iProov Harness App – Privacy Policy
1. Introduction
This Privacy Policy describes how iProov Limited (“iProov”, “we”, “us”, or “our”) collects, uses, stores, and processes personal data when you use the iProov Harness application (the “Harness App” or “App”). The App is intended solely for use by authorised personnel within iProov and is designed to facilitate the internal testing, training, and evaluation of biometric technologies, including those involving fingerprint recognition.
The Harness App is not a public product offering and is not intended for consumer use. It is a tool for non-production testing and evaluation under controlled conditions. This Privacy Policy is to be read alongside the Harness Terms of Use. Capitalised terms used but not defined in this Policy shall have the meaning assigned to them in the Terms of Use.
2. Who We Are
iProov Limited is the controller of the personal data processed via the Harness App. This means that we determine the purposes and means of the processing of your personal data. Our contact details are as follows:
iProov Limited
Email: dpo@iproov.com
3. Scope of This Policy
This Policy applies to all users of the Harness App and covers the collection and use of personal data during and through your use of the App. The App is designed for internal biometric data capture and analysis, and as such it may process personal and special category data, including biometric identifiers. The App may be installed and used by authorised iProov users on both company-managed and personal devices, subject to applicable internal access controls.
4. Categories of Data Collected
The types of data collected through the App include, but are not necessarily limited to:
- Authentication data, including your @iproov.com email address, used to verify your identity via Firebase Authentication.
- User identification data, such as your HiBob User ID.
- Biometric data, specifically fingerprint images collected via the device sensor. This data is used solely for algorithmic training, testing, and research purposes.
- Device and technical metadata, including the model and operating system of your device, session timestamps, and system-level crash logs.
- App usage data, including interaction logs and application performance metrics to support testing and debugging.
5. Purposes of Processing
Personal data collected through the Harness App is processed strictly for internal research and development purposes. These include:
- The testing and refinement of biometric recognition technologies.
- The training and evaluation of machine learning models, including neural networks and classifiers used in biometric authentication.
- The diagnosis and resolution of technical issues and defects through debugging and performance monitoring.
- The enhancement of accuracy, security, and robustness of biometric systems under development.
- The expansion of internal datasets used for improving model generalisability and fairness.
Your data will not be used for live biometric authentication, production deployment, or public-facing services.
6. Lawful Basis for Processing
iProov processes your personal data on the following lawful bases, as permitted under the UK General Data Protection Regulation (UK GDPR):
- Consent (Article 6(1)(a) and Article 9(2)(a)): Where applicable, we rely on your explicit consent to collect and process your biometric data. Consent is obtained through the Harness App prior to data collection and is recorded with timestamped logs in our backend systems. You may withdraw your consent at any time; however, please note that this may affect your continued use of the App.
- Legitimate Interests (Article 6(1)(f)): We process other categories of data, such as device metadata and usage logs, based on our legitimate interest in ensuring the security, stability, and performance of our technologies and infrastructure.
- Contractual Necessity (Article 6(1)(b)): Where your use of the App is necessary to fulfil internal development objectives under your role, processing may also be carried out under a functional or implied internal contractual arrangement.
- Scientific or Statistical Research Purposes (Article 9(2)(j)): To the extent the biometric data is used for research and evaluation, such processing is subject to appropriate safeguards as required under Article 89(1), including pseudonymisation, access control, and internal usage limitations.
We will not use your personal data for any purpose incompatible with those stated in this Policy.
7. Data Retention
Your personal data will be retained only for as long as necessary to fulfil the purposes outlined in this Policy. This may include retaining biometric data and pseudonymous identifiers for the duration of ongoing model development and internal testing activities.
Data will be deleted or anonymised once it is no longer required for its original purpose, unless retention is necessary to comply with legal obligations or internal audit requirements. Where consent has been withdrawn and the data remains linkable to an individual, reasonable steps will be taken to fulfil erasure requests, subject to legal and technical feasibility.
In accordance with our internal data governance policy, as part of the leaver’s offboarding process, you will be reminded and given the option to request deletion of your data. If you elect not to retain your data with iProov, it will be deleted insofar as practicable following the termination of your engagement with iProov.
8. Data Sharing and Disclosure
iProov does not sell, rent, or commercially exploit your personal data.
Access to data collected through the Harness App is strictly limited to authorised personnel within iProov who require access for technical, research, or operational purposes. This may include members of the product, R&D, and engineering teams.
In certain circumstances, data may be hosted or processed on third-party infrastructure, such as Firebase by Google. Where this is the case, all vendors are contractually bound by appropriate data processing agreements and are subject to technical and organisational safeguards.
Data may also be disclosed where required by law or in response to valid legal process.
9. Data Security
We implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the processing. These include:
- Pseudonymisation of user data.
- Encryption of data in transit and at rest.
- Secure authentication and session management using Firebase Authentication.
- Role-based access controls with audit trails.
- Continuous monitoring of access to data stores and developer environments.
While no system is entirely immune to security risk, we actively mitigate vulnerabilities in accordance with industry best practices.
10. International Transfers
Your data will not be stored or processed in jurisdictions outside the United Kingdom or the European Economic Area (EEA). If this changes, we will ensure that appropriate safeguards are in place to comply with UK data protection requirements, including the use of the UK Addendum to the EU Standard Contractual Clauses or other legally recognised mechanisms.
You may request a copy of these safeguards by contacting us using the contact details provided below.
11. Your Rights
Under applicable data protection law, you may have the right to:
- Request access to your personal data and obtain a copy of it.
- Request rectification of inaccurate or incomplete data.
- Request erasure of your data where it is no longer needed, or where consent has been withdrawn.
- Object to or request restriction of processing, particularly where based on legitimate interests.
- Lodge a complaint with the UK Information Commissioner’s Office (ICO) or another competent supervisory authority.
Please note that in cases where your data has been pseudonymised or delinked, these rights may no longer be exercisable unless you are able to re-establish your identity through your user identifier. iProov may not be able to accommodate deletion or access requests if it no longer has the ability to re-identify the relevant records.
To exercise your rights, please contact the iProov Privacy Team at: [Insert email]
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect operational changes, legal developments, or refinements to how the Harness App processes data. Where material changes are made, we will provide appropriate notice, which may include in-App messaging, internal notifications, or email.
You are responsible for reviewing any changes. Continued use of the App after an updated Privacy Policy is made available constitutes your acknowledgement of the updated terms.
13. Contact Us
If you have any questions about this Policy or about any requests to exercise your legal rights, please send an email to DPO@iproov.com and we will assist you.
You also have the right to raise concerns with the UK Information Commissioner’s Office (www.ico.org.uk).
We are registered with the ICO under number ZA441165.
Company Name: iProov Limited
Registered Address: 14, Bank Chambers 25, Jermyn Street, London, England, SW1Y 6HR
Email: dpo@iproov.com