing is legitimate, as the processing of data is limited to restricted and necessary information. Adequate protective measures are in place to limit any disproportionate and inappropriate consequences for the data subjects.
The personal data collected to protect legitimate interests will be retained for as long as necessary to fulfill these purposes. Further information about our legitimate interests can be found below under section VI. or by contacting us.
§ 5 Recipients of the Data
1. Partner Companies
The data collected in the app will not be passed on to third parties. An exception applies if you have accessed our app via a partner, e.g., via insurance, telecommunications companies, banks, or statutory health insurance funds. In this case, we will obtain your explicit consent in the app to electronically transmit your data to the partner. The partner will only receive personal data to the minimal extent legally or functionally required.
For age verification, we regularly only transmit the information on whether you have reached a certain age limit, for example:
- Person is over 18 years old.
However, it is regularly necessary to transmit the following data, for example, if the identity verification is used to prevent a breach of secrecy within the meaning of § 203 of the German Criminal Code:
- Last name,
- First name,
- Address,
- Information on whether an address sticker is present,
- Date and place of birth
- Verification (partial) result
This ensures that, for example, your biometric video data or copies of the identification document are not transmitted to statutory health insurance funds.
Legislative requirements may necessitate that we transmit further data to the partner. If the result of our identity verification service is needed, for example, to comply with the requirements of the Money Laundering Act or the Telecommunications Act, the following additional data will be transmitted:
- Copy of the identification document in compliance with data protection and national ID card law requirements
- Copy of the selfie recording
The purpose of processing your personal data is to confirm your identity to our partner company, such as a health insurance fund. The legal basis is your declaration of consent (Art. 9 para. 2 lit. a) GDPR, Art. 6 para. 1 lit. a) GDPR) and the user agreement (Art. 6 para. 1 lit. b) GDPR).
For the fulfillment of purposes, especially the operation of our IT infrastructure, we also engage service providers who ensure smooth operation (e.g., hosting, managed services). However, these are exclusively used as processors according to Art. 28 GDPR and are contractually obliged accordingly. No processing of personal data in third countries takes place.
If we receive your data from your contractual partner for the purpose of fulfilling the order within the scope of a digital signature (e.g., electronic signing of a contract document according to the eIDAS Regulation), we are exceptionally acting as a processor within the meaning of Art. 28 GDPR in this regard. This means that we carry out all data processing exclusively on behalf of and according to the strict instructions of your responsible contractual partner. In this regard, we would also like to refer to sections 5 and 6 of our General Terms and Conditions (Nect Sign procedure).
In the event of a successful signature process, the document will be stored in your Nect Wallet, with the consequence that your contractual partner (e.g., an insurance company) is no longer responsible for this data processing. Rather, in the course of data storage in your Nect Wallet, we become the controller (again) according to Art. 4 No. 7 GDPR, as you had confirmed your previous personal identification (Nect Ident) with your previously granted declaration of consent (see IV. 1 of these privacy notices) and agreement to our General Terms and Conditions (see section 3 of our General Terms and Conditions). Nevertheless, the signed document will be transmitted to all parties involved and remains there under the responsibility of the respective recipient.
Nect is also obliged, due to or for the fulfillment of the Trust Services Act (VDG), to transmit the data mentioned under section V. to the cooperating companies (trust service providers) known to the customer if the identification purpose is a qualified electronic signature.
2. Integration Partners
Another possibility for the third-party transmission of your personal data mentioned above under section V. 1. is, exceptionally, that the verification of your identity is forwarded via an integration partner (e.g., distributor) by us or the partner (e.g., insurer) or the partner’s customer (e.g., IT service provider). In this process, only a success message regarding the verification status is transmitted to the integration partner. The partner will process the transmitted data to fulfill its legal and/or regulatory requirements (e.g., Money Laundering Act) as well as its rights and obligations arising from the contractual relationship between the partner and you.
The processing of your personal data takes place on the following legal bases:
- based on your consent to data processing according to Art. 6 para. 1 lit. a) GDPR;
- for the fulfillment of a contract according to Art. 6 para. 1 lit. b) GDPR;
- for the fulfillment of a legal obligation to which the partner is subject according to Art. 6 para. 1 lit. c) GDPR;
- within the scope of the respective contractual relationship with our respective partner service provider, Art. 28 GDPR.
3. Processors
As Nect, we also use processors for individual personal data processing operations. This includes, for example, the sending of automatic email messages within the Nect Sign procedure by service providers. Corresponding data processing agreements are concluded with the service providers in accordance with Art. 28 GDPR. These service providers process personal data only according to explicit instructions and are contractually obliged to ensure appropriate technical and organizational measures for data protection.
4. Third-Party Content
We use links to share information (e.g., needs-based advertising) from your contractual partners and/or our partner companies (e.g., from an insurance company). No plug-ins are used for this purpose, nor are content and/or information from these partner companies integrated into websites operated by us. As long as you do not click on the partner company’s link to share content there, no data will be sent to the respective partner companies. As soon as you click on a link, you will be redirected to a website of the respective partner company.
We process only and exclusively the following data for analysis purposes:
- IP address
- Internal User ID (if available)
- Browser Information
- User actions (e.g., which link they clicked)
- Timestamp
If you have given us your consent, the legal basis is Art. 6 para. 1 lit. a GDPR. In the case of consent, you are granted the right – also visually in a highlighted form – to revoke your consent at any time. The revocation of consent does not affect the lawfulness of processing carried out based on the consent until its revocation.
Furthermore, data processing is carried out to protect our legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR. The legitimate interest of both us and our partner companies is the economic interest and thus the freedom of action and trade in the preparation, optimization, and/or implementation of needs-based advertising measures and/or target-group-oriented advertising to continuously improve the quality of products and/or services. The processing of the IP address will therefore not lead to conclusions about sensitive information about your person or references to your private and/or intimate sphere. The processing of the IP address will at most affect the social sphere, whereby identification of your person will not be possible directly, i.e., without further information. In no case will negative profiles or similar be created through the processing of the IP address.
Further information and data protection notices can be found in the respective data protection declarations of these partner companies.
§ 6 Duration of Storage of Personal Data
Your personal data will only be stored or otherwise processed by us for as long as is necessary to achieve the respective purpose.
If the purpose of processing has ceased, the corresponding personal data will be deleted. In the following cases, deletion may be postponed:
- Fulfillment of statutory retention periods (e.g., Social Code (SGB IV), Commercial Code (HGB), Tax Code (AO), Banking Act (KWG), Anti-Money Laundering Act (GwG)). The retention periods mentioned therein are generally 6 to 10 years.
- Securing of evidence within the statutory limitation periods. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years. The regular limitation period is 3 years.
- For the purpose of identification within the scope of a qualified electronic signature, the legally prescribed retention obligation is governed by the provisions of Art. 24 paragraph 2 letter h eIDAS Regulation in conjunction with §§ 16 paragraph 4 No. 2, 15 VDG.
If we process your data based on a balancing of interests, such as for purposes of evidence or quality assurance, compliance investigations, or fraud prevention, we will delete your personal data as soon as our legitimate interest no longer exists. The exceptions mentioned above also apply here.
In the event of consent, the data will be deleted as soon as the consent is revoked for the future, unless one of the above-mentioned exceptions applies.
During the process, your device generates data that is stored locally on your device. Similarly, our service transmits data to your device, such as the verification result after the process is completed. These locally stored data are generally not under our control, meaning only you can delete this data (including from any backups).
§ 7 Rights of the Data Subject
You can exercise the following rights:
- According to Article 7 GDPR, a given declaration of consent can be revoked at any time and without stating reasons. The revocation applies with effect for the future, whereby the lawfulness of the data processing carried out based on the consent until revocation is not affected.
- According to Article 15 GDPR, every data subject has a right to information. In particular, you can, for example, request information about the processing purposes.
- According to Article 16 GDPR, the data subject can demand the rectification of inaccurate personal data.
- According to Article 17 GDPR, the data subject has a right to erasure, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
- According to Article 18 GDPR, the data subject has a right to restriction of processing, for example, if the accuracy of the data is contested by you or the processing is unlawful.
- According to Article 20 GDPR, the data subject has a right to data portability.
- If personal data has been processed, for example, on the basis of legitimate interests pursuant to Article 6 para. 1 lit. f) GDPR, the data subject can also object to the processing of personal data concerning them under the conditions of Article 21 GDPR.
- In addition, §§ 34 and 35 BDSG apply to the right to information (Article 15 GDPR) and the right to erasure (Article 17 GDPR).
To assert these rights, you can contact the following entity:
Nect GmbH
Großer Burstah 21
20457 Hamburg
https://nect.com/privacy-request
Furthermore, according to Article 77 GDPR in conjunction with § 19 BDSG, you have the right to lodge a complaint with the competent data protection supervisory authority. For this purpose, you can contact the supervisory authority of our company’s registered office. The address can be found under the following link on the internet:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
§ 8 Obligation to Provide Personal Data
You are not obliged to provide your personal data. If you do not provide certain personal data, we may not be able to provide the app’s functions based on it.
§ 9 Automated Decision-Making
The Nect Ident procedure verifies your identity by comparing recognition and identification document data and then informs you of the result of the identification check. Based on this result, an automated decision may be made by partners in the sense of section 2 lit. a) of our GTC, specifically in cases where you, as a user, have been redirected from the website of this partner (e.g., an insurance or telecommunications company) to our app for identification purposes. Following the identification check, the partner will be informed of the result (according to your consent) so that they can make an automated decision based on it, e.g., whether an insurance contract or the conclusion of a prepaid contract will be entered into with you, or access to the customer portal will be granted. In individual cases, human review of the identification check is provided.
With regard to the above automated individual decisions, you have the right, in accordance with Art. 22 para. 3 GDPR, to human intervention on the part of the controller, to express your own point of view, and to challenge the decision. These rights must be asserted against the partner.
§ 10 Profiling
Your data will not be processed automatically to evaluate certain personal aspects (profiling). Only a comparison of your recognition and identification document data takes place.
§ 11 Use of Google ML Kit
The Google ML Kit is used in the Nect Wallet (both Android and iOS). All data processing takes place on your device; the transfer of images, audio, or video to Google is excluded. When using the Google ML Kit, only the following data is collected:
- Device information (e.g., manufacturer, model, operating system version) and available hardware accelerators for ML (GPU and DSP).
- App information (Package Name / Bundle ID, App Version)
- ML Kit configuration information (e.g., image resolution and format used).
- Event types (e.g., “Initialized”, “Update”, “Execution”).
- Error codes
- Performance information
- Anonymous, installation-specific IDs that cannot be assigned to a person or a device.
- The IP address of the sender of the network request. The IP address is temporarily stored.
This data is used for (configuration) diagnostics and usage analysis.
We base the collection and forwarding of this data on your consent according to Art. 6 para. 1 lit. a) GDPR as well as on a balancing of interests according to Art. 6 para. 1 lit. f) GDPR.
Furthermore, we have agreed on standard data protection clauses of the European Commission with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information can be found in Google’s privacy policy:
§ 12 Information on Your Right to Object according to Article 21 GDPR
1. Case-Specific Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 para. 1 lit. e) GDPR (processing in the public interest) or lit. f) (processing based on a balancing of interests), including profiling based on these provisions.
If you object, we will no longer process your personal data. This does not apply if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.
2. Recipient of an Objection
The objection can be made informally with the subject line “Objection”, stating your name, address, and date of birth, and should be addressed to:
Nect GmbH
Großer Burstah 21
20457 Hamburg
privacy@nect.com
§ 13 Data Processing for Training Purposes
- We use personal data of our users – exclusively after explicit consent in accordance with Art. 6 para. 1 lit. a), 9 para. 2 lit. a) GDPR, Art. 24 para. 2 lit. d) eIDAS Regulation, ETSI EN 319 411-1 (REG-6.3.4-02) – to improve our automated systems, especially in the field of machine learning.
- Purpose of processing: Improvement, training, and evaluation of our AI-supported systems. This includes, for example, algorithms for natural language processing, form validation, or the detection of incorrect entries.
- Categories of data concerned are as follows:
  - User input (texts, content)
  - App usage behavior
  - Support and feedback data
- Voluntariness and Revocation: This consent is voluntary and can be revoked at any time – without affecting the use of the actual trust services. Revocation is possible via the app settings or by email to privacy@nect.com.
- Documentation: Consent is documented and stored in accordance with regulatory requirements.
- Recipients: Recipients are only internal departments or contractually bound processors in accordance with Art. 28 GDPR. No transfer to third countries without appropriate safeguards takes place.
- Processing is carried out exclusively for the purposes mentioned above and only for as long as necessary for system improvement or until consent is revoked. Thereafter, the data will be deleted or fully anonymized. For the rest, we refer to points VI and VII.
§ 14 Data Security
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
§ 15 Topicality
These data protection notices are currently valid. Due to the further development of our app and services or due to changed legal or official requirements, it may become necessary to amend these data protection notices. The currently valid data protection declaration can be accessed and printed by you at any time on the website at https://nect.com.
As of: June 2025