K-Connect Privacy Notice
Scope and Application
This Privacy Notice explains the collection, processing, retention, and protection of personal data in connection with K-Connect, the official authentication, identity verification, and single sign-on service of the Principality of Kaharagia.
This Notice applies exclusively to identity and authentication data processed by K-Connect. It does not apply to administrative, governmental, civic, or transactional data processed by Connected Services, including the Kaharagian ePortal, which are governed by their respective privacy notices.
This Privacy Notice forms an integral part of, and shall be read in conjunction with, the K-Connect Terms of Service.
Data Controller and Responsible Authority
The data controller for personal data processed through K-Connect is the Principality of Kaharagia, acting through its competent sovereign institutions. Day-to-day oversight of identity data processing is exercised by the Office of Digital Government & Cybersecurity, Secretariat of State, in coordination with institutional authorities responsible for identity management.
Nature and Purpose of K-Connect
K-Connect is a digital identity and authentication infrastructure service established to provide secure, unified access to authorised digital services of the Principality of Kaharagia. K-Connect is designed to:
- Authenticate users and verify identity claims
- Issue, manage, and revoke authentication credentials
- Establish, maintain, and terminate authenticated sessions
- Provide federated identity services across Connected Services
- Enforce access control policies and authorisation requirements
K-Connect operates solely as identity infrastructure. It does not make substantive administrative decisions, process applications, issue official documents, or confer any legal status or entitlement. Authentication through K-Connect serves exclusively to verify that a user is who they claim to be and to authorise access to Connected Services.
Principles of Data Processing
K-Connect adheres to the following fundamental principles in the processing of personal data:
Data Minimisation K-Connect processes only the minimum personal data strictly necessary to provide authentication and identity verification services. Data that is not essential to these functions is not collected.
Purpose Limitation Data collected by K-Connect is used exclusively for authentication, identity verification, and access control purposes. It is not used for administrative decision-making, profiling, behavioural analysis, or purposes unrelated to identity verification.
Security by Design Security considerations are embedded in the design, development, and operation of K-Connect. Protecting the confidentiality, integrity, and availability of identity data is treated as a paramount responsibility.
Proportionality Processing activities are proportionate to the legitimate purposes served and do not exceed what is necessary to achieve those purposes.
Categories of Personal Data Processed
K-Connect processes the following categories of personal data:
Account Identification Data
- Unique account identifier (user ID)
- Username or login identifier
- Email address associated with the account
- Account registration date and status
Authentication Credentials
- Passwords and passphrases (stored only in securely hashed form using industry-standard algorithms)
- Multi-factor authentication tokens and device registrations
- Recovery codes and backup authentication methods
- Credential change history and password reset records
Session and Access Data
- Session identifiers and authentication tokens
- Login timestamps and session duration
- IP addresses from which authentication was attempted
- Device and browser metadata transmitted by the client (user agent, language, etc.)
Security and Audit Data
- Authentication success and failure records
- Security event logs (failed login attempts, password changes, unusual activity)
- Anomaly detection alerts and security incident records
- Audit trails of account changes and administrative actions
Connected Services Access Data
- Records of which Connected Services were accessed
- Timestamps of access to each Connected Service
- Authorisation grants and consent records
K-Connect expressly does not process:
- Content of communications or messages
- Administrative records, applications, or submissions
- Sensitive personal data (health, biometric, political, religious, or similar data) unless strictly necessary for authentication
- Data from Connected Services beyond what is necessary to facilitate access
Legal Basis for Processing
Personal data is processed by K-Connect on the following legal bases, as applicable:
Performance of Identity Management Functions Processing is necessary for the performance of official identity management and authentication functions carried out in the exercise of sovereign authority.
Security and Fraud Prevention Processing is necessary for the protection of the security and integrity of K-Connect, the prevention of fraud and unauthorised access, and the enforcement of Terms of Service.
Compliance with Legal Obligations Processing is required to comply with legal obligations under Kaharagian law, including security logging, audit requirements, and law enforcement cooperation.
Legitimate Interests Processing is necessary for the legitimate interests of operating a secure authentication service, maintaining system integrity, and protecting users and Connected Services from security threats.
All processing is conducted in accordance with principles of lawfulness, necessity, proportionality, and purpose limitation as established under Kaharagian data protection law.
Purpose Limitation and Restrictions on Use
Data processed by K-Connect is used exclusively for:
- Verifying user identity and authenticating access requests
- Establishing, maintaining, and terminating authenticated sessions
- Enforcing access control policies for Connected Services
- Detecting, preventing, and responding to security threats and fraud
- Maintaining security logs and audit trails as required by law
- Investigating suspected violations of Terms of Service or applicable law
- Complying with lawful legal process and law enforcement requests
Identity and authentication data processed by K-Connect:
- Is not used for substantive administrative decision-making
- Is not used to determine eligibility for benefits, services, or status
- Is not used for behavioural profiling, targeted advertising, or marketing
- Is not shared with Connected Services for purposes beyond access control
- Is not sold, rented, or traded to third parties
Data Retention
Authentication and identity data is retained in accordance with the following principles:
Active Account Data Account identification data and current credentials are retained for the duration of the account's existence plus any legally mandated retention period following account closure.
Session Data Session identifiers and tokens are retained only for the duration of the session and are securely deleted upon session termination.
Security and Audit Logs Security event logs, authentication records, and audit trails are retained for a period determined by Kaharagian security and archival law, which may extend beyond account closure to enable investigation of security incidents and compliance with legal requirements.
Inactive Accounts Accounts that have been inactive for an extended period may be suspended or deleted in accordance with institutional policies, following appropriate notice where practicable.
Upon expiration of the applicable retention period, data is securely deleted or anonymised using industry-standard methods.
Security Measures
The Principality of Kaharagia implements technical and organisational security measures to protect identity data processed by K-Connect:
Cryptographic Protection
- All credentials are stored using strong, salted cryptographic hashes (never in plaintext)
- All data transmission occurs over encrypted channels using current TLS standards
- Authentication tokens are generated using cryptographically secure methods
Access Controls
- Strict role-based access controls limit access to identity data
- Administrative access is logged and audited
- Principle of least privilege is applied throughout
Monitoring and Detection
- Continuous monitoring for suspicious authentication patterns
- Automated detection of credential stuffing, brute force, and other attacks
- Real-time alerting for high-risk security events
Infrastructure Security
- Secure hosting infrastructure with appropriate physical and environmental controls
- Network segmentation and firewall protection
- Regular security assessments and penetration testing
Incident Response
- Established procedures for security incident detection and response
- Defined escalation paths and notification procedures
- Post-incident analysis and remediation processes
Notwithstanding these measures, no authentication system can be guaranteed to be absolutely secure. Users acknowledge the inherent risks of digital identity systems.
Data Sharing and Disclosure
Identity and authentication data processed by K-Connect may be shared or disclosed only in the following circumstances:
Connected Services Authentication confirmations, session tokens, and basic identity claims are shared with Connected Services as necessary to enable authenticated access. Connected Services receive only the minimum information necessary to verify the user's authenticated status.
Intra-Governmental Sharing Data may be shared between competent Kaharagian institutions where necessary for security coordination, fraud prevention, or compliance with legal requirements.
Legal and Law Enforcement Requirements Data may be disclosed where required by Kaharagian law, judicial order, or lawful law enforcement request.
Security Incidents In the event of a security incident affecting user accounts, relevant data may be shared with security responders, forensic investigators, or affected parties as appropriate.
K-Connect does not sell, rent, trade, or otherwise commercially exploit personal data. Third parties do not have independent access to authentication data.
International Hosting and Data Transfers
K-Connect is currently hosted on technical infrastructure located in the Federal Republic of Germany, alongside the broader Kaharagian digital infrastructure. Hosting arrangements may change over time as operational and resilience requirements evolve.
Such arrangements are made for technical, operational, and resilience reasons and do not alter the governing law applicable to personal data, which remains subject exclusively to Kaharagian data protection law and sovereign jurisdiction.
Where personal data is transferred to or processed in a foreign jurisdiction, the State implements appropriate safeguards to protect the data, including contractual protections, access limitations, and security requirements.
Rights of Data Subjects
Rights relating to personal data processed by K-Connect are those conferred by the Data Protection Code of the Principality of Kaharagia. Subject to the lawful restrictions identified below, data subjects have the right to:
- Confirmation and access (Data Protection Code, Art. 10): obtain confirmation as to whether personal data concerning them is being processed and, where it is, access that data together with the information specified in Art. 10(1). The first copy of personal data undergoing processing shall be provided free of charge.
- Rectification (Art. 11): obtain, without undue delay, the rectification of inaccurate personal data concerning them and the completion of incomplete personal data. The Office will communicate any rectification to each recipient of the data, unless this proves impossible or involves disproportionate effort.
- Erasure (Art. 12): obtain the erasure of personal data concerning them where one of the grounds in Art. 12(1) applies. Erasure shall be complete and irreversible across all copies and backups, except where retention is required by law or falls within the exceptions set out in Art. 12(3).
- Information about cross-border transfers (Art. 10(2)): be informed of the safeguards applied to any transfer of personal data to a foreign jurisdiction.
These rights may be limited only where, and to the extent that, such limitation is lawful and necessary for:
- Security and integrity of K-Connect systems
- Prevention and detection of fraud or unauthorised access
- Compliance with legal obligations
- Protection of the rights of other users
- Public administration or law enforcement purposes
In accordance with Art. 10(5), the controller shall respond to a request without undue delay and in any event within thirty days of receipt. That period may be extended by a further thirty days where necessary, taking into account the complexity and number of the requests, and the data subject will be informed of any such extension and the reasons for it. A request that is manifestly unfounded or excessive may be refused or charged a reasonable fee in accordance with Art. 10(6); the controller bears the burden of demonstrating that character.
Requests relating to data subject rights should be submitted in writing to the appropriate contact authority as set forth below.
Relationship to Connected Services
Administrative, governmental, civic, and transactional data processed through Connected Services, including the Kaharagian ePortal, is governed by the privacy notices applicable to those services, not this Notice.
Users of K-Connect who access Connected Services should review the applicable privacy notices for those services to understand how their data is processed within each service.
Contact and Enquiries
External and Cross-Border Legal Matters
All enquiries and correspondence relating to external legal matters, including data protection requests from foreign jurisdictions, international regulatory enquiries, cross-border data access requests, and correspondence from foreign data protection authorities, shall be directed exclusively to:
Office of Legal Affairs
legalkaharagiaorg
The Office of Legal Affairs is the sole competent authority for engagement with foreign data protection authorities, international legal processes, and cross-border legal matters.
Internal Law, Enforcement, and Administrative Matters
All enquiries and correspondence relating to Kaharagian data protection law, data subject rights requests, internal complaints, enforcement matters, and administrative data protection issues shall be directed exclusively to:
Office of Laws & Justice
legalkaharagiaorg
Effect of Correspondence
Correspondence exercising rights under the Data Protection Code (Articles 9 to 14) shall be answered within the period prescribed by Art. 10(5): without undue delay and in any event within thirty days of receipt, extendable by a further thirty days in accordance with that Article.
Other correspondence does not, of itself, suspend or toll any administrative or legal proceedings and does not replace formal legal procedures or applications.
Amendment and Revision
This Privacy Notice may be amended, supplemented, or replaced at any time without prior notice. The current version shall be published and shall supersede all prior versions.
Continued use of K-Connect following publication of an amended Privacy Notice constitutes acceptance of the amended terms.
Governing Law
This Privacy Notice is governed exclusively by the laws of the Principality of Kaharagia. Any dispute arising from or relating to this Notice shall be resolved in accordance with Kaharagian law and by the competent authorities of the Principality of Kaharagia.