Privacy Policy

Privacy Policy

1. Introduction

1.1. Your privacy is important to us. This privacy policy provides you with information regarding
the processing of your personal information when you make contact with us or use one of
our services.

1.2. This privacy policy is provided per the General Data Protection Regulation 2016/679
(“GDPR”) and any EU national laws implementing or supplementing the same (the “Data
Privacy Laws”).

2. About us and our privacy commitment

2.1. The iCOVER Group (“iCOVER” or “We”), specialized in international verification services
under the brands “iCOVER” and “Square Facts”, is headquartered in France and operates
through several legal entities around the world to provide its clients background screening,
due diligence, and compliance services (“Services”) through a Service Agreement or Terms
of Services agreed upon between iCOVER and you (“Service Agreement”).

2.2. We are firmly committed to respecting your right to privacy and take seriously our
responsibilities concerning the processing of personal information. We do not collect or
process personal information unnecessarily nor solicit or receive information from

2.3. The privacy policy (the “Policy”) sets out important information about your rights
concerning the processing of your personal information in the course of using our services.
The Policy also outlines the basis on which any personal information, we collect from you
or that you provide to us, will be processed in connection with your use of our services.Privacy Policy

2.4. If you have any questions about this Privacy Policy or want to exercise your rights set out
in this Privacy Policy, please contact us by sending an email to privacy@icover-

3. What information do we collect?

3.1. The Policy is primarily related to personal information collected and processed in order tooperate our business.

3.2. We may collect personal information from you in the course of our business, including
through your use of our website, when you contact or request information from us, when
you engage our team to provide Services.

3.3. We collect information such as name and contact details in order to communicate and
facilitate the provision of our services with our clients, potential clients, or suppliers. Initial
information about you can be provided by the company you are working for. You may
provide us with information by using our services or by corresponding with us by phone, e-
mail, or otherwise. Other occasions during which you provide us information are when
searching for a product, placing an order, reporting a problem, or engaging with any other
form of communication with us. We may collect information to respond to inquiries
regarding our products and services or to provide you with information, reports, or

3.4. When you visit our website or use our platforms, we may collect, as a data controller,
information about your visit such as your IP address, login information, browser type, time
zone setting and the pages you visited and, when you use our Services we may collectPrivacy Policy
information on how you use those services. Our websites and online platforms may use
cookies from time to time. Cookies may be used to save your personal preferences so you
do not have to re-enter them each time you access our services. For more information
about our use of cookies and how you can disable them, please see our Cookie Policy.

3.5. In the course of providing our Services to our clients, they engage us on a wide range of
matters to help them mitigate risk such as conducting due diligence on a potential partner,
employee, or client through reports.

3.5.1. The personal information we process in the performance of Services for and on behalf
of our clients, as a data processor, includes but is not limited to any information
relating to an identified or identifiable individual (“Data Subject”), for example, the
individual’s name, contact information, education information, work history,
directorships, financial information, as well as, where necessary, data concerning
criminal convictions and offenses. We treat all such information within the strict
confines of the GDPR.

3.5.2. The lawful bases for such data processing are defined by our client in their privacy
policy or another document and will vary depending on the nature of the information
and the project. Before ordering, iCOVER’s client has assessed the necessity,
permissibility, and relevance of the service. iCOVER’s client warrants to iCOVER that:
(1) the personal data is processed in a lawful, fair, and transparent manner in relation
to the data subject; (2) the personal data is collected for specific, explicit and
legitimate purposes and not further processed in a manner that is incompatible with
those purposes; (3) the personal data is adequate, relevant, and limited to what is
necessary for the purposes for which it is processed; and (4) if applicable after seeking
appropriate legal advice, information notice or authorization form or any other
mandatory document, has been duly provided to/required from the data subject.Privacy Policy

3.5.3. iCOVER warrants the legality of the access to the information expected to be verified
and defines the scope. iCOVER does not guarantee compliant use of the data in this
report by the client. iCOVER has used its professional care and diligence to verify
information against authorized public and/or private sources. iCOVER cannot be held
responsible for the content provided by the sources. iCOVER cannot certify that no
change has occurred since the preparation of the report.

4. What do we do with your information?

4.1. We will only process personal information when the law allows us to.

4.2. We may use your information for the following purposes: Fulfilment of Services, Clientservices, Business administration, and legal compliance or Recruitment:

4.2.1. Where we process your personal information to register you as a customer/user,
accept your orders, deliver Services to you, collect our fees; we do so on the basis
that it is necessary to perform our obligations under a contract with you or a
company you work for. It may also be necessary to comply with certain legal

4.2.2. Where we process your personal information to send you newsletters, respond
to your questions, improve the contents of our website and marketing efforts,
conduct research and analysis, and display content based on your interests; we
do so on the basis that it is necessary for our legitimate business interests. These
interests include the interests of ensuring our clients receive premium service,
growing our business to best satisfy changing market needs, and ensuring
continual improvements to our Services.Privacy Policy

4.2.3. Where we process your personal information for business administration and
legal compliance, we comply with our legal obligations (including Know Your
Client and Anti-Money Laundering or similar obligations), to enforce our legal
rights, in connection with a business transaction; we do so on the basis that we
have a legal obligation to do so.

4.2.4. Where we process your personal information for recruitment purposes to assess
your suitability for any position for which you may apply at iCOVER whether such
application has been received by us online, via email, or by hard copy or an in-
person application; we do so in connection with us taking steps at your request
to enter a contract we may have with you or it is in our legitimate interest to use
personal information in such a way to ensure that we can make the best
recruitment decisions for iCOVER. We will not process any special category data
except where we can do so under applicable legislation. You may request at any
point of the recruitment process iCOVER’s background screening policy.

4.3. We will only use your personal information for the purposes for which we collected it unless
we reasonably consider that we need to use it for another reason and that reason is
compatible with the original purpose. If we need to use your personal information for an
unrelated purpose, we will notify you and we will explain the legal basis which allows us to
do so. Please note that we may process your personal information without your knowledge
or consent, in compliance with this Policy, where this is required or permitted by law.

5. Disclosure of your informationPrivacy Policy

5.1. We only share your personal information with your consent or following this Policy. We will
not otherwise share, sell or distribute any of the information you provide to us except as
described in this notice.

5.2. We may disclose information to any department or authorized person within our company
or any affiliated company within iCOVER and selected third parties only in the
circumstances where it is necessary and the supplier has agreed to the same standards and
terms of privacy as set out in the Policy.

5.3. iCOVER is a global corporation and any information that we collect or that you
provide to us may be shared and processed by any iCOVER entity and affiliated. You
can find out more about the iCOVER entities and locations in Appendix 1.

5.4. We may also share personal information with a variety of the following categories of
third parties as necessary:

5.4.1. Professional advisers such as lawyers and accountants.

5.4.2. Government or regulatory authorities.

5.4.3. Professional indemnity or other relevant insurers.

5.4.4. Regulators/tax authorities/corporate registries.

5.4.5. Third parties to whom we outsource certain services such as, without limitation,
translation services, confidential waste disposal.

5.4.6. Third parties engaged in the course of the services we provide to clients such as
information furnishers.

5.4.7. Third party service providers to assist us with client insight analytics, such as
Google Analytics.Privacy Policy

5.5. A list is provided in Appendix 1, there may be other examples where we need to share
with other parties in order to provide the Services as effectively as we can.

5.6. We will disclose your personal information to third-party recipients in the event that we sell
or buy any business or assets, in which case we will disclose your personal information to
the prospective seller or buyer of our business or assets or if we are under a duty to disclose
or share your personal information in order to comply with any law, legal obligation or
court order, or in order to enforce rights under the GDPR or to apply our Terms of Use and
other agreements.

6. International transfers

6.1. In order to provide the Services we may need to transfer your personal information to
locations outside the jurisdiction in which you provide it.

6.2. If you are based within the European Economic Area (EEA), please note that where
necessary to deliver the Services we will transfer personal information to countries outside
the EEA (including the United States, Mexico, Tunisia, and India).

6.3. All iCOVER entities have signed a data sharing agreement which is based on the EU
standard contractual clauses to ensure we will comply with our legal and regulatory
obligations in relation to personal information, including having a lawful basis for
transferring personal information and putting appropriate safeguards in place to ensure an
adequate level of protection for the personal information.

7. How long we keep your personal information?Privacy Policy

7.1. We will only retain your personal information for as long as necessary to fulfill the purposes
we collected it for, including to satisfy any legal, accounting, or reporting requirements.
The period for which we store your personal information may depend on the type of
information we hold.

7.2. To determine the appropriate retention period for personal information, we consider the
amount, nature, and sensitivity of the personal information, the potential risk of harm from
unauthorized use or disclosure of your personal information, the purposes for which we
process your personal information, and whether we can achieve those purposes through
other means, and the applicable legal requirements. For example, we may hold personal
data as needed for our accounting or tax compliance purposes or where needed for our
compliance with anti-money laundering regulations per the respective statutory periods.

7.3. For Data Subjects, we store their personal information for as long as the data controller
(our client) has instructed us to in the Service Agreement.

8. Security measures

8.1. We use accepted standards of physical and technical measures and require our hosting
partners to use the same standard of care to protect personal information. Despite our best
effort to protect personal information, the transmission of information via the internet is
not completely secure. Once we have received your information, we will use strict
procedures and security features to try to prevent unauthorized access.

8.2. You will find an excerpt of our security measures in Appendix 2.Privacy Policy

9. Your rights

9.1. You have the following rights in relation to the personal information we hold about you:

9.1.1. Your right of access: If you ask us, we’ll confirm whether we’re processing your
personal information and, if necessary, provide you with a copy of that personal
information (along with specific other details). If you require additional copies, we
may charge a reasonable fee.

9.1.2. Your right to rectification: If the personal information we hold about you is inaccurate
or incomplete, you are entitled to request to have it rectified. If you are entitled to
rectification and if we’ve shared your personal information with others, we’ll let them
know about the rectification where possible. If you ask us, where possible and lawful
to do so, we’ll also tell you who we’ve shared your personal information with so that
you can contact them directly.

9.1.3. Your right to erasure: You can ask us to delete or remove your personal information in
some circumstances such as where we no longer need it or if you withdraw your
consent (where applicable). If you are entitled to erasure and if we’ve shared your
personal information with others, we’ll let them know about the erasure where
possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you
who we’ve shared your personal information with so that you can contact them

9.1.4. Your right to restrict processing: You can ask us to ‘block’ or suppress the processing
of your personal information in certain circumstances, such as where you contest the
accuracy of that personal information or you object to us. If you are entitled to
restriction and if we’ve shared your personal information with others, we’ll let them
know about the restriction where we can do so. If you ask us, where it is possible andPrivacy Policy
lawful for us to do so, we’ll also tell you who we’ve shared your personal information
with so that you can contact them directly.

9.1.5. Your right to data portability: You have the right, in certain circumstances, to obtain
personal information you’ve provided us with (in a structured, commonly used, and
machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a
third party of your choice.

9.1.6. Your right to object: You can ask us to stop processing your personal information, and
we will do so if we are: (i) relying on our own or someone else’s legitimate interests to
process your personal information, except if we can demonstrate compelling legal
grounds for the processing; or (ii) processing your personal information for direct
marketing purposes.

9.1.7. Your right to withdraw consent: If we rely on your consent (or explicit consent) as our
legal basis for processing your personal information, you have the right to withdraw
that consent at any time.

9.1.8. Your right to complain with the supervisory authority: If you have a concern about any
aspect of our privacy practices, including the way we’ve handled your personal
information, you can report it to the relevant Supervisory Authority.

9.2. Please note that some of these rights may be limited where we have an overriding interest
or legal obligation to continue to process the data.

10. Third-party material

10.1.The website and/or Services may contain links to other sites whose information
practices may be different than ours. Visitors should consult the other sites’ privacy notices
as iCOVER has no control over information that is submitted to, or collected by these third
parties.Privacy Policy

11. Changes to this policy
11.1.Any changes made to this Policy from time to time will be published on the Platform.
Any material or other change to the data processing operations described in this Policy that
is relevant to or impacts on you or your personal data will be notified to you. In this way,
you will have an opportunity to consider the nature and impact of the change and exercise
your rights under the GDPR in relation to that change (e.g., to withdraw consent or to object
to the processing) as you see fit.

12. Contact

12.1.If you have any comments or questions about our privacy policy or our processing
of your information, please contact iCOVER – Data Protection Office – 1rue de la Bourse,
75002 Paris or

12.2.For further information on the protection of personal data, you can consult the
website of the Commission Informatique et Liberté,
Effective date: 1 May 2023Privacy Policy
Appendix 1 – List of sub-processors that may have access to your personal data
●Microsoft (Working tool)
●Google workspace (Working tool)
●Zoom (Communication platform)
●Atlassian (Jira, Confluence)
●Eurecia (HR services)
●Figma (Working tool)
● (Working tool)
●Adobe (Working tool)
●Amazon webservice (hosting system)
●OVH (hosting system)
●Hetzner (hosting system)
● (hosting system)
●Slack (Communication platform)
●Zoho (Customer management)Privacy PolicyPrivacy Policy
Appendix 2 – Security measures

●ISO 27001 certified Information Security Program. iCOVER has developed and implemented
a comprehensive security program that includes reasonable administrative, technical, and
physical safeguards, which are reasonably designed to protect: the security and
confidentiality of Personal Data; against unauthorized access to or use of Personal Data.

●Procedures and Controls. iCOVER has developed, documented, and will maintain
procedures and controls: for the secure handling, transfer, and disposal of Personal Data,
whether in electronic or physical form; to protect against destruction, loss, or damage of
Personal Data due to human error, potential environmental hazards, or technological
failures; to restrict access to Personal Data at physical locations, such as buildings,
computer facilities, and records storage facilities; to authenticate and limit access to its
systems to authorized individuals; for the secure configuration and maintenance of
information systems (e.g., servers, network infrastructure devices, and networks), including
procedures for change management; the pseudonymization and encryption of Controller
Data; for detecting, preventing and responding to attacks, intrusions, or other systems
failures, including actions to be taken in the event of suspected or detected unauthorized
access to its systems.
●Safeguards. iCOVER has designed and implemented reasonable safeguards to control
reasonably foreseeable internal and external risks to its systems by restricting access to
those who have a business need to access various systems, via control of administrative and
user account privileges.
●Monitoring. iCOVER monitors security within its organization by: Using enterprise-grade
automated tools to monitor workstations, laptops, and servers for malware, with central
compilation of such logging; Leveraging firewalls and intrusion prevention systems to
monitor externally facing assets; Collecting and analyzing audit logs of events andPrivacy Policy
generated alerts, to help detect an attack; performing penetration testing on an annual

●Access. iCOVER manages and controls system access by: using Active Directory to control
administrative privileges for Windows servers and some applications; restricting user
account privileges to what is necessary in order to do their job.

●Disaster Recovery/Business Continuity and Incident Response Plans. iCOVER has designed
plans for responding to a: disaster, including processes and procedures for resuming
business operations; network and/or system attack, including incident handling.