Yoti Privacy Centre

Welcome to the Yoti Privacy Centre

From here you can find the following: 

General Privacy Information

Look out for these information boxes for a simple summary of each section.

Use the Contents section to navigate your way through to see how Yoti uses your information and keeps it safe.

What’s new?

  • We made some changes to the general layout of our Privacy Centre to make navigation clearer
  • We have added a Product Privacy Notice for Identity Verification (IDV)
  • We have added information about our use of publically available licensed data, such as Vimeo, for our internal research purposes

Updated: 21 June 2024

1. What is this?

This information is here to explain to you how Yoti uses your personal data. This is a general notice and contains high-level information that applies across all of our business. For privacy information on specific Yoti products, please see below.

2. Product Privacy Notices

Digital ID

How we handle your data when you use a Digital ID app.

Last updated: 02/04/2023

 

Identity Verification

How we handle your data when you use our Identity Verification solution

Last updated: 12/08/2024

Read here

 

Identity Verification within the UKDIATF

How we handle your data when you use our Identity Verification for the UK Digital Identity and Attribute Trust Framework (UKDIATF).

Last updated: 12/08/2024

 

Age Verification (AVS)

How we handle your data when you use our Age Verification solution (AVS).

Last updated: 24/03/2022

Web Account

How we handle your data when you use the Web Account

Last updated: 12/05/2023

Read here

 

Hub

How we handle your data when you use the Hub.

Last updated: 19/09/2019

 

eSignatures

How we handle your data when you use our eSignatures solution.

Last updated: 10/09/2021

 

Yoti Password Manager

How we handle your data when you use Yoti Password Manager.

Last updated: 14/01/2019

3. Key definitions

  • Analytics: The careful study of something, by breaking it down into smaller pieces. Yoti looks at trends and patterns in the app to inform our business decisions. Yoti performs analytics on how users interact with the app using anonymous and aggregated data.
  • Biometrics:  A study of people’s unique physical and behavioural characteristics, which aims to identify or recognise people as a unique individual based on traits they have. At Yoti we use biometrics. For example when you set up a Digital ID we take a face scan (also known as a selfie photo), which we store securely and use for the purpose of checking if it’s really you.
  • Data Protection Officer: The person who is responsible for overseeing a company’s data protection implementation to ensure compliance with data privacy law.
  • Encryption: This allows information to be hidden so that it cannot be read without special knowledge such as a key or a password. 
  • GDPR / UK GDPR: The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the UK & European Union (EU). It protects people and lays down rules about how data about people can be used.
  • ISO 27001 and SOC 2 : These are information security controls and standards, designed against a set of defined tests that the organisation has to be assessed on.
  • Third Parties: These are companies that we may have interactions with outside of Yoti. For example this could be other apps, software and partner companies. Where we say ‘third party’ this means anyone who is not you or us. This could be another person or an organisation.

4. Who we are

Yoti is a digital identity and age verification company, which means Yoti allows its users to have their ID or age confirmed. For example, you can show how old you are when you want to buy age restricted goods or would like to sign into an app, where age checks would need to be carried out.

  • We are a digital identity and age verification company and we design our software and services with privacy at their heart, guided by a set of principles.
  • We are monitored by a Guardian Council who make sure that we always seek to do the right thing.
  • We are certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment. 

Company details

We are Yoti Ltd, 6th Floor, 107 Leadenhall St, London, EC3A 4AF (company number 08998951), but you can call us ‘Yoti’. Our general email address is hello@yoti.com

Our principles

We take your privacy very seriously. We design our software and services with privacy at their heart, guided by a set of principles which you can read here: https://www.yoti.com/ethical-framework.

We are monitored by a Guardian Council, who are respected and influential individuals who make sure that Yoti always seeks to do the right thing, and that we are transparent about what we are doing and why. Read more about them here: https://www.yoti.com/ethical-framework .

We are also certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment. Read more about it here: https://www.bcorporation.net/

5. Information collection and use

We collect different types of your information for different reasons. We explain why we collect this information below. This is our general privacy notice where you can find out general privacy information about Yoti. For each of our products, we have a product privacy notice. The product-specific privacy notices provide more specific information on how we collect and use personal data for that product.

Lawful bases

The lawful bases are what we rely on in order to have a valid reason to collect personal data. Below is a summary of all the lawful bases we rely on across our products.

Data protection law requires an organisation to have a lawful basis for its personal information collection and use, and there are several lawful bases available. Our products and services are available globally, so in some cases our choice of lawful basis reflects the need to comply with different laws in different countries.

Performance of a contract

  • When you set up and use our app and associated products and services, almost all the personal information collection and use is necessary to provide the app, product or service.
  • If you provide us your contact details to ask us a question, request more information or contact our Customer Support, we use your details to reply and resolve any issues.

Consent

  • We ask you to consent to us using your biometrics. This is because biometric data is sensitive or special category data under the GDPR and the lawful bases available for this data are very limited. There are also biometrics laws in other countries that require consent. 
  • See the section on biometrics in our app privacy policy for more information about the biometrics we use and why.

Legitimate interests

  • Some personal data collection and use is in our legitimate business interests. To use this lawful basis we assess both our interests and yours, to make sure that what we’re doing does not cause any unjustified privacy intrusion.
  • Fraud reporting: some fraud prevention bodies we work with require us to report identity fraud we discover.
  • Research and Development: we use non-sensitive data to continually improve and test our fraud prevention measures. 
  • Vimeo videos for internal research and development: We use CC0 licensed videos uploaded by registered individuals onto the Vimeo platform in order to help train our anti-spoofing technology. We only use these internally within our R&D team and delete this data after 6 months. Individuals can opt-out of this processing by emailing privacy@yoti.com 
  • Analytics: we de-identify and aggregate the metrics information we get from users to understand how our website and app are performing, to identify bugs and to identify where we need to focus our efforts to improve.
  • B2B Marketing campaign records: we keep information so we know who was sent what marketing information and when.
  • Invoice and billing: for corporate customers.

Legal obligation

  • If you have provided us your contact details to hear about Yoti, its products and services and you no longer want to hear from us, we are obliged by law to stop contacting you. To meet this legal obligation we will add your details to a suppression list so you no longer hear from us.
  • If you are a potential customer, we are obliged to carry out some due diligence.

Retention

We provide specific retention information in the Product Privacy Notices. 

If you have a Digital ID, we will keep your information until you delete your account. Inactive accounts are deleted after three years of inactivity. 

If you send a question to our customer support team via email or through our chatbot, we will keep a record of the query for 6 months.

If you volunteer for user testing with Yoti, we will keep the related information for 12 months.

6. Information sharing

You are able to share your information with third parties using the Digital ID app and Yoti can also share your information where we suspect or find fraudulent activity. Yoti will never sell your information.

As a Digital ID app user, you choose if you want to use your app to share your information with other individuals or with companies. As an organisation using Yoti for age or identity verification, you choose what information to request from individuals. 

Where Yoti has access to your information, we may share it in specific circumstances, such as:

  • suspected or confirmed identity fraud or other offences;
  • valid and legally binding requests for information from third parties;
  • to verify your details with trusted third parties.

We do not sell your information.

This section describes the kind of circumstances where we may have to share personal information. The Product Privacy Notices  will set out what, if any, information sharing may take place for that product / service.

When Yoti shares your personal information

Yoti’s core privacy principles are that it is not our business model to sell, transfer or share outside the company any of the personal information used to set up your account or your user activity information. 

However there are some situations where we will share or will have to share some information, and we list these below:

If we suspect identity fraud, a national security threat, legal infringement or a criminal offence

  • We may have to share a copy of your information with the appropriate authorities.

 If you provide false information

  • If, after investigation, we determine that there has been fraud that meets the criteria for reporting, we will pass the details to relevant crime and fraud prevention agencies to prevent further fraud and money laundering.
  • One of these agencies is Cifas. Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn

If we get a request for information from law enforcement or other official authority

We will have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

Where we are required to share information with law enforcement or other government authority we will ensure

  • The request is valid;
  • The information requested is no more than necessary;
  • That, where possible, we have tried to redirect the request to the relevant Client; and
  • That, where possible, we have informed the relevant Client of the request.

To verify your details:

  • For some of our products and services we check certain details, including against a third party, as part of verifying identity and carrying out due diligence.
  • The Product Privacy Notices will set out when and how this happens.

To verify details on behalf of other companies

  • Some of our products and services may include the option to request an identity check against credit reference agency or other fraud prevention data.
  • In these circumstances Yoti simply sends the relevant details to the credit reference agency or fraud prevention database on behalf of the company, and sends the response back to the company.
  • The Product Privacy Notices will set out when and how this happens.

We may use the services of trusted suppliers to help us, for example, for data storage, online payment providers and other identity providers:

  • Because of how we have designed the system, in most situations we won’t need to share your information with third parties.

If we do, we will encrypt your data and / or it will be properly protected by the terms of our contract with these third parties.

When you share your personal information

You will decide when you want to use a Yoti product or service to identify yourself to a third party, or to send and request information. You choose whether to agree or not to share the information that a third party requests from you. 

Yoti encourages companies to only ask for the information they actually need, for example, your age, or confirming you are over 18, rather than a full date of birth. If you choose to share your information with a third party using Yoti, those third parties may choose to use that information to communicate with you or they may share that information with others. Where you choose to share your information with a third party organisation, you should read the privacy notice of that organisation so that you can  understand how they manage and use your personal information.

7. Security and data location

We store your information securely in our UK data centres. In some cases we may need to transfer your data outside of the UK to be able to deliver our products. For example, we sometimes transfer data to our sister company Yoti India, for the purpose of conducting manual ID document checks. In this case we always take additional security measures to protect your data.

Security is a core business principle. Our products and services do different things, so the specific security details for each one are listed in the relevant product sections. We always keep personal information in secure locations with strict access controls. 

We continually test our systems to ensure that we are compliant and to ensure that we follow top industry standards for information security. Several times a year external audits are carried out on us to check that our security arrangements are compliant. These auditors follow internationally recognised standards for best practice in security, these are known as ISO  27001 and SOC2. 

The Product Privacy Notices have more information on where we keep data and the security measures relevant to that product.

Where we use other organisations to support our business we have contract terms in place that contain obligations on the other organisation to safeguard your information. Some of these organisations have their servers in other countries. We have contract terms with these third parties and measures in place to cover any transfers of personal information and use other legal measures such as adequacy decisions, the Data Privacy Framework and Standard Contractual Clauses.

8. Your rights and choices

You have rights under data protection law. These are rights such as, the right to find out what information we hold about you and the right to have access to this information. You can exercise your data privacy rights by contacting privacy@yoti.com or by using the contact us information below.

You have different rights with regard to your personal information. Some rights only apply in certain circumstances or to certain information. There are also exemptions from some rights in some circumstances.

Please click the link below to see information about all the rights. Each Product Privacy Notice sets out what rights apply for that particular product / service. If there is no rights and choices section, this information here applies.

For the purposes of the California Consumer Protection Act, we do not sell your data.

Access rights

You have the right to find out what information we hold about you and ask for copies of the information we hold about you.

You are entitled to know what personal information we hold about you and to receive a copy of it.

For our Digital ID app, you can access your personal data  by going into the app and using the export function in the app settings.

If you want to make an access request for other personal information Yoti may hold about you, please email: privacy@yoti.com.

For some of our products we are acting as processor and have no ability to access your data. In this case you will need to contact the organisation that asked you to complete the age or identity check to exercise your access rights.

In-house analytics

The information we collect is de-identified and aggregated, so it is not possible to search or get the information using your name or your phone’s identifiers (for example, the IMEI number which is like a serial number for your phone). We cannot provide you with this information as it is not linked to any of your identifying details.

Google Analytics information

We use Google Analytics for some products or websites. Google creates and shares with us an identifier (such as, 76c24efd-ec42-492a-92df-c62cfd4540a3). The information that we collect through Google Analytics is linked only to this identifier, and so it is not possible to search or get the information using your name or your device’s other identifiers (for example, the IMEI number which is like a serial number for your phone). We cannot provide you with this information as it is not linked to any of your identifying details. 

You can make an access request to Google here: https://support.google.com/policies/contact/sar

Correction rights

You have the right to ask us to make changes to your information if we have made a mistake.

You are entitled to correct personal information we hold about you that is inaccurate.

For most of our products and services you have the ability to correct or replace inaccurate personal information.

If you have contacted our Customer Support or had other contact with us and want to make a correction request, please email: privacy@yoti.com.

Deletion rights

You have the right to ask us to delete your information.

In certain circumstances you are entitled to ask us to delete the personal information we hold about you.

For some of our products and services you can delete your account or certain information from within the product / service.

If you have any other deletion request, please email: privacy@yoti.com.

Objection rights

  You have the right to change your mind about us holding your information.

In certain circumstances you are entitled to object to Yoti processing your personal information.

If you receive any marketing, there will always be an unsubscribe option.

If you want to contact us about your objection rights, please email: privacy@yoti.com.

Restriction rights

  You have the right to ask us to stop using any of your personal information.

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

  • you dispute the accuracy of your personal information; 
  • our processing is unlawful but you prefer restriction to deletion;  
  • we no longer need the information but you need it for legal reasons; or 
  • you have objected to our processing and we are still dealing with this objection.

If you want to contact us about your restriction rights, please email: privacy@yoti.com.

Portability rights

  You have the right to request your information to be used for another purpose across different services.

In certain circumstances you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

For some of our products and services you can download your personal information from within the product / service.

If you have contacted our Customer Support or had other contact with us and want to make a portability request, please email: privacy@yoti.com.

Complain to the ICO

As a UK company we are regulated by the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. You can complain to them here: https://ico.org.uk/global/contact-us/

Or you can complain to your local regulator:  https://globalprivacyassembly.org/participation-in-the-assembly/members-online/

9. Analytics

Analytics are looking at trends and/or breaking down things into smaller parts to analyse them in detail and make conclusions about the data. Yoti looks at trends and patterns in the app to inform our business decisions. We collect information about your device and your use of the app using our in-house and third-party analytics.
The information does not directly identify you; we de – identify and aggregate the information to make sure that it does not. We also combine information so that no analytics report is ever about you. You can choose not to allow some types of analytics.

We collect information about your device and your use of our products using in-house analytics and third-party tools. The information we collect is de-identified and aggregated so we can’t identify you personally. We use it to understand how our products are being used and to improve them. 

You can opt out of certain analytics in the Digital ID app and by changing browser settings for web-based products that use a cookie to implement the analytics. This section provides general information, please see the ‘Analytics’ sections of the Product Privacy Notices for more details on analytics used in specific products.

What are analytics and why do we use them?

Analytics means collecting and analysing information about activity on our website and in our app. None of our analytics provide information about you personally. The statistics we get from this data allow us to understand how people are using our products and websites, and things like what works and what doesn’t, how long it takes to complete critical tasks and where we have users. Unlike most other companies, we don’t build individual profiles of the people who use our products and services. We simply look for trends and patterns to inform business decisions.

All these statistics are essential to understanding how our products and websites are performing and identify where we need to focus our efforts to improve.

Your choices for analytics

You have some control over analytics information collected through settings available in your website browser and on your phone, as well as in the Digital ID app settings. You can access this by going to your Digital ID App > More > Account Settings > Analytics to make changes. 

Website

You can review and change your pixels and cookies  at any time by clicking on the ‘Cookie Settings’ link in the footer of our website and adjusting the toggles. Alternatively you can clear your cache or browsing history and  set your browser to refuse cookies and pixels.

You can also get more information from the Digital Advertising Alliance and change ad settings using their ‘Your Ad Choices’ tool here: http://www.aboutads.info/consumers 

Phone

Both Android and iOS phones have privacy settings to limit the collection of the Advertising ID.

Apple: https://support.apple.com/en-gb/HT202074 

Android: https://support.google.com/ads/answer/2662922?hl=en-GB

10. Contact us

There are many different ways to contact Yoti if you wish to exercise your privacy rights or make a complaint, the main ones are listed below. You can also contact us from within the Yoti Digital ID app.

Email: privacy@yoti.com; hello@yoti.com 

Website: https://www.yoti.com/contact