khmereid

Privacy Policy

Effective Date: May 19, 2026
Version: 1.0

General Department of Identification (GDI)
Ministry of Interior, Royal Government of Cambodia


1. Introduction

This Privacy Policy explains how the Khmer-eID platform (“Platform”, “we”, “us”) collects, uses, stores, shares, and protects the personal data of citizens (“you”) who use the Khmer-eID mobile application and related services.

By registering for and using Khmer-eID, you agree to the practices described in this Policy. If you do not agree, do not use the Platform.


2. Who We Are

Khmer-eID is operated by the General Department of Identification (GDI), Ministry of Interior, Royal Government of Cambodia.

GDI is the data controller for all personal data collected through the Platform.


3. Data We Collect

3.1 Identity Data

Collected during eKYC verification, sourced from and validated against the national Integrated Population Information System (IPIS):


3.2 Biometric Data

Collected during the eKYC process only:

Biometric data is processed by our eKYC verification provider (EKYC Solutions) solely for identity verification.

Raw biometric data is not retained after the verification decision is made.


3.3 Contact & Account Data


3.4 Document Images

Scanned images of your National ID card (front and back), stored in encrypted object storage.


3.5 Service Request Data

Data you voluntarily provide when applying for government services, including:


3.6 Family Profile Data

Names and details of family members you voluntarily add to your profile for pre-filling service applications.


3.7 Usage and Technical Data


4. How We Use Your Data

Purpose Data Used Legal Basis
Identity verification (eKYC) Identity, biometric, document data Legal obligation / Public task
Issuing digital identity credential (VC) Identity data from IPIS Public task
Account authentication & security Phone number, Passkey, session data Contract / Legitimate interest
Processing government service requests Service request data, identity data Public task
Identity sharing via QR code Identity data (only what you approve) Your explicit consent
Push notifications & announcements Phone number, device token Public task / Consent
Platform security & fraud prevention Usage and technical data Legitimate interest
Compliance and audit All data types Legal obligation

We do not use your data for commercial advertising and do not sell your data to any third party.


5. Identity Sharing and QR Codes

When you share your identity via QR code:


6. How We Share Your Data

Your data is only shared in the following circumstances.

6.1 Government Systems (Cambodia)

IPIS

Your identity data is validated against and sourced from IPIS, the authoritative national population database.

All identity reads and writes flow through IPIS.

GDI Online

Your service applications are forwarded to GDI Online for processing by GDI officers.

Application status is returned to you through Khmer-eID.

E-Service

Official announcements and communication hub content are sourced from E-Service.


6.2 Third-Party Service Providers

We engage the following processors who act under our instructions and are bound by data protection obligations.

Provider Purpose Data Shared
EKYC Solutions Co., LTD OCR and biometric verification Document images, live facial scan
Firebase (Google) Push notification delivery Device token, notification content

We may disclose data when required by:

We do not share your data with foreign governments or commercial third parties beyond what is listed above.


7. Data Storage and Security


8. Data Retention

Data Type Retention Period
Identity and credential data Duration of account, plus as required by Cambodian law
Biometric processing data Deleted immediately after verification decision
National ID card images Retained in digital vault while account is active
Service request records Per GDI record-keeping requirements
Session and access logs 90 days rolling
QR sharing logs (audit) 12 months
Account data after deletion Up to 30 days, then purged

9. Your Rights

Access

View all identity data held in your digital vault within the app at any time.

Correction

If your identity data is incorrect, contact GDI directly.

Data sourced from IPIS must be corrected at the national level.

Freeze / Disable

Freeze or disable your digital ID card at any time from within the app.

A frozen ID cannot be verified by third parties.

Account Deletion

Request deletion of your Khmer-eID account.

Identity records held by IPIS and GDI may still be retained under separate regulatory requirements.

Where processing relies on your consent (for example, identity sharing via QR), you may withdraw consent at any time by simply not approving share requests.

To exercise any of these rights, contact us using the information in Section 12.


10. Children’s Privacy

Khmer-eID is intended for Cambodian citizens of legal age to hold a National ID card.

We do not knowingly collect data from minors without parental or guardian authorization.

Service applications for minors must be submitted by a parent or guardian.


11. Changes to This Policy

We may update this Privacy Policy to reflect changes in:

We will notify you through push notifications and display the updated Policy in the app before changes take effect.

Continued use of the Platform after notification constitutes acceptance of the updated Policy.


12. Contact Us

For privacy inquiries, data access requests, or complaints:

General Department of Identification (GDI)

Ministry of Interior, Royal Government of Cambodia

Address

National Road No. 1
Sangkat Niroth
Khan Chbar Ampov
Phnom Penh

Email

info@gdi.gov.kh

Phone

1271