EU GDPR Terms and Privacy Notice for iProov ID
Version 1.0 dated 7th October 2024
iProov Limited (“iProov,” “we” or “us”) are committed to protecting privacy when we process our users’ data. These Terms set out what personal information we collect and process when you use the iProov ID application (“iProov ID”), your data rights and how to exercise them, and some limited obligations you have when using iProov ID.
Our Relationship With You
We are a controller of your facial authentication data and the identity document data (we collectively call this your “digital credential”) that you provide when using iProov ID, and we process it:
- for your contract with iProov and adherence to these Terms;
- for uniquely identifying you when you apply for or use a service using iProov ID, with your consent; and
- for our legitimate interest in preventing fraud.
You can’t proceed to use iProov ID unless you both agree to these Terms and give us your consent to processing your facial imagery and your identity document in order to identify you – by clicking each of the buttons at the bottom of these Terms.
If you don’t agree with something you see in these Terms or feel uncomfortable about allowing the use of your digital credential to authenticate your identity, then you should not click those buttons, and should use other channels for authenticating yourself.
Once you have given your consent you can withdraw it (see Your Consent below), but if you do so after you apply for or use a service that uses iProov ID (see The Process below), your digital credential will have already been sent to iProov along with the credentials that you authorised the application to share with the service.
The copyright and other intellectual property in iProov ID is either owned by or licensed to us. You have certain obligations that are intended to protect our rights (see Your Obligations below). We licence you the limited, personal right to use iProov ID in the manner and for the purposes stated in these Terms.
Our Responsibilities
iProov is responsible for adhering to applicable data protection law and for protecting your privacy and data in line with these Terms.
Your Consent
In order to use iProov ID for identifying you, you must provide us with your consent by clicking on the appropriate consent button.
You are given the opportunity to consent to iProov processing your digital credential for the purposes described in these Terms. If you wish not to share your data or if you wish to withdraw your consent, you can do so by deleting your digital credential from iProov ID by opening iProov ID and following the instructions given there.
Other Uses of Your Personal Data
When you enrol with iProov ID to create your digital credential, an image is taken of your MRZ-code, and the NFC chip on your passport or national ID card is scanned by the app to link it to your legal identity. These checks may continue for up to 30 days after enrolment for learning and fraud purposes.
If you have deleted your digital credential or if you would like this data deleted from iProov’s systems, you can send an email to deletemydata@iproov.com where we will delete your data if we can identify you.
The Process
When you use iProov ID for enrolment and creation of your digital credential:
- We capture an image of the photo page of your passport, and we scan the MRZ (Machine Readable Zone) – which is the alphanumeric data at the bottom of your passport photo page. We use the information from the MRZ to unlock an NFC microchip that is embedded within your passport to access your passport data and passport photo imagery. The chip generally contains the following data:
  - document type,
  - issuing state,
  - your full name,
  - date of birth,
  - passport or document number,
  - passport or document expiry date,
  - your gender,
  - country / nationality of birth,
  - image file with photo of holder.
- We also collect this data so we can confirm that your passport and identity are genuine.
- The following data is also collected if available from the NFC chip:
  - personal identification number, tax identification number or a similar official identification number,
  - image file of signature,
  - place of birth,
  - address,
  - phone number,
  - profession,
  - title,
  - date of issue.
- iProov then scans your face to take a reliable image of it and authenticates this image against your passport or national identity document photo image. Data collected includes:
  - photos of your face,
  - video data of your face,
  - geographic location data of where you scanned your face.
- Following this image authentication, iProov creates a biometric profile of your face – for use later in the process where it will be used to identify you.
- You then capture a selfie image using the iProov ID application. This image is used for fraud prevention purposes and is compared against your passport image.
- Additional data provided by you can also include:
  - mobile phone number,
  - email address,
  - address data.
- All the above data is used to create your digital credential – which is stored on your mobile device, but is deleted from our systems 30 days after enrolment (except for the facial scan taken by iProov and your passport’s facial image – see How Long Is Your Biometric Data Kept? below).
How Long Is Your Biometric Data Kept?
- On your mobile device: Your digital credential is stored on your mobile device upon its creation. The data stored on your device is controlled by you and you can remove it at any time by deleting the iProov ID application.
- On iProov’s and its processors’ remote systems: We continue to process your selfie scan and your passport’s facial image for up to 30 days after you enrol to check for fraud (such as an attempt to deceive our systems), and if a fraud attempt is reasonably suspected we may use it to train our systems for up to one year for fraud prevention purposes. The data taken from your NFC chip is stored for a period of 30 days within iProov’s systems after which time it is deleted. Your credentials will remain on your mobile device even when the data used to create the credentials by iProov have been deleted after the 30 day period.
- The storage retention times of the services that use iProov ID can vary. It is recommended that you confirm the retention times and the use of your data by reviewing the service provider’s own privacy notice and terms that will differ from iProov’s.
Our Legal Basis for Processing Your Data
Consent
We process your biometric and identity document data used to identify you and to create your digital ID based upon your consent. You can withdraw that consent at any time using the information provided in these Terms.
Contract
We process some of your personal data to help facilitate your enrolment and identity verification with the service that uses iProov ID.
Acceptance of these Terms and Privacy Notice constitutes a contract between you and iProov for the use of iProov ID and the transfer of your data from it to your chosen service provider.
Legitimate Interests
iProov has a legitimate interest in fraud prevention and detection, and processes some of your personal data for these purposes.
Data Transfer
Your data is not transferred outside of the UK or EU.
iProov and its business partners host all the data they collect in the United Kingdom and countries located within the European Union. Data is not transferred anywhere else.
Our Obligations and How We Support You
You can contact iProov to provide access to your data if we hold any data about you and we’re able to associate this data with you. You can also ask us to restrict or suspend any processing we undertake if our processing outweighs your rights and freedoms as a data subject.
You can withdraw consent, delete, or correct your data held within iProov ID yourself by following the instructions that are given within iProov ID.
Under data protection legislation you have a range of rights:
- Request access to the personal data iProov holds on you. Note that we minimise the data we hold about you and delete it as and when we don’t need to process it any longer, so we may have deleted or anonymised your personal data at that time.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where you believe our use of your data is unlawful but you do not want us to erase it; or (c) where you need us to hold on to the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- Request correction of your personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Note: you can effect this yourself by deleting and re-entering your information in iProov ID – see Correct Data below.
If you wish to exercise any of the rights set out above, please contact us at the email address specified below. You will not have to pay a fee to exercise any of your legal rights as specified above. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant personal information (or to exercise any of your other legal rights). This is in part a security measure we take to help avoid your personal information being disclosed to a person who has no right to receive it, but also because we hold very limited information from which we can identify users. We try to respond to all legitimate requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Note that iProov ID gives you a lot of control over your data. Where you wish to exercise the following rights, you can do so in iProov ID yourself:
- Correct Data. You can delete and re-enter your information.
- Withdraw consent to the processing of your personal data. You can do this by deleting the data held within iProov ID. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Delete your data stored on your mobile device. You can delete the data contained within iProov ID by following the instructions detailed within iProov ID. If you delete iProov ID without following the instructions, data may still be retained on your mobile device and you may not be able to access it.
How Is My Personal Data Secured?
Your data is securely stored on your mobile device, if possible in the secure enclave of the device, and is encrypted wherever it is transferred or stored by iProov.
iProov has implemented several key security and privacy policies, controls, and measures to adhere to and to meet the requirements of the GDPR, the UK Data Protection Act 2018 and other applicable data protection and cyber security legislation across the EU. These security and privacy policies include regular security tests, independent assessment and certification of security and privacy measures to certain international information security standards that meet the requirements of data protection law.
iProov regularly tests security to ensure your data is always protected.
Data Sharing
Your data is held on your mobile device, and you can decide what information you share with the service provider using the iProov ID service by choosing what data to share from within the application.
No data is shared with a third party by iProov unless there is a legitimate and lawful reason to share this data. Lawful and legitimate reasons could include a request from law enforcement or government authorities under applicable law, for fraud prevention purposes or for the preparation and defence of a legal claim.
The iProov ID Service
The iProov ID service is provided as is and may be updated from time to time. Where an update materially varies these terms or requires acceptance by you, new terms may be provided for your agreement via iProov ID. Where you do not agree with the terms, you can terminate the service by deleting your data from the mobile device.
Children
Children under the age of 16 should not attempt to use iProov ID.
Contacting Us
If you want to contact us about data protection or privacy, please send an email to deletemydata@iproov.com.
If you have any questions about these Terms or about any requests to exercise your legal rights, please send an email to DPO@iproov.com.
Questions or Complaints
If you would like to ask a question or make a complaint, please send an email to DPO@iproov.com. If you feel we cannot help you, you can contact the ICO or a supervisory authority in your country.
If you have any questions about these Terms or about any requests to exercise your legal rights, please send an email to this address DPO@iproov.com and we will assist you.
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk) if you are based in the UK. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so would request that you contact us in the first instance.
We are registered with the ICO under number ZA441165.
If you live in the EU, iProov’s EU representative can be contacted at:
IProov Netherlands B.V.
Siriusdreef 17 Transpolispa,
Hoofddorp,
213WT
Company number 74408259
Email: eurepresentative@iproov.com
If you are not happy with the way that iProov has dealt with your data or your rights, you can make a complaint at any time to a Data Protection Supervisory Authority in your country. A list of EU Supervisory Authorities can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Your Obligations
In order to protect our and third parties’ rights in the iProov ID application, you must not:
- modify, alter, duplicate or tamper with iProov ID;
- reverse engineer, disassemble, or decompile iProov ID or apply any other process or procedure to derive the source code of any software included in the iProov ID application (except to the extent applicable legal requirements don’t allow this restriction, and then only after you have given us notice and an opportunity to resolve any interoperability issues);
- access all or any part of iProov ID in order to build or facilitate the build of another product or service;
- introduce any infringing, obscene or otherwise unlawful data or material into iProov ID;
- introduce into iProov ID any imagery or other content that does not meet iProov’s stated guidelines or requirements, is sexually explicit or indecent, or is capable of causing damage or injury to any person or property;
- interfere with or disrupt the integrity or performance of iProov ID;
- knowingly generate artificial iProov ID transactions that are prevented from completing verification or that can increase application or network load, causing iProov systems to become overloaded or fail;
- attempt to deceive iProov ID;
- attempt to probe, penetrate, or test the vulnerability of iProov ID;
- attempt to test the throughput, performance, latency, simultaneous transaction capacity or other performance parameters of iProov ID;
- publish or publicly disclose iProov ID or information about iProov ID or its performance; or
- access or use iProov ID in a way other than as expressly permitted by these Terms.