iProov Controller Privacy Notice for iProov Application Use

iProov is committed to protecting your privacy and your rights when we process your data. This Privacy Notice explains what personal information we collect when you use our Application and how we use it. The notice also explains your rights and how to exercise them should you wish to do so.

Our Relationship with You

When you use the iProov Application, iProov is a Controller of your data as we make certain decisions within our application on how your data is used and processed. We are asking you to assist in iProov demonstrating our products so we can showcase our capabilities and the services we offer to our customers.

Consent to Collect Your Data

When you use the iProov Application you must provide us with your consent to collect and use your data. You can withdraw your consent at any time.

What Personal Data We Collect

The personal data we collect is:
● Your email address, so we can identify you as an iProov Application participant
● Your biometric image, collected via image streaming (User Image) as a part of the iProov application use
● User Image frames of your face that correspond to the biometric template
● Palm print data (if the iProov Application is the palm reader application)
● Your IP Address to help identify your device (if an IP Address is used)
● Unique Identifier. The iProov Application creates a unique identifier that is only associated with you and that is stored with your identity.
● Details of whether you are right or left handed
● Information from an identity document such as a passport or driving licence is processed by a third party on iProov’s behalf so that a positive identification of you can be made to test the end to end processing of the iProov Application.
● Your motion data (how you hold or use your phone when using the iProov Application) so that we can identify your biometric signature from your motion.
● Your location data (if requested) so that we can verify use within a given region

Other Data Collected

iProov also collects other data when you use the iProov Application. This data is not personal data but is shown here for transparency purposes.
● Data from the gyros and accelerometers of your device
● Mobile device type, model and identifier
● Aggregated data for statistical analysis purposes
● Camera attributes that could include f number, ISO, aperture value, brightness value, focal length, pixel x and y dimension
● Time stamp
● Survey data to assess your experience of the iProov Application and any suggested improvements

How We Use Your Data

Genuine Presence and Liveness Assurance
Each time that you submit imagery for the purposes of authentication (an “authentication attempt”) iProov uses automated imagery analysis and biometric matching technology to verify you as a living person, to detect impersonation and spoofing attempts.

iProov processes your facial imagery (we call this “enrolment imagery”) when enrolling a user in the service. This allows us to perform face-matching during subsequent authentication attempts. We process the enrolment imagery to create a biometric template which can be used for face-matching against authentication attempts. This biometric template is linked to a user’s unique user identifier “User ID”. iProov may update and change the biometric template over time to improve the performance of the matching.

For the purposes of identifying that the person performing the authentication attempt is the same as in the enrolment imagery, iProov compares the biometric template from imagery taken in the authentication attempt with the biometric template taken from the user’s enrolment imagery. The resulting probability of a match between the two biometric templates determines whether iProov issues a pass or fail result for the authentication attempt.

Palm Print
Each time that you submit palm print imagery for the purposes of authentication (an “authentication attempt”) iProov uses automated imagery analysis and biometric matching technology to verify you as a living person, to detect impersonation and spoofing attempts.

iProov processes your palm print imagery (we call this “enrolment imagery”) when enrolling a user in the service. This allows us to perform palm print-matching during subsequent authentication attempts. We process the enrolment imagery to create a biometric template which can be used for palm print-matching against authentication attempts. This biometric template is linked to a user’s unique user identifier “User ID”.

iProov may update and change the biometric template over time to improve the performance of the matching.

For the purposes of identifying that the person performing the authentication attempt is the same as in the enrolment imagery, iProov compares the biometric template from imagery taken in the authentication attempt with the biometric template taken from the user’s enrolment imagery.

The resulting probability of a match between the two biometric templates determines whether iProov issues a pass or fail result for the authentication attempt.

Anti Spoofing
To perform anti-spoofing, which allows us to detect fraud or fake imagery in authentication attempts, we use sophisticated machine-learning algorithms. These algorithms automatically combine the data from the authentication attempt, including imagery and other sensor data “Combined User Data”. The resulting values these algorithms produce enable the system to determine whether the authentication attempt is likely to be bona fide or an attempted spoof.

For your benefit, we monitor and analyse data on authentication attempts, where it is determined to be a potentially fraudulent attempt as a part of the demonstration authentication process, to improve the accuracy of our authentications. We process imagery from authentication attempts to train, update and improve the accuracy of iProov’s biometric testing.

Algo Training
Where data is collected from you it can be used to train the iProov algorithms to improve accuracy and efficacy. When your data is used for algo training it is deidentified so that it cannot be traced back to you as a data subject.

Our Legal Basis for Processing Your Personal Data

When iProov collects your personal information, we use the data for the following purposes:
A) Consent to process your data

● As iProov collects a biographic image as a part of the service, we need your explicit consent to do so.

B) To conduct our business and fulfil a legitimate interest. In particular:

● The analysis and ongoing improvement of our products and services
● For the detection and prevention of fraud
● To train iProov’s algorithms to increase accuracy and efficacy

C) To fulfil a contract between iProov and the organisation taking part in this demonstration or trial

Data Transfer

iProov hosts its demonstration and trial application in the United Kingdom and does not transfer data to other countries.

How Long Does iProov Keep my Data?

iProov keeps your data for a maximum of thirty (30) days after your last use of the iProov Application. After this point your data is permanently anonymised so it cannot be used to identify you.

Sub Processors

iProov uses third party suppliers as a part of the iProov Application. Depending on what is being demonstrated or trialled, the following third party vendors are used. These companies have separate privacy notices to iProov and we would request that you review and agree to their terms also. iProov has no control over their terms and they are different to the ones in this document.
MicroBlink https://microblink.com/privacy-policy/
ReadID https://www.readid.com/privacy

Your Legal Rights and How to Use Them

Under the law of certain countries, you have the following rights around iProov’s use of your data.
These rights include:
● You may Request Access to the personal data iProov holds on you.

● To Request Data Correction. If you believe that iProov hold inaccurate data about you, you can ask iProov to correct it. Where you request data to be corrected, we may ask you to verify the accuracy of any correction.

● The Right to be Forgotten. You can ask iProov to delete any personal data it holds about you that you have provided as a part of the trial.

● You can Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. The right to object to processing does not apply where Our basis is something other than legitimate interest – such as where we have your consent to the relevant processing.

● Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where you believe our use of the data is unlawful but you do not want us to erase it; or (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.

● Withdraw consent to the processing of your personal data, However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

Where you make a request, please do so via an email to compliance@iproov.com. iProov will try to respond to all requests within thirty (30) days. Where it is not possible to do this, we will write to you to inform you that it will take longer to meet your request and will aim to respond within ninety days (90) or alternatively to confirm that we hold no data about you as it has been deleted. Where we cannot respond within this time period, we will notify you of why and of your rights.

Contacting Us

iProov has a data protection officer who can be contacted at DPO@iproov.com. If you have any questions about this Privacy Notice or about any requests to exercise your legal rights, please send an email to this address.

Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so would request that you contact us in the first instance.

We are registered with the ICO under number ZA441165.

iProov Limited (we, us or iProov) is a company incorporated in England & Wales under company number 07866563 whose registered office is at 14 Bank Chambers, 25 Jermyn Street, London SW1Y 6HR, England.

Acceptable Use Policy for iProov Application Users

This Acceptable Use Policy (“Acceptable Use Policy”) sets forth guidelines for acceptable use of the iProov Services which are provided by iProov Limited or a member of its group of companies (“iProov” “we” or “us”), including software and any associated documentation provided by iProov in connection therewith (as used herein, collectively the “Services”).

By using the Services, you acknowledge that you have read, understood, and agreed to comply with the terms of this Acceptable Use Policy.
You agree to ensure that there is no breach of this Acceptable Use Policy by you or (where relevant) your employees, consultants or other trial users, and you acknowledge that you will be liable and responsible for any such breach. For the purposes of this Acceptable Use Policy, references to “you” includes any natural person or entity that uses or accesses the Services.

About the iProov Application

The iProov Application is considered to be a test system provided by iProov to approved users to enable them to evaluate iProov’s products.
As a user of the iProov Application you are responsible for all data that is entered and used within the application. iProov takes this data and undertakes various processing activities and acts as a Data Controller for this data.

Restrictions, Limitations, Misuse

The following restrictions and limitations shall apply to your access to and use of the Services, and your breaches of any of the following shall be deemed a misuse of the Services and a breach of your obligations:
1. You agree to use the Services for lawful purposes only.
2. You agree to use your own identity when using the service.
3. You agree to minimising the data that could be collected by the iProov Application by not using the application in an area where other data may be collected in the video stream when using your camera. This data could be other people, documents or other information that may be used to identify other people who are not part of the iProov Application use.
4. Your users or participants are a minimum 18 years of age.
5. You will not, and will not allow a third party to:

a. copy, modify, sell, sub-license, rent, or transfer the Services to any third party;

b. attempt to defeat, circumvent or disable any copy protection mechanism in the Services;

c. modify, distribute, alter, or tamper with the Services;

d. reverse engineer, disassemble, or decompile the Services or apply any other process or procedure to derive the source code of any software included in the Services (except to the extent applicable legal requirements don’t allow this restriction, and then only after you have given us notice and an opportunity to resolve any interoperability issues);

e. introduce any infringing, obscene, libellous, or otherwise unlawful data or material into the Services;

f. access all or any part of the Services in order to build or facilitate the build of a product or service which competes with the Services;

g. remove, obscure, or alter any intellectual property right or confidentiality notices or legends appearing in or on any aspect of any of the Services;

h. introduce or attempt to introduce any form of computer virus, malware, worm or other form of malicious software to any part of the Services; or

i. introduce into or distribute through the Services any imagery or other content that: (a) does not meet iProov’s stated guidelines or requirements; (b) is sexually explicit or indecent; (c) is discriminatory based on race, gender, colour, religious belief, sexual orientation or disability; (d) may infringe iProov’s intellectual property rights, or is capable of causing damage or injury to any person or property.

6. In addition to the restrictions set out above, the below is conduct deemed by us to be inappropriate, improper or harmful to our reputation, network, or the Services and therefore prohibited when using the Services:

a. causing, aiding, encouraging, or facilitating any end user to point to or otherwise direct traffic to any material in breach of any applicable legal requirements;

b. accessing or using the iProov Services other than as expressly permitted by your Agreement;

c. knowingly generate Transactions that are prevented from completing;

d. attempt to spoof the Services, including by means of images or by injecting digital data into the iProov APIs, without iProov’s specific written approval;

e. probe or attempt to penetrate Service, either through access to Services or other online methods, by communication with iProov staff, by attempted physical access to iProov facilities or sites of third party servers hosting the Services or elements of it, without iProov’s specific written approval;

f. submit Transactions or TCP/IP traffic to iProov at a sustained rate faster than that agreed in writing with, or in the absence of such agreement specified from time to time by, iProov;

g. test the throughput, performance, latency, simultaneous Transaction capacity or other performance parameters of the Services without the written agreement of iProov;

h. publish or publicly disclose statistical measures of the performance of the Services, nor existence or details of any spoof attempts made against the Services, without the written agreement of iProov;

i. indicate or suggest that the Services are provided without the involvement of iProov;

j. using, encouraging, aiding or facilitating the use of the Services to (including by pointing to web sites or locations that) create, transmit, distribute or store material that: violates trademark, patent, copyright, trade secret or other intellectual property laws, violate the privacy, publicity or other personal rights of others, include tools designed for compromising security (including but not limited to password guessing programs, cracking tools or network probing tools), violate any applicable legal requirements related to export control, data protection or anti-terrorism, or impair the privacy of communications; or

k. attempting to penetrate or manipulate, or encourage, aid or facilitate the penetration or manipulation of, the security features of the Services or any other system (including but not limited to unauthorized access to or use of data, systems or networks, probing, scanning or testing the vulnerability of a system or network, breaching security authentication measures, unauthorized monitoring of data or traffic, interfering with the service of any user, host or network by any means; forging any TCP/IP packet header or any part of a message header).
In addition to the other rights or remedies available to us, we may (i) immediately, temporarily suspend Services where continued use of Services (a) breaches applicable legal requirements, (b) will have an adverse impact on our network or systems, or (c) we reasonably believe suspension is necessary to mitigate any damage or liability resulting from breach of this Acceptable Use Policy; and (ii) notify the appropriate law-enforcement agencies of any breach of this Acceptable Use Policy.

We reserve the right to modify or replace this Acceptable Use Policy at any time and at our sole discretion. We will indicate at the top of this Acceptable Use Policy the date such document was last updated.

Get a demo