SafeTravellers App – Privacy Notice

Effective Date: 18 August 2025

1. Introduction

This Privacy Policy describes how iProov Limited (“iProov”, “we”, “us”, or “our”) collects, uses, stores, and processes personal data when you participate in our product demonstrations using the SafeTravellers application (the “SafeTravellers App” or “App”).

The SafeTravellers App provides two modes of operation:

  1. Traveller (holder) – allows you to assume the simulated role of a Traveller, whereby you create a set of digital travel credentials by scanning your document, face, and fingerprints. You can also present these credentials to a Border Guard (verifier) as described below in (2), or with other verification services.
  2. Border Guard (verifier) – allows you to assume the simulated role of a Border Guard, whereby you can verify the digital credentials created in step (1) above.

The SafeTravellers App is intended solely for limited demonstration and evaluation purposes and is not a commercial product offering. The App is designed to support live demonstrations of iProov’s biometric face liveness detection and fingerprint-scanning capabilities and the capabilities of other SafeTravellers consortium members (or “partners”) in a non-production environment. It enables participants to experience how the technology functions during a simulated use case.

2. Our Relationship with You

iProov Limited and the other members of the SafeTravellers consortium act as joint controllers of the personal data processed via the SafeTravellers App. This means that we jointly determine the purposes and essential means of processing your personal data when you participate in our testing activities.

Each consortium member is responsible for the personal data processing activities it carries out as part of the SafeTravellers project. For example:

  • iProov Limited – enrols you into the App, performs document scanning, biometric verification (facial and fingerprint recognition), and manages the creation of your digital credentials.
  • IDEMIA – also provides document scanning technology to capture your identity document information and perform quality and fraud checks.
  • Other SafeTravellers consortium members – perform anti-fraud checks and other project-specific tasks.

As a joint controller, each consortium member has its own policies and procedures governing the way it handles your personal data. You should review the privacy notice of each relevant consortium member to understand how they process your data and the rights available to you in respect of their processing.

3. Scope of the Policy

This Policy applies to all participants who use the SafeTravellers App during testing and evaluation conducted by or on behalf of the SafeTravellers consortium (including iProov Limited). It covers the collection and use of personal data during and through your use of the App.

The SafeTravellers App is designed to simulate smart border and identity verification technology in a controlled, non-production environment. The App enables the enrolment and creation of a digital credential consisting of your biometric data and identity document data. It is used to evaluate technology performance, fraud prevention capabilities, and user experience as part of the SafeTravellers project.

The SafeTravellers App is not intended for operational, production, or real-world identity verification scenarios, and is not connected to any live production system.
The personal data processed is used solely for testing and evaluation purposes as described in this Notice.

4. Categories of Data Collected

The SafeTravellers App may collect and process the following types of personal data:

  1. Biometric data: Facial imagery (photos and video imagery) captured during enrolment and verification, used for identity matching and liveness checks; fingerprint imagery for quality, matching, and Presentation Attack Detection (PAD) checks.
  2. Identity Document Data: During enrolment, IDEMIA technology may capture data from your passport or national identity document, including Machine Readable Zone (MRZ) data and iProov will collect information from the embedded NFC chip such as your full name, date of birth, nationality, gender, document number, document type and expiry date, and the portrait photo image. Where available, this may also include address, personal identification number, signature image, place of birth, and other official identifiers. This data is used by iProov and IDEMIA to perform quality and fraud checks as part of the SafeTravellers project.
  3. Device Information: Technical information about your device (such as device type and operating system) is collected to ensure the App functions as intended.
  4. Optional contact details: Mobile number, email address, and postal address, if you choose to provide them.

5. Purpose of Data Collection

Personal data processed by iProov through the SafeTravellers App is used solely for the following purposes:

  • To enrol you in the App and capture biometric data (facial imagery, fingerprint imagery) for test identity verification and liveness detection in a controlled, non-production environment.
  • To match biometric data against the facial image contained in your digital credential to demonstrate secure verification.
  • To perform fraud prevention checks and support the secure operation of the App during testing.
  • To carry out system functionality, security, and diagnostic checks for quality assurance.
  • To demonstrate the technical capabilities of iProov and other SafeTravellers consortium members as part of the SafeTravellers project.

Where other SafeTravellers consortium members are involved, for example, IDEMIA, they may capture and process identity document data (such as MRZ information from your passport or ID) to perform quality and fraud checks as part of the project.

No operational, production, or real-world identity verification occurs via the SafeTravellers App. The App is not intended for commercial use or decision-making about individuals.

6. Lawful Basis for Processing

iProov processes your personal data in accordance with the UK GDPR and, where applicable, the EU GDPR, relying on the following lawful bases:

  • Consent (Article 6(1)(a) and Article 9(2)(a)) – iProov relies on your explicit consent to collect and process your biometric data for the purposes set out above. Consent is collected in-app prior to biometric capture. You may withdraw your consent at any time, although doing so will prevent continued participation in SafeTravellers testing.

  • Legitimate Interests (Article 6(1)(f)) – iProov processes certain technical and security-related data to support our legitimate interest in ensuring the safe, secure, and effective operation of the SafeTravellers App during testing.

Where other SafeTravellers consortium members process your personal data, they do so as joint controllers with their own lawful bases. You should refer to their privacy notices for details of their processing operations.

7. Data Retention

iProov retains the personal data it processes through the SafeTravellers App only for as long as necessary to fulfil the purposes described in this Policy.

On your mobile device:

Your digital credential (including biometric and identity document data) is stored locally upon its creation. You control this data and can delete it from within the SafeTravellers App.

On iProov’s remote systems:

The data collected from your enrolment, including your document data, facial scan, and fingerprints is processed and stored for up to 30 days.

If a fraud attempt is reasonably suspected, we may use your biometric data to train our fraud prevention systems for up to one year.

Where other consortium members collect identity document data, their own retention periods will apply, as set out in their respective privacy notices.

8. Data Sharing and Disclosures

iProov does not sell or commercially exploit your personal data.

As part of the SafeTravellers project, iProov shares certain data with other consortium members for project-specific purposes like quality assurance and fraud prevention. These members act as joint controllers and process the data in line with their own privacy notices.

Within iProov, access to personal data is strictly limited to authorised personnel involved in delivering or supporting the SafeTravellers App testing.

Where technology service providers are used by iProov (for example, hosting or infrastructure providers), they act as data processors on behalf of iProov and are contractually bound to process data only in accordance with iProov’s instructions and with appropriate technical and organisational safeguards.

Personal data may also be disclosed where required to comply with applicable laws or respond to lawful requests from public authorities.

9. Data Security

We implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk presented by the processing of personal data through the Demo App. These measures are designed in alignment with recognised industry standards, including the principles of ISO/IEC 27001:2022, the international standard for information security management.

Key safeguards include:

  • Encryption of data in transit and at rest;
  • Role-based access controls to restrict access to personal data to authorised personnel only;
  • Segregated demo environments hosted in secure, access-controlled infrastructure managed by iProov;
  • Automated deletion mechanisms to ensure that personal data is erased within 7 days of the demonstration;
  • Hardened configuration of all supporting systems, including video processing and storage infrastructure;
  • Regular monitoring and review of access logs and system alerts to detect unauthorised activity.

iProov actively maintains its security posture in accordance with best practices and continuously improves its controls to mitigate emerging threats.

10. International Transfers

iProov stores and processes the personal data it collects through the SafeTravellers App exclusively within the United Kingdom and the European Union. No transfers to countries outside the UK or EU are made by iProov.

Where other SafeTravellers consortium members process your personal data, they may host it within their own infrastructure. You should refer to each consortium member’s privacy notice for details of their hosting locations and transfer arrangements.

If the hosting location changes and a transfer outside the UK or EU becomes necessary, iProov will implement appropriate safeguards in line with the UK GDPR and EU GDPR, such as the UK Addendum to the EU Standard Contractual Clauses or other approved transfer mechanisms. You may request a copy of these safeguards by contacting us.

11. Your Rights

Under applicable data protection law, you have the right to:

  • Request access to your personal data and receive a copy;
  • Request rectification of inaccurate or incomplete data;
  • Request deletion of your data, including withdrawal of consent;
  • Object to or request restriction of processing in certain circumstances;
  • Lodge a complaint with the UK Information Commissioner’s Office (ICO) or another competent data protection authority.

If your request relates to personal data processed by another consortium member, we will help direct your request to the appropriate organisation.

To help confirm your identity and ensure that your rights are exercised securely, iProov may request specific information from you before fulfilling your request. This is a necessary security measure to prevent unauthorised access or disclosure. We may also need to contact you for additional details to clarify or expedite our response.

We aim to respond to all legitimate requests within one month. For complex or multiple requests, we may require more time to respond and will inform you of any delay.

Note that the SafeTravellers App gives you a lot of control over your data. Where you wish to exercise the following rights, you can do so in the App yourself:

  • Correct Data – You can delete and re-enter your information.
  • Withdraw consent to the processing of your personal data – You can do this by deleting the data held within the App. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

Additionally, if your data has already been deleted or anonymised (for example, after the 30-day retention period in iProov’s systems), we may no longer be able to fulfil your request unless the data remains identifiable and retrievable.

To exercise your rights, please contact the iProov Privacy Team at dpo@iproov.com.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect operational changes, legal developments, or refinements to how the Demo App is delivered. Where material changes are made, we will provide appropriate notice. This may include messaging at the start of the demo or updates to publicly available documentation.

You are responsible for reviewing any changes. Participation in a demo session after an updated Privacy Policy is made available constitutes your acknowledgement of the updated terms.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact:

Email: dpo@iproov.com
 ICO Registration Number: ZA859100
 Company Name: iProov Limited
 Registered Address: 14, Bank Chambers, 25 Jermyn Street, London, England, SW1Y 6HR
 Supervisory Authority: UK Information Commissioner’s Office (www.ico.org.uk)