Data protection notes
Information on the processing of personal data when using the Nect Wallet.
Data protection/ privacy notes for users of the Nect Wallet / the Nect Ident process
I. Controller of data processing
The controller is:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
privacy@nect.com
II. Data Protection Officer
Our Data Protection Officer can be contacted at:
Dr. Volkan Güngör
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
Any questions or issues relating to your data should be addressed to privacy@nect.com.
Should you wish to contact our data protection officer directly (for example, because you have a particularly sensitive issue), please send him a letter by post as we cannot guarantee that email communications will always be completely secure.
III. Data processing and origin
For the initial and secure establishment of identity, your personal data must first be collected. However, not all of the previously collected data will be transferred to our partner companies. For information on the individual types of data, please refer to section III. 1. and for information on the recipients of your personal data, please refer to section V.
For some users, a redirect to our landing page (under the URL jump.nect.com or jump.nect.app) takes place prior to the start of the identity verification process. This landing page serves to transfer the user from a website to our app (“Nect Wallet”). There, the user can enter his mobile phone number and then receive an SMS from us with the link to the respective app store (where the app “Nect Wallet” is available for download) and / or call the app (“Universal Link”). The link can also be obtained directly by scanning the QR code on the landing page. Certain procedures (e.g. qualified electronic signature) also provide for processing of the user’s e-mail address. If a usage contract is concluded between the user and us in the course of the identification procedure, the stored mobile phone number and/or e-mail address will be used as a means of communication for the duration of the contract (in particular in the case of detected fraud attempts using the identity of the user). The processing of the means of communication is based on the consent given according to Art. 6 para. 1 lit. a) GDPR.
1. Use of the digital optical control of the identity document
We process the personal data that we receive from our users in the course of operating the “Nect Wallet” app or performing the optical control of identification documents. For this purpose, the user records, among other things, a video of his identity document and his face. The personal data processed by us in this context consist of
Surname and first name(s),
date of birth,
place of birth,
residential address,
a picture/video copy of the federal identity card or passport (front and back) with the information contained on the identity document,
a picture/video sequence of the user together with a measurement file (biometric data)
an audio sequence of the user together with the measurement file (biometric data)
Result of the evaluation of the data
an individual identification number assigned to the participant – identification number
an individual identification number assigned to the transaction – transaction number (UUID)
masked IP address
device identifier and other device data of the mobile device
in case of forwarding by partner: source of forwarding (e.g. URL of the web portal) and, if applicable, a return destination (e.g. URL of the web portal)
in the case of verification of the health insurance card (e.g. electronic health card / eGK): an image/video copy of the card (front and back) with the data contained on the card, and regularly the card’s identification number (ICCSN) before the start of verification,
in case of driver’s license verification: a picture/video copy of the driver’s license (front and back) with the data contained on the driver’s license
in case of electronic signature: the document to be signed
as well as other data comparable to the aforementioned categories and serving to securely establish identity.
To fulfill the Know your Customer (KYC) principle, we collect KYC-relevant data (e.g., residential address and location) in the further course of personal identification by means of manual entry by the user. The processing of KYC-relevant data follows on the basis of the consent given in accordance with Art. 6 para. 1 lit. a) GDPR. Beyond the consent given, we process KYC-relevant data if it is necessary to protect our legitimate interests or the legitimate interests of third parties (e.g. insurance companies) in accordance with Art. 6 para. 1 (f) GDPR and if your interests are not overriding. Our legitimate interest in using KYC-relevant data is, for example, to be able to uncover criminal or fraudulent activities against you or third parties, e.g. in the area of money laundering. The data retrieval only covers limited and necessary information. Appropriate safeguards are in place to limit any disproportionate and inappropriate consequences for the data subjects.
2. Use of the online ID function of the German ID card
In the event of an identity verification via the online ID function of the German identity card (eID), the same personal data listed under point III. 1. of our data protection notice – with the exception of the user’s audio/video sequence (“selfie”) but including your biometric image and video data of the ID document – are processed.
IV. Processing purposes and legal basis
Personal data is processed by us in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) on the following legal basis:
1. Based on your consent (Art. 6 Para. 1 lit. (a), 9 para. 2 lit. a) GDPR)
If you are over 16 years of age and have consented to certain processing of your personal data (e.g., the collection and processing of biometric data), the lawful processing of your personal data is based on this consent.
Without your biometric data, the Nect Ident procedure cannot be carried out. You can withdraw a granted consent at any time without stating a reason with effect for the future. This also applies to declarations of consent that you gave us before the GDPR came into force, i.e. before May 25, 2018. Since the revocation of consent applies to the future, it does not affect the validity of the processing until the time of revocation. Please note that according to section 13 of our General Terms and Conditions of Business (GTCB), any withdrawal will result in the termination of the user contract.
Your consent for data processing by partner service providers used by us is required if they are not acting as processors within the meaning of Art. 28 GDPR.
2. For the fulfillment of a contract (Article 6 para. 1 lit. b) GDPR)
Personal data will be processed to perform the app functions. The above-mentioned data categories will thus be collected and processed within the scope of performing the contract.
Exception: In contrast to this, processing of the user’s biometric data (e.g. photograph) will be based on Item 1 (consent).
Insofar as we carry out verifications of health insurance cards for health insurance companies, the card number (ICCSN) must be entered before registration can begin. This data is collected within the scope of steps taken prior to a contract at the user’s request.
3. Statutory or legal requirements (Article 6 (1) (c) GDPR) or for reasons of public interest (Article 6 (1) (e) GDPR).
Over and above this, in individual cases we as a company are subject to statutory obligations (e.g. money laundering, telecommunications or tax legislation). These include, among others, verification of identity and age; prevention of fraud and money laundering; compliance with tax-law monitoring and reporting obligations and the assessment and steering of risks within the company.
In addition to this, in order to affirm the identity of the person to be identified we, as identification service providers, are obliged by law to ask certain security questions on behalf of our partner companies (providers of trust services) such as age, identity document number or the contract ID number. The legal basis for this is Art. 24 Para. 1 Subpara. 2 (d) Sentence 1 Regulation (EU) No. 910/2014 (eIDAS regulation) in conjunction with Art. 11, 8 German Trust Services Act (VDG).
4. Within the scope of the weighing of interests (Art. 6 Para. 1 (f) GDPR)
Beyond the actual fulfillment of the contract with you, we process your data if it is necessary to protect our legitimate interests or the legitimate interests of third parties and if your interests do not prevail.
Our legitimate interest in using your personal data could, for example, be to combat corruption or economic crime as well as, in particular, to uncover criminal or fraudulent activities aimed at you or third parties, for example in the field of money laundering. Such processing is not least carried out because Recital 47 of the GDPR specifically recognises prevention of fraud as a legitimate interest which is particularly worthy of protection by stating that processing of personal data to the extent absolutely necessary to prevent fraud also represents a legitimate interest on the part of the relevant data controller. Since our partners (e.g. credit institutes) are obliged by law to set up corresponding security systems and we work for these partners, such prevention measures correspondingly apply to us.
Our interest in processing is legitimate because processing of the data only applies to restricted and necessary information. Appropriate protective measures have been implemented to restrict all disproportionate and improper consequences for data subjects.
Personal data collected for the purpose of safeguarding legitimate interests will be kept for as long as necessary to fulfill these purposes. More information about our legitimate interests can be obtained below under point VI. or by contacting us.
V. Data recipients
1. Partner companies
The data collected by the app will not be transmitted to third parties. An exception to this is if you were forwarded to our app via a partner – e.g. via insurance companies, telecommunications companies, banks or statutory health insurance companies. In such cases, we will ask you to give your explicit consent in the app that we may forward your data electronically to the partner. In each case, the partner receives personal data only to the minimum extent legally or functionally required.
Thus, in the case of age verification, we regularly forward only the information whether you have reached a certain age limit, for example:
The person is over 18 years of age.
It is, however, not generally necessary to forward the following data, for example if verification of identity is being used to prevent a disclosure of secrets as defined by Art. 203 German Criminal Code (StGB):
Surname,
First name,
Address,
Information whether or not there is an address sticker,
Date and place of birth
(Partial) outcome of verification
This ensures that, for example, your biometric video data or copies of the identification document are not transmitted to statutory health insurance companies.
Statutory requirements may make it necessary for us to transmit further data to the partner. For example, if the result of our identity verification service is needed to meet the requirements of the Money Laundering Act or the Telecommunications legislation, the following additional data will be transmitted:
Photocopy of the identity document in compliance with data protection and identity card law requirements
Copy of the selfie recording
The purpose of processing your personal data is to confirm your identity to our partner company, such as a health insurance company. The legal basis is their declaration of consent (Art. 9 para. 2 lit. a GDPR, Art. 6 para. 1 lit. a GDPR) and the user agreement (Art. 6 para. 1 lit. b GDPR).
For purpose fulfillment, especially the operation of our IT infrastructure, we also use service providers who ensure a smooth operation (e.g. hosting, managed services). However, these are used exclusively as processors in accordance with Art. 28 GDPR and are contractually obligated accordingly. There is no processing of personal data in third countries.
If we receive your data from your contractual partner for the purpose of order fulfillment within the scope of a digital signature (e.g. electronic signing of a contractual document in accordance with the eIDAS Regulation), we are exceptionally a processor in this respect within the meaning of Art. 28 GDPR. This means that we perform all data processing exclusively on behalf of and in accordance with the strict instructions of your responsible contractual partner. In this regard, we would like to refer you to clauses 5 and 6 of our GTCB (Nect Sign procedure).
In the event of a successful signature process, the document is stored in your Nect Wallet, with the consequence that your contractual partner (e.g., an insurance company) is no longer responsible for this data processing. Rather, in the course of the data storage in your Nect Wallet, we (again) become the responsible party pursuant to Art. 4 No. 7 GDPR, since you had confirmed your previous personal identification (Nect Ident) with your previously granted declaration of consent (see IV. 1 of this Privacy Notice) as well as consent to our GTCB (see section 3 of our GTCB). Nonetheless, the signed document is transmitted to all parties involved and remains the responsibility of the respective recipient there.
Nect is also obliged by or in order to comply with the German Trust Services Act (VDG) to transmit the data mentioned under point V. to the cooperating companies (trust service providers) known to the customer if the purpose of identification is a qualified electronic signature.
2. Integration partners
A further possible reason for forwarding the personal data stated in Item V. 1. above to third parties may, in exceptional cases, be forwarding of verification of your identity using an integration partner (e.g. a distributor) of ours or of the partner (e.g. the insurer) or of the partner’s customer (e.g. IT service provider). In such cases the integration partner will only be forwarded a report that verification was successful. The partner will process the forwarded data to comply with statutory and/or supervisory regulations which apply to them (e.g. money laundering legislation) and to comply with their rights and obligations arising from the contractual relationship between the partner and yourself.
In each case, processing of your personal data is carried out on the following legal basis:
Based on your consent to data processing as per Art. 6 Para. 1 lit. (a) GDPR
To perform a contract as per Art. 6 Para. 1 lit. (b) GDPR
To comply with a legal obligation to which the partner is subject as per Art. 6 Para. 1 (c) GDPR
Within the scope of the relevant contractual relationship with our corresponding service provider partner as per Art. 28 GDPR.
3. Contract processors
We, as the company Nect, make use of contract processors for specific personal data-related processing flows. This includes, for example, using service providers to send out automated email messages within the scope of the Nect Sign procedure. In accordance with Art. 28 GDPR corresponding contract processing agreements are concluded with such service providers. These service providers thus only process personal data after receiving specific instructions and are contractually obliged to implement appropriate data protection-related technical and organisational measures.
4. Third party content
We use links to share information (e.g. advertising) from your contractual partners and / or our partner companies (e.g. from an insurance company). For this purpose, no plug-ins are used, nor is content from these partner companies included. As long as you do not click on the link of the partner company to share content there, no data is sent to the respective partner companies. As soon as you click on a link, you will be directed to a website of the respective partner company.
In doing so, we only and exclusively process your IP address.
If you have given us your consent, the legal basis is Art. 6 para. 1 lit. a GDPR.
Furthermore, the data processing is carried out to protect our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. The legitimate interest of both us and our partner companies is the economic interest and thus the freedom of action as well as trade in the preparation, optimization and / or implementation of promotional measures and / or target group-oriented advertising in order to continuously improve the quality of products and / or services.
Further information and notes on data protection can be found in the respective data protection declarations of these partner companies.
VI. Duration of archiving of personal data
We will only archive or otherwise process your personal data for as long as required to achieve the relevant purpose.
When the processing purpose has ended, the corresponding personal data will be erased. Erasure may be delayed in the following cases:
Compliance with archiving periods specified by law (e.g. German Social Insurance Code (SGB IV), German Commercial Code (HGB), German Tax Code (AO), German Banking Act (KWG), German Money Laundering Act (GwG)). The archiving periods stipulated by such legislation are generally between 6 and 10 years.
Securing of evidence within the scope of the statute of limitations. In accordance with Art. 195 ff. of the German Civil Code (BGB) these statutes may be up to 30 years. The general statute of limitations is 3 years.
With regard to identification within the scope of a qualified electronic signature, the archiving period specified by law as per Art. 24 Para. 2 (h) eIDAS Regulation in conjunction with Art. 16 Para. 4 (2), 15 VDG.
Where processing of your data is based on weighing up of interests, such as securing of evidence, quality assurance, compliance audits or prevention of fraud, we will erase your personal data as soon as our legitimate interest no longer exists. The above-mentioned exceptions also apply in such cases.
Where consent has been given, data will be erased as soon as this consent is withdrawn, effective for the future, unless one of the above-mentioned exceptions applies.
During the procedure your device will generate data which is stored locally on your device. Our service will also transmit data to your device, such as the outcome of verification after the procedure has been completed. This locally stored data is not generally subject to our control; only you can erase this data (also from possible back-ups).
VII. Data subject rights
You may exercise the following rights:
Under the terms of Article 7 GDPR consent which has been given may be withdrawn at any time and without giving reasons. Withdrawal of consent will be effective for the future, whereby the lawfulness of data processing which has been carried out prior to withdrawal of consent will remain unaffected by the withdrawal.
Under the terms of Article 15 GDPR all data subjects have a right to information. You can, in particular, demand information about the purposes of processing.
In accordance with Article 16 GDPR data subjects may demand the rectification of inaccurate personal data.
In accordance with Art. 17 GDPR data subjects have a right to erasure, insofar as processing of the data is not necessary to exercise the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; or for the establishment, exercise or defence of legal claims, respectively.
In accordance with Article 18 GDPR, data subjects have a right to restriction of processing insofar as, for example, you contest the accuracy of the data or processing is unlawful.
In accordance with Article 20 GDPR all data subjects have a right to data portability.
Insofar as personal data was, for example, processed on the basis of legitimate interests as per Article 6 Para. 1 (f) GDPR, data subjects can also object to processing of their personal data under the conditions of Article 21 GDPR.
In the case of the right to information (Article 15 GDPR) and the right to erasure (Article 17 GDPR), Sect. 34 and 35 German Federal Data Protection Act (BDSG) will also apply.
To exercise these rights contact the following entity:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
https://nect.com/privacy-request
Over and above this, in accordance with Article 77 GDPR in conjunction with Art. 19 BDSG, you have the right to lodge a complaint with the competent data protection supervisory authority. To do so, please contact the supervisory authority responsible for our domicile. The address can be found on the Internet under the following link:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
VIII. Obligation to make personal data available
IX. Automated decision-making
The Nect Ident procedure compares recognition and identity data to verify your identity before informing you of the outcome of the verification. This outcome may, where applicable, lead to automated decision-making by the partner as defined by Section 2 (a) of our GTCB, namely in cases in which you, as a user of the partner’s web presence (e.g. an insurance or telecommunications company), were forwarded to our app for identification purposes. Following verification of identity, the partner will (as per your consent) be informed of the outcome so that they can make an automated decision based on the outcome – for example whether to conclude an insurance or pre-paid contract with you or whether to grant you access to the customer portal. In individual cases human intervention in the identity verification process is envisaged.
With regard to the above-mentioned automated decision-making and in accordance with Art. 22 Para. 3 GDPR, you have the right to human intervention on the part of the controller; to express your point of view and to contest the decision. These rights must be asserted against the partner.
X. Profiling
XI. Use of Google ML Kit
The Nect Wallet uses Google ML Kit (both Android and iOS). In this context, all data processing takes place on your device; no image, audio or video files are transmitted to Google. Only the following data is generated when using Google ML Kit:
Device information (such as manufacturer, model, operating system version) and accessible hardware accelerators for ML (GPU and DSP).
App information (package name / bundle ID, app version)
ML Kit configuration information (such as the image resolution and format used).
Event types (such as “initialised”, “update”, “execution”).
Error codes
Performance information
Anonymous, installation-specific IDs which cannot be assigned to a person or device.
The address of the network request sender. The IP address will be temporarily stored.
This data is used for (configuration) diagnosis and use analysis.
The collection and forwarding of this data is based on your consent pursuant to Art. 6 (1) a) GDPR and on a weighing of interests pursuant to Art. 6 (1) f) GDPR.
We have also agreed to standard data protection clauses of the European Commission with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For more information, please see Google’s privacy policy:
XII. Information regarding your right to object as per Article 21 GDPR
1. Individual case-related right to object
You have the right to object to processing of your personal data which is carried out on the basis of Article 6 Para. 1 (e) (data processing in the public interest) or (f) (data processing on the basis of weighing up of interests) at any time on grounds relating to your personal situation; this also applies for profiling which is based on one of these provisions.
Should you object, then we will no longer process your personal data. Exceptions only apply if we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
2. Recipient of an objection
Objections may be made without any formal conditions being required and with the subject heading “Objection”, stating your name, address and date of birth and should be addressed to:
Nect GmbH
Grosser Burstah 21
20457 Hamburg, Germany
privacy@nect.com
XIII. Data Processing for Training Purposes
We use personal data of our users – exclusively after explicit consent in accordance with Art. 6 Para. 1 lit. a), Art. 9 Para. 2 lit. a) GDPR, Art. 24 Para. 2 lit. d) eIDAS Regulation, ETSI EN 319 411-1 (REG-6.3.4-02) – to improve our automated systems, especially in the field of machine learning.
Purpose of processing: Improvement, training and evaluation of our AI-supported systems. This includes, for example, algorithms for natural language processing, form validation, or the detection of incorrect entries.
Categories of data concerned:
User input (texts, content)
App usage behavior
Support and feedback data
Voluntariness and Revocation: This consent is voluntary and can be revoked at any time – without affecting the use of the actual trust services. Revocation is possible via the app settings or by email to privacy@nect.com.
Documentation: Consent is documented and stored in accordance with regulatory requirements.
Recipients: Recipients are only internal departments or contractually bound processors in accordance with Art. 28 GDPR. No transfer to third countries without appropriate safeguards takes place.
Processing is carried out exclusively for the purposes mentioned above and only for as long as necessary for system improvement or until revocation of consent. Thereafter, the data will be deleted or fully anonymized. For the rest, we refer to points VI and VII.
XIV. Data security
XV. Currency
These data protection/ privacy notes are currently valid. Further development of our app and its offerings or amendments to statutory or official specifications may make it necessary to amend these data protection/ privacy notes. To view or print off the relevant current data protection/ privacy declaration at any time, please go to our website http://www.nect.com.
Current as of: May 2025