Privacy policy

Thank you for taking the time to familiarize yourself with our policy for privacy (the Privacy Policy). Veriff is specialized in providing online identification services. We consider ourselves the new standard in identity verification, and we allow our contractual parties to verify your identity document e.g. driver’s license, passport or ID card (defined below).

1. Our Privacy Policy in a nutshell

Here is information on this policy in a nutshell.

1.1 In this Privacy Policy we explain how and on what basis we collect, store and Process Personal Data of Data Subjects i.e. our client’s representatives, Users, Visitors and Office Visitors (see definitions below). We also explain what Data Subjects’ rights are and our obligations and liabilities.

1.2 Veriff mainly Processes Users’ information as directed by our clients for the provision of our Services. Our Clients are the data controllers who determine the purpose of Processing Personal Data and, accordingly, Veriff is a Data Processor of User information with respect to those services. In other cases, Veriff is a Data Controller of User information (e.g. with regard to visitors of Veriff’s web page). We may also Process certain Data Subjects’ information in anonymized form for the development and improvement of our Services and in other forms and purposes set forth in this Privacy Policy.

1.3 In order to fully understand how Personal Data is Processed, Data Subjects should review the privacy notices shared with the Users by Veriff and the privacy policies of those Clients for whose services they are getting verified.

1.4 Please review this Privacy Policy carefully and contact our data protection officer (DPO) at legal@veriff.com if you have any comments, questions or concerns. Contact details are in chapter 15.

1.5 Content of Privacy Policy:

1.5.1 Our Privacy Policy in a nutshell

1.5.2 Definitions

1.5.3 Our main privacy principles

1.5.4 The content of Personal Data we Process

1.5.5 Purpose of processing and legal ground of processing for provision of services

1.5.6 Service process (automated processing)

1.5.7 Data Subject’s rights in relation to Personal Data

1.5.8 Disclosure and transfer of Personal Data

1.5.9 Security of Personal Data

1.5.10 Retention of Personal Data

1.5.11 Children's Personal Data

1.5.12 Jurisdiction specific notices

1.5.13 Veriff's Demo app and testing Veriff's session flow

1.5.14 Important documents, guidelines and procedures

1.5.15 Contact details and information

1.5.16 Availability of and changes to the Privacy Policy

---------------------------------------------------

2. Definitions

Here you can find the meanings of the most important terms in this Privacy Policy to help you understand how and for what we are Processing your Personal Data.

  • Agreement – the service agreement entered into with the Client, including service agreements for trials.
  • Data Providers – these are third-party service providers or public authorities who we use to collect additional information for verification. For example, we may check the User-provided information against the official public registry or other fraud prevention services.
  • Data Controller – a legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and gives instructions regarding processing activities to Veriff, unless Veriff is acting as the Data Controller.
  • Data Processor – Veriff Processes Personal Data on behalf of the Data Controller, unless Veriff is acting as the Data Controller.
  • Data Subject / you – a natural person about whom we have information or data enabling the identification of the natural person. Data Subjects are our Client’s representatives, Users, our (potential) employees, Visitors, Office Visitors, natural persons who provide us feedback (including other research and inquiry-related data) and other natural persons whose Personal Data we may process (to the extent such natural persons are aware or made aware of such processing).
  • Demo app - the app owned by Veriff, which can be downloaded from the App Store or Google Play and which allows a natural person to test Veriff’s verification flows.
  • EEA - European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein).
  • GDPR - EU General Data Protection Regulation no 2016/679.
  • Client - the legal entity to whom we provide our Services under the Agreement, Veriff’s customer.
  • Personal Data - any information relating to an identified or identifiable natural person (the Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Privacy Policy - this privacy policy.
  • Processing - any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing may be done manually or using automated systems.
  • Processor / our / us / we - Veriff OÜ, registry code 12932944, Niine 11, Tallinn, 10414, e-mail: info@veriff.com and our data protection officer legal@veriff.com.
  • Service(s) - personal identity verification service and connected services provided by us.
  • User - the natural person regarding whom we provide the Service at the request of the Client and natural person who contacts us as the representative of Client prior to conclusion of the Agreement.
  • Visitor - is any person using the Veriff Website.
  • Office Visitor - is any person visiting the office premises of Veriff.
  • Politically exposed person (PEP) – politically exposed person including their family members and close associates in accordance with the applicable legal acts regarding the prevention of money laundering or terrorist financing (such as a natural person who is or who has been entrusted with prominent public functions, e.g. a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court).
  • Website - https://www.veriff.com/.

3. Our main privacy principles

Here you can find the privacy principles we follow when Processing Personal Data.

We follow what we call the “Fundamental Six”, that is, six principles regarding Veriff’s data Processing activities:

(1) First, we Process Personal Data in a reliable and confidential way. We respect each person's right to the protection of their Personal Data and we shall do our best to ensure that Personal Data collected by us is well protected. We regularly evaluate the risks associated with the Processing of Personal Data and shall apply appropriate mitigation strategies to hedge risks.

(2) Second, data protection is an integral part of our Service. All our services are developed and deployed by enshrining the principles of privacy by design and privacy by default that is overseen by our data protection officer. Compliance with Privacy Policy is integrated into our day-to-day activities, services and processes, and our development efforts. We understand that compliance with data protection rules takes place through our employees. Therefore, we consider it important and we must ensure that our employees know and comply with the requirements thereof. We expect, instruct and train our employees to respect our privacy requirements.

(3) Third, we Process Personal Data lawfully and purposefully. We set clear goals for the Processing of Personal Data and Process Personal Data for these purposes only. We do not collect or Process the data that we do not need. Veriff has the right to delete, blur or otherwise make unreadable data/documents presented in the session that are not necessary for Veriff’s service provision. This also means we never sell Personal Data and all transfers of Personal Data must have a valid legal basis.

(4) Fourth, we Process Personal Data in a transparent and fair way. We ensure an appropriate secure, honest and lawful manner of processing the Personal Data to prevent the unauthorized disclosure or inappropriate use of Personal Data. We also work to eliminate the possibility of discrimination or bias in our Service.

(5) Fifth, we store Personal Data only for as long as the retention of data is required by law, a contract or is necessary for the provision of our Services or required for protecting us against legal claims. At the end of the retention period, we shall permanently erase the Personal Data or anonymize it.

(6) Sixth, we do our best to make sure that the Personal Data we Process is accurate and limited to what is necessary.

4. The content of Personal Data we process

Here you can find what Personal Data we Process about Users, Client's representatives, Visitors and Office Visitors.

4.1 Personal Data we Process about Users. We provide personal identity verification services to Clients. This means we verify Users and for that you (i.e. the User) have acknowledged data Processing according to the Client’s privacy policy and data Processing by us in accordance with this Privacy Policy. We may collect and Process, among other data, the following Personal Data:

(1) personal information concerning the User, which mainly consists of information extracted from the User’s document, for example name, sex, personal identification code, BSN number, date of birth, legal capacity, nationality, citizenship, organ donor status, eye color, weight and height, as well as the historic data of that User that may have been stored with us during previous interactions within the retention periods;

(2) document details, such as the name of the document, issuing country, number, expiration date, information embedded to document barcodes (may vary depending on the document) and security features;

(3) facial recognition data, such as photos, videos and sound recording, photographs taken from you and your document and video and sound recording of the verification process;

(4) contact details, such as address, e-mail address, telephone numbers, IP address and, if relevant, presented document type (e.g. utility bill);

(5) technical data (Device Signature) including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, your software and hardware attributes as well as your general geographic location (e.g. city, state, country);

(6) biometric data, such as facial identifiers;

(7) publicly available relevant data, e.g. information about being a politically exposed person (PEP) and checks in public sanction lists;

(8) personal information provided by the User, e.g. data from communications with us, feedback data;

(9) personal information provided by natural persons who have participated in our product and market research initiatives;

(10) personal information that we have received from the Client, e.g. contact details;

(11) in cases where having a legal basis, e.g. a consent or a written release, for Processing certain Personal Data about a User is a prerequisite for providing the Services, then evidence and records, including connected Personal Data, that such legal basis has been obtained by us.

4.2 How we obtain User’s Personal Data. We may obtain Personal Data directly from you as well as from the Client. We will also look to identify signs of fraud based on our internal fraud framework and advanced fraud prevention and detection techniques. Based on an authorisation we receive from the Client, we also collect your Personal Data independently from Data Providers, e.g. to offer our Services within a trust-based relationship and to prevent fraud. For example, if we need to verify the validity of your identification document, we may inquire for additional information from the appropriate registrar or from other fraud prevention services at the direction of the Client.

4.3 In some cases, we may also further check whether we have previously verified a User on behalf of the same or a different Client by comparing the session with the previous session. This helps our Clients not only verify identities but further protects them and their Users by helping them understand when a User may be generating multiple identities, tampering documents or manipulating device or network information. To do all of this, we closely examine the information provided by the User, including machine-readable data, metadata and device and network information.

4.4 Similarly, for fraud prevention and detection purposes, we may also collect information about compromised identities, for example images or device or network information which have been leaked or used to commit repetitive fraud via Veriff's service (global greylist).

4.5 Clients may have access to your Personal Data. We may share your Personal Data, foremost the biometric data and facial recognition data with the Client through which you used our identity verification service.

4.6 Please note that providing your Personal Data is voluntary. However, the decision not to do so may mean that we are not able to verify your identity.

4.7 Personal Data we Process about the representative of the Client. To enter into the Agreement, to provide our Service, to communicate with the representative of our Client and for other lawful reasons we need to Process the data of Client’s representative. This means we may Process, among other information, the following Personal Data of the representative of the Client:

(1) personal information of the representative of the Client, such as name, job title, position, and contact information;

(2) personal information in connection with provision of the Service, such as data from communication with us;

(3) technical data (Device Signature) including but not limited to information about the date, time and your activity in the Services, your IP address and domain name, and your software and hardware attributes as well as your general geographic location (e.g. city, country);

(4) publicly available relevant data.

4.8 How we obtain Client’s representative’s Personal Data. We collect this data either from you directly when you communicate with us directly, e.g. by sending us an email, providing us with your Personal Data on the phone or through our customer support tools. We may also collect some of your Personal Data in the course of provision of Service to your employer. We also check information about the Client (including about relevant representatives of the Client) from publicly available sources. We only gather relevant and necessary data in order to validate the right of representation e.g. this may include verification of your identity, Processing of your Personal Data for introducing the Service (demo) etc.

4.9 Please note, the provision of Personal Data is voluntary. However, if you do not provide your Personal Data, the Client may not be able to make use of the full range of our Services.

4.10 Personal Data we Process about Visitors to our Website and/ or Users of our Service. We may collect data when you visit our Websites and/ or Service by using Cookies (see Cookie Policy) or other similar technologies (e.g. IP address, equipment information, location information, beacons) and Process the data gathered by them. This data, among other information, may be as follows:

(1) personal information, such as IP address, time, and location;

(2) information on usage of the Website and/or Service and other web log data, such as the pages you visit on the Website, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the Website;

(3) technical data (Device Signature) including but not limited to information about your IP address and domain name, your software and hardware attributes (including device IDs) and your general geographic location (e.g. city, country);

(4) e-mail addresses, when you subscribe to Veriff's newsletters or download Veriff's content.

4.11 Personal Data we Process related to responsible disclosure. If you decide to contact Veriff related to reporting an issue mentioned in our responsible disclosure policy, we only process the following Personal Data about you:

(1) name;

(2) e-mail address;

(3) picture, if you consent to disclosing it on our Hall of Fame.

4.12 Purpose of Processing with the help of Cookies and similar technologies. We use the collected data to enable the provision of the Service in accordance with the habits of a Visitor/ User, to ensure the best Service quality, to inform the Visitor about the contents and give recommendations, and to update advertisements and make marketing efforts more efficient. The collected data shall also be used for counting the Visitors/ Users and recording their habits. Read more from the Cookie Policy.

4.13 Personal Data we Process related to the Demo app and testing Veriff’s session flow. If you decide to download and use Veriff’s Demo app or test Veriff's session flow on our website, we may record session audio, video and technical information as mentioned in clause 4.1 (for more details see section 13 of this Privacy Policy).

4.14 Personal Data we Process related to our Office Visitors. If you visit the office premises and workplaces of Veriff, this means we may Process, among other information, the following Personal Data about you:

(1) name;

(2) e-mail address;

(3) photo;

(4) visuals captured via video surveillance equipment;

(5) during the spread of COVID-19, proof of vaccination against COVID-19, valid negative test result or recovery certificate.

5. Legal grounds and Purposes of processing

Here you may read why and on what grounds we Process your Personal Data.

5.1 Provision of Services. Regarding Personal Data about Users, Veriff's main purpose for processing is to verify your identity for our Clients, and for this purpose we capture photos and video (if applicable) of the verification session, the document(s) provided for verification, and biometric data (i.e. identifiers and information). In addition, for verification, we conduct fraud prevention and detection checks that are an integral part of our Service. Identification process results with information about the completed checks are categorized as “Approved”, “Resubmission needed” or “Declined”.

5.2 We or our Client may ask you to grant us consent for Processing. Please note that we cannot provide the Service in respect of an anonymous User, and therefore the use of our Service is subject to the disclosure of Personal Data to us and consenting to the Processing of Personal Data by the Client and us. However, giving consent is voluntary, but failure to do so may mean that we may not be able to provide you with the Service. For example, we will not be able to verify your identity. In some circumstances, e.g. for the purpose of automated decision-making, you may be asked to provide us with explicit consent. If you have granted the Client and/or us a consent to Process Personal Data, the details of such processes and purposes thereof will be outlined in the consent itself.

5.3 Your consent is the legal basis for processing Personal Data when you share your findings related to responsible disclosure. Please note that giving consent is voluntary and you have the opportunity to withdraw your consent at any time. Publishing your name and/or picture on our website is only done under your written consent. More about responsible disclosure can be read here.

5.4 Veriff asks for the Client representative's consent before recording audio and video of the Client representative call. The recording is used solely for Veriff's analytical purposes and improvement of Veriff's services and processes. Please note that giving consent is voluntary and you have the opportunity to withdraw your consent at any time. This does not apply in case of recording different communications (including video) for product and market research (as described in clause 5.7(10)).

5.5 If you would like to download and use Veriff’s Demo app or test Veriff's session flow on our website, Veriff asks for your consent before we verify your identity. This is for the purpose of testing Veriff’s verification flow. Please note that giving consent is voluntary and you have the opportunity to withdraw your consent at any time. More information about Veriff’s Demo app can be found in chapter 13.

5.6 We mainly Process your Personal Data as a Processor for the benefit of the Client in order to fulfil the Agreement entered into with the Client for:

(1) performance of the Agreement (including for the provision of the Service);

(2) performance of the obligations arising from the Agreement (including the realization of rights arising from the provision of the Service);

(3) the purpose of realization of rights and fulfilment of obligations deriving from legal acts;

(5) processing your inquiries and requests.

5.7 We also Process your Personal Data if Processing is necessary in our legitimate interests, meaning our interest in the management and direction of our business in order to be able to offer the best possible services on the market. For our legitimate interest, we may Process data for the following purposes:

(1) for analysing the use of our Service, and using research and analysis results, among other methods, for carrying out satisfaction surveys, feedback questionnaires and developing our products and services, including development of autonomous and automated decision-making processes;

(2) for the transmission of information about our Service;

(3) for sending out newsletters, for marketing and developing and promoting our Services, for organisation of campaigns, including personalised and targeted campaigns, and measuring the effectiveness of the performed marketing activities. Please note that for sending out newsletters, we only Process your contact details;

(4) for ensuring a trust-based relationship with Clients and Users, for example, Personal Data Processing that is strictly necessary to determine the ultimate beneficiaries, being PEP and/or to prevent fraud, e.g. checks in public sanction lists or our own Service history;

(5) for administration and analysis of the Client base to improve the availability, selection and quality of Services and products, and to make our Services more personalised and the best possible;

(6) for analysis of identifiers and Personal Data collected upon the use of websites, mobile applications and other Services. We may use the collected data for web analysis or for the analysis of mobile and information society services, for ensuring and improving functioning, for statistical purposes and for analyzing Visitor and Client representative behavior, and for improving the experience of Visitors and Client representatives and for providing better and more personalised Services;

(7) for monitoring the Services. We may record the messages and instructions given in our premises or by means of communication (e-mail, telephone, etc.), as well as information and other operations carried out by us, and shall use those recordings as needed to evidence instructions or other operations;

(8) for network, information and cyber security considerations, for example, for fighting against piracy and for ensuring the security of the Websites and Service, as well as for the measures taken for making and storing backup copies;

(9) for the establishment, exercise or defence of legal claims;

(10) for conducting product and market research for purposes of quality assurance, product improvements, developments and assessing its market fit, this includes contacting and communication, interviews, making conclusions, recording of such communications for a limited period of time, etc. with Users, Client’s representatives and other relevant data subjects. This includes creating anonymised or aggregated overviews and summaries of the aforementioned;

(11) for obtaining the, and retaining Personal Data to prove the obtaining of, relevant legal basis for Processing certain Personal Data (e.g. biometric information and identifiers) concerning certain Users, as required under laws applicable to such Users (e.g. Users originating from the states of Texas and Illinois). Obtaining and maintaining records that such legal basis has been obtained by us is important for us to be able to prove that we comply and adhere to our legal obligations outside of and in the European Union;

(12) for fraud prevention and detection purposes;

(13) for machine learning purposes, as specified in chapter 6 below.

5.8 In addition, we may provide status information on our web pages and Service with the help of a third party service provider.

5.9 Pursuant to our “Fundamental Six” principles for data Processing, we only Process Personal Data on this legal basis (legitimate interest) after careful assessment in order to ascertain that the legitimate interest is in compliance with the interests and rights of a Data Subject (after carrying out the so-called three-step test).

5.10 Processing for a new purpose. When Personal Data Processing is carried out for a new purpose different from those for which the Personal Data was originally collected or is not based on the consent given by the Data Subject, we shall carefully assess the permissibility of such new Processing. In order to determine whether the Processing for the new purpose follows the purpose for which the Personal Data was originally collected, Veriff shall take into consideration, inter alia, the following:

(1) any link between the old and new purposes for which the Personal Data was collected and the intended further purposes of Processing;

(2) the context of collecting the Personal Data, in particular regarding the relationship between the Data Subject and us;

(3) the nature of the Personal Data, in particular whether any special categories of Personal Data are processed;

(4) possible consequences of the intended further Processing for the Data Subjects;

(5) existence of appropriate protection measures which may consist in, for example, encryption and pseudonymization.

5.11 More about disclosure of your Personal Data can be found in chapter 8.

5.12 Processing related to Office Visitors. When you visit the office premises and workplaces, we Process your Personal Data if Processing is necessary in our legitimate interests. For our legitimate interest in detecting and preventing harmful or unlawful actions, ensuring safety of Veriff’s property, confidential information and employees and establishing, exercising or defending of legal claims we may Process Personal Data for the following purposes:

(1) registering your visit to the office;

(2) conducting regular video surveillance in the marked areas.

5.13 We may ask you to grant us consent for Processing. During the spread of COVID-19, for the purpose of ensuring adequate protection of the health and safety of Veriff’s employees in the workplace, you are required to provide proof of vaccination against COVID-19, valid negative test result or recovery certificate. In case you have no proof to provide, or you present medical contraindication to vaccination as proof, you will be offered on-site rapid testing. Health related data contained in the presented information belongs to special categories of Personal Data. Before presenting any such Personal Data you are asked to provide us with explicit consent to visually assess your admissibility to the office premises and workplaces. In any case, no information presented to Veriff is retained, meaning that no Personal Data will be accessible to Veriff after the moment you present the information. Please note that giving consent is voluntary and you have the opportunity to withdraw your consent at any time; however, if you refuse to provide the proof, conduct the rapid testing or if the rapid test result is positive, you must leave the office immediately.

6. Service development, process and provision (Automated processing and decision making)

To verify your identity in a secure and less error-prone way, we use automatic algorithms and machine learning in our Service. Read about it in this section.

6.1 Machine learning helps to recognize specific patterns in information and make predictions about new sets of information based on those patterns. Algorithms are built, trained and tested on training sets, which comprise real data. No biometric data such as “biometric identifiers” or “biometric information” is used in Veriff's machine learning training. Such processing is only done for internal use to improve and develop our services and done only based on the contractual mandate received from our Clients under the precondition that a valid legal basis has been obtained.

6.2 Veriff also uses machine learning to provide Services to our Clients. Read more about Veriff's verification process in clause 6.8.

6.3 Veriff stands for the concept that machine learning is conducted in an ethical and trustworthy way that respects human rights and freedoms.

6.4 Machine learning as a tool will enable Users to receive better, more secure and faster services provided by Veriff's Clients and help to prevent and detect fraud. Datasets used to develop, test and train are kept in separate, monitored and highly secure data research environments.

6.5 Machine learning is also the driving engine for Veriff's innovation when improving our Services, testing new features and ensuring quality Services.

6.6 For fraud prevention and detection purposes, Veriff also checks whether facial images show signs of fraud. To provide this check quickly, in a secure and accurate way, numerical biometric data is extracted from previously collected facial images and device and network information is retained for a limited amount of time as agreed with Veriff's Clients. For each verification session, Veriff captures a new facial image from the User and compares the data derived from the capture to the data we have retained for them.

6.7 For further improvement of our Services, Service performance and features testing (A/B tests) is used to analyze the User experience and response regarding changes to the structure, text or any other feature of Veriff's Service.

6.8 The verification process is either automated, semi-automated or done by a human:

(1) Semi-automated verification process. A human will be involved if the automated verification tool (the Robot) is not able to reach a decision on its own. This may occur when the picture is blurry or the Robot runs into some other difficulty in analysing the verification session. The Robot is constantly learning to correctly give meaning to information and to detect identification fraud or theft, and does its best to make sure you are you even in the online world. We hope that together with the combined power of the Robot and humans, we can make your identification and verification process as easy and safe as possible.

(2) In the case of fully automated decision-making, where the decision has a significant effect on you, we will be transparent about such processing. When performing fully automated decision-making, our Client asks for your explicit consent to do this and informs you of the automated processing. In some cases, where the Client has other legal grounds for such Processing e.g. obligations under applicable law – consent may not be needed. You have the right to ask for information and an explanation regarding the logic behind the decision the Robot has made; at any time, you will have the right to request human intervention or object to the decision made on grounds relating to your particular situation.

(3) We may have different solutions for Processing with different Clients, e.g. in some cases the verification session will only be analysed by a human.

6.9 We would like to point out that the decision on whether the Client provides its service to the User is made by the Client. That is, even if the verification flow has been fully automated, the verification result will be taken into account by the Client for the decision on whether to provide its service or not. The verification result itself (“Approved”, “Resubmission needed” or “Declined”) is not determinative for whether the Client’s service is provided to the User.

7. Data Subject’s rights in relation to Personal Data

Read about your data protection rights.

7.1 If you wish to exercise any of your rights regarding Personal Data or ask questions about the Privacy Policy, please read further about your rights in chapter 3 of the GDPR or submit a corresponding request to us at legal@veriff.com. We will respond to your request by e-mail as a rule no later than within one month. Please note that before we can provide you with the requested information regarding your Personal Data, we may need to verify your identity. Please also note that if your request concerns data we have Processed as a Processor (i.e. in the course of Service provision), you must submit your request to the Client, who, as the Data Controller of the Processing of your Personal Data, may fulfill the request. We will inform you if this is the case.

7.2 You as a Data Subject have the following rights in relation to your Personal Data:

(1) Right of access to Personal Data - you have the right to know which of your Personal Data we store and how we Process it, including the right to know the purpose of the Processing, the persons to whom we will disclose your Personal Data, information about automated decision-making and the right to receive copies of Personal Data.

(2) Right to rectification of Personal Data - you have the right to request the rectification of inadequate, incomplete and/or misleading Personal Data.

(3) Right to withdraw the consent given for the Processing of Personal Data - you have the right at any time to withdraw the consent given to us for the Processing of Personal Data. Please note that withdrawal of your consent shall not affect the legality of the Processing that was made on the basis of consent before the withdrawal.

(4) Right to erasure of Personal Data (“right to be forgotten”) - you have the right to request that we erase your Personal Data (for example, if you take back consent for the Processing of Personal Data, or if Personal Data is no longer needed for the purpose for which it was collected). We have the right to refuse the erasure of Personal Data if the Processing of Personal Data is necessary for the fulfilment of our legal obligation, to exercise the right to freedom of expression and information, for the preparation, presentation and protection of legal claims, or in the public interest.

(5) Right to restriction of Processing - in certain cases, you have the right to prohibit or restrict Processing of your Personal Data for a certain period of time (e.g., if you have filed an objection to Personal Data Processing).

(6) Right to object - you have the right to file an objection if your Personal Data Processing takes place on the basis of our legitimate interest or public interest. You shall have the right to object at any time to Processing of Personal Data for direct marketing purposes, and we shall respond promptly. If we perform automated decision-making (including profiling) that will produce legal effects for you or have a significant effect on you, then you may file an objection and require human intervention in the decision-making process.

(7) Right to data portability - If your Personal Data Processing is based on your consent and Personal Data is Processed automatically, you shall be entitled to receive Personal Data about you that you submitted to us as the Data Controller, in a structured, commonly used and machine-readable format, and you shall have the right to transmit or request us to transfer this Personal Data to another Data Controller, where technically feasible and the Personal Data has not been deleted by that time.

(8) Submission of complaint - If you find that your rights have been breached, you have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the EEA. The Estonian Data Protection Inspectorate is the lead data protection supervisory authority for Veriff (registered office at 19 Väike-Ameerika St., 10129 Tallinn, phone nr + 372 627 4135, e-mail info@aki.ee).

7.3 Our UK General Data Protection Regulation (UK GDPR) representative in the UK is EDPO UK Ltd. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

(1) by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/;

(2) by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.

8. Disclosure and transfer of Personal Data

In this section you will find information about possible disclosure and transfer of your Personal Data.

8.1 Disclosure of Personal Data to authorities. Please note that due to legal requirements, we may be obliged to disclose or grant access to your Personal Data to the authorities and the supervisory authority (e.g. a court or a government agency).

8.2 Disclosure to Data Controllers and Data Processors. Unless stated otherwise in this Privacy Policy or noted otherwise to you separately, we may disclose your Personal Data to Data Controllers for whom we are Data Processors (e.g. Clients) and to our authorized processors (sub-processors), as well as to persons who are legally entitled to receive your Personal Data. For example, a User’s Personal Data can be shared with such authorized sub-processors who are providing identity verification core services to Veriff, our IT partners; a Client representative’s Personal Data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities and organisations intermediating or providing (electronic) mail, compliance or payment services and the like; and Office Visitors’ Personal Data can be shared with IT and security partners, provided that:

(1) the respective purpose and the Processing are lawful;

(2) we have diligently assessed that the authorized processor will comply with the data protection requirements;

(3) the Personal Data Processing is carried out in accordance with our guidelines and on the basis of a valid agreement.

(4) If you have questions about our authorized processors, please contact us at legal@veriff.com.

8.3 Please note that a User's Personal Data can only be shared with Veriff's sub-processors, as well as with persons who are legally entitled to receive your Personal Data, if there is a valid legal basis.

8.4 Transfer of Personal Data. We Process your Personal Data within the EEA. In the event that we need to transmit your Personal Data outside the EEA (e.g. for utilising the sub-processors’ services and technical infrastructure provided from or located in the US or the UK), the transmission shall be in accordance with the requirements, principles and safeguards as stated in the GDPR, such as relying on adequacy decisions issued by or standard contractual clauses approved by the European Commission. In cases where Veriff acts as the Data Controller, we make available further information on the safeguards applied (if relevant) upon your request.

9. Security of Personal Data

Security is of utmost importance to us. We do our best to protect Personal Data in our hands.

9.1 We apply various commercially reasonable measures (physical, technical, organizational) to protect your Personal Data from unauthorized or arbitrary modifications, disclosure, acquisition, destruction, loss, theft, misuse, alteration or unauthorized access.

9.2 However, please note that electronic transmission or storage of information is not always 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you have any information about an actual or suspected data breach, please inform us immediately at legal@veriff.com. We will deal with the issue immediately and inform the Data Protection Inspectorate (if applicable).

10. Retention of Personal Data

Here you can find our data retention principles, that is, the length of the period for which we keep Personal Data.

10.1 To determine the appropriate retention period, we consider the amount, nature and sensitivity of the Personal Data and the purposes for which we Process it. We must also consider periods for which we may need to retain Personal Data in order to meet our legal obligations or to deal with complaints or queries and to protect our legal rights in the event of claims being made. Any data retention periods referenced herein which would be more than 3 years are not applicable to Personal Data qualified as biometric identifiers or biometric information for the purposes of the laws of the state of Illinois. Regarding the state of Texas, the foregoing is limited to a period of 1 year, dated from the collection of the said information.

10.2 We shall store your Personal Data for as long as required by law or in accordance with the law, or for the purposes stated in this Privacy Policy.

10.3 We store the data of Users during the period set forth in the Agreement (we may have different data retention periods agreed upon with the Client lasting up to 3 years) or as long as it is necessary for possible establishment, exercise or defence of legal claims of Users, Clients or ourselves.

10.4 We may store your Personal Data for a longer period than the Agreement duration if we have a lawful basis to do so, e.g. you have given us consent to use your Personal Data for the development of our Services or we have assessed that we have a legitimate aim to do so, e.g. in pseudonymized form or for the purpose of the Service history log.

10.5 Personal Data processed via Veriff’s Demo app or via Veriff's session flow on our website is stored for up to 1 day. More information about Veriff’s Demo app and testing Veriff’s session flow can be found in chapter 13.

10.6 After the expiration of the Personal Data storage period, we shall anonymize or permanently erase your Personal Data.

11. Children's Personal Data

Here you can find information on how we deal with children's Personal Data.

We may Process the Personal Data of children (i.e. persons under 16* years of age; *depending on jurisdiction). The Data Controller shall take steps to ensure that there is consent for such Processing from a guardian of that child. If we learn that we have collected the Personal Data of a child without the guardian’s consent, we will take steps to delete the information as soon as possible.

12. Jurisdiction specific notices

You may have different rights depending on where you reside. Read about them in this section.

12.1 High quality Services are provided to Users all around the world by Veriff. Should there be any inconsistency or ambiguity between the terms of this section and any other part of this document, these terms shall prevail.

12.2 Notice to Individuals Who are Residents of the State of California

12.3 For Users who reside in the State of California, we must provide some additional information mentioned in this Privacy Policy:

(1) Veriff collects basic information from visitors to our website and from Users regarding whom we provide the Service at the request of our Clients. Veriff only requires the minimum amount of personal information necessary from you. Chapter 4 of Veriff's Privacy Policy gives more details about the personal information Veriff processes about you;

(2) With regard to Data Subject rights, California law permits California residents to request information about the categories of personal information, specific personal information collected and the business purpose for collecting this information by contacting legal@veriff.com or submitting it online;

(3) Veriff does not disclose any of your personal information or the verification of your identity to any other party with the exception of our Clients who are providing services to you and Veriff's sub-processors who are essential to provide our services;

(4) Moreover, Veriff does not sell your personal information as defined by the California Consumer Privacy Act to third parties;

(5) Any questions or requests regarding Veriff’s processing of your personal information in respect of your rights under the California Consumer Privacy Act regarding Services will be directed to Veriff's Client who is acting as the Data Controller for Personal Data about you.

12.3 Notice to Individuals Who are Residents of the State of Illinois and the State of Texas

(1) The Illinois Biometric Information Privacy Act and the Business Code of Texas on the Capture or Use of Biometric Identifiers regulate the collection, storage, use, and retention of “biometric identifiers” and “biometric information.” “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.

(2) Veriff collects certain biometric identifiers and biometric information, namely face scan information (face geometry information and information based on that), during the identity verification process. Collection of this information is required to prevent fraud, verify your identity or authenticate your identity against data already obtained about you based on instructions from Veriff’s Client. This information is only retained for the period required for the verification and authentication process or for fraud prevention systems to work or the period required by the Client, but this data will not be retained for more than 3 years after your last interaction with Veriff for the residents of the State of Illinois and more than 1 year after your last interaction with Veriff for the residents of the State of Texas. By providing your consent for the verification process, you consent to providing Veriff with biometric information and identifiers and for Veriff to use and store that information for the purpose of verifying and authenticating your identity, fraud prevention and as otherwise required by the Client and disclosure of your biometric information to its service providers in order to provide the service.

(3) Veriff uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure your facial scan information, in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and/or sensitive information. Veriff will not sell, lease, trade or otherwise profit from the biometric information and identifiers other than to provide the services to its Client.

(4) For disclosures of the foregoing information, please see section 8 of this Privacy Policy.

13. Veriff's Demo app and testing Veriff's session flow

Read about testing Veriff’s session flow.

13.1 Veriff’s Demo app and website session flow allow you to test and experience Veriff’s verification flow as an end user. The flow provides the experience End Users will get when Veriff’s Client is integrated with Veriff.

13.2 Data processing categories, which are processed by Veriff through the Demo app and by Veriff’s Website session flow, are mentioned in clause 4.11, data processing purposes are mentioned in clause 5.5 and data retention conditions are explained in clause 10.5.

14. Important documents, guidelines and procedures

Here we set out all the documents, procedures and Registers, through which you will be able to exercise your rights in the best way, and know how we store and Process your Personal Data.

14.1 Our Privacy Policy is implemented on the basis of the following documents, guidelines and procedures:

(1) Register of processing operations which sets out the purposes and manners of Personal Data Processing, types and categories of the Personal Data being Processed, and the respective bases for Processing;

(2) Cookie Policy lays down the rules on how we use cookies and other web technologies;

(3) Processing specifics for our (Potential) Employees sets forth privacy principles for recruits and employees. If you are a (potential) employee, please read about your rights and our principles;

(4) Policy of the organisational and technical measures which sets out various measures taken by us to always maintain the confidentiality and security of Personal Data;

(5) Responsible Disclosure sets forth our principles with regard to security vulnerabilities.

14.2 In case you have questions about these, please contact us.

15. Contact details and information

Here you can find our contact details.

Please review this Privacy Policy carefully and contact our data protection officer (DPO) at legal@veriff.com if you have any comments, questions or concerns.

16. Availability of and changes to the Privacy Policy

Here you can find information about changes made to the Privacy Policy and how we inform you about the changes.

16.1 This Privacy Policy is available on our Website.

16.2 Kindly note that we may modify the Privacy Policy from time to time. The modified Privacy Policy will be uploaded to our Website and we may notify Clients and Users whose contact information we have about major changes in the Privacy Policy.

16.3 You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

  • Valid from: July 30, 2020
  • Last update: October 20, 2021