Welcome to our privacy centre.
Here you can find:
- General privacy information that applies across our whole business.
- A privacy notice for children and young adults.
- Product-specific privacy information, which covers the specific data collection and use for our different products and services.
We regularly update our policies to reflect new features and functionality, which you can find summarised in the ‘What’s New’ section.
We will also tell you when there’s a new version of the privacy information for the app when you update to the latest version in the app store.
Look out for these information boxes for a simple summary of each section.
Use the content section to navigate your way through to see how Yoti keeps your information safe. Our privacy information section will give you all the content you need about data privacy at Yoti.
You can read our privacy information for children and young adults here.
- We added a privacy notice for children and young adults.
- We made some changes to the general layout of our privacy information page to make navigation clearer.
- We also updated the wording in the definitions section, to make things clearer and to be in line with the ICO Children’s Code.
Previous version: 01/09/2021
1. What is this?
Our general privacy notice is here to explain to you how Yoti manages your personal data. This general section contains high-level information that applies across all our business. For privacy information on our specific products, please see below.
2. Product-specific privacy information
High-level privacy information that applies across all our business.
Last updated: 22/11/2021
How we handle your data when you use our eSignatures solution.
Last updated: 23/07/2020
Yoti Password Manager
How we handle your data when you use Yoti Password Manager.
Last updated: 14/01/2019
3. Key definitions
- Analytics: The careful study of something, by breaking it down into smaller pieces. Yoti looks at trends and patterns in the app to inform our business decisions. Yoti performs analytics on how users interact with the app using anonymous and aggregated data.
- Biometrics: A study of people’s unique physical and behavioural characteristics, which aims to identify or recognise people as a unique individual based on traits they have. At Yoti we use biometrics to create a Biometric Template of your face so that we can confirm it is really you.
- Cookies: A small file which asks permission to be placed on your computer. Cookies help us know who you are when you visit our website. Cookies do not contain any information that identifies you personally. This helps us to provide you with a good experience when you visit our website, and allows us to improve our website.
- Data Protection Officer: The person who is responsible for overseeing a company’s data protection implementation to ensure compliance with data privacy law.
- Encryption: This allows information to be hidden so that it cannot be read without special knowledge such as a key or a password.
- GDPR: The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the UK & European Union (EU). It protects people and lays down rules about how data about people can be used.
- ISO 27001 and SOC 2: These are information security controls and standards, designed against a set of defined tests that the organisation has to be assessed on.
- Third Parties: These are companies that we may have interactions with outside of Yoti. For example this could be other apps, software and partner companies. Where we say ‘third party’ this means anyone who is not you or us. This could be another person or an organisation.
4. Who we are
Yoti is a digital identity platform, which means Yoti allows its users to have their ID confirmed so that they have the ability to demonstrate their age to others without the need to carry a physical ID document. For example, you can show how old you are when you want to buy age related goods or would like to sign into an app, where age checks would need to be carried out. You are able to prove your age using our app.
- We are a digital identity platform and we design our software and services with privacy at their heart, guided by a set of principles.
- We are monitored by a Guardian Council who make sure that we always seek to do the right thing.
- We are certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment.
We are Yoti Ltd, Fountain House, 130 Fenchurch Street, London, EC3M 5DJ (company number 08998951), but you can call us ‘Yoti’. Our general email address is firstname.lastname@example.org.
We take your privacy very seriously. We design our software and services with privacy at their heart, guided by a set of principles which you can read here: https://www.yoti.com/ethical-framework.
We are monitored by a Guardian Council, who are respected and influential individuals who make sure that Yoti always seeks to do the right thing, and that we are transparent about what we are doing and why. Read more about them here: https://www.yoti.com/ethical-framework.
We are also certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment. Read more about it here: https://www.bcorporation.net/
5. Information collection and use
We collect different pieces of your information for different reasons. We explain why we collect this information below. This is our overall privacy notice where you can find out general privacy related information about Yoti. For each of our products, we have a product specific privacy notice. The product-specific privacy notices provide information for each product on personal information collection and use.
The lawful bases are what we rely on in order to have a valid reason to collect personal data; essentially, they are the reasons why we collect personal data. Below is a summary of all the lawful bases we rely on across our products. For product-specific lawful bases, please refer to our product-specific privacy notices.
EU data protection law requires an organisation to have a lawful basis for its personal information collection and use, and there are several lawful bases available. Our products and services are available globally, so in some cases our choice of EU lawful basis reflects the need to comply with different laws in different countries.
Performance of a contract
- When you set up and use our app and associated products and services, almost all the personal information collection and use is necessary to provide the app, product or service.
- If you provide us your contact details to ask us a question, request more information or contact our Customer Support, we use your details to reply and resolve any issues.
- In the UK we can also use a ‘preventing or detecting unlawful acts’ lawful basis for our use of biometrics that is for fraud prevention purposes.
- Some personal data collection and use is in our legitimate business interests. To use this lawful basis we assess both our interests and yours, to make sure that what we’re doing does not cause any unjustified privacy intrusion.
- Identity checks: where we check your details with a third party to make sure only verified identities can get a Yoti.
- Fraud reporting: some fraud prevention bodies we work with require us to report identity fraud we discover.
- Research and Development: we use non-sensitive data to continually improve and test our fraud prevention measures.
- Analytics: we de-identify and aggregate the metrics information we get from users to understand how our website and app are performing, to identify bugs and to identify where we need to focus our efforts to improve.
- Marketing campaign records: we keep information so we know who was sent what marketing information and when.
- Invoice and billing: for corporate customers.
- If you have provided us your contact details to hear about Yoti, its products and services and you no longer want to hear from us, we are obliged by law to stop contacting you. To meet this legal obligation we will add your details to a suppression list so you no longer hear from us.
- If you are a corporate customer, we are obliged to carry out some due diligence.
We provide retention information in the product-specific privacy notices.
In most cases, the information you add to your account or provide as part of using a product or service remains until you delete the account.
If you volunteer for user testing, we will keep the related information for six months.
6. Information sharing
You are able to share your information with third parties using the app and Yoti can also share your information where we suspect or find fraudulent activity. Yoti will never sell your information.
As a Yoti user, you choose if you want to use Yoti to share your information with other individuals or with companies. As an organisation using Yoti for age or identity verification, you choose what information to request from individuals.
Where Yoti has access to your information, we may share it in specific circumstances, such as:
- suspected or confirmed identity fraud or other offences;
- valid and legally binding requests for information from third parties;
- to verify your details.
We do not sell your information.
This section describes the kind of circumstances where we may have to share personal information. The product-specific sections will set out what, if any, information sharing may take place for that product / service.
When Yoti shares your personal information
Yoti’s core principles are that it is not our business model to sell, transfer or share outside the company any of the personal information used to set up your account or your user activity information.
However there are some situations where we will share or will have to share some information, and we list these below:
If we suspect identity fraud, a national security threat, legal infringement or a criminal offence
- We may have to share a copy of your information with the appropriate authorities.
If you provide false or inaccurate information
- If, after investigation, we determine that there has been fraud that meets the criteria for reporting, we will pass the details to relevant crime and fraud prevention agencies to prevent further fraud and money laundering.
- One of these agencies is Cifas. Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn
- You can get more information about our approach to fraud and misuse by emailing email@example.com.
If we get a request for information from law enforcement or other official authority
- Where your personal information is encrypted in our database, and we do not have the decryption key, we cannot provide any information.
- For information that we do have access to, we have an internal policy and process to make sure that we only disclose personal information where:
- the request is valid;
- the information requested is no more than necessary;
- we can disclose it compliantly; and
- we may have a legal obligation to share the information (if we receive a court or similar legal order, we must disclose this) and we think it’s the right thing to do.
To verify your details:
- For some of our products and services we check certain details, including against a third party, as part of verifying identity and carrying out due diligence.
- The product-specific sections will set out when and how this happens.
To verify details on behalf of other companies
- Some of our products and services may include the option to request an identity check against credit reference agency or other fraud prevention data.
- In these circumstances Yoti simply sends the relevant details to the credit reference agency or fraud prevention database on behalf of the company, and sends the response back to the company.
- The product-specific sections will set out when and how this happens.
We may use the services of other businesses to help us in certain areas, for example, for data storage, online payment providers and identity providers who we use to help with identity verification:
- Because of how we have designed the system, in most situations we won’t need to share your information with third parties.
- If we do, we will encrypt your data and / or it will be properly protected by the terms of our contract with these third parties.
If Yoti sells its assets
- Yoti will only agree to the sale if the new business commits to the core Yoti principles of data privacy.
- While we are negotiating with the company buying or combining Yoti with their own business, they won’t be able to access your encrypted personal information at all but Yoti may provide anonymised statistical information.
When you share your personal information
You alone will decide when you want to use a Yoti product or service to identify yourself to a third party, or to send and request information. You choose whether to agree or not to share the information that a third party requests from you.
7. Security and data location
We store your information securely in our UK data centres. Your personal information does not leave the UK unless you approve a share with a third party who could be based outside of the UK. For example, where you would like to share your ID to prove your age with a company based in Spain, your data would be sent electronically from our data centre to the receiving organisation’s data centre based in Europe.
Security is a core business principle. Our products and services do different things, so the specific security details for each one are listed in the relevant product sections. We always keep personal information in secure locations with strict access controls.
We continually test our systems to ensure that we are compliant and to ensure that we follow top industry standards for information security. Several times a year external audits are carried out on us to check that our security arrangements are compliant. These auditors follow internationally recognised standards for best practice in security, known as ISO 27001 and SOC 2.
The product-specific privacy notices have more information on where we keep data and the security measures relevant to that product.
Where we use other organisations to support our business we have contract terms in place that contain obligations on the other organisation to safeguard your information. Some of these organisations have their servers in other countries. We have contract terms with these third parties and measures in place to cover any transfers of personal information. The measures used are EU-approved model contract clauses, Privacy Shield for some US companies, and some have Binding Corporate Rules. We are currently looking into suppliers who use Privacy Shield to move to an alternative, given the recent CJEU decision that invalidated Privacy Shield.
In future we may send your personal information to countries outside the UK. If those countries are in the European Union, Switzerland, Iceland, Liechtenstein and Norway, or countries with an EU adequacy decision, there are equivalent laws on handling personal information and so your information is protected in the same way as it is in the UK.
If we send your personal information to any other countries (for example, we may in the future have other databases and servers in other countries), some of these countries may not have equivalent laws on handling personal information. However, we will make sure that your personal information is properly protected.
In some countries, for legal or practical reasons, Yoti may have to store personal information in that country.
If we decide or are obliged to send or store your personal information in another country, we will update the relevant product privacy notice to describe the protections we have put in place.
8. Your rights and choices
You have many rights given to you under data privacy law. These include rights such as the right to find out what information we hold about you and the right to have access to this. You can exercise your data privacy rights by contacting our data protection officer directly by email firstname.lastname@example.org and using the contact us information below.
You have several different rights with regard to your personal information. Some rights only apply in certain circumstances or to certain information. There are also exemptions from some rights in some circumstances.
Please click the link below to see information about all the rights. Each product-specific privacy notice sets out what rights apply for that particular product / service. If there is no rights and choices section, this information here applies.
For the purposes of the California Consumer Protection Act, we do not sell your data.
Please send any rights requests to: email@example.com
You have the right to find out what information we hold about you and ask for copies of the information we hold about you.
For most of our products and services, you provide your personal information and can access it by going into the product / service.
If you want to make an access request for personal information not contained in a product / service you are using, please email: firstname.lastname@example.org.
With regard to the cookies and analytics we use, this information is collected and stored automatically through in-house and third-party tools, as set out in the sections on cookies and analytics. The product-specific sections will set out if there is any analytics information that is linked to any of your personal information.
The information we collect is de-identified and aggregated, so it is not possible to search or get the information using your name or your phone’s identifiers (for example, the IMEI number which is like a serial number for your phone). We cannot provide you with this information as it is not linked to any of your identifying details.
Google Analytics information
We use Google Analytics for some products or websites. Google creates and shares with us an identifier (such as, 76c24efd-ec42-492a-92df-c62cfd4540a3). The information that we collect through Google Analytics is linked only to this identifier, and so it is not possible to search or get the information using your name or your device’s other identifiers (for example, the IMEI number which is like a serial number for your phone). We cannot provide you with this information as it is not linked to any of your identifying details.
You can make an access request to Google here: https://support.google.com/policies/contact/sar
You have the right to ask us to make changes to your information if we have made a mistake.
You are entitled to correct personal information we hold about you that is inaccurate.
For most of our products and services you have the ability to correct or replace inaccurate personal information.
If you have contacted our Customer Support or had other contact with us and want to make a correction request, please email: email@example.com.
You have the right to ask us to delete your information.
In certain circumstances you are entitled to ask us to delete the personal information we hold about you.
For some of our products and services you can delete your account or certain information from within the product / service.
If you have any other deletion request, please email: firstname.lastname@example.org.
You have the right to change your mind about us holding your information.
In certain circumstances you are entitled to object to Yoti processing your personal information.
If you receive any marketing, there will always be an unsubscribe option.
If you want to contact us about your objection rights, please email: email@example.com.
You have the right to ask us to stop using any of your personal information.
In certain circumstances you are entitled to ask us to restrict our processing of your personal information.
You can ask us to do this if:
- you dispute the accuracy of your personal information;
- our processing is unlawful but you prefer restriction to deletion;
- we no longer need the information but you need it for legal reasons; or
- you have objected to our processing and we are still dealing with this objection.
If you want to contact us about your restriction rights, please email: firstname.lastname@example.org.
You have the right to request your information to be used for another purpose across different services.
In certain circumstances you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
For some of our products and services you can download your personal information from within the product / service.
If you have contacted our Customer Support or had other contact with us and want to make a portability request, please email: email@example.com.
Complain to the ICO
As a UK company we are regulated by the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. You can complain to them here: https://ico.org.uk/global/contact-us/
Or you can complain to your local regulator: https://globalprivacyassembly.org/participation-in-the-assembly/members-online/
What’s a cookie?
It’s an online technology to collect information about you and to store your online preferences. Cookies are small pieces of information sent by a web server to a web browser which allows the server to uniquely identify the browser on each page.
Types of cookie
These expire when you close your browser and do not remain on your computer.
These are stored on your computer until they expire or you delete them from your cache. They are normally used to make sure the site remembers your preferences.
Categories of cookies
Strictly necessary cookies
These cookies are essential for you to move around our website and Dashboard and use their features. Without these cookies we cannot provide services you have asked for, such as access to secure areas.
These cookies collect anonymous information on how people use our Dashboard and website.
These cookies remember choices you make, such as your last action, language and search preferences. We can use these to provide you with a better experience based on your preferences. The information from these cookies is anonymous and they cannot track your browsing activity on other websites.
Our web-based products use a cookie to implement our in-house analytics for actions you take on your device when using the product. These analytics report at aggregate not individual user level and we use the information to understand how our products are being used and to improve them, as set out in the ‘Analytics’ section.
How do I delete cookies?
Go to the help and support area on your internet browser for instructions.
Information on deleting or controlling cookies is also available at www.allaboutcookies.org
If you delete or disable our cookies you may not be able to access certain areas or features of our site.
Analytics means looking at trends and/or breaking things down into smaller parts to analyse them in detail and draw conclusions about the data. Yoti looks at trends and patterns in the app to inform our business decisions. We collect information about your device and your use of the app using our in-house and third-party analytics.
The information does not directly identify you; we de-identify and aggregate the information to make sure that it does not. We also combine information so that no analytics report is ever about you. You can choose not to allow some types of analytics.
We collect information about your device and your use of our products using in-house analytics and third-party tools. The information we collect is de-identified and aggregated so we can’t identify you personally. We use it to understand how our products are being used and to improve them.
You can opt out of certain analytics in the app and by changing browser settings for web-based products that use a cookie to implement the analytics. This section provides general information, please see the ‘Analytics’ sections of the product-specific information for more details on analytics used in specific products.
What are analytics and why do we use them?
Analytics means collecting and analysing information about activity on our website and in our app. None of our analytics provide information about you personally. The statistics we get from this data allow us to understand how people are using our products and websites, and things like what works and what doesn’t, how long it takes to complete critical tasks and where we have users. Unlike most other companies, we don’t build individual profiles of the people who use our products and services. We simply look for trends and patterns to inform business decisions.
All these statistics are essential to understanding how our products and websites are performing and identify where we need to focus our efforts to improve.
Your choices for analytics
You have some control over analytics information collected through settings available in your website browser and on your phone, as well as in the Yoti app settings. You can access this by going to your Yoti App > More > Account Settings > Analytics to make changes.
You can also get more information from the Digital Advertising Alliance and change ad settings using their ‘Your Ad Choices’ tool here: http://www.aboutads.info/consumers
Both Android and iOS phones have privacy settings to limit the collection of the Advertising ID.
You can opt out of certain analytics through the app settings. You can access this by going to your Yoti App > More > Account Settings > Analytics to make changes.
11. Contact us
There are many different ways to contact Yoti if you wish to exercise your privacy rights or make a complaint; the main ones are listed below. Please also see the ‘Yoti websites and social media’ section for other ways to contact us and our information collection and use practices when you do so. You can also contact us from the Yoti app and there is more information on that in the ‘Yoti app’ privacy notice.
12. Past versions
We changed how we present our privacy information in January 2019 to distinguish between general information and product-specific information. You can find previous versions of the entire privacy information at the link below, as well as previous versions of this general section if it has been updated.
Past versions of general section
Privacy information (2016-2018)
- Privacy and Cookies Policy v2.6 – Nov 2018
- Privacy and Cookies Policy v2.5 – Sep 2018
- Privacy and Cookies Policy v2.4 – Aug 2018
- Privacy and Cookies Policy v2.3 – May 2018
- Privacy and Cookies Policy v2.2 – April 2018
- Privacy and Cookies Policy v2.1 – Feb 2018
- Privacy and Cookies Policy v2.0 – Nov 2017
- Privacy and Cookies Policy v1.5 – Oct 2017
- Privacy and Cookies Policy v1.4 – Jun 2017
- Privacy and Cookies Policy v1.3 – Jan 2017
- Privacy and Cookies Policy v1.2 – Dec 2016
- Privacy and Cookies Policy v1.1 – Nov 2016
- Privacy and Cookies Policy v1.0 – Oct 2016