K-Connect Privacy Notice

Scope and Application

This Privacy Notice explains the collection, processing, retention, and protection of personal data in connection with K-Connect, the official authentication, identity verification, and single sign-on service of the Principality of Kaharagia.

This Notice applies exclusively to identity and authentication data processed by K-Connect. It does not apply to administrative, governmental, civic, or transactional data processed by Connected Services, including the Kaharagian ePortal, which are governed by their respective privacy notices.

This Privacy Notice forms an integral part of, and shall be read in conjunction with, the K-Connect Terms of Service.

Data Controller and Responsible Authority

The data controller for personal data processed through K-Connect is the Principality of Kaharagia, acting through its competent sovereign institutions. Day-to-day oversight of identity data processing is exercised by the Office of Digital Government & Cybersecurity, Secretariat of State, in coordination with institutional authorities responsible for identity management.

Nature and Purpose of K-Connect

K-Connect is a digital identity and authentication infrastructure service established to provide secure, unified access to authorised digital services of the Principality of Kaharagia. K-Connect is designed to:

• Authenticate users and verify identity claims
• Issue, manage, and revoke authentication credentials
• Establish, maintain, and terminate authenticated sessions
• Provide federated identity services across Connected Services
• Enforce access control policies and authorisation requirements

K-Connect operates solely as identity infrastructure. It does not make substantive administrative decisions, process applications, issue official documents, or confer any legal status or entitlement. Authentication through K-Connect serves exclusively to verify that a user is who they claim to be and to authorise access to Connected Services.

Principles of Data Processing

K-Connect adheres to the following fundamental principles in the processing of personal data:

Data Minimisation K-Connect processes only the minimum personal data strictly necessary to provide authentication and identity verification services. Data that is not essential to these functions is not collected.

Purpose Limitation Data collected by K-Connect is used exclusively for authentication, identity verification, and access control purposes. It is not used for administrative decision-making, profiling, behavioural analysis, or purposes unrelated to identity verification.

Security by Design Security considerations are embedded in the design, development, and operation of K-Connect. Protecting the confidentiality, integrity, and availability of identity data is treated as a paramount responsibility.

Proportionality Processing activities are proportionate to the legitimate purposes served and do not exceed what is necessary to achieve those purposes.

Categories of Personal Data Processed

K-Connect processes the following categories of personal data:

Account Identification Data

• Unique account identifier (user ID)
• Username or login identifier
• Email address associated with the account
• Account registration date and status

Authentication Credentials

• Passwords and passphrases (stored only in securely hashed form using industry-standard algorithms)
• Multi-factor authentication tokens and device registrations
• Recovery codes and backup authentication methods
• Credential change history and password reset records

Session and Access Data

• Session identifiers and authentication tokens
• Login timestamps and session duration
• IP addresses from which authentication was attempted
• Device identifiers and browser fingerprints
• Geolocation data derived from IP addresses (approximate location only)

Security and Audit Data

• Authentication success and failure records
• Security event logs (failed login attempts, password changes, unusual activity)
• Anomaly detection alerts and security incident records
• Audit trails of account changes and administrative actions

Connected Services Access Data

• Records of which Connected Services were accessed
• Timestamps of access to each Connected Service
• Authorisation grants and consent records

K-Connect expressly does not process:

• Content of communications or messages
• Administrative records, applications, or submissions
• Sensitive personal data (health, biometric, political, religious, or similar data) unless strictly necessary for authentication
• Data from Connected Services beyond what is necessary to facilitate access

Legal Basis for Processing

Personal data is processed by K-Connect on the following legal bases, as applicable:

Performance of Identity Management Functions Processing is necessary for the performance of official identity management and authentication functions carried out in the exercise of sovereign authority.

Security and Fraud Prevention Processing is necessary for the protection of the security and integrity of K-Connect, the prevention of fraud and unauthorised access, and the enforcement of Terms of Service.

Compliance with Legal Obligations Processing is required to comply with legal obligations under Kaharagian law, including security logging, audit requirements, and law enforcement cooperation.

Legitimate Interests Processing is necessary for the legitimate interests of operating a secure authentication service, maintaining system integrity, and protecting users and Connected Services from security threats.

All processing is conducted in accordance with principles of lawfulness, necessity, proportionality, and purpose limitation as established under Kaharagian data protection law.

Purpose Limitation and Restrictions on Use

Data processed by K-Connect is used exclusively for:

• Verifying user identity and authenticating access requests
• Establishing, maintaining, and terminating authenticated sessions
• Enforcing access control policies for Connected Services
• Detecting, preventing, and responding to security threats and fraud
• Maintaining security logs and audit trails as required by law
• Investigating suspected violations of Terms of Service or applicable law
• Complying with lawful legal process and law enforcement requests

Identity and authentication data processed by K-Connect:

• Is not used for substantive administrative decision-making
• Is not used to determine eligibility for benefits, services, or status
• Is not used for behavioural profiling, targeted advertising, or marketing
• Is not shared with Connected Services for purposes beyond access control
• Is not sold, rented, or traded to third parties

Data Retention

Authentication and identity data is retained in accordance with the following principles:

Active Account Data Account identification data and current credentials are retained for the duration of the account's existence plus any legally mandated retention period following account closure.

Session Data Session identifiers and tokens are retained only for the duration of the session and are securely deleted upon session termination.

Security and Audit Logs Security event logs, authentication records, and audit trails are retained for a period determined by Kaharagian security and archival law, which may extend beyond account closure to enable investigation of security incidents and compliance with legal requirements.

Inactive Accounts Accounts that have been inactive for an extended period may be suspended or deleted in accordance with institutional policies, following appropriate notice where practicable.

Upon expiration of the applicable retention period, data is securely deleted or anonymised using industry-standard methods.

Security Measures

The Principality of Kaharagia implements comprehensive technical and organisational security measures to protect identity data processed by K-Connect:

Cryptographic Protection

• All credentials are stored using strong, salted cryptographic hashes (never in plaintext)
• All data transmission occurs over encrypted channels using current TLS standards
• Authentication tokens are generated using cryptographically secure methods

Access Controls

• Strict role-based access controls limit access to identity data
• Administrative access is logged and audited
• Principle of least privilege is applied throughout

Monitoring and Detection

• Continuous monitoring for suspicious authentication patterns
• Automated detection of credential stuffing, brute force, and other attacks
• Real-time alerting for high-risk security events

Infrastructure Security

• Secure hosting infrastructure with appropriate physical and environmental controls
• Network segmentation and firewall protection
• Regular security assessments and penetration testing

Incident Response

• Established procedures for security incident detection and response
• Defined escalation paths and notification procedures
• Post-incident analysis and remediation processes

Notwithstanding these measures, no authentication system can be guaranteed to be absolutely secure. Users acknowledge the inherent risks of digital identity systems.

Data Sharing and Disclosure

Identity and authentication data processed by K-Connect may be shared or disclosed only in the following circumstances:

Connected Services Authentication confirmations, session tokens, and basic identity claims are shared with Connected Services as necessary to enable authenticated access. Connected Services receive only the minimum information necessary to verify the user's authenticated status.

Intra-Governmental Sharing Data may be shared between competent Kaharagian institutions where necessary for security coordination, fraud prevention, or compliance with legal requirements.

Legal and Law Enforcement Requirements Data may be disclosed where required by Kaharagian law, judicial order, or lawful law enforcement request.

Security Incidents In the event of a security incident affecting user accounts, relevant data may be shared with security responders, forensic investigators, or affected parties as appropriate.

K-Connect does not sell, rent, trade, or otherwise commercially exploit personal data. Third parties do not have independent access to authentication data.

International Hosting and Data Transfers

K-Connect may be hosted on technical infrastructure located outside Kaharagian territory, including within the European Union or other jurisdictions.

Such hosting arrangements are made for technical, operational, and resilience reasons and do not alter the governing law applicable to personal data, which remains subject exclusively to Kaharagian data protection law and sovereign jurisdiction.

Where personal data is transferred to or processed in a foreign jurisdiction, the State implements appropriate safeguards to protect the data, including contractual protections, access limitations, and security requirements.

Rights of Data Subjects

Rights relating to personal data processed by K-Connect exist only to the extent provided under Kaharagian law. Subject to applicable legal provisions and permissible restrictions, data subjects may have the right to:

• Request confirmation of whether personal data concerning them is being processed
• Access personal data held concerning them
• Request correction of inaccurate personal data
• Request deletion of personal data in limited circumstances

These rights may be limited or excluded where necessary for:

• Security and integrity of K-Connect systems
• Prevention and detection of fraud or unauthorised access
• Compliance with legal obligations
• Protection of the rights of other users
• Public administration or law enforcement purposes

Requests relating to data subject rights should be submitted in writing to the appropriate contact authority as set forth below.

Relationship to Connected Services

Administrative, governmental, civic, and transactional data processed through Connected Services—including the Kaharagian ePortal—is governed by the privacy notices applicable to those services, not this Notice.

Users of K-Connect who access Connected Services should review the applicable privacy notices for those services to understand how their data is processed within each service.

Contact and Enquiries

External and Cross-Border Legal Matters

All enquiries and correspondence relating to external legal matters, including data protection requests from foreign jurisdictions, international regulatory enquiries, cross-border data access requests, and correspondence from foreign data protection authorities, shall be directed exclusively to:

Office of Legal Affairs
legal@state.kaharagia.org

The Office of Legal Affairs is the sole competent authority for engagement with foreign data protection authorities, international legal processes, and cross-border legal matters.

Internal Law, Enforcement, and Administrative Matters

All enquiries and correspondence relating to Kaharagian data protection law, data subject rights requests, internal complaints, enforcement matters, and administrative data protection issues shall be directed exclusively to:

Office of Laws & Justice
justice@state.kaharagia.org

Effect of Correspondence

Submission of correspondence does not create any obligation upon the State to respond within any particular timeframe, does not suspend or toll any proceedings, and does not replace formal legal procedures or applications.

Amendment and Revision

This Privacy Notice may be amended, supplemented, or replaced at any time without prior notice. The current version shall be published and shall supersede all prior versions.

Continued use of K-Connect following publication of an amended Privacy Notice constitutes acceptance of the amended terms.

Governing Law

This Privacy Notice is governed exclusively by the laws of the Principality of Kaharagia. Any dispute arising from or relating to this Notice shall be resolved in accordance with Kaharagian law and by the competent authorities of the Principality of Kaharagia.