iProov Processor Privacy Notice for Private Demonstration Application

iProov is committed to protecting privacy when we process our customers data. This Privacy Notice explains what personal information we collect from you when you use our Private Demonstration Application and how we use it. The notice also explains each parties’ responsibilities when using the iProov Private Demonstration Application.

Our Relationship with You

When you use the iProov Private Demonstration Application, iProov is a Processor of your data and you are a Controller. You make certain decisions on what data is uploaded to our application and who can use it. WE process this data upon your request and instructions.

Your Responsibilities 

When you use the iProov Private Demonstration Application you are responsible for collecting any consent necessary from your users for iProov to process your data. You are responsible for all of the data entered into the iProov Private Demonstration Application and for adhering to any applicable law relating to you being a Data Controller.

Our Responsibilities

iProov is responsible for adhering to applicable law relating to Data Processors.

What Personal Data We Collect from Your Users

The personal data we collect from your users is:

  • Your users’ biometric image, collected via image streaming (User Image) as a part of the demonstration
  • Your users IP Address to help identify their device
  • Unique Identifier. The demonstration application creates a unique identifier that is only associated with your users and that is stored with your user’s identity. 

Other Data Collected from Your Users

iProov also collects other data when the iProov Private Demonstration Application is used. This data is not personal data but is shown here for transparency purposes.

  • Data from the gyros and accelerometers of your user’s device
  • Aggregated data for statistical analysis purposes 

How We Use Your Data

Each time your users submit imagery for the purposes of authentication (an “authentication attempt”) iProov uses automated imagery analysis and biometric matching technology to verify them as a living person, to detect impersonation and spoofing attempts. 

iProov processes facial imagery (we call this “enrolment imagery”) when enrolling a user in the service. This allows us to perform face-matching during subsequent authentication attempts. We process the enrolment imagery to create a biometric template which can be used for face-matching against authentication attempts. This biometric template is linked to a user’s unique user identifier “User ID”.  iProov may update and change the biometric template over time to improve the performance of the matching.

For the purposes of identifying that the person performing the authentication attempt is the same as in the enrolment imagery, iProov compares the biometric template from imagery taken in the authentication attempt with the biometric template taken from the user’s enrolment imagery. The resulting probability of a match between the two biometric templates determines whether iProov issues a pass or fail result for the authentication attempt.

To perform anti-spoofing, which allows us to detect fraud or fake imagery in authentication attempts, we use sophisticated machine-learning algorithms. These algorithms automatically combine the data from the authentication attempt, including imagery and other sensor data “Combined User Data”. The resulting values these algorithms produce enable the system to determine whether the authentication attempt is likely to be bona fide or an attempted spoof. 

For your benefit (as a user of iProov services), we monitor and analyse data on authentication attempts, where it is determined to be potentially fraudulent, to improve the accuracy of our authentications. We process imagery from authentication attempts to train, update and improve the accuracy of iProov’s biometric testing. 

Our Legal Basis for Processing Your Personal Data

When iProov collects your user’s personal information, we use the data for the following purposes:

1. To Fulfil a contract between you and iProov. This includes:

  • Providing you with the service for which you have registered as a part of the free trial
  • To enrol your users and team members on the Private Demonstration Application
  • To respond to any requests, that you may send us

2. To conduct our business and fulfil a legitimate interest. In particular:

  • The analysis and ongoing improvement of our services
  • For the detection and prevention of fraud

Data Transfer

iProov hosts its demonstration application in the United Kingdom and EEA and does not transfer data to other countries.

How Long Does iProov Keep my Data?

iProov keeps your data for a maximum of sixty (60) days after your last use of the iProov Private Demonstration Application. After this point your user’s data is permanently deleted unless you request iProov to retain it for a longer period as a part of the demonstration or evaluation.

If iProov receives data that it believes to be fraudulent it will use system and manual processes to determine whether it is or not. If data is determined to be fraudulent, iProov will retain this data indefinitely.

Your Obligations and How we Support You

Under the law of certain countries, your users have rights around iProov’s use of their data. It is your obligation to manage any requests from your users to exercise their rights under data protection laws in the first instance. Where you are unable to service the requests of your users directly, iProov will

  • Provide Access to the personal data iProov holds on your users.  
  • Correct Data. If your users believe that iProov hold inaccurate data about them, you can ask iProov to correct it. Where you make request data to be corrected, we may ask you to verify the accuracy of any correction for your user. 
  • Right to be Forgotten. You can ask iProov to delete any personal data it holds about your users that you have provided to iProov as a part of the trial.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your users personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where you believe our use of the data is unlawful but you do not want us to erase it; or (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims. 
  • Withdraw consent to the processing of your users personal data, However, this will not affect the lawfulness of any processing carried out before you withdraw your users consent.

Where you make a request, iProov will try to respond to all requests within thirty (30) days. Where it is not possible to do this, we will write to you to inform you that it will take longer to meet your request and will aim to respond within ninety days (90). Where we cannot respond within this time period, we will notify you of why and of your user’s rights.

Contacting Us

iProov has a data protection officer who can be contacted at DPO@iproov.com. If you have any questions about this Privacy Notice or about any requests to exercise your legal rights, please send an email to this address.

Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so would request that you contact us in the first instance.

We are registered with the ICO under number ZA441165.

iProov Limited (we, us or iProov) is a company incorporated in England & Wales under company number 07866563 whose registered office is at 14 Bank Chambers, 25 Jermyn Street, London SW1Y 6HR, England.