Our privacy policy was last updated on 26/02/2025

Table of Contents

1. Introduction
2. Our Role in Processing Personal Data

1. Definitions and Interpretations

4. Collecting and Using Personal Data
5. Types of Data Collected
6. Use Of Your Personal Data
7. The Purposes of The Processing of Personal Data
8. Sharing Of Personal Data To Third Parties
9. Data Location and Transfer
10. Retention of Personal Data
11. Security of Your Personal Data

1. Your rights Under the GDPR and the CCPA, CPRA
2. Your rights Under the PIPEDA
3. Interaction with third-party products
4. Cookies and Trackers 
5. Links to Other Websites
6. Changes To This Policy
7. Contact us
   
   

1. Introduction

Valid.it Evaluation Solutions Ltd. (also known as Validit Inc., “Valid.it,” “Company,” “We,” or “Us”) provides companies and organizations (“Our Customers” or “Your Organization”) with a mobile-based platform that enables remote, non-invasive integrity testing (the “Platform”). This Privacy Policy (“Policy”) explains:

• The types of Personal Data we collect and process.
• How we handle Personal Data when providing our Platform and Services.
• Our role in processing Personal Data, including when we act as a Data Processor or a Data Controller.
• Your rights regarding your Personal Data and how you can exercise them.
• Additional privacy practices and safeguards we implement to protect personal data.

We prioritize transparency, so even when we act as a Data Processor (meaning when we process data strictly on behalf of our Customers), we provide information about how our Platform handles Personal Data.

2. Our Role in Processing Personal Data

Valid.it acts in two different roles when processing Personal Data:

• When We Act as a Data Processor

In most cases, Valid.it functions as a Data Processor, meaning we process Personal Data exclusively on behalf of our Customers, following their instructions.

• Your Organization as the Data Controller: Your organization determines the purpose and legal basis for processing, provides privacy notices, and obtains consent (if required).
• Assessment Data: All data collected during assessments—including physiological indicators such as heart rate, oxygen saturation, and other biometric-like data—is processed solely based on the instructions of our Customers and for their needs and purposes.
• No Independent Use: Valid.it does not collect, store, or use this data for its own purposes beyond fulfilling contractual obligations.

While this Policy provides clarity about how data is processed assessments and similar processes, it does not govern how Customers use that data or replace their privacy notices. Valid.it processes data solely on behalf of your organization as a Data Processor, and Your organization, as the Data Controller, is responsible for determining the lawful basis for processing, obtaining consent (if required), and providing privacy notices.

For more details on how your data is handled, please review your organization’s privacy policies. If you have any questions or requests regarding data processed on behalf of your organization, please contact your organization’s administrator.

• When We Act as a Data Controller

In certain limited cases, Valid.it acts as a Data Controller, such as when:

• You visit our Website and interact with our content.
• You contact us directly for inquiries or support.
• We process business contact details for contractual purposes.
• We process information related to Customer representatives, administrators, and users of our Platform.

In these cases, we determine the purpose of processing and are responsible for ensuring compliance with applicable data protection laws as a data controller, such as providing this Policy and ensuring that we are authorized to use the data.

3. Definitions and Interpretations
   • The words of which the initial letter is capitalized have meanings defined under the following conditions.
   • For the purposes of this Policy:

• For the purpose of the GDPR (EU General Data Protection Regulations) in this privacy policy, the company is the Data Processor.
• “Account” – a unique account created for You to access our Service or parts of our Service via the platform;
• “Admin” – the Platform Administrator account for the organization You are associated with;
• “CCPA” – California Consumer Privacy Act;
• “CPRA” – California Privacy Rights Act;
• “Cookies” are small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses;
• “Data Controller“, for the purposes of the GDPR, refers to the organization You are associated with (“Your Organization” as defined above) as the legal person/agency or other body, which alone or jointly with others determines the purposes and means of the processing of Personal Data;
• “DataProcessor“- for the purpose of the GDPR, refers to The Company or its affiliates which process personal data on behalf of the Data Controller.
• “Device” means any hardware that is used to access the Service such as a computer, a mobile device, or a digital tablet;
• “GDPR” – EU 2016/679 General Data Protection Regulation.
• “Personal Data”– any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or in combination with additional information that We have or that We have access to.
• “PIPEDA” – the Canadian Personal Information Protection and Electronic Documents Act;
• “SaaS” – Software as a Service;
• “Service Provider” means any entity, establishment, or legal person who processes the data (either Usage Data, or Personal Data) on behalf of the Company. It refers to third-party companies and/or individuals employed by the Company to facilitate and/or perform and/or provide the Service on behalf of the Company, or to assist the Company in monitoring, analyzing how the Service is used and improving the Service as deemed necessary. For the purpose of the GDPR, Service Providers in this Privacy Policy are considered Data Sub-Processors (“Data Sub-Processors”);
• “You” or “End user” means the individual accessing or using the Service, conducting the assessment, as applicable; and
• “Usage Data” refers to data collected automatically, either generated using the Service or from the Service infrastructure itself (for example, the duration of a page visit).

• Under GDPR, You can be referred to as the Data Subject or the End-User as the individual using the Service.

4. Collecting and Using Your Personal Data
   • You are not obligated to provide Us with any Personal Data about You. However, in some instances, not providing such Personal Data will prevent Us from providing You with the Services You requested Us to provide You, will prevent Your use of the Services or a part thereof.

5. Types of Data Collected
   • Contact Details and User Data – We collect certain types of personal data that are transferred to Us by Your organization, such as First Name, Last Name, Mobile Phone Number, Email Address, and in some cases Your ID number (this could be Your governmental ID number, or any other number used to identify You by Your organization). While You use Our Service, We may be required to contact You in order to ensure the proper administration of the assessment, in such cases where You or we have incurred a technical issue related to Your use of our Service.

Should we decide to contact or use the personal information provided by Your organization in order to contact You, we may ask You to provide Us with certain personally identifiable information that can be used to identify You. Such information may include, but is not limited to:

• Email address;
• First name and last name;
• Phone number;
• ID number used to identify You by Your organization.

To facilitate the proper administration of the assessment, the following data may be processed on behalf of Your organization while you use the service:

• Physiological Data: Heart Rate (BPM), Oxygen Saturation (SpO2), Respiration, HR Variability (HRV), Standard deviation of pulse rate (SDNN), and Blood Pressure (BP). (These are collected while using the service via the phone camera sensors. Please Note: no pictures or videos of You are collected, the physiological data is collected live while using the service); and
• any other Personal Data that You decide to provide/supply us with.

• Communication Information – We may collect certain personal information when you contact us or interact with our services, including:

• General Inquiries & Newsletter Subscriptions: If you contact us through any channel (e.g., our Website, social media, or by subscribing to our Newsletter), you may provide us with your full name, telephone number, company name, and email address.
• Platform Administrators: We may collect business contact details, such as name, job title, business email, and phone number for administrators using the Platform on behalf of their organization.
• Website Users: When you contact us, request support, or book a demo through our Website, we may collect your name, email, and phone number.

• Usage Data – Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device’s unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit Our Service or when You access the Service by or through a mobile device.

For more information about the cookies we use, and Your choices regarding cookies, please see our Cookies Policy below.

6. Use of Your Personal Data
   • Processing Data on Behalf of Your Organization

All data collected as part of the assessment is processed solely on behalf of your organization using the Platform. Our solution applies integrity testing methodologies to assist Controllers in evaluating responses objectively and efficiently. For recruitment, insurance, or financial assessments, your organization determines the necessity, scope, and use of the results.

• Employee Recruitment: Your organization may request that you complete an integrity/reliability assessment as part of the hiring process. The assessment follows your organization’s instructions, and the results are returned to them for further decisions.

• Insurance Underwriting: Your insurance provider may require an assessment to verify details in your application. The assessment is conducted per their instructions, and results are sent back to them.
• Financial Statements: If you apply for financial services, your institution may request an assessment to confirm the accuracy of provided financial details. The results are returned to them for review.

In all cases, Valid.it does not make any decisions regarding your assessment—your organization, as the Data Controller, determines how to proceed.

• Service Operation and Compliance

Valid.it processes user and usage data only on behalf of your organization to operate, maintain, and improve the service. This includes:

• Ensuring proper platform functionality.
• Providing technical and customer support.
• Securing the platform and fulfilling regulatory obligations.

• Aggregated and Anonymized Data

We may create anonymized, aggregated data for analytical purposes, such as service improvements and business development. This data does not contain any personally identifiable information and is used to understand overall platform usage trends.

7. The Purposes of The Processing Of Personal Data

As explained above, we process certain Personal Data as a Data Controller, based on a relevant legal basis under applicable laws. The specific legal basis depends on the applicable jurisdiction, but the following primarily apply to individuals covered under the General Data Protection Regulation (GDPR):

• Legitimate Interests – We process data when it is necessary for our legitimate business purposes, provided it does not override your rights and interests. For example:

• • Improving our services, Platform and Website, including user experience, based on aggregated usage data.
  • Ensuring security and fraud prevention.
  • Exercising or defending legal claims.

• Consent – In cases where required by law, we will obtain your explicit consent before processing your data. For example:

• • If you sign up for marketing communications (where applicable).

• Performance of a Contract – We process data when necessary to fulfill a contract with you. For example:

• • Providing services you requested.
  • Addressing technical issues or support requests.

8. Sharing Of Personal Data To Third Parties
   • We will not disclose Personal Data about You to third parties except as detailed in this Policy:

• With Our Group: We may transfer Personal Data to entities that control Us, entities that are under Our control and/or to entities under common control or ownership with Us, as shall be from time to time (collectively the “Group”). Such entities may use the Personal Data to support the needs of the Group
• With Service Providers: for the purpose of tracking and analyzing how our services are being used, We might disclose e Your personal information to the Service Providers such as hosting and server co-location services, cloud storage service providers, communication, content delivery networks, data and cyber security services, fraud detection and prevention services, and web analytics and any other relevant services.
• With Affiliates:We may disclose Your information with Our affiliates, in which case we will require them to follow this Privacy Policy. Information shared as needed only serves to allow us to fulfill our legal obligations towards our customers, and to ensure that our solution performs optimally.
• With our customers:We share Your information with Your organization, in such case, Your accounts Admin may access it on behalf of Your organization, and will be able to monitor, analyze and process Your personal data. Your Organization can determine whether Your account or part of it shall be available to others or not.
• Law enforcement: Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
• Due diligence process: In the event that we will be subject to an audit or a Due diligence process;
• Legal status: In the event that We sell, assign or transfer some or all of Our business or assets to a successor or acquirer, or if We are acquired by or merge with a third party, or if We file for bankruptcy or become insolvent, or any other situation where Personal Data may be sold, assigned or transferred to a successor or acquirer;
• Other legal requirements: The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
• Comply with a legal obligation
• Protect and defend the rights or property of the Company
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of Users of the Service or the public
• Protect against legal liability.
  • In the preceding twelve (12) months, We have not sold any Personal Data.

9. Data Location and Transfer
   • Personal Data about You may be transferred to a third country (i.e. jurisdictions other than the one You reside in) or to international organizations. In such circumstances, the Company shall take appropriate safeguards to ensure the protection of Personal Data about You and to provide that enforceable data subject rights and effective legal remedies for data subjects are available.
   • The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy for End Users, contractual terms with Your organization, and appropriate lawful mechanisms, and no transfer of Your Personal Data will take place on behalf of Your organization, to a country unless there are adequate controls in place including the security of Your data and other personal information, as follows:

• Internal transfers: Transfers within the Valid.it group will be covered by an internal processing agreement entered by members of the Valid.it Group (an intra-group agreement) which contractually obliges each member to ensure that personal data receives an adequate and consistent level of protection wherever it is transferred to.
• External transfers: Where we transfer Your Personal Data outside of the EU/EEA (for example to third parties who provide us with services), we will do so with a third country or an international organization that the commission has determined is an adequate level of protection. If not, We will obtain relevant contractual framework commitments from them to protect Your Personal Data, such as Standard Contractual Clause (SCC) or Data Transfer Agreement (DTA)/Data Processing Addendum (DPA) depending on which country receiving the data.
  • Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement and consent to that transfer.

10. Retention of Personal Data

The Company will retain Your Personal Data on behalf of Your organization and in accordance with its instructions. Additionally, we may retain Your personal data only for as long as is necessary for the purposes set out in this Policy as well as to comply with our legal obligations (for example, if we are required to retain Your data to comply with applicable laws of and regulation.

11. Security of Your Personal Data

The security of Your Personal Data is important to Us, and for that purpose, We have implemented technical, organizational, and security measures designed to protect Your Personal Data. However, remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security. As the security of information depends in part on the security of the computer, device, or network You use to communicate with us and the security You use to protect Your user IDs and passwords, please make sure to take appropriate measures to protect this information.

12. Your rights Under the GDPR and the CCPA, CPRA
    Under applicable law and specifically the GDPR, You have several rights to be practiced regarding Your personal data, and We-the Data Processor shall comply with the GDPR and do our best to assist the Data Controller-Your organization in fulfilling Your request for practicing Your rights, under legal obligations and restrictions. Any request for practicing Your rights regarding personal data processed via our platform on behalf of Your organization, please contact Your organization, Admin.  For the purpose of brief acknowledgment, Your rights under the GDPR are as follows: 

• The right to be informed;
• The right to access Your Data;
• The right to rectification of Your Data;
• The right to erasure, “right to be forgotten”;
• The right to restrict processing;
• The right to data portability;
• The right to object to the processing of Your personal data;
• The right not to be subject to automated decision-making;
• You have a right to lodge a complaint with Your local data protection supervisory authority; and
• The right to not be discriminated by Us because You exercised any of Your rights under the CCPA or CPRA.
  
  

13. Your rights Under the PIPEDA.
    Under applicable law, specifically the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain rights regarding your personal data. We comply with PIPEDA and will assist your organization in fulfilling requests related to your rights, subject to legal obligations and restrictions. Under PIPEDA, your rights include:

• The right to access your personal data – You can request to see what personal data an organization holds about you and how it is used.
• The right to correct inaccurate data – You can request corrections to personal information that is incomplete, inaccurate, or outdated.
• The right to withdraw consent – If your data is processed based on consent, you can withdraw that consent at any time, subject to legal or contractual limitations.
• The right to challenge compliance – You can file a complaint with the organization handling your data and, if unsatisfied, escalate it to the Office of the Privacy Commissioner of Canada (OPC).

14. Interaction With Third-Party Products
    
    
    • Our platform may contain third-party links and You We may thus be able to interact with third-party websites, mobile software applications, and products or services that are not owned or controlled by us (each a “Third Party Service”). Therefore, If You click on a third-party link, You may be directed to that third party’s site, which may not be operated by Us, and We thus cannot assume responsibility for the privacy practices or the content of such Third-Party Services. We strongly advise You to review the Privacy Policy of every site You visit.
    • We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

15. Cookies and Trackers
    • We may use certain third party services, such as analytics companies or companies delivering advertisements, which may also use cookies or other technologies, and those practices and providers are subject to their own policies.
    • Cookie (which is a small text file) is installed on the device via which You visit or access the Platform. The cookies allow Us to collect information about You and Your behavior, in order to improve Your user experience, to remember Your preferences and settings, and to customize and offer You products and services that may interest You. Cookies are also used to collect statistics and perform analytics.
    • Some of the cookies We use are session cookies, which are downloaded temporarily to Your device and last until You close Your web browser, while others are persistent cookies, which last on Your device after You cease browsing the Service and are used to help the Service remember You as a returning visitor when You return to the Service.
    • Types of cookies: The cookies We may use have been classified according to their functionality, as follows:

Blocking and removal of cookies. You can change Your browser settings to block and delete some or all cookies. Please see below links to instructions on how to do this in respect of some of the most popular web browsers:

• Firefox
• Edge
• Internet Explorer
• Google Chrome
• Safari

Please note, however, that if You do so, some or all of the Service’s features and functionalities might not perform as intended.

Online tracking notice: at this time, this service does not support do-not-track signals.

16. Links to Other Websites
    • The Website may contain links to websites and/or applications of third parties. Other websites and applications may also reference or link to Our Website. We do not control such websites and applications, nor the collection and/or processing of Personal Data about You by such websites and applications, and thus We are not responsible for the privacy practices. This Policy does not apply to any actions taken via such websites and/or applications. Whenever You access such third parties’ websites and/or applications, We recommend that You carefully review their privacy policies prior to using such websites and/or applications and prior to disclosing any Personal Data about You.
17. Changes to the Policy. We may amend, from time to time, the terms of this Policy. When We make significant amendments to this Policy, we will strive to inform You about such amendments via means of communication We believe are reasonably appropriate. Unless stated otherwise, all amendments will enter into force upon publication of the updated Policy.
18. Contact us. If you have any comments or questions regarding your privacy or the use of your Personal Data under this Policy:

• For assessment-related data and employer-related usage: Please contact your organization’s administrator, as they are the Data Controller responsible for your information.
• For data processed by Valid.it as a Controller (e.g., website usage, customer inquiries): You may contact our support team at support@validit.ai.