Privacy Policy
This Privacy Policy outlines how KRDPass, the official digital identity application developed for the citizens of
the Kurdistan Regional Government (KRG), collects, uses, protects, and shares your personal data. KRDPass is
designed to provide secure access to government services and digital identity verification.
1. Information We Collect
Biometric Data:
- 3D facial data captured during the liveness check for onboarding
- Face images captured for verification and identity recovery
Device Information:
- Operating system version
- Device name and identifier
App Usage Data:
- Language selection
- Time and date of access
- Interactions with specific features (e.g., enabling biometrics, notifications, onboarding status)
Media Access:
- Optional gallery access if the user chooses to scan their Digital ID from an image
2. How We Use Your Data
Identity Verification and Onboarding:
- To authenticate and verify your identity using the Digital ID and liveness check
- To generate cryptographic key pairs and establish a secure identity link with the KRG servers
Authentication and Security:
- To issue and validate secure tokens (JWTs) using device-generated private keys
- To secure access to services using PIN or biometric authentication
User Support:
- Face data may be temporarily reviewed to assist with onboarding issues or ID recovery
Audit and Compliance:
- Security logs are maintained and reviewed as part of our audit and regulatory requirements
- Unauthorized access attempts are investigated and reported to the affected user and relevant authorities
3. Face Data Processing and Retention
- Face data is used only during the onboarding or digital ID recovery processes
- It is stored encrypted at the KRG Department of Information Technology (DIT) data center
- Access is limited to authorized personnel under strict audit controls
- Face data is permanently disposed of six months after successful liveness verification or identity recovery
4. Data Sharing
Internal Government Use:
- Your data may be accessed by authorized governmental entities for verification or service provisioning
Third Parties:
- We do not share your personal or biometric data with any third parties unless required by law or with your explicit consent
5. User Controls and Rights
- You can choose your preferred language at app launch
- You may opt to disable future onboarding from the settings to enhance your account's security
- You can enable or disable biometric authentication and notifications at any time
- You may view and edit certain data (e.g., device name) directly within the app
6. Security Measures
- All communication between the app and servers is encrypted
- Private keys remain on your device, encrypted by your PIN
- Face data and other sensitive information are stored under high security in DIT's infrastructure
- Only authorized personnel can access sensitive user data
7. Retention Policy
- Personal data is retained as long as required to provide services or comply with legal requirements
- Biometric data (face data) is deleted six months after successful onboarding or verification
8. Incident Response
- All instances of unauthorized access or suspected fraud are promptly investigated
- Affected users and the appropriate government bodies will be notified immediately in accordance with regulations
9. Contact
For questions or concerns about this Privacy Policy or your data, please contact:
reports@dit.gov.krd
By using the KRDPass Application, you confirm that you have read, understood, and agree to the terms of this
Privacy Policy.