paiza
Yechimlare-IDImzoAPIIshonch

Privacy Policy

Last updated: 2026-05-08

This Privacy Policy describes how paiza collects, stores, protects, and uses the personal data of users of our service. It is built on principles consistent with Mongolia's Personal Data Protection Act (2021), the Electronic Signature Act, and international standards such as the GDPR.

1. Data Controller

paiza LLC ("we", "us", "our") is the official issuer of digital certificates for Mongolia's national electronic ID and is the data controller responsible for this Privacy Policy. Address: Ulaanbaatar, Mongolia. General contact: support@eidmongol.mn. Data Protection Officer (DPO): privacy@eidmongol.mn.

2. Data we collect

We collect the following personal data when you use our services:

  • Identity: national ID number, full name, date of birth (verified through DAN)
  • Device: install ID, operating system (iOS/Android), OS version
  • Push token: Apple APNs / Google FCM device token
  • Cryptographic: public key, PIN hash (PBKDF2-SHA256, 600,000 iterations), certificate metadata
  • Usage: signing session timestamps, requests received from relying parties (RPs)
  • Security signals (RASP): boolean flags only for abnormal device states (root, jailbreak, debugger)

3. Data we do NOT collect

We never collect or store the following data on our servers:

  • Plaintext PIN — only a one-way hash is stored
  • Private key — kept exclusively in your device's Secure Enclave (iOS) or Android Keystore. Our servers never see it.
  • Biometric data (Face ID, Touch ID, fingerprint) — managed entirely by your device's operating system
  • Location (GPS) data
  • Browsing or search history
  • Contacts, photos, files

4. How we use your data

We use the data we collect only for the following purposes:

  • To authenticate you via the DAN national identity system
  • To issue, revoke, and renew digital signature certificates
  • To process signing requests received from relying parties (RPs)
  • To send push notifications about pending signing requests
  • Security audit and fraud detection (the audit log is hash-chained, blockchain-style)

5. Sharing with third parties

We share your personal data with third parties only under the following conditions:

  • Relying Parties (RPs): only with RPs registered in the system (connecting directly over TLS and identified by a subsystem-ID header), AFTER YOU EXPLICITLY CONSENT to each individual signing request.
  • Push notification providers (Apple APNs / Google FCM) — only the device token. Payloads containing PII are never sent.
  • Law-enforcement authorities (court, prosecutor, police) — only upon a valid legal request

We will NEVER sell your data or use it for marketing or advertising purposes.

6. Security measures

We protect your data using industry-leading technical safeguards:

  • TLS 1.3 + HSTS preload (all traffic encrypted in transit)
  • PostgreSQL Row-Level Security (RLS) — each user can only access their own data
  • Hash-chained audit log across 16 shards (tamper-evident)
  • PIN: PBKDF2-SHA256, 600,000 iterations
  • Threshold ECDSA-2P signatures (the private key is never reconstructed in one place)
  • Secure Enclave (iOS) / Trusted Execution Environment (Android) hardware-backed keys
  • Biometric protection (device-level)

7. Retention periods

We retain your data for the following durations:

  • Active certificates: 5 years (until expiry or revocation)
  • Audit log: 10 years (per Mongolia's Electronic Signature Act)
  • Signing sessions: archived within 90 days
  • Push tokens: until you uninstall the app
  • On account deletion: all personal data is erased within 30 days, except audit-log entries we are legally required to retain

8. Your rights

Under Mongolia's Personal Data Protection Act, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or outdated data
  • Delete your account (via the in-app "Delete Account" button)
  • Receive your data in a machine-readable format (JSON export)
  • Lodge a complaint with the supervisory authority — Mongolia's National Human Rights Commission (NHRC) or the Communications Regulatory Commission

To exercise any of these rights, contact us at privacy@eidmongol.mn. We will respond within 30 days.

9. Children's privacy

The paiza service is restricted to citizens aged 18 and over (per Mongolia's Electronic Signature Act). We do not knowingly collect data from minors under 18. If we discover such data has been submitted, we will delete it immediately.

10. International data transfers

All servers storing your personal data are located in Mongolia. Push-notification delivery transits Apple (APNs) and Google (FCM) infrastructure — but only the device token is transmitted; payloads containing PII are never sent through these channels.

11. Policy updates

We will notify you at least 30 days in advance of any material change to this policy via the app and our website. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

12. Contact us

If you have any questions or requests regarding this policy, please contact us:

  • Email (general): support@eidmongol.mn
  • Email (DPO): privacy@eidmongol.mn
  • Phone: +976 7000-1234
  • Address: paiza LLC, Ulaanbaatar, Mongolia
paiza

Raqamli shaxs, autentifikatsiya va elektron imzo ishonch xizmatlarini taqdim etuvchi litsenziyalangan Sertifikatlash Markazi.

Xizmatlar

  • e-ID
  • e-Imzo
  • Autentifikatsiya
  • Ishonch xizmatlari

Resurslar

  • OCSP
  • CRL
  • Adobe Reader ishonchi

Kompaniya

  • Yordam markazi
  • Qo'llab-quvvatlash
  • Maxfiylik
  • Foydalanish shartlari
  • Qo'llab-quvvatlash bilan bog'lanish

© 2026 paiza

Barcha huquqlar himoyalangan.