Global Privacy Policy
This Privacy Policy explains how we process the data of people who use our verification or authentication services. There are separate sections at the end of the policy covering how we process data of job applicants and business contacts.
1. Introduction
Privacy is a fundamental human right. Your personal information is exactly that, yours. At IDVerse, we want to keep it that way. That is why privacy is paramount to us, in everything we do, and we are committed to respecting your privacy.
Our Privacy Policy sets out how we collect, hold, use, store and disclose your personal and sensitive information. We may change our Privacy Policy from time to time by publishing changes to it on our website. We encourage you to check our website periodically to ensure that you are aware of our current Privacy Policy.
For the purposes of this Privacy Policy, ‘us’, ‘we’ or ‘our’ means IDVerse’s different businesses (listed at the end of this Policy). We are bound by different global data protection legislation depending on where you live, including the EU and UK GDPR, various US state laws (including the California Consumer Privacy Act) and the Australian Privacy Principles in the Privacy Act 1988.
Personal information includes information about an individual that is reasonably identifiable. For example, this may include your name, age, gender, postcode and contact details.
Sensitive information includes biometric information we process when we perform face matching.
2. Special Biometric Data Notice for Illinois, Washington and Texas Residents
For residents of Illinois, Washington or Texas, if our clients require you to provide us with any document that contains your photograph or if you need to verify or authenticate your identity by providing a photograph or video of yourself, the data derived from your face that we collect and process on behalf of our clients to provide the verification or authentication service may be considered biometric data. We will only use your data for the purpose of verifying or authenticating your identity and the prevention of fraud, and for no other purpose. We do not transfer your biometric data to anyone else. Your biometric data will be stored as long as required for these purposes, but no longer than three years.
3. What personal and sensitive information do we collect and hold?
We may collect and hold the following types of personal information and sensitive information:
- name;
- mailing or street address;
- mobile telephone number;
- email address;
- age or date of birth;
- nationality;
- government related identifiers, such as your licence number and class, Medicare number, state or national ID card number, passport number, and birth or marriage certificate number;
- indicators of fraudulent activity;
- other information identifiable from scanned documents you provide, such as your organ donor status, health information or other sensitive data on the document;
- biometric information, such as our ‘Feature ID’ (a one way hash) we create from video footage or photographs of your face;
- information obtained from fraud-prevention services and document verification services;
- your device ID, device type, geo-location information, computer and connection information, IP address and standard web log information; and
- any other personal information that may be required in order to provide our services to our clients.
4. How do we collect your personal and sensitive information?
We may collect these types of personal or sensitive information either directly from you, or from third parties when you use our verification or authentication services.
We automatically receive and record certain information from your mobile device. This may include such information as the third-party website or application into which the services are integrated, the date and time that you use the services, your IP address and domain name, your software and hardware attributes (including operating system, device model, and hashed device fingerprint information), and your general geographic location (e.g., your city, state, or metropolitan region).
Where you provide us with personal or sensitive information on behalf of someone else, you must ensure you are permitted to provide us with their personal or sensitive information. You also need to tell them how to find a copy of this Privacy Policy.
We may receive personal, sensitive or anonymised information about you from our clients where they make use of our services. This information may include a client ID that identifies you in a database, as well as the categories of information set out above.
Retention of your personal and sensitive information
We will retain your personal and sensitive information only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal and sensitive information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
5. Why do we collect, hold, use and disclose personal and sensitive information?
Purpose
We may collect, hold, use and disclose your personal and sensitive information for the following purposes:
- to provide verification or authentication services, where you are seeking to access one of our clients’ products or services (or the products or services of third parties, where our clients act as brokers, resellers, referrers or representatives of such parties);
- to prevent fraudulent behaviour being undertaken on our products for any of our clients;
- to operate, protect, improve and optimise our website or apps, business and our clients’ and users’ experience, such as to perform analytics, conduct research and create new products. We use synthetic data or information about the characteristics of documents (with no personal data) to train our algorithms; and
- to comply with our legal obligations, and perhaps to resolve any disputes that we may have with any of our clients or users.
We may also be entitled to use personal information for any purpose which is related to the above purposes.
We do not use your personal data or biometric data to train our algorithms.
We do not transfer your biometric data to any other party (with the exception of the client for whom we are verifying your identity).
We may use de-identified, aggregated information to share insights about users of our services, such as by publishing a report on trends in the usage of such services.
How we process your data
As soon as we have collected data from you we perform fully automated checks on the evidence on behalf of our clients. Our fully automated checks could include some or all of the following:
- extraction of the data from the provided documents using OCR technology;
- a visual assessment of the provided documents for signs of fraud, including tampering, photocopying, deepfakes, replacing photos, etc.;
- ensuring that the selfie presented is of a real person in a live environment. We can detect when screens, photos, masks and deepfakes are submitted; and
- a biometric face match between your selfie and the photo image on the documents.
We return to our client the evidence collected and an indication of whether our technology has detected any issues. We are looking for signs of identity fraud in the evidence you provide to us. Our client will then decide what its next steps will be. Our clients configure how long we store your personal data for, which could be as short as one week, and there is a maximum period of three years for biometric data.
If we think you are impersonating someone, using a synthetic identity or using a stolen identity then we may retain unique identifiers in a fraud database to allow us to identify if you try to commit fraud against us or our clients again. Please contact privacy@idverse.com if you think your identifier is in our fraud database and should not be.
6. Other circumstances where we may disclose your personal or sensitive information
Business Transactions
If we are involved in a merger, acquisition or asset sale, your personal and sensitive information may be transferred. We will endeavour to provide notice before your personal and sensitive information is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, we may be required to disclose your personal and sensitive information if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
On occasion in certain limited circumstances we may disclose your personal and sensitive information in the good faith belief that such action is necessary to:
- comply with a legal obligation;
- protect and defend the rights or property of the Company;
- prevent or investigate possible wrongdoing in connection with our services;
- protect the personal safety of users of the services or the public; and
- protect against legal liability.
7. Do we use your personal information for direct marketing?
We do not use personal information provided to us or collected as part of our identity verification or authentication services for marketing purposes.
8. To whom do we disclose your personal information?
We may disclose personal information (but not sensitive or biometric data) for the purposes described in this Privacy Policy to:
- companies within the IDVerse group where necessary to provide our services to our clients;
- our clients and third parties (where our clients act as resellers or representatives of such parties), where you are seeking to access their products and/or services and are required to verify your identity in order to do so. We do not sell any of your data to any third party;
- our employees and contractors, for the purposes of managing our products and systems and providing our services;
- third party suppliers and service providers (including providers of document verification services to help us verify the validity of identity documents you disclose to us, and other providers for the operation of our websites and/or our business or in connection with providing our products and services to you);
- specific third parties authorised by you to receive information held by us;
- other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law; and
- as otherwise required or permitted by law.
9. Overseas transfer of personal and sensitive information
We use localised instances of cloud hosting so that overseas transfers are limited.
- European, UK and Middle Eastern clients – all data is processed within the EU or the UK
- Americas – all data is processed within the USA
- Asia-Pacific – all data is processed within Australia or Singapore
We may make limited transfers of personal data within our group companies to Australia or the USA from the UK or the EU in order to provide support and customer success services to our clients. The transfers are made under the EU approved Standard Contractual Clauses (with the UK addendum).
To send you an SMS message to start the verification journey your mobile number only is processed in the USA (other than Australian residents for whom we use an Australian supplier). Our SMS provider (Twilio Inc) exports the mobile number under its European Commission approved Binding Corporate Rules. To check that your address is in the right format we send your address only to a supplier in either the UK, the USA or Australia. Our suppliers all export the address under the EU approved Standard Contractual Clauses (with the UK addendum). Those suppliers are ISO 27001 and SOC2 certified.
10. Security and storage
We take data security very seriously and are externally audited against the ISO 27001 and SOC2 Type 2 standards each year. We take reasonable physical, electronic, and procedural measures to protect your personal and sensitive information against loss or unauthorised access, use, interference, modification, or deletion. User data is hosted by AWS in cloud environments which we manage and control.
Among other things, we encrypt personal and sensitive information both in transit and at rest and we implement robust disaster recovery and business continuity procedures.
Personal and sensitive information will be held in a secure environment. We have security measures in place which are intended to protect personal and sensitive information. The key methods of securing the storage of personal and sensitive information include:
- Secure access to electronic and physical records containing personal and sensitive information, via password protected access permissions to systems and security-protected access to filing cabinets and storage;
- Access only to authorised OCR Labs employees and contractors that require access to perform their daily duties; and
- Varying access levels depending on the level of the authority and the type of personal and sensitive information required to be accessed.
Controls relating to how personal and sensitive information is extracted from the secure environment and how it is used and distributed. We also regularly conduct security audits, vulnerability scans, and penetration tests to ensure compliance with security best practices and standards.
We do not hold any contact details for you. In the unlikely event your personal data is compromised whilst in our possession we will inform our client for whom we are holding your data, and they are likely to inform you in line with their own privacy obligations.
11. Unsolicited personal and sensitive information
There may be circumstances where an individual provides us with the personal or sensitive information of another person. Where we receive unsolicited personal information which we do not require for the purposes we have outlined above, we will destroy or de-identify that information as soon as practicable (if it is lawful and reasonable to do so).
12. Accessing and correcting your information
You can access the personal information we hold about you by contacting us using the contact information below.
Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will provide you with a written notice explaining why. We may also need to verify your identity when you request your personal information.
We note that we may not have stored your personal information where it was collected by us to perform verification services and such services have been completed.
If you think that any personal information we hold about you is inaccurate, outdated, incorrect or incomplete, please contact us promptly and we will take reasonable steps to ensure that it is corrected.
13. Your Rights
Legal Basis for Processing Personal Data under GDPR
When we are providing our services to our clients we act as a processor to our clients (who are the controllers). It is up to our clients to establish the legal basis of processing, but it will be under one of the following conditions:
- Consent: you have given your consent for processing biometric data for identification or authentication purposes. This is the only ground under which we will process your biometric information.
- Performance of a contract: processing of personal data is necessary for the performance of an agreement between you and our clients.
- Legitimate interests: processing of your personal data is necessary for the purposes of the legitimate interests pursued by our client which does not unduly prejudice you.
Your Rights
We undertake to respect the confidentiality of your personal data and to guarantee you can exercise your rights.
You have the right under this Privacy Policy, and by law depending on your jurisdiction, to:
- Request access to your personal data. The right to access, update or delete the information we have on you.
- Request correction of the personal data that we hold about you. You have the right to have any incomplete or inaccurate information we hold about you corrected. We offer individuals we are verifying the opportunity to amend incorrectly captured data as part of the identity verification journey.
- Object to processing of your personal data. This right exists where our client is relying on a legitimate interest as the legal basis for its processing and there is something about your particular situation, which makes you want to object to its processing of your personal data on this ground.
- Request erasure of your personal data. You have the right to ask our clients to delete or remove personal data that we are holding when there is no good reason for us to continue processing it.
- Request the transfer of your personal data. We give the ability to our clients to export your personal data in a structured, commonly used, machine-readable format. You can ask them for a copy of the data we hold on their behalf about you.
- Automated Decision Making. The service we provide is fully automated in providing to our clients an indication of the risk of fraud, and our clients will use our results as part of their overall decision as to your identity. You will need to contact our client if you want to ask for information about how it uses the results of our fraud checks.
- Withdraw your consent. You have the right to withdraw your consent on using your data. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the service.
Exercising of Your Data Protection Rights
You may exercise your rights of access, rectification, cancellation and opposition by contacting us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible. Where our client is the data controller we will pass on the request to them.
You have the right to complain to a Data Protection Authority about our collection and use of your personal data. For more information, if you are in the European Economic Area (EEA) or the UK, please contact your local data protection authority in the EEA or the UK.
14. Using our website and cookies
When you visit our website (but not when you use our verification services) we may drop cookies.
What are cookies? Cookies are small files that are stored on your computer or other device by your web browser.
A cookie allows us to recognize whether you have used our services before and may store user preferences and other information.
How are cookies used? For example, cookies can be used to collect information about your use of our services during your current session and over time, your computer or other device’s operating system and browser type, your Internet service provider, your domain name and IP address, and your general geographic location.
How do you avoid cookies? If you are concerned about having cookies on your computer or device, you can set your browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it.
You can also delete cookies from your computer.
However, if you choose to block or delete cookies, certain features of our services may not operate correctly.
15. Links
Our website or apps may contain links to websites operated by third parties. Those links are provided for convenience and may not remain current or be maintained.
Unless expressly stated otherwise, we are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in those linked websites.
The privacy policies that apply to those other websites may differ substantially from our Privacy Policy, so we encourage individuals to read them before using those websites.
16. Making a complaint
If you think we have breached the Privacy and/or applicable data protection laws, or you wish to make a complaint about the way we have handled your personal information, you can contact us at privacy@idverse.com.
Please include your name and clearly describe your complaint.
We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time.
If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take, one of which is to lodge a complaint with your local privacy regulator.
17. Contact us
For further information about our Privacy Policy or practices, or to access or correct your personal information, or make a complaint, please contact us promptly using the details set out below:
Privacy Officer
a: 1st Floor Healthaid House, Marlborough Hill, Harrow, Middlesex, England, HA1 1UD
For EU citizens our EU based authorised representative is Prighter.com (Maetzler Rechtsanwalts GmbH & Co KG (“PRIGHTER”)). The easiest way to contact us with a privacy related issue is to email us at privacy@idverse.com. But you can also contact Prighter.com at dpo@prighter.com.
18. IDVerse, part of the OCR Labs Group
This Privacy Policy covers the following entities, which form part of the OCR Labs Group:
- OCR Labs Pty Ltd (NSW, Australia company)
- OCR Labs Global Ltd (English company)
- OCR Labs Global (USA) Inc (Delaware company)
19. Job Applicants
When you apply for a job or position with us, we may collect certain information from you (including your name, contact details, title, working history and relevant records checks) from any recruitment consultant, your previous employers and others who may be able to provide information to us to assist in our decision on whether or not to make you an offer of employment or engage you under a contract.
We process that data under the lawful ground of: Legitimate interests – processing of your personal data is necessary for the purposes of the legitimate interests pursued by us which does not unduly prejudice you.
Please contact our Privacy Officer (privacy@idverse.com) if you wish to enforce any of your rights under the applicable law that applies to us as data controller.
20. Business contacts
If you are a client or prospect of ours then we may collect certain information from you in the ordinary course of a sale to you (including your name, contact details and title).
If we have collected your personal information because you are a representative of one of our current or prospective partners or clients, we may send you direct marketing communications and information about services and products offered by members of OCR Labs. This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Privacy Act. You may opt-out of receiving marketing materials from us by contacting us using the details set out below or by using the opt-out facilities provided (e.g. an unsubscribe link). If we use your personal information for direct marketing, we will ensure we comply with our legal obligations.
For individuals working for our clients or prospective clients your personal data is processed within the jurisdiction you operate in and may also be transferred to the USA by our partner Salesforce.
If you work at a prospective client of ours then we may transfer your contact details to a sales partner for that entity to get in touch with you about using IDVerse.
We process that data under the lawful ground of: Legitimate interests – processing of your personal data is necessary for the purposes of the legitimate interests pursued by us which does not unduly prejudice you.
Please contact our Privacy Officer (privacy@idverse.com) if you wish to enforce any of your rights under the applicable law that applies to us as data controller.
Version 6.2
Effective Date: 1 November 2024
This Privacy Policy is reviewed and updated at least annually.