Data Protection
Last updated 8 June 2026
Because Kycaro handles government IDs and biometric data, we treat data protection as core to the product. This page summarises how we handle that data. It complements our Privacy Policy.
Principles we follow
- We collect only the data we need to verify identity and meet legal obligations.
- We use it only for the purposes we told you about.
- We keep it only as long as necessary, then delete it.
- We protect it with appropriate technical and organisational measures.
Lawful basis
We process sensitive data on the basis of your consent, performance of our contract with you, and compliance with KYC/AML and other legal obligations, depending on the law that applies.
Your rights
Subject to local law, you can ask us to:
- access the personal data we hold about you;
- correct data that is inaccurate;
- delete your data, where no legal retention duty applies;
- restrict or object to certain processing; and
- receive a copy of your data in a portable format.
To exercise these rights, email hello@kycaro.com.
Sub-processors
We use a small number of trusted providers to run the service, including:
- Paystack — payment processing.
- Our hosting provider — application hosting and storage.
Retention and deletion
Identity documents and verification records are deleted once they are no longer needed for the purpose for which they were collected or for legal retention, whichever period is longer. You may request deletion at any time, subject to those duties.
Data breaches
If a breach affects your personal data, we will act to contain it and, where the law requires, notify you and the relevant authority without undue delay.
Supervisory authority
If you are in Ghana, you may contact the Data Protection Commission. If you are in the EU/UK, you may contact your local data-protection authority.
Contact
For data-protection matters, email hello@kycaro.com.