Privacy Policy

Last Updated: 16 January 2026

This Privacy Policy describes how IdenHQ, Inc. ("Iden," "we," "us," or "our") collects, uses, discloses, and otherwise processes Personal Information in connection with our websites, marketing activities, business operations, and our identity governance and automation platform and related services (the "Services").

This Privacy Policy is intended to serve as a comprehensive privacy notice and is designed to meet the transparency requirements of applicable data protection and privacy laws. Where Iden processes Personal Information on behalf of a customer pursuant to a written agreement, such processing is governed by that agreement and not by this Privacy Policy.

For enterprise customers, additional information regarding our security, privacy, and compliance practices is available through our Trust Center, which includes documentation such as security certifications, audit reports, and related materials.

1. Definitions

For purposes of this Privacy Policy:

• "Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual.

• "Customer Data" means Personal Information processed by Iden on behalf of a customer in connection with the provision of the Services.

• "Enterprise Services" means the Services provided by Iden to customers pursuant to a written subscription, services, or master services agreement.

• "Usage Data" means data relating to the operation, performance, and use of the Services, including logs, metrics, and diagnostic information.

• "Technical Metadata" means system-generated information such as identifiers, timestamps, device attributes, and configuration data.

2. Scope of This Privacy Policy

This Privacy Policy applies to Personal Information that we collect or process when:

• You visit or interact with our websites;

• You create, administer, or use an Iden account;

• You communicate with us in a sales, marketing, recruiting, or support capacity; or

• We process Personal Information in connection with providing the Services.

This Privacy Policy does not replace or override any data protection terms agreed between Iden and its customers, including any data processing agreement, which govern our Processing of Customer Data on behalf of customers.

3. Our Role: Controller and Service Provider

Depending on the context in which Personal Information is processed, Iden acts either as a data controller or as a service provider / processor.

3.1 Controller Activities

Iden acts as a controller when processing Personal Information for its own business purposes, including:

• Operating and securing our websites;

• Managing customer, vendor, and partner relationships;

• Billing, invoicing, and account administration;

• Sales, marketing, and communications;

• Recruiting and human resources activities;

• Security, fraud prevention, and compliance with legal obligations.

3.2 Service Provider / Processor Activities

When providing the Enterprise Services, Iden processes Customer Data on behalf of and in accordance with the documented instructions of its customers. In these circumstances, customers determine the scope, purposes, and means of Processing Customer Data.

If you use the Services through an organization, that organization is responsible for responding to requests to exercise privacy rights relating to Customer Data.

4. Categories of Personal Information We Collect

4.1 Information You Provide Directly

We may collect Personal Information that you or your organization voluntarily provides, including:

• Identifiers and contact information (such as name, business email address, phone number, title, and company);

• Account credentials and administrative details;

• Billing and payment-related information;

• Communications and correspondence with us;

• Information submitted through forms, events, or surveys.

4.2 Information Processed Through the Services

In connection with providing the Services, we may process Customer Data, which may include:

• Business identity attributes (such as name, work email, role, and department);

• Identity lifecycle status and employment-related metadata;

• Access rights, roles, permissions, and entitlements;

• Workflow configurations, approvals, certifications, and audit records;

• Usage Data and Technical Metadata associated with operation of the Services.

Iden does not access application content and does not monitor end-user activity within customer systems.

4.3 Information Collected Automatically

When you visit our websites or use the Services, we may automatically collect certain information, including IP address, device and browser information, operating system details, usage logs, and information collected through cookies and similar technologies used to support functionality and service delivery.

5. Purposes and Legal Bases for Processing

We process Personal Information only where permitted by applicable law and for legitimate business purposes, including:

• Contractual necessity. To perform and administer contracts, including providing the Services, authenticating users, and providing support.

• Legitimate interests. To operate, secure, maintain, and improve our business and Services, prevent fraud, ensure reliability, and conduct analytics, provided such interests are not overridden by individual rights.

• Consent. Where required, to send marketing communications or use certain optional cookies, subject to your ability to withdraw consent.

• Legal obligations. To comply with applicable laws, regulations, lawful requests, and enforce legal rights.

Where Iden processes Customer Data as a service provider or processor, such Processing is limited to the purposes of providing and operating the Services in accordance with customer instructions and applicable agreements.

5.1 Artificial Intelligence and Machine Learning

Iden does not use Customer Data or Personal Information to train, fine-tune, or develop artificial intelligence or machine learning models for any purpose. The Services operate based on deterministic logic, rules, and workflows configured by customers and do not involve adaptive or self-learning models trained on Customer Data.

Iden does not sell Personal Information or use Customer Data for targeted advertising or profiling.

6. Disclosure of Personal Information

We may disclose Personal Information to the following categories of recipients, subject to appropriate safeguards:

• Service providers and subprocessors that support our business operations and delivery of the Services, including cloud hosting, analytics, customer support, monitoring, and payment processing providers;

• Authorized partners and resellers engaged by customers for implementation, integration, or support services;

• Affiliates within our corporate group for internal administrative purposes;

• Legal and regulatory authorities where disclosure is required to comply with law or protect rights, safety, or security;

• Business transferees in connection with corporate transactions such as mergers, acquisitions, or financings.

6.1 Subprocessors

Iden engages subprocessors to support delivery of the Services. All subprocessors are subject to contractual obligations requiring them to protect Personal Information, process it only on Iden's instructions, and implement appropriate security measures.

Information about our current subprocessors is available through our Trust Center or upon request.

Iden does not disclose Personal Information to third parties for their own independent marketing purposes.

7. International Data Transfers

Personal Information may be transferred to, processed in, or accessed from jurisdictions other than the one in which you reside. Where required by applicable law, Iden implements appropriate safeguards to ensure that such transfers are subject to adequate protections, including contractual and organizational measures.

8. Data Retention

Iden retains Personal Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, including to:

• Maintain active accounts and relationships;

• Comply with legal and regulatory obligations;

• Resolve disputes and enforce agreements; and

• Maintain security and business records.

Retention of Customer Data processed as part of the Enterprise Services is governed by applicable customer agreements and, where supported by the Services, customer-configured retention settings.

9. Security Measures

Iden maintains a comprehensive information security program designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. Our security program includes administrative, technical, and organizational safeguards such as access controls, encryption, logical isolation, monitoring, and incident response procedures, implemented in a manner appropriate to the nature of the data and the Services provided.

While Iden takes reasonable and appropriate measures to protect Personal Information, no system or method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Individual Rights and Choices

Iden is committed to respecting individual privacy rights and seeks to apply the same core data protection principles to all individuals, regardless of location. Depending on your jurisdiction and applicable law, you may have the following rights with respect to your Personal Information, subject to certain limitations and exceptions:

• Right to Know / Transparency. The right to obtain information about the categories and specific types of Personal Information collected, the purposes of Processing, and the categories of recipients with whom Personal Information is shared.

• Right of Access. The right to request access to the Personal Information we Process about you, including information about how such data is used, stored, secured, and disclosed.

• Right to Correction. The right to request correction or updating of inaccurate or incomplete Personal Information.

• Right to Erasure (Deletion). The right to request deletion of your Personal Information, subject to applicable legal, contractual, or technical limitations. In some cases, fulfillment of a deletion request may require termination of your account or may limit your ability to use the Services.

• Right to Restrict Processing. The right to request restriction of certain Processing activities where permitted by law.

• Right to Object. The right to object to Processing of your Personal Information in certain circumstances, including where Processing is based on legitimate interests.

• Right to Data Portability. The right to receive your Personal Information in a structured, commonly used, and machine-readable format and to transmit such data to another controller, where applicable.

• Right Not to Be Subject to Automated Decision-Making. The right not to be subject to decisions producing legal or similarly significant effects based solely on automated Processing, except where such Processing is necessary for performance of a contract, authorized by law, or based on explicit consent.

• Right to Lodge a Complaint. The right to lodge a complaint with a competent data protection or supervisory authority if you believe that our Processing of your Personal Information does not comply with applicable law.

We will not discriminate against you for exercising any of the rights described in this section. However, the exercise of certain rights may, by necessity, affect the availability or functionality of the Services.

Requests relating to Customer Data processed by Iden on behalf of a customer must be directed to the relevant customer, as Iden acts as a service provider or processor in those contexts.

10.1 Additional Information for California Residents

If you are a California resident, you may have additional rights under applicable California privacy laws, including the right to know, access, correct, or delete Personal Information, and the right not to be discriminated against for exercising such rights. Iden does not sell or share Personal Information for cross-context behavioral advertising.

11. Cookies and Local Storage

Iden uses cookies and local storage technologies to operate its websites and Services, enhance functionality, understand usage, and ensure reliability.

11.1 Use by Context

• Public websites. Strictly necessary and analytics cookies are used to support functionality and measure performance.

• Product application. Cookies are used to support authentication, session management, analytics, and error monitoring within authenticated environments.

11.2 Categories

• Strictly necessary cookies required for operation and security;

• Functional cookies that store preferences and settings;

• Analytics cookies used in aggregated form to understand usage and improve Services;

• Error monitoring and performance cookies used to ensure reliability.

Iden does not use cookies or local storage for targeted advertising, cross-site tracking, behavioral advertising, or profiling.

11.3 Local Storage

Browser local storage is used solely to enable core functionality, maintain user sessions, and support delivery of the Services. Information stored in local storage is retained only as long as necessary to provide the Services and is not used for advertising or tracking.

11.4 Managing Preferences

You may manage cookie preferences through our cookie banner or browser settings. Disabling certain cookies may impact functionality of the websites or Services.

12. Changes to This Privacy Policy

Iden may update this Privacy Policy from time to time to reflect changes in practices, technologies, or legal requirements. When material changes are made, we will update the "Last Updated" date and provide additional notice where required.

13. Contact Information

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

• General Privacy Inquiries: privacy@idenhq.com

• Data Protection Officer: dpo@idenhq.com

• EU Representative: eurep@idenhq.com