Thank you for taking the time to familiarize yourself with Veriff OÜ’s (“Veriff”, “we”, “us”, “our”) privacy notice (the “Privacy Notice”) which describes how we collect, use, and disclose information about you. This Privacy Notice applies to information we collect from Data Subjects when you access or use our Services or otherwise interact with us, such as by using our demo app, or visiting our Website or offices.
Please note that Veriff’s employees and job applicants are not included in the Data Subject definition of this Privacy Notice, as relevant processing activities are mainly covered by other policies. If you are interested in the data processing activities during our recruitment process, please review our Recruitment Privacy Notice.
Veriff is specialized in providing online identification services. We consider ourselves the new standard in identity verification, and we allow our contractual parties to verify your identity document e.g. driver’s license, passport or ID card. We mainly process End-User Personal Data as a Data Processor for the benefit of the Customer in order to provide our Services to our Customers. Therefore, you should always read both this Privacy Notice and the information about data processing according to the Customer’s privacy notice (i.e., the privacy notice of the company for whom you identify yourself).
1.1 In this Privacy Notice, we explain how and on what basis we collect, store and process Personal Data of Data Subjects. We also explain what Data Subjects’ rights are and our obligations and liabilities.
1.2 Except as otherwise described in this Privacy Notice, Veriff processes End-Users’ information as directed by our Customers for the provision of our Services. Our Customers who are the Data Controllers of End-User Personal Data determine the purpose of processing End-User Personal Data and, accordingly, Veriff is a Data Processor of End-User Personal Data with respect to those Services. Veriff is always a Data Controller for Personal Data of other Data Subjects, such as Visitors and Office Visitors. For End-Users to fully understand how Personal Data is processed in connection with the Service, End-Users should review both privacy notices, i.e., this Privacy Notice shared with the End-Users by Veriff and the privacy notices of those Customers’, whose services the End-Users are getting verified for.
1.3 You can find jurisdiction specific notices below in section 12, such as the Notice of Collection and Additional Information for Residents of California (see section 12.1) and Notice to Individuals Who are Residents of the State of Illinois and the State of Texas (see section 12.2).
1.4 For information about verifying your identity by the Customer using the UKDIATF Certified Identity Verification Solution (Medium Level), please see section 13.
1.5 Please review this Privacy Notice carefully and contact us if you have any comments, questions or concerns. You can reach our Data Protection Officer (DPO) via email at firstname.lastname@example.org or by submitting a form via the link here.
Agreement – the service agreement entered into between Veriff and Customers, including service agreements for trials and partnership agreements.
Customer – the legal entity to whom we intend to provide or already provide our Services under the Agreement, including Veriff’s partners under a partnership agreement.
Customer Representative – natural person representing the Customer, including any natural person with whom we communicate (i) as the representative of a potential Customer prior to conclusion of the Agreement, (ii) during the Agreement term as the representative of our Customer, and (iii) after the Agreement term as a representative of former Customer, as relevant.
Data Controller – a legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Except as otherwise provided in this Privacy Notice, Customers are Data Controllers for End-User Personal Data and give instructions regarding processing to Veriff.
Data Processor – a legal person, public authority, agency, or other body which processes personal data on behalf of a Data Controller. Except as otherwise provided in this Privacy Notice, Veriff processes End-User Personal Data as a Data Processor on behalf of Customers who are the Data Controllers. For all other Data Subjects, Veriff is acting as the Data Controller.
Data Providers – these are entities, such as public authorities or our Data Processors, from whom we may collect Personal Data for verification purposes. For example, we may check the End-User-provided information against the official public registry or other fraud prevention services.
Data Subject / you – a natural person or individual about whom we have Personal Data, including Customer Representatives, End-Users, Visitors, Office Visitors, natural persons who provide us feedback (including research and inquiry-related data) and other natural persons whose Personal Data we may process.
Demo app – the app owned by Veriff, which can be downloaded in App Store or Google Play, which allows you to test Veriff’s verification flows as a Data Subject.
EEA – European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein).
End-User – the natural person regarding whom we provide the Service at the request of the Customer or any other natural person accessing or using the Service.
Office Visitor – is any person visiting the office premises of Veriff.
Personal Data or Personal Information – any information relating to an identified or identifiable natural person (the Data Subject), subject to applicable data protection laws; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Anonymized data is de-identified and not Personal Data.
Politically exposed person (PEP) – politically exposed person including their family members and close associates in accordance with the applicable legal acts regards to prevention of money laundering or terrorist financing (such as a natural person who is or who has been entrusted with prominent public functions, e.g. member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court).
Privacy Notice – this privacy notice, made available at https://www.veriff.com/privacy-notice.
Service(s) – personal identity verification service and connected services (such as any ongoing authentication services, assisting services, fraud prevention and other similar services) provided by us to Customers.
Visitor – is any person visiting Veriff’s Website.
Website or Veriff’s Website – https://www.veriff.com/, including its subpages and subdomains, operated by Veriff.
We follow what we call the “Fundamental Six”, that is, six principles regarding Veriff’s data processing activities:
(1) First, we strive to process Personal Data in a reliable and confidential way. Each person’s right to the protection of their Personal Data is important to us and we shall do our best to ensure that Personal Data collected by us is adequately protected. We will do our best efforts to regularly evaluate the risks associated with the processing of Personal Data and apply appropriate mitigation strategies to hedge risks.
(2) Second, data protection is an integral part of our Service. We care about developing and deploying services that take into account privacy by design and privacy by default principles. Compliance with our Privacy Notice is integrated into our day-to-day activities, services and processes, and our development efforts. We understand that compliance with data protection rules takes place through our employees. Therefore, we consider it important and we seek to ensure that our employees know and comply with the requirements thereof. We expect, instruct and train our employees to respect our privacy requirements.
(3) Third, we process Personal Data lawfully and purposefully. We set clear goals for the processing of Personal Data and process Personal Data for these purposes only. We refrain from collecting or processing the data that we do not need. Veriff aims to delete/blur or make in other ways unreadable any data or documents presented in the session that are not necessary for Veriff’s service provision. This also means all transfers of Personal Data must have a valid legal basis.
(4) Fourth, we process Personal Data in a transparent and fair way. We strive for an appropriate, secure, honest and lawful manner of processing the Personal Data to prevent the unauthorized disclosure or inappropriate use of Personal Data. We also work to eliminate the possibility of discrimination or bias in our Service.
(5) Fifth, we store Personal Data only for as long as the retention of data is required by law, a contract or is necessary for the provision of our Services or required for protecting us against legal claims. At the end of the retention period, we shall permanently erase the Personal Data or anonymize it.
(6) Sixth, we do our best to make sure that the Personal Data we process is accurate and limited to what is necessary for the purpose for which it was collected.
Personal Data we process about End-Users
4.1. We provide personal identity verification services to Customers. This means we verify End-Users, i.e., you. For that you have acknowledged data processing according to the Customer’s privacy notice and data processing by us in accordance with this Privacy Notice. We may collect and process, among other data, the following Personal Data collected either directly from you or from the Customer:
(1) personal information concerning the End-User, which mainly consists of information on the End-User’s document and/or extracted from the document, for example name, sex, personal identification number or national equivalent, date of birth, estimated age, legal capacity, nationality, citizenship, organ donor status, eye color, weight and height, as well as the historic data of that End-User that may have been stored with us during previous interactions within the retention periods;
(2) document details, such as the name of the document, issuing country, number, expiration date, information embedded to document barcodes (may vary depending on the document) and security features;
(3) identity verification data, such as photographs taken from you and your document, and video and sound recording of the verification process (of the whole session, if such recording is enabled by the Customer), the checks results;
(4) contact details, such as address, e-mail address, telephone numbers, IP address and, if relevant, presented document type (e.g. utility bill);
(5) technical data (Device Signature), including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, your software and hardware attributes as well as your general geographic location (e.g. city, state, country);
(6) machine-readable data, metadata and device and network information;
(7) photos and videos as well as data, such as face scans and other measurements, extracted from the same which are used to authenticate the End-User or compare the End-User’s face to identity document photos - some of this extracted data may be considered biometric data and/or sensitive Personal Data (also "special category of personal data", hereinafter referred to as “sensitive Personal Data”) under applicable data protection laws in certain jurisdictions;
(8) publicly available relevant data and data from external registries, e.g. information about being a politically exposed person (PEP), checks in public sanction lists and other information from such registries, as determined by the Customer;
(9) personal information provided by the End-User, e.g. data from communications with us, feedback data;
(10) personal information provided by natural persons who have participated in our product and market research initiatives;
(11) personal information that we have received from the Customer, e.g. contact details;
(12) evidence and records of legal basis (including consents), for example in cases where we are required or have elected to obtain a consent or a written release or another legal basis prior to processing certain Personal Data.
4.2 We also offer ongoing authentication services to our Customers. This means that we may use the above mentioned data, but in particular the End-User’s photos and videos as well as data extracted from the same, such as face scans and other measurements, and other documents to verify End-User’s identity on an ongoing basis, for example, to grant the End-User access to our Customer’s services, among other authentication use-cases as determined by our Customer. Such extracted data may be biometric data and/or sensitive Personal Data under applicable data protection laws in certain jurisdictions. We only use such extracted data for the provision of the Service and related business purposes, such as maintaining, improving, upgrading or enhancing the Service. We do not use such extracted data for the purpose of inferring characteristics about you for any other reasons.
4.3 How we obtain End-User’s Personal Data. We provide our Services to Customers and collect your data from the Customer and/or as you go through the Service flow. This means our Customers are responsible for disclosing to you their privacy notice and any information about the collection of your Personal Data by us on their behalf. Based on an authorisation we receive from the Customer, we also collect your Personal Data independently from Data Providers, e.g. to offer our Services within a trust-based relationship and to prevent fraud. For example, if we need to verify the validity of your identification document, we may inquire for additional information from the appropriate registrar or from other fraud prevention services at the direction of the Customer. For fraud prevention and detection purposes, subject to applicable laws, we may also collect information about compromised identities, for example images or device or network information which have been leaked or used to commit repetitive fraud via Veriff’s service. List of Data Providers is available here.
4.4 Customers may have access to your Personal Data. We may share your Personal Data including identity verification data with the Customer through which you used our identity verification service.
4.5 Please note that providing your Personal Data is voluntary. However, the decision not to do so may mean that you are not able to verify your identity via our Service.
Personal Data we process about the Customer Representatives
4.6 We need to process Customer Representative data to engage new Customers, enter into the Agreement, to provide our Service, to communicate with the representative of our Customer and for other lawful reasons. This means we may process, among other information, the following data of the Customer Representative:
(1) information of the representative, such as name, job title, position, and contact information;
(2) information in connection with provision of the Service, such as data from communication with us;
(3) data from Customer Representative calls, such as video, image and sound recordings;
(4) technical data (Device Signature), including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, and your software and hardware attributes as well as your general geographic location (e.g. city, country);
(5) publicly available relevant data;
(6) if the Customer is subject to Veriff’s KYB procedure, identity verification data of Customer Representative, including the data categories listed in Section 4.1 of this Privacy Notice.
4.7 How we obtain Customer Representative’s Personal Data. We collect this data either from you directly when you communicate with us directly, e.g. by sending us an email, providing us with your Personal Data on the phone or through our customer support tools. The identity verification data is collected when the Customer Representative completes the identity verification step as may be required before granting full access to the Service to the Customer. We may also collect some of your Personal Data in the course of provision of Service to your employer. We collect information about the Customer (including about relevant representatives of the Customer) from publicly available sources. We only gather relevant and necessary data in order to validate the right of representation e.g. this may include verification of your identity, processing of your Personal Data for introducing the Service (demo) etc.
4.8 Please note, the provision of Personal Data is voluntary. However, if you do not provide your Personal Data, the Customer may not be able to make use of the full range of our Services.
Other Personal Data we process about Visitors, Customer Representatives with an account on our Website and/or End-Users of our Service
(1) information, such as IP address, time, and location inferred from IP address;
(2) information on usage of the Website and/or Service and other web log data, such as the pages you visit on the Website, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the Website;
(3) technical data (Device Signature), including but not limited to information about your IP address and domain name, your software and hardware attributes (including device IDs) and your general geographic location (e.g. city, country);
(4) e-mail addresses, when you subscribe to Veriff’s newsletters or download Veriff’s content.
Personal Data we process related to responsible disclosure.
4.11 If you decide to contact Veriff related to reporting an issue mentioned in our Responsible Disclosure Policy, we only process the following Personal Data about you:
(2) e-mail address;
(3) picture, if you consent to disclosing it in our Hall of Fame.
Personal Data we process related to the Demo app and testing Veriff’s session flow.
4.12 If you decide to download and use Veriff’s Demo app or test Veriff’s session flow on our Website, we may record identity verification data (see section 4.1(3)) and technical data (see section 4.1(5)).
Personal Data we process related to our Office Visitors.
4.13 If you visit the office premises and workplaces of Veriff, this means we may process, among other information, the following Personal Data about you:
(2) e-mail address;
(4) visuals captured via video surveillance equipment;
(5) if you use Veriff’s office WiFi network, then the source ip addresses and ports, destination addresses and ports, source MAC addresses;
(6) during the widespread of infectious diseases (e.g., COVID-19), subject to applicable laws, proof of vaccination, valid negative test result, recovery certificate or other relevant data to ensure a safe visit.
5.1 We process Personal Data for the provision of our Services. Regarding Personal Data about End-Users, Veriff's main purpose for processing is to provide our Services to our Customers.
(1) Generally, the main purpose of the Service is to verify your identity, and for this purpose we capture photos and video (if applicable) of the verification session as well as data extracted from the same, such as face scans and other measurements (such extracted data may be biometric data and/or sensitive Personal Data in certain jurisdictions), and the document(s) provided for verification. In addition, for verification, we conduct fraud prevention and detection checks that are an integral part of our Service. Identification process results with information about the completed checks are categorized as “Approved”, “Resubmission needed” or “Declined”.
(2) In some cases, we may also further check whether we have previously verified an End-User on behalf of the same or a different Customer by comparing the session with the previous session. This helps our Customers not only to verify identities but further protects them and their End-Users by helping them understand when an End-User may be generating multiple identities, tampering documents or manipulating device or network information. To do all of this, we closely examine the information provided by the End-User, including machine-readable data, metadata and device and network information.
(3) We mainly process End-User Personal Data as a Data Processor for the benefit of the Customer in order to fulfill the Agreement entered into with the Customer for (i) performance of the Agreement (including for the provision of the Service, and performance of any obligations or realization of any rights arising from the Agreement; (ii) the purpose of realization of rights and fulfillment of obligations deriving from legal acts; and (iii) processing your inquiries and requests.
(4) The legal basis for the processing depends on the Customer as the use cases and related legal requirements vary from Customer to Customer. The legal basis is selected and ensured by the Customer. In some cases we or our Customer may ask you to grant us consent for processing. Veriff may, as determined and as appropriate, choose to collect the consent itself, however, the relationship between the End-User and the Customer remains unaffected for such collection of consent by Veriff. Please note that we cannot provide the Service in respect of an anonymous End-User, and therefore the use of our Service is subject to the disclosure of Personal Data to us and allowing the processing of Personal Data by the Customer and us. However, giving consent is voluntary, but failure to do so may mean that we may not be able to provide the Service. For example, we will not be able to verify your identity. If you have granted the Customer and/or us a consent to process Personal Data, the details of such processes and purposes thereof will be outlined in the consent itself.
(5) To the extent permitted by law and the Agreement, Veriff may also use Personal Data for other reasonably necessary operational purposes as part of provision of the Service, or rely on its legitimate interest for such processing as described in the next section.
5.2 We also may process Personal Data of Data Subjects, including End-Users, as a Controller if processing is necessary in our legitimate interests in compliance with applicable data protection laws, meaning our interest in the management and direction of our business in order to be able to offer the best possible services on the market. Pursuant to our “Fundamental Six” principles for data processing, we only process Personal Data on this legal basis (legitimate interest) after careful assessment in order to ascertain that the legitimate interest is in compliance with the interests and rights of a Data Subject (after carrying out the so-called three-step test) and to the extent it is permitted by law and the Agreement, as applicable. For our legitimate interest, we may process data for the following purposes:
(1) for analyzing the use of our Service, and using research and analysis results, among other methods, for carrying out satisfaction surveys, feedback questionnaires and developing our products and services, including development of autonomous and automated decision-making processes;
(2) for sending out newsletters, for marketing and developing and promoting our Services, for organization of campaigns, including personalized and targeted campaigns, and measuring the effectiveness of the performed marketing activities, as noted above, we will only rely on our legitimate interest to the extent this is permitted by law and the Agreement. Please note that for sending out newsletters, we only process your contact details;
(3) for ensuring a trust-based relationship with Customers and End-Users, this includes for example, identity verification of Customer Representative, determining the ultimate beneficiaries and PEP status, as well as other activities necessary to prevent fraud, including checks in public sanction lists or our own Service history;
(4) for administration and analysis of the Customer base to improve the availability, selection and quality of Services and products, and to make our Services more personalized and the best possible;
(5) for building and managing of our Customer relationships;
(6) for analysis of identifiers and Personal Data collected upon the visit of websites, mobile applications and other Services. We may use the collected data for web analysis or for the analysis of mobile and information society services, for ensuring and improving functioning, for statistical purposes and for analyzing Visitor and Customer Representative behavior, and for improving the experience of Visitors and Customer Representatives and for providing better and more personalized Services;
(7) for monitoring the Services. We may record the messages and instructions given on our premises or by means of communication (e-mail, telephone, etc.), as well as information and other operations carried out by us, and shall use those recordings as needed to evidence instructions or other operations;
(8) for network, information and cyber security considerations, for example, for fighting against piracy and for ensuring the security of the Websites and Service, as well as for the measures taken for making and storing backup copies;
(9) for the establishment, exercise or defense of legal claims; and ensuring compliance with applicable regulations, including retaining proof of evidence of such for compliance with our legal obligations;
(10) for conducting product and market research for purposes of quality assurance, product improvements, developments and assessing its market fit, this includes contacting and communication, interviews, making conclusions, recording of such communications for a limited period of time, etc. with End-Users, Customer Representatives and other relevant data subjects. This includes creating anonymised data or anonymized or aggregated overviews and summaries of the aforementioned. Please note that Veriff processes, maintains, and uses aggregated or de-identified information only in a de-identified fashion and will not attempt to re-identify such information, except as permitted by law;
(11) for satisfying our legal obligations with respect to the processing and retention of Personal Data, including for obtaining the relevant legal basis for processing certain Personal Data concerning certain End-Users. Obtaining and maintaining records that such legal basis has been obtained by us is important for us to be able to prove that we comply and adhere to our legal obligations outside of and in the European Union;
(12) for fraud prevention and detection purposes, to identify signs of fraud based on our internal fraud framework and advanced fraud prevention and detection techniques and to conduct certain checks against third party sites, e.g., checks against authority databases;
(13) for developing, testing, improving and altering the functionality of the Service, including for machine learning (as specified in section 6 below), data annotation, testing and training, and producing anonymised or anonymised and aggregated statistical reports and research;
(14) for reasons of substantial public interest on the basis of law, including but not limited to activities relating to fraud prevention and non-discrimination (e.g., bias mitigation).
5.3 We may ask you to give us your consent for processing. Veriff can process your Personal Data if you have given consent to the processing of your Personal Data for one or more specific purposes. Please note that giving consent is voluntary and you have the right to withdraw your consent at any time. For example, you can ask us to stop using your personal data for direct marketing purposes by using the unsubscribe function at the end of the marketing email. However, we remind you that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. These are some of the cases where Veriff processes your data based on your consent.
(1) Your consent is the legal basis for processing Personal Data when you share your findings related to responsible disclosure. Publishing your name and/or picture on our website is only done under your written consent. More about responsible disclosure can be read here.
(2) Based on your consent, we may use your Personal Data to send you marketing information about our Service which you have requested from us. Including, if you have submitted a request and/or filled out a relevant form on the Website.
(3) Veriff asks Customer Representative's consent before recording audio and video of the Customer Representative call. The recording is used solely for Veriff's analytical purposes and improvement of Veriff's services and processes. However, please note that the processing may not be based on your consent and the withdrawal of your consent may not be applicable in case of recording different communications (including video) for product and market research (see as described in p 5.2(10)).
(4) Veriff asks for Customer Representative’s consent to process some data for Customer Representative’s identity verification, such as the data described in Section 4.1(7) of this Privacy Notice. In case you as the Customer Representative want to withdraw your consent or need assistance with alternative identity verification options, please submit your request to email@example.com.
(5) Veriff asks for your consent before you use Veriff’s demo app or test Veriff's session flow on our website. This is for the purpose of testing Veriff’s verification flow. More information about Veriff’s Demo app can be found in section 14.
(6) We may use your consent as the basis for the processing of personal data also in other cases. The purpose is then specified at the time of the collection of the consent.
5.4 Processing related to Office Visitors. When you visit the office premises and workplaces, we process your Personal Data if processing is necessary in our legitimate interests. For example, our legitimate interest in detecting and preventing harmful or unlawful actions, ensuring safety of Veriff’s property, confidential information and employees and establishing, exercising or defending of legal claims we may process Personal Data for the following purposes:
(1) registering your visit to the office;
(2) conducting regular video surveillance in the marked areas;
(3) monitoring the use of Veriff's office WiFi network and logging the traffic in the network. Such data is processed if you connect any of your devices to Veriff's office WiFi network during your visit;
(4) ensuring the health and safety during emergency situations such as in case of widespread infectious diseases subject to applicable laws. During the spread of infectious diseases (e.g., COVID-19), for the purpose of ensuring adequate protection of the health and safety of Veriff’s employees in the workplace, you may be required to provide proof of vaccination, valid negative test result, recovery certificate or other relevant data. In case you have no proof to provide, or you present medical contraindication to vaccination as proof, you will be offered on-site rapid testing, if available. Health related data contained in the presented information may be sensitive Personal Data. Before presenting any such Personal Data you are asked to provide us with explicit consent to visually assess your admissibility to the office premises and workplaces. In any case, no information presented to Veriff is retained, meaning that no Personal Data will be accessible to Veriff after the moment you present the information. Please note that giving consent is voluntary and you have the opportunity to withdraw your consent at any time, however if you refuse to provide the proof, conduct the rapid testing or if the rapid test result is positive, you must leave the office immediately.
5.5 Processing for a new purpose. When Personal Data processing is carried out for a new purpose different from those for which the Personal Data was originally collected or is not based on the consent given by the Data Subject, we shall carefully assess the permissibility of such new processing under applicable laws. In order to determine whether the processing for the new purpose follows the purpose for which the Personal Data was originally collected, Veriff shall take into consideration, inter alia, the following:
(1) any link between the old and new purposes for which the Personal Data was collected and the intended further purposes of processing;
(2) the context of collecting the Personal Data, in particular regarding the relationship between the Data Subject and us;
(3) the nature of the Personal Data, in particular whether sensitive Personal Data are processed;
(4) possible consequences of the intended further processing for the Data Subjects;
(5) existence of appropriate protection measures which may consist in, for example, encryption and pseudonymization.
6.1 Machine learning means the use and development of computer systems that are able to learn and adapt without following explicit instructions, by using algorithms and statistical models to analyze and draw inferences from patterns in data. Using machine learning helps us to recognize specific patterns in information and make predictions about new sets of information based on those patterns. The main aim of teaching our models is to have more precise (i.e. accurate, less error-prone) and safe models that also avoid bias. All models are constantly reviewed by the model itself and by humans, and adjustments for more precise and error-free results are made, as necessary. As a result of such machine learning processes Veriff's service improves.
6.2 It is important that algorithms are built, trained and tested on training sets, which consist of real data (see description of data categories above in Section 4.1). All machine learning models are highly dependent on the quality of input data. Such processing is only done for internal use to improve and develop our services and done only based on the contractual mandate received from our Customers under the precondition that a valid legal basis has been obtained.
6.3 Veriff stands for the concept that machine learning is conducted in an ethical and trustworthy way that respects human rights and freedoms. Machine learning as a tool will enable End-Users to receive better, more secure and faster services provided by Veriff's Customers and help to prevent and detect fraud. Datasets used to develop, test and train are kept in separate, monitored and highly secure data research environments.
6.4 Veriff uses a verification engine trained with machine learning to provide Services to our Customers. The verification process is either automated, semi-automated or done by a human:
(1) Semi-automated verification process. This means that a human will be involved if the automated verification algorithm (the Verification Engine) is not able to reach a decision on its own. Simply put the verification engine checks the input data against the predetermined decision profile and based on that reaches a decision. The Verification Engine is constantly learning to correctly classify and match information, detect identity fraud or theft, and to verify identity, however the assistance of a human could be needed if the picture is blurry, confidence of the quality of extracted information is low or the Verification Engine runs into some other difficulty in analyzing the verification session.
(2) Fully automated verification process. This means that the Verification Engine verifies your identity without human involvement. When performing a fully automated verification process, our Customer informs you of the automated processing and may ask your explicit consent to do this. However, in some cases, where the Customer has other legal grounds for such processing e.g. obligations under applicable law – consent may not be needed. You have the right to ask for information and an explanation regarding the logic behind the decision the Verification Engine has made; at any time, you will have the right to request human intervention or object to the decision made on grounds relating to your particular situation.
(3) We may have different solutions for processing with different Customers, e.g. in some cases the verification session will only be analyzed by a human.
6.5 We would like to point out that the decision on whether the Customer provides its service to the End-User is made by the Customer. Meaning, even if the verification flow has been fully automated, the verification result will be taken into account by the Customer for the decision on whether to provide its service or not. The verification results itself - “Approved”, “Resubmission needed” or “Declined” - are not determinative for whether the Customer’s service is provided to the End-User.
6.6 Machine learning is also the driving engine for Veriff's innovation when improving our Services, testing new features and ensuring quality Services. For further improvement of our Services, Service performance and features testing (A/B tests) is used to analyze the End-User experience and response regarding changes to the structure, text or any other feature of Veriff's Service.
6.7 Fraud prevention and detection is a vital part of Veriff’s Service. Detection of activities matching a certain pattern may lead to profile generation, in particular for fraud prevention and detection purposes. In compliance with the instructions received from the Customer, Veriff may analyze and compare the data points available in relation to the End-User as part of the Service. For example, Veriff may compare if session media matches each other and if technical data indicates associations with previously occurred suspicious sessions. Such processing activity may be deemed as generating a profile of the End-User. Results of such analysis are displayed to the Customer.
7.1 Depending on where you reside, you may have the right to (1) request to know more about and access your personal information, (2) request deletion of your personal information, (3) request correction of inaccurate personal information; (4) object to certain processing, (5) withdraw your consent where we process your information on that basis, and (6) request we restrict certain processing. More detailed information about each right is provided below.
7.2 If you wish to exercise any of your rights regarding Personal Data or ask questions about the Privacy Notice, please submit a corresponding request to us at firstname.lastname@example.org or via the form accessible here. We will respond to your request by email as a rule no later than within one month or sooner if required by applicable law.
7.3 Please note that before we can provide you with the requested information regarding your Personal Data, we may need to verify your identity. Please also note that if your request concerns data we have processed as a Data Processor (i.e. in the course of Service provision), you must submit your request to the Customer who is the Data Controller. The Data Controller can fulfill your request, as relevant. We will inform you if this is the case.
7.4 Depending on where you reside, you as a Data Subject may have the following rights in relation to your Personal Data:
(1) The right to know: The right to get confirmation whether we are processing Personal Data about you and to obtain certain personalized details about the Personal Data we have collected about you, including:
(2) The right to access & portability: The right to obtain access to the Personal Data we have collected about you and the right to obtain a copy of the Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
(3) The right to correction: The right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.
(4) The right to deletion: The right to have us delete the personal data we maintain about you.
(5) The right to non-discrimination: The right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, please note that if you exercise these rights it limits our ability to process Personal Data, we may no longer be able to engage with you in the same manner.
(6) The right to withdraw the consent: The right to take back the consent you have given to us for the processing of Personal Data. Please note that withdrawal of your consent shall not affect the legality of the processing that was made on the basis of consent before the withdrawal.
(7) The right to object: The Right to file an objection if your Personal Data processing takes place on the basis of our legitimate interest or public interest.
(8) The right to restriction of processing: The right which in certain cases allows you to direct us to limit the processing of your Personal Data for a certain period of time (e.g., if you have filed an objection to Personal Data processing).
(9) The right to submit a complaint and make appeals: If you find that applicable data protection laws have not been complied with, we would appreciate it if you contact us at email@example.com (including for any appeals of our decisions). However, you also have the right to complain directly to a data protection authority about our collection, use or other processing of your Personal Data. For more information, please contact your local data protection authority in the EEA or in the United Kingdom. The Estonian Data Protection Inspectorate is the lead data protection supervisory authority for Veriff (registered office at 39 Tatari St., 10134 Tallinn, phone nr + 372 627 4135, e-mail firstname.lastname@example.org). If you are in the United States and have concerns about the results of an appeal, you may contact the attorney general in the state where you reside.
(11) Authorized agents. You may have a right to submit a rights request via an authorized agent. If you are submitting a rights request as an authorized agent, you are required to submit proof of your authorization to make the request, such as a valid power of attorney or proof that you have signed permission from the individual who is the subject of the request. Please do not provide any sensitive personal information in connection with this request, such as a driver's license or other government-issued ID. In some cases, we may be required to contact the individual who is the subject of the request to verify his or her own identity or confirm you have permission to submit this request. If you are an authorized agent seeking to make a request, please contact us at email@example.com. Any questions or requests regarding Veriff’s processing of End-User Personal Data for the provision of Services to Veriff’s Customer should be directed to that Customer who is acting as the Data Controller for Personal Data about End-Users.
8.1 Disclosure of Personal Data to authorities. Please note that due to legal requirements, we may be obliged to disclose or grant access to your Personal Data to the authorities and the supervisory authority (e.g. a court or a government agency).
8.2 Disclosure to Data Controllers, Data Processors and authorized recipients. Unless stated otherwise in this Privacy Notice or noted otherwise to you separately, we may disclose your Personal Data to Data Controllers for whom we are Data Processors (e.g. Customers), to our authorized Data Processors (sub-processors) and authorized third party sites (e.g. external registries), as well as to persons who are legally entitled to receive your Personal Data. List of authorized Data Processors (sub-processors) engaged for the Service is available here. List of authorized third party sites engaged for the Service is available here. For example, a End-User’s Personal Data, including biometric data, can be processed by authorized sub-processors that provide identity verification core services to Veriff; Customer Representative’s Personal Data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities and organizations intermediating or providing (electronic) mail, compliance or payment services and the like, Office Visitors Personal Data can be shared with IT and security partners, provided that:
(1) the respective purpose and the processing are lawful;
(2) we have diligently assessed that the authorized Data Processors or sub-processor will comply with the data protection requirements;
(3) the Personal Data processing is carried out in accordance with our guidelines and on the basis of a valid agreement.
(4) If you have questions about our authorized Data Processors or sub-processors, please contact us at firstname.lastname@example.org.
8.3 Please note that End-User’s Personal Data can only be shared with Veriff's sub-processors as well as to persons who are legally entitled to receive your Personal Data, if there is a valid legal basis.
8.4 Transfer of Personal Data. We process your Personal Data within the EEA. In the event that we need to transmit your Personal Data outside the EEA (e.g. for utilizing the sub-processors’ services and technical infrastructure), the transmission shall be in accordance with the requirements, principles and safeguards as stated in the applicable data protection laws, such as relying on adequacy decisions issued by or standard contractual clauses approved by the European Commission (or other relevant authority), or the compliance with applicable data transfer accountability requirements. While such Personal Data is outside of your country or province of residence, it may be subject to the laws of the country, province or state in which it is held, and may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other country, province or state pursuant to the laws of such territory. In cases where Veriff acts as the Data Controller, we make available further information on the safeguards applied (if relevant) or the extent of the transfer of Personal Data upon your request.
9.1 We apply various commercially reasonable measures (physical, technical, organizational) to protect your Personal Data from unauthorized or arbitrary modifications, disclosure, acquisition, destruction, loss, theft, misuse, alteration or unauthorized access.
9.2 However, please note that electronic transmission or storage of information is not always 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you have any information about an actual or suspected data breach, please inform us immediately at email@example.com. We will deal with the issue immediately and inform our lead data protection supervisory authority (if applicable).
10.1 To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data and the purposes for which we process it. We must also consider periods for which we may need to retain Personal Data in order to meet our legal obligations or to deal with complaints or queries and to protect our legal rights in the event of claims being made.
10.2 We shall store your Personal Data for as long as necessary to carry out the purposes for which we originally collected it and for other business purposes explained in this Privacy Notice or as long as required by law or in accordance with the law, or for the purposes stated in this Privacy Notice. For example, there is often a statutory retention period for accounting documentation.
10.3 We store the data of End-Users during the period set forth in the Agreement (we may have different data retention periods agreed upon with the Customer) or as long as it is necessary for possible establishment, exercise or defense of legal claims of End-Users, Customers or ourselves, or for anti-fraud purposes. For more information about the data retention period, you should read the privacy notice provided to you by the Customer.
10.4 We may store your Personal Data, for a longer period than the Agreement duration if we have a lawful basis do to so, e.g. you have given us consent to use your Personal Data for the development of our Services or we have assessed that we have legitimate aim to do so, e.g., in pseudonymized form or for the purpose of the Service history log.
10.5 Information about the data retention in Veriff’s Demo app and testing Veriff’s session flow can be found in section 14.
10.6 After the expiration of the Personal Data storage period, we shall anonymize or permanently erase your Personal Data. Please note that Veriff processes, maintains, and uses aggregated or de-identified information only in a de-identified fashion and will not attempt to re-identify such information, except as permitted by law.
We may process the Personal Data of children (i.e., persons under 16* years of age; *depending on jurisdiction), the Data Controller shall take steps to ensure that there is a legal basis for such processing (e.g., a consent from a guardian of that child). If we learn that we have collected the Personal Data of a child without the guardian’s consent, we will take steps to delete the information as soon as possible.
You may have different rights depending on in which State of the USA you reside. Read about them in this section. If you are done reading this section or you are not from the USA, please click here or scroll up to start reading from the beginning of this Privacy Notice.
Should there be any inconsistency or ambiguity between the terms of this section and any other part of this document, these terms shall prevail.
12.1 Notice of Collection and Additional Information for Residents of California
If you are a California resident, California law requires us to disclose the following additional information with respect to our collection, use, and disclosure of personal information. If you reside in California, this section applies to you.
(1) In the preceding 12 months, we have collected the following categories of Personal Information identifiers, biometric information, demographic information, commercial information, internet or other electronic activity information, geolocation data, audio, electronic, or similar information, professional or employment-related information, inferences, and sensitive personal information. For more information about the data points we collect and the categories of sources of such collection, please see section 4 of Veriff's Privacy Notice
(2) We collect personal information for the business and commercial purposes described in section 5. In the preceding 12 months, we have disclosed personal information for the business and commercial purposes described in section 8 and we have made disclosures for business purposes to the following categories of recipients:
(3) As described in section 4 above, we process personal information to understand and improve your experience with our Services and to serve you advertisements on non-Veriff properties. Some of these activities may be considered “sales” or “sharing” of your personal information or “targeted advertising” under the law that applies to you. By using Cookies we may “share” or “sell” your personal information for analytics and advertising benefits. In the preceding 12 months, we have shared and sold the following categories of personal information to the following categories of third parties:
(4) Our “sale,” “sharing” and “targeted advertising” activities do not apply to personal information that we collect in the course of providing identity verification services to our Customers. Rather, we “sell” or “share” information relating to (1) individual visitors browsing our website and (2) the business contact information of our Customer Representatives for purposes such as serving advertisements to those audiences on non-Veriff properties. Moreover, Veriff does not knowingly sell or share personal information about consumers under the age of 16
(5) We do not use sensitive personal information for any purpose other than to perform the Services or to improve, upgrade, or enhance the Services.
(6) Your Privacy Rights
12.2 Notice to Individuals Who are Residents of the State of Illinois and the State of Texas
(1) The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq., and the Business and Commerce Code of Texas on the Capture or Use of Biometric Identifiers, Tex.Bus.& Comm.Code § 503.001, regulates the collection, storage, use, and retention of “biometric identifiers'' and “biometric information”. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.
(2) Veriff collects certain biometric identifiers and biometric information, namely face scan information (face geometry information and information based on that), during the identity verification process. Veriff collects and uses this information to verify your identity, prevent fraud, and provide authentication Services to our Customers on an ongoing basis.
(3) For Illinois residents, we will permanently destroy their biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with Veriff’s Customers, whichever occurs first.
(4) For Texas residents, we will permanently destroy their biometric identifiers the later of (1) one year after the purpose for collecting the identifier expires, or (2) one year after any recordkeeping obligations imposed by law in connection with the collection of the biometric identifier expires.
(5) Except where prohibited by law, your biometric data is accessible only to us and our service providers, which process your data only on our behalf to provide the Services. We do not share biometric data with any other third parties. The Customer on whose behalf Veriff processes your data may receive from us information about you, such as copies of the identification document and photo you provided us, and data indicating whether we were able to identify and authenticate your identity, but we do not disclose to Customers your biometric data.
(6) By clicking the relevant icons presented prior to the verification or authentication process, and choosing to continue, you acknowledge and agree that you have read the relevant disclosures, and that you voluntarily consent to Veriff’s collection, storage, retention, use, and disclosure of your biometric data.
(7) Veriff uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure your biometric data, in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and/or sensitive information. Veriff does not sell, lease, trade or otherwise profit from the biometric data.
This section applies to the Personal Data processing related to UKDIATF Certified Identity Verification Solution (Medium Level). No specifications in this section apply to UKDIATF Certified Identity Verification Solution (Low Level).
For the purposes of this section, the Service entails biometric personal identity verification as described in section 5.1 and additional activity history and identity fraud checks as described in section 13.5. Should there be any inconsistency or ambiguity between the terms of this section and any other part of this document, these terms shall prevail.
13.1 The Service is used by Veriff’s Customers to verify your identity, for example for conducting digital DBS, Right to Work or Right to Rent checks. This identity verification is conducted under the requirements foreseen in the Department for Culture, Media and Sport’s UK Digital Identity and Attributes Trust Framework (UKDIATF).
13.2 In the context of the Service, Veriff processes End-User Personal Data as directed by our Customers for the provision of the Service, whereas our Customers are the Data Controllers and Veriff is the Data Processor. Veriff is a Data Controller for compiling and retaining reports. Veriff is jointly a Data Controller with Cifas, a company registered in England and Wales under company number 02584687 and with registered office at 6th Floor Lynton House, 7-12 Tavistock Square, London WC1H 9LT (Cifas) for conducting identity fraud checks against and filing reports to the databases operated by Cifas.
13.3 Personal Data processing activities and legal basis. For offering the Service to the Customer, including for sharing your identity verification details with the Customer, Veriff relies on the legal basis ensured by the Customer, as is described in section 5.1. On the basis of Veriff’s legitimate interest in fraud (or otherwise unlawful and dishonest conduct) prevention, detection and investigation, Veriff conducts identity fraud checks against database operated by Cifas, and if Veriff suspects fraudulent activity, then Veriff may compile and retain reports and file these to Cifas. In the context of the Service, Veriff does not process your Personal Data for marketing purposes or in any other way not described in this Privacy Notice.
13.4 For the purposes of the Service, the Personal Data described in section 4.1 are being collected and processed. The Personal Data is retained as described in section 10.
13.5 Personal Data disclosures and reporting. Possible Personal Data recipients are described in section 8.1-8.3. As a part of the Service, Veriff conducts activity history and identity fraud checks. To conduct the said checks, Veriff discloses a limited set of Personal Data to (i) electoral roll and credit reference sub-processor; (ii) politically exposed persons check sub-processor ComplyAdvantage, and (iii) Cifas as a fraud prevention agency.
13.6 If Veriff reasonably suspects that you are committing identity fraud (or otherwise unlawful and dishonest conduct) when using the Service and as a result of the investigation Veriff determines that the fraud meets the criteria for reporting to Cifas, Veriff will submit a report to Cifas.
13.7 The Personal Data we have collected from you will be shared with fraud prevention agencies, who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused with certain services, finance or employment. Further details of how your Personal Data will be used by us and fraud prevention agencies, and your data protection rights, can be found by https://www.cifas.org.uk/fpn.
13.8 Your rights in relation to Personal Data. Your Personal Data is protected by legal rights, which include your right to access your Personal Data, right to object to our processing of your Personal Data and to automated decisions made about you (see also section 6.4(ii)); request that your Personal Data is erased or corrected; right to complain to your local data protection authority. Please see further information about exercising your rights in section 7.
14.1 Veriff’s Demo app and website session flow allows to test and experience Veriff’s verification flow as an end user. The flow provides the experience End-Users will get when Veriff’s Customer is integrated with Veriff.
14.2 When you test the verification flow in the Demo app or on our Website, Veriff will process your data as mentioned in section 4.12. The Personal Data processed for the purpose of introducing our verification flow demo will be retained for up to 1 day.
Please review this Privacy Notice carefully and contact our Data Protection Officer (DPO) at firstname.lastname@example.org if you have any comments, questions or concerns. You can also contact us via an online form here.
16.1 This Privacy Notice is available on our Website.
16.2 Kindly note that we may modify the Privacy Notice from time to time. If we make changes, we will notify you of such as by revising the date of this Privacy Notice. If we make material changes, we may provide you with additional notice (such as by adding a statement to the Services or sending you a notification).
16.3 You are advised to review this Privacy Notice periodically for any changes. Changes to this Privacy Notice are effective when they are posted on this page.