Special Biometric Data Notice for Illinois, Washington and Texas Residents
For residents of Illinois, Washington or Texas, if our clients require you to authenticate your identity by providing a photograph or video of yourself, the data derived from your face that we collect and process on behalf of our clients to provide the authentication service may be considered biometric data in some jurisdictions. We will only use your data for the purpose of authenticating your identity and the prevention of fraud, and for no other purpose. Your data will be stored as long as required for these purposes, but no longer than three years.
1. What information do we process, how do we collect it and how long do we keep it?
To provide the authentication service we collect a selfie image from the liveness video that we ask you to complete. Our client will also provide us with another picture of you (either from their database or we will take it from the database we manage for them). We will create biometrics of each image and try and match them.
We collect and retain your consent confirmation (if provided directly to us).
We also collect information like IP address and device information to help with anti-fraud checks by us and our clients.
We retain the data for as long as a client requests us to. Biometric data is always deleted within three years at the very latest.
2. Why and how do we use your data?
Our clients are asking you to perform the authentication check so that they can be sure it is really you returning to use their services. We also collect the IP address and device information and pass to our client so that they can use for fraud checks.
We may also use de-identified, aggregated information to understand and share insights about users of our services.
If we think you are impersonating someone, using a synthetic identity or using a stolen identity then we may retain unique identifiers in a fraud database to allow us to identify if you try to commit fraud against us or our clients again. We check each entry onto our fraud database manually to ensure no victims of fraud are put into it. Please contact if you think your identifier is in our fraud database and should not be.
3. Other circumstances where we may disclosure of your personal or sensitive information
Other legal requirements
We may disclose your personal and sensitive information in the good faith belief that such action is necessary to:
- comply with a legal obligation, or if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency);
- protect and defend our rights or property, protect against our legal liability;
- prevent or investigate possible wrongdoing in connection with our services; and
- protect the personal safety of users of the services or the public.
4. Overseas transfer
We use localised instances of cloud hosting so that overseas transfers are limited.
- European and Middle Eastern clients – all data is processed within the EU or the UK
- Americas – all data is processed within the USA
- Asia-Pacific – all data is processed within Australia or Singapore
5. Security and storage
6. Your rights
- Request access, deletion or correction of your personal data. If you wish to access, delete or correct data we are holding on you then please contact the entity which asked you to use our services.
- Withdraw your consent. You have the right to withdraw your consent on using your personal data. If you withdraw your consent, our client may not be able to provide you with same service. You should contact the entity that asked you to use this service or by emailing .
You have the right to complain to a Data Protection Authority about Our collection and use of your personal data. For more information, if you are in the European Economic Area (EEA) or the UK, please contact Your local data protection authority in the EEA or the UK.
7. Making a complaint
If you think we have breached applicable data protection laws, or you wish to make a complaint, you can contact us using the details set out below. Please include your name and email address and clearly describe your complaint.
We will acknowledge your complaint and respond to you within a reasonable period of time.
If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take, one of which is to lodge a complaint with the applicable privacy regulator.
8. Contact us
9. IDVerse Group
- OCR Labs Pty Ltd (NSW, Australia company)
- OCR Labs Global Ltd (English company)
- OCR Labs Global (USA) Inc (Delaware company)