ExactFlow p.s.a.

KNOW YOUR CUSTOMER (KYC) & KNOW YOUR BUSINESS (KYB) POLICY

Identity Verification, Onboarding, and Ongoing Due Diligence — ExactFlow SaaS Platform

Effective Date: 1 April 2026  |  Version 1.0  |  Legal Basis: Polish AML Act; GDPR; EU DSA; PSD2

Document | Details
Document Type | KYC / KYB Policy — ExactFlow p.s.a. SaaS Platform
Applies To | All Marketplace Sellers, Platform Clients, Authorized Users (where applicable), Buyers (above thresholds)
KYC Team | kyc@exactflow.com
AML Officer | compliance@exactflow.com
Data Protection | privacy@exactflow.com
Legal Frameworks | Polish AML Act (Dz.U. 2018 poz. 723); GDPR; EU DSA Art. 30; PSD2; EU AML Directives

This Policy governs how ExactFlow verifies the identity and business legitimacy of Sellers, Platform Clients, and (where required) Buyers. KYC/KYB is mandatory before any Seller is permitted to list products or receive Payouts. ExactFlow will not onboard or continue to serve any Seller or Client who fails to complete KYC/KYB to the required standard.

1. Purpose and Scope

ExactFlow's KYC/KYB programme serves three complementary purposes:

  • AML/CFT compliance: to fulfil ExactFlow's obligations as an Obligated Institution under the Polish AML Act and EU AML Directives — verifying that Sellers and Platform Clients are who they claim to be, and that their activities do not involve ML/TF
  • Consumer protection (DSA compliance): to comply with Article 30 of the EU Digital Services Act (Regulation (EU) 2022/2065) — verifying that Marketplace Sellers are genuine traders before they can sell to consumers
  • Fraud prevention: to prevent identity fraud, account takeover at onboarding, and fictitious Seller registrations designed to harvest Payouts

This Policy applies to: all Marketplace Sellers (mandatory); all Platform Clients subscribing to SaaS services (mandatory); Marketplace Buyers above transaction thresholds (triggered CDD — see AML Policy Section 4.3); and third-party integration partners (risk-based).

2. KYB — Business Verification (Sellers and Platform Clients)

2.1 Standard KYB Requirements

All Sellers and Platform Clients must complete Standard KYB before Account activation. The following information and documentation must be provided:

Information Category | Required Data / Documents | Verification Method | Acceptable Sources
Legal Entity Identity | Full legal name; trading name; legal form (sp. z o.o., S.A., p.s.a., Ltd, GmbH, etc.); date and country of incorporation | Automated registry lookup + document verification | KRS / CEIDG (Poland); Companies House (UK); Handelsregister (Germany); equivalent national registry for EU/non-EU entities
Registered Address | Registered office address (must be physical — PO Box not accepted) | Document verification + optional address confirmation | Certificate of registration; utility bill dated within 90 days; bank statement dated within 90 days
Tax Identification | NIP / VAT number (Poland); VAT number (EU); equivalent for non-EU entities | Automated tax authority database lookup | Polish KAS database; EU VIES; national tax authority database
Business Activity | Description of main business activities; product categories to be listed; anticipated transaction volumes | Self-declaration + risk-based verification of product category claims | Seller declaration; website; professional licences where applicable
Beneficial Ownership | Names, nationalities, dates of birth, and ownership percentages of all Beneficial Owners holding more than 25% of shares or voting rights | Identity verification of each Beneficial Owner (see Individual Identity Requirements below) | KRS / CEIDG (for registered entities); Central Register of Beneficial Owners (CRBR — Poland); self-declaration with supporting documents
Signatory Authority | Confirmation that the Account Administrator has authority to bind the entity | Board resolution or excerpt from KRS confirming authorised signatories; or signed authorisation letter | KRS; power of attorney; board resolution
Regulatory Licences | Any licences, permits, or certifications required to sell the listed products (food, pharma, financial services, weapons, etc.) | Document verification + registry check where available | Regulatory authority licence registers; official certificate copies

2.2 Individual Identity Requirements (Beneficial Owners and Account Administrators)

Each natural person who is a Beneficial Owner (above 25% threshold) or Account Administrator must be individually verified. Verification requires:

Verification Element | Requirement | Acceptable Documents
Government-issued photo ID | One primary identity document | Polish ID card (dowód osobisty); Passport; National ID card from EU/EEA country; Driving licence (supplementary only — not sole ID)
Proof of current address | Address must match stated address; document dated within 90 days | Utility bill; bank statement; tax document; government correspondence
Liveness check | Biometric liveness verification to confirm the person is live and matches the photo ID | Automated biometric liveness check via KYC provider; or video call verification by ExactFlow KYC team
PEP and Sanctions screening | Cross-reference against PEP databases and all sanctions lists listed in AML Policy Section 9.1 | Automated screening at onboarding; ongoing daily batch screening
Adverse media check | Check for negative news stories indicating criminal activity, fraud, or regulatory sanctions | Automated adverse media monitoring via specialist provider; reviewed by KYC team for High risk profiles

3. KYC Tiers — Risk-Based Verification Levels

Tier | Profile | Verification Requirements | Payout Limit Before Full KYC | Review Cycle
Tier 1 — Lite | Newly registered Seller; monthly GMV below PLN 5,000 / €1,150 | Standard KYB (automated); basic liveness check for Account Administrator; sanctions screening | PLN 5,000 / €1,150 cumulative before upgrade required | Automated — event-triggered
Tier 2 — Standard | Established Sellers; monthly GMV PLN 5,000–50,000 / €1,150–11,500; standard risk profile | Full Standard KYB; full individual identity verification for all Beneficial Owners; full sanctions and PEP screening; document verification | PLN 50,000 / €11,500 per month | Annual re-verification
Tier 3 — Enhanced | High-volume Sellers (GMV > PLN 50,000/month); High-risk product categories; non-EU Sellers; complex ownership structures | Full Standard KYB + EDD — source of funds documentation; enhanced beneficial ownership verification; Senior Management approval required; ongoing enhanced monitoring | No limit — subject to ongoing EDD | Quarterly + event-triggered
Tier 4 — Refused / Exited | Sanctions match; confirmed fraud; failed EDD; High-Risk Third Country with no adequate EDD mitigation | Relationship not established or terminated; all held funds reviewed for freezing or return | Zero | N/A — no relationship

4. The KYC / KYB Onboarding Process

4.1 Step-by-Step Onboarding Flow

Step | Action | Actor | Timeline | Outcome if Not Completed
1 | Account registration — Seller provides basic business information and accepts Terms | Seller | Day 0 | Account created in pending state — no Listing or Payout access
2 | Automated KYB — registry lookup, VAT verification, sanctions screening | ExactFlow KYC System | Minutes (automated) | Auto-flag for manual review if lookup fails; Seller notified of data discrepancy
3 | Document submission — Seller uploads identity and business documents via secure portal | Seller | Seller has 5 business days | Reminder sent at Day 3; Account suspended at Day 10 if not completed
4 | Automated document verification — AI-assisted ID document authenticity check; biometric liveness check | ExactFlow KYC System + Third-party provider | Minutes to 4 hours | Escalated to manual review if confidence score below threshold
5 | Manual KYC review (where triggered by automation or risk profile) | ExactFlow KYC Team | 1–3 business days | Senior KYC officer reviews and approves or escalates to AMLCO
6 | AMLCO approval (for High-risk / EDD profiles and PEPs) | ExactFlow AMLCO | 1–2 business days additional | Relationship refused if EDD cannot be satisfied
7 | Account activation — Seller permitted to publish Listings | ExactFlow KYC System | Immediate upon approval | Activation email sent; Payout account requires separate bank verification
8 | Bank account verification — Seller bank account verified before first Payout | ExactFlow Payments Team | 1–3 business days after first Order | Payout held until bank account verified; micro-deposit method or bank statement verification
9 | Ongoing monitoring — regular re-verification and continuous transaction monitoring | ExactFlow AML/KYC System | Continuous | Account suspended if re-verification fails or monitoring flags are not resolved

5. Re-Verification and Ongoing KYC

5.1 Scheduled Re-Verification

ExactFlow re-verifies all Seller KYB records on the following schedule:

  • Tier 1 Sellers: re-verification triggered when approaching the Payout limit or annual period — whichever comes first
  • Tier 2 Sellers: full re-verification annually, including refresh of identity documents and CRBR check
  • Tier 3 Sellers: re-verification quarterly; enhanced ongoing monitoring continuously

5.2 Event-Triggered Re-Verification

Immediate re-verification is triggered by any of the following events:

  • Change of Beneficial Owner (any ownership change above 5%)
  • Change of legal form, company name, or jurisdiction of registration
  • Change of Account Administrator
  • Change of Payout bank account
  • Identification in adverse media reports
  • Receipt of a law enforcement enquiry or court order relating to the Account
  • Detection of a sanctions or PEP hit in ongoing screening
  • Significant unexplained change in transaction volume or pattern
  • Regulatory inspection request by GIIF or other competent authority

5.3 Seller Obligations — Ongoing

Sellers must notify kyc@exactflow.com within 5 business days of any change to: company name; registered address; Beneficial Ownership structure; regulatory licences; Account Administrator; bank account details. Failure to notify constitutes a material breach of the Seller Agreement and may result in Account suspension.

6. Buyer KYC (Triggered CDD)

Marketplace Buyers are not subject to mandatory upfront KYC. However, triggered CDD applies to Buyers in the following circumstances, as required by the Polish AML Act and ExactFlow's AML Policy:

Trigger | CDD Action Required | How Collected
Single transaction PLN 10,000 / €2,300 or above | Name, address, ID document verification, date of birth | Requested at checkout; Order held pending verification
Cumulative linked transactions PLN 10,000 / €2,300 or above | Name, address, ID document verification | Account verification request sent; transactions held pending
Transaction to/from High-Risk Third Country (any amount) | Enhanced verification — source of funds documentation | Request sent before Order confirmation
Buyer identified as PEP or close associate of PEP | EDD — source of funds and source of wealth; Senior Management approval | Comprehensive EDD process; Order held pending completion
Transaction flagged by fraud scoring above high-risk threshold | Identity verification — ID document + liveness check | In-session verification challenge at checkout

7. Refusal and Termination

7.1 Grounds for Refusing Onboarding

ExactFlow will refuse to onboard a Seller or Client where:

  • The Seller cannot provide satisfactory identity or business verification documentation
  • A Beneficial Owner or Account Administrator is subject to sanctions or is identified as a PEP with no adequate EDD mitigation
  • The Seller is registered or substantially operating in a FATF-identified high-risk jurisdiction with no adequate EDD mitigation
  • The business activity involves Prohibited Items or regulated activities for which no appropriate licence is held
  • The Seller has been previously terminated by ExactFlow or is listed on an industry fraud or negative database
  • ExactFlow has reasonable grounds to believe the business is a shell company, front for criminal activity, or designed to facilitate ML/TF

7.2 Grounds for Terminating an Existing Relationship

ExactFlow may terminate an existing Seller or Client relationship where:

  • Re-verification fails and the Seller cannot provide updated compliant documentation within 10 business days
  • A Beneficial Owner change introduces a sanctioned party or an unmitigable EDD risk
  • A SAR has been filed and, following AML Compliance Officer review, continuing the relationship presents unacceptable ML/TF risk
  • The Seller provides false or materially misleading information during KYC/KYB (past or present)
  • A court order or regulatory direction requires termination

7.3 Data on Termination

Upon termination, ExactFlow retains all KYC/KYB documentation and records for 5 years from the date of termination, as required by Article 49 of the Polish AML Act. Where a SAR has been filed, retention is extended to 5 years from the date of the SAR. Personal data is processed only to the extent required by AML law during the retention period and deleted securely thereafter.

8. Data Protection in KYC/KYB

8.1 Legal Basis for KYC Data Processing

ExactFlow processes personal data collected during KYC/KYB on the following GDPR legal bases:

  • GDPR Article 6(1)(c) — Legal obligation: processing required by the Polish AML Act and EU AML Directives
  • GDPR Article 6(1)(b) — Contract performance: processing necessary to assess whether to enter into the Seller Agreement
  • GDPR Article 9(2)(g) — Substantial public interest: for biometric data used in liveness verification, where applicable under national law

8.2 Special Category Data

Biometric data (facial geometry derived from liveness checks) may constitute special category data under GDPR Article 9. Where used, ExactFlow:

  • Relies on GDPR Article 9(2)(g) — substantial public interest — and Article 9(2)(b) — legal obligation in employment/social security — where applicable
  • Minimises processing to only what is necessary for identity verification — biometric templates are deleted within 30 days of verification completion
  • Does not use biometric data for any purpose other than identity verification at onboarding

8.3 Data Subject Rights and AML Limitations

Data subjects (Sellers, Beneficial Owners, Account Administrators) have GDPR rights in relation to KYC data. However, certain rights are restricted by the Polish AML Act:

  • Right of access (GDPR Art. 15): may be restricted where disclosure would prejudice an AML investigation — ExactFlow will inform the data subject of the restriction without revealing its reason
  • Right to erasure (GDPR Art. 17): cannot be exercised during the mandatory 5-year AML retention period
  • Right to object (GDPR Art. 21): does not apply to processing based on a legal obligation (Art. 6(1)(c))

All other GDPR rights apply in full. Data subjects may contact privacy@exactflow.com to exercise their rights.

9. KYC Quality Standards and Governance

9.1 KYC Team

ExactFlow's KYC team is responsible for:

  • Managing the end-to-end KYC/KYB onboarding process
  • Reviewing and approving identity verification results that fall below automated confidence thresholds
  • Escalating complex or high-risk profiles to the AMLCO
  • Maintaining the KYC document management system
  • Conducting ongoing training on document fraud and identity verification best practices

9.2 Acceptable Document Standards

The following minimum standards apply to all identity and business documents submitted for KYC/KYB:

  • Documents must be current and not expired at the time of submission
  • Documents must be government-issued originals — notarised copies accepted for company documents where originals cannot be submitted
  • Documents must be in clear, legible condition — blurred, cropped, or altered documents are rejected
  • Documents in languages other than Polish or English must be accompanied by a certified translation
  • Digital copies submitted via the secure upload portal must be unmodified image files (JPEG, PNG, PDF) — screenshots of screenshots or PDF printouts of scans are not accepted

9.3 Third-Party KYC Providers

ExactFlow uses specialist third-party KYC/KYB verification providers for automated document verification, biometric liveness checks, registry lookups, sanctions screening, and adverse media monitoring. All third-party KYC providers:

  • Are listed in ExactFlow's Subprocessor List
  • Are bound by GDPR Article 28-compliant DPAs
  • Are assessed for AML regulatory compliance on an annual basis

10. Contact

Contact | Details
KYC Team | kyc@exactflow.com
AML Officer | compliance@exactflow.com
Data Protection | privacy@exactflow.com
Registered Address | ExactFlow p.s.a., Stanisława Bodycha 87, 05-816 Reguły, Poland
GIIF (Poland) | Generalny Inspektor Informacji Finansowej | www.gov.pl/giif
UODO (Poland) | Urząd Ochrony Danych Osobowych | www.uodo.gov.pl
CRBR (Poland) | Centralny Rejestr Beneficjentów Rzeczywistych | crbr.podatki.gov.pl

This KYC/KYB Policy complies with: Polish AML Act (Dz.U. 2018 poz. 723); EU 4AMLD (2015/849); EU 5AMLD (2018/843); EU 6AMLD (2018/1673); EU AML Regulation (2024/1624); FATF Recommendations 10 and 22; GDPR (Regulation (EU) 2016/679); EU Digital Services Act Art. 30 (Regulation (EU) 2022/2065); EU PSD2 (Directive 2015/2366); and Polish CRBR obligations. Annual legal review by a licensed Polish attorney with AML and data protection specialisation is mandatory.

— END OF KYC / KYB POLICY — EXACTFLOW P.S.A. —
