Products
XyloTrust XyloNorm Soon XyloDocs
Resources
Pricing NIS2 & GDPR Agent SOP Onboarding Onboarding Kit 10-Minute Live Guarantee Freshworks Direct Sales Blog FAQ Documentation Status Contact
🌐 Nederlands Login

Legal

Privacy Policy

How Clear Solutions BV processes personal data in the context of the XyloSnap applications and xylosnap.com — drawn up in accordance with the GDPR.

Last updated: 2 June 2026

This Privacy Policy explains how Clear Solutions BV ("we", "us", "our") collects, uses and protects personal data in the context of the XyloSnap applications (the "Apps") — a suite of Freshdesk add-ons (including XyloTrust for SMS-based identity verification of ticket requesters) — and in the context of our website xylosnap.com.

We are committed to protecting personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Belgian data-protection law.

Note on our roles. Depending on the data involved, we act either as a controller or as a processor. Section 2 explains this distinction, which is important for understanding your rights and our obligations. Where we act as a processor on behalf of our business customers, the privacy policy of that customer and our data-processing agreement with that customer also apply.

01Who we are

Controller details:

Entity
Clear Solutions BV
Registered office
Bosdreef 8, 2910 Essen, Belgium
Company number (CBE)
0668.982.670
Privacy contact
privacy@xylosnap.com

For any question about this Privacy Policy or about the way your personal data is handled, please contact us at privacy@xylosnap.com.

02Our two roles: controller vs. processor

Data-protection law distinguishes between the party that decides why and how personal data is processed (the controller) and the party that processes data on behalf of a controller (the processor).

a) We act as controller for:

  • the account and contact data of our business customers (e.g. company name, login email address, encrypted password); and
  • data about visitors to our website xylosnap.com (analytics).

This Privacy Policy is our primary transparency notice for those processing activities.

b) We act as processor for:

  • the personal data of end users (ticket requesters) processed when our business customer uses the App to verify the identity of a requester.

For that activity, our business customer (the organisation that manages the Freshdesk account) is the controller: it decides to use identity verification and determines the purpose and legal basis. We process that data exclusively on the documented instructions of the customer, under a separate Data Processing Agreement (DPA). If you are an end user, the privacy policy of the controller applies to that processing; section 4 below nonetheless explains, for transparency, what happens to your data.

03Personal data we process as controller

3.1 Business-customer account data

When an organisation subscribes to or uses the App, we process:

DataPurposeLegal basis
Company name Account management, billing, support Performance of a contract (Art. 6(1)(b) GDPR)
Login email address Access to the account, service-related communications Performance of a contract (Art. 6(1)(b) GDPR)
Password (stored encrypted) Securing access to the account Performance of a contract (Art. 6(1)(b)); legitimate interest in account security (Art. 6(1)(f))
Billing & usage data Invoicing, financial administration, statutory retention obligations Legal obligation (Art. 6(1)(c)); performance of a contract (Art. 6(1)(b))

3.2 Website visitors

We use analytics on xylosnap.com to understand how the website is used and to improve it. Depending on the tools used, this may involve cookies or similar technologies, and limited technical data such as a truncated IP address, browser type and pages visited.

  • Legal basis: your consent, where required for non-essential cookies/analytics (Art. 6(1)(a) GDPR); otherwise our legitimate interest in maintaining and improving our website (Art. 6(1)(f)).
  • See section 9 (Cookies) for details and how to manage your preferences.

04End-user verification data (processed on behalf of our customers)

When a business customer uses the App, the following happens. We describe this here for transparency, even though our customer is the controller for this activity and we act as processor.

4.1 What happens

  1. A Freshdesk agent (working for our customer) starts a verification for a ticket requester and provides the requester's mobile phone number.
  2. Our identity-verification service, iDenfy (UAB iDenfy, Lithuania), generates a unique verification link. AWS SNS (via AWS Pinpoint, in our AWS eu-central-1 environment) then delivers the SMS containing that link to the end user. If AWS SNS is temporarily unavailable, traffic automatically fails over to Twilio (EU infrastructure) as a geo-failover.
  3. The end user completes the verification directly with iDenfy (including, where applicable, a check of a passport/ID document and a selfie). The biometric and document data are processed and retained by iDenfy, not by us.
  4. iDenfy returns to us a limited set of result data, namely: name, mobile phone number, country (location), IP address (with the last octet/segment masked on all customer-facing surfaces), and whether the verification of the passport and selfie succeeded (yes/no).
  5. We store this result data in our database and post it as a private note on the relevant Freshdesk ticket.

4.2 Automatic deletion of the Freshdesk note

Based on a setting chosen by the customer's Freshdesk administrator, the private note can be automatically deleted between 1 and 24 hours after creation. Once deleted, the customer's agents no longer have access to that data within Freshdesk.

4.3 What we do not receive

We do not pull or store any other ticket content from Freshdesk. We do not receive the underlying biometric data, the selfie image, or the passport image — these remain with iDenfy. We receive only the limited result fields listed in section 4.1.

4.4 Sensitivity

Identity verification is inherently sensitive. The verification result we receive is a simple pass/fail indicator together with limited identification data; we do not process the biometric data itself. Customers using the App are responsible for establishing a valid legal basis for the verification (and, where the underlying processing involves special categories/biometric data, an appropriate basis under Art. 9 GDPR) and for informing their end users.

05Recipients and sub-processors

We share personal data only with the following categories of recipients:

RecipientRolePurposeLocation
iDenfy (UAB iDenfy) Sub-processor (identity verification) Generates the verification link and performs the identity check (document OCR + biometric selfie–passport comparison) after the end user clicks the link. iDenfy does not send the SMS itself. EU (Lithuania / Ireland)
Amazon Web Services (AWS) Sub-processor (hosting + SMS) Hosting our database and application infrastructure, and primary SMS delivery of the verification link via AWS SNS (Pinpoint). EU — region eu-central-1 (Frankfurt, Germany)
Twilio Inc. Sub-processor (SMS geo-failover) Geo-failover for SMS delivery when AWS SNS is temporarily unavailable. Twilio's EU region is used; data does not leave the EEA. EU (Twilio EU region, Ireland/Germany)
Freshworks / Freshdesk Platform Platform our App integrates with; the private note is written into the customer's Freshdesk environment Per Freshworks' own terms

We may also share data with professional advisers, or with authorities where required by law. We do not sell personal data.

A complete up-to-date list of sub-processors (including Brevo, Stripe, Sentry and Freshworks alongside those listed above) is maintained in Annex III of our Data Processing Agreement (DPA) and is available on request via privacy@xylosnap.com.

06International transfers

We host all data for which we are responsible within the EU (AWS region eu-central-1, Frankfurt). Our identity-verification sub-processor iDenfy processes and retains data within the EU. As a result, we do not routinely transfer personal data outside the European Economic Area (EEA).

Should a transfer outside the EEA nevertheless become necessary, we put in place an appropriate safeguard, such as the European Commission's Standard Contractual Clauses (SCCs). Information about such safeguards can be requested at privacy@xylosnap.com.

07How long we keep data

DataRetention period
End-user verification result data (in our database)Retained for the duration of the agreement, for billing and reporting purposes. Upon termination of the agreement, all personal data is erased within 30 days (automated TTL purge in DynamoDB), in accordance with the DPA.
Freshdesk private noteAutomatically deleted between 1 and 24 hours after creation, if the customer enables this setting; otherwise retained within the customer's Freshdesk environment, under the customer's control
Business-customer account dataFor the duration of the customer relationship
Billing dataFor as long as required to comply with statutory accounting and tax obligations under Belgian law
Website analytics dataFor the period determined by the analytics tool's configuration / lifetime of the cookie

To the extent that iDenfy retains data as a separate matter, iDenfy's own retention policy applies; please consult iDenfy for details.

08Security

We implement reasonable technical and organisational measures to protect personal data, including:

  • Encryption in transit of data via TLS;
  • Encryption of passwords at rest;
  • hosting on AWS infrastructure within the EU (eu-central-1);
  • access restrictions to our systems.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Our business customers remain responsible for their own internal security, access control and compliance obligations, including the configuration of the App and access management within their Freshdesk environment.

09Cookies and analytics

Our website xylosnap.com uses analytics technologies, which may place cookies or similar identifiers. Non-essential cookies are placed only where required with your consent, which you can grant or refuse (and later change) via the cookie banner/settings on our website. You can also manage cookies via your browser settings.

10Your rights

Under the conditions of the GDPR, you have the right to:

  • access your personal data (Art. 15);
  • rectification of inaccurate data (Art. 16);
  • erasure ("right to be forgotten") (Art. 17);
  • restriction of processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests (Art. 21); and
  • withdraw consent at any time, where processing is based on consent (without affecting prior processing).

To exercise these rights, contact us at privacy@xylosnap.com.

Are you an end user (ticket requester)? Because we act as a processor for verification data, we will normally forward your request to the relevant controller (the organisation that requested your verification) and support them in handling it. You can also contact that organisation directly.

You also have the right to lodge a complaint with the Belgian Data Protection Authority:

Data Protection Authority (Belgium) Drukpersstraat 35, 1000 Brussels
contact@apd-gba.be · www.dataprotectionauthority.be

11Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates when it was last revised. Material changes will be communicated through appropriate channels.

12Contact

Entity
Clear Solutions BV
Address
Bosdreef 8, 2910 Essen, Belgium
Company number (CBE)
0668.982.670

Question about your data?

Our privacy team replies within one working day at privacy@xylosnap.com.

Contact us →

Ready for €500 extra margin? Claim your 10 free verifications + rollout kit.

Start free now