Yoti Age Verification Service – Privacy Notice

Yoti AVS has been designed to give you a quick, privacy-friendly way to prove your age online. The process works as follows:

1. You prove your age using your preferred age-checking method based on the age check method(s) chosen by the Yoti Client.
2. Yoti performs the age check on behalf of the Yoti Client using the preferred method (see detail of methods below) and deletes your personal information.
3. The Yoti Client receives either an ‘over’ or ‘under’ result or your age in years.

No directly identifiable personal information is shared back with the Yoti Client – they only receive the result of the age check.

AVS has various different methods that can be used to check age: 

1. Facial Age Estimation
2. Identity Document Verification (IDV)
3. Digital ID app (DID)
4. Credit card Check
5. Mobile Provider Check
6. Database Check
7. eID Check
8. US Mobile Driving licence (mDL)
9. Email Address Check
10. Partner Age Check
11. Reusable Age Checks
    1. Age Token
    2. Yoti Keys

The Yoti Client decides which of the above age-checking methods it wants to use and whether they want to receive your age in years or if you are ‘over’ or ‘under’ their specific age requirement. 

Depending on the age-checking method, the Yoti Client may also choose to enhance the security of the check and use your information to:

• check the document you add is genuine
• check you’re a real live person
• check for fraud

This check uses your selfie to analyse and estimate your age. You’ll be asked to take a selfie using the camera on your device. This captures facial image(s) which will be analysed by our age estimation technology to estimate whether you are over or under the required age. 

If requested by the Yoti Client, we will also analyse the image with liveness detection technology to ensure it is of a real person and not a 2D image, mask, or bot.

Yoti deletes the selfie image as soon as an age estimate is given – no facial images are shared with the Yoti Client or any other third party.

This check uses your ID document to determine your age. You’ll be asked to scan your ID document using the camera on your device. We extract the information from your ID document and calculate if you are over the Yoti Client’s age requirement using your date of birth.

If the Yoti Client wants extra security for their check, Yoti will ask you to take a selfie using the camera on your device. This is to make sure the ID document belongs to you and is how we stop fraudsters from impersonating you. Multiple images will be captured, and the clearest image will be compared to the photo on your ID document using face matching technology.

Yoti deletes the document images, ID document data and selfie as soon as an age is given – no data is shared with the Yoti Client or any other third party.

This check uses a DID app to determine your age.  You’ll be asked to scan a QR code with your app to share your date of birth as found in your ID document OR an estimated age from facial age estimation in the app. Prior to this, in order to use your ID document age from the app you’ll need to complete a one-time verification process with the app by uploading your ID document and a selfie.

Once you complete the share of your age attribute with the Client, you will have a share receipt in your app showing what you shared with Yoti AVS, and when. Yoti also has a share receipt that only contains a date and timestamp, and that a date of birth attribute was provided to the Yoti Client but Yoti doesn’t store the date of birth itself. We store this encrypted receipt securely in our UK data centre.

For more information on the DID app see the Privacy Notice: https://www.yoti.com/privacy/app/

This check uses your credit card details to infer your age. You’ll be asked to enter your credit card details and postcode with a payment provider (Stripe) and place a temporary £0.30 hold on your card. This is to verify that your card is current and valid. We use this to determine that you are over 18 and remove the £0.30 hold on your card once the age check is complete.

You will not be charged to verify your age. We never store or share your credit card details with anyone other than the payment provider.

This check uses your mobile number to infer your age. You’ll be asked to enter your name, date of birth, mobile number and address. Alternatively the Yoti Client may provide us with your details.  We send these details to one of our mobile checking providers. Depending on the Yoti Client configuration you will receive an SMS with a verification code that you will need to enter. This is to confirm you are in possession of the phone. The third party provider then confirms that the details entered match the details of the mobile phone provider account.

We never store or share your details with anyone other than the third party providers. Yoti deletes your data immediately following the check. The third party provider may retain a record of Yoti’s request for up to 2 years.

This check uses credit reference agency providers to verify your age. You’ll be asked to enter your name, address, DOB and social security number (depending on what the Yoti Client chooses) which will be shared with a third-party provider.

We never store or share your details with anyone other than the third party providers.

This check uses the eID schemes to verify your age. You’ll be asked to prove your age using one of the following eID schemes:

• Bank ID (Sweden)
• MitID (Denmark)
• Finnish Trust network (Finland)

Once you have chosen the eID scheme that you want to use, you will need to log in and share your details through our eID provider (Signicat AB).  We will receive your identity information such as name, date of birth and national ID number and use this to confirm your age. We never store or share your details with anyone other than the provider.

You’ll be asked to prove your age using one of the following US mobile driving licences:

• LA Wallet (Louisiana)

Once you have chosen the mDL scheme that you want to use, you will need to log in and share your details.  We will receive confirmation that you meet the age threshold defined by the Yoti Client.

This check uses your email address to infer your age. 

We check things such as the age of the email address i.e. how long it has been in use, whether it is attached to a recognised employer ot educational institution and spending patterns associated with the email address.

For US checks, we may share your email address with a third-party provider (Versium) that checks marketing and other databases for which advertising segments your email address is linked to and these are cumulatively used to estimate age. Such advertising segments may include ‘Home Own or Rent’, ‘Credit Card Holder Bank’, ‘Refinance Loan Type’, ‘Household Income’, ‘Number of Credit Lines’, etc.

For global checks, we also share with a different third-party provider (Equifax) that checks your email address against various fraud insight databases in order to infer that you are over a cartain age.

This check involves proving your age using your identity document via a third party identity verification provider. Under certain laws this is also known as a ‘Partner Anonymous Age Check’.

You will be redirected to a third party identity verification provider (or partner) and asked to scan your ID document using the camera on your device. The partner will extract the information from the ID document and calculate if you are over the Client’s age requirement using your date of birth. That information will be passed to Yoti and then sent to the Client.

For this check, Yoti never sees your ID document, only the results of the check and the third party identity verification partner will not know what service you are seeking to access and will never store or share the information used for the age check for any purpose other than to complete the check.

To reduce the number of times you need to verify your age online, we have developed a system of age tokens. These are optional so not all Yoti Clients will use them. Below, we explain how they work and where you would interact with them.

Age Tokens act as digital proof of an age check and allow you to reuse the result of an age check for as long as the Yoti Client allows.

An age token is created when you prove your age with Yoti and contains the result of the check plus information on how and when it was performed. Age tokens do not contain any directly identifiable personal information, they do not track you and do not know where you have been or where you have come from. Age tokens are stored in your browser like a cookie and are time limited. You can delete an age token by clearing your cache.

If you go to a website that’s using age tokens, you will click a button to verify your age. If you have an age token in your browser and that token meets the requirements set by the website, Yoti will return a result to confirm your browser has previously been verified and you’ll be given access to the website for as long as the token is valid.

If you don’t have an Age Token that meets the requirements, you’ll be asked to prove your age via the standard process.

You can store your Age Tokens using a passkey on your device using Yoti Keys. This allows you to access the Yoti Client’s platform that accepts Yoti Keys on another browser or device, without having to prove your age again.

You will only be able to create your Yoti Key if the specific Yoti Client is using Yoti keys as an age check method. Once you prove your age via one of the other age checking methods, you will be given the option to create a Yoti Key. If you go to a website that accepts Yoti Keys, you will see this as an option to verify your age. Yoti will check to see if there are any Age Tokens on your device or linked to the Yoti Key that meet the criteria defined by the Client, for example if you have proved your age successfully with facial age estimation according to the Client threshold. If so, Yoti returns a result to the Yoti Client to confirm you have previously been verified and your Age Token meets those criteria. 

If you don’t have any Age Tokens that meet the criteria, you will be asked to verify your age using one of the other available methods. When successful, a new Age Token will be created and stored in on your device. You can delete your Yoti Keys at any time on your device.

Yoti acts as the controller for the creation and ongoing storage of Yoti keys. You can read more about how your data is processed for Yoti Keys here: https://www.yoti.com/privacy/keys/

For most age-checking methods, the data is deleted as soon as the check is complete. In some cases, the Yoti Client will configure a manual review of an ID document age check in which case Yoti will process your data for 28 days.

The results of the age checks (see below for what these results contain) are stored by Yoti on behalf of the Client for 6 months unless deleted sooner by the Client. Yoti Clients may store the results of the checks for longer.

Where Yoti is under a legal or statutory obligation to retain your data, for example, due to a valid request from law enforcement, we will keep your data for longer.

Yoti shares the results of the age checks with the Yoti Client that has requested for you to complete an age check. These results include (depending on the Client’s configuration):

• If you are ‘over’ or ‘under’ the Client’s age requirement
• Your age in years

We also share information with:

• Third party providers (including Yoti affiliates) that assist Yoti with the conducting of the age checks (see full list below). Third parties do not know which Yoti Client requested an age verification.
• Law enforcement agencies, regulatory bodies or other legal authorities that have submitted a lawful request for data and which we have a legal obligation to provide

Third Party Providers

Identity Document Verification (IDV)

• Yoti India: We temporarily share your ID document and selfie with our India subsidiary to conduct manual fallback checks for ID document authentication and face match (if a manual check is requested by the Yoti Client).
• FRS Labs:  We share Indian ID documents with FRS Labs to conduct authentication checks.

Database Checks

• Experian: For UK checks, we share your name, address and DOB with Experian to check for a match against their database. Experian acts as an independent controller of their own database. See: https://www.experian.co.uk/consumer/privacy.html.
• Veratad: For US checks, we share your name, address, DOB and social security number (depending on what the Yoti client chooses) with Veratad to check against their database to determine if there is a match. For more info see: https://veratad.com/privacy-policy. 
• Aristotle: For rest of world checks, we share your name, address, DOB and social security number (depending on what the Yoti Client chooses) with Aristotle to check your data against their existing records to determine if there is a match. For more info see: https://integrity.aristotle.com/privacy-policy/.

E-ID Checks

• Signicat AB: We use Signicat AB to authenticate individuals via National Digital IDs. See their privacy notice here for more details on what data they collect from you: https://www.signicat.com/about/privacy-statement-assure. For MitID, see here: https://www.signicat.com/about/signicat-mitid-privacy-statement. For Finnish Trust Network, see here: https://www.signicat.com/about/identification-principles-ftn.

Credit Card Check

• Stripe: We use Stripe to collect your credit card details and postcode and ask Stripe to confirm whether you have a valid credit card. See: https://stripe.com/gb/privacy.

Mobile Provider Check

• Telesign: We share your name, DOB, mobile number and address with Telesign to confirm the data matches details from mobile network operators or other records. For more info see: https://www.telesign.com/privacy-notice. 
• TMT Verify: We share your name, DOB, mobile number and address with TMT Verify to confirm the data you provide us matches details from mobile network operators or other records. TMT acts as an independent controller of the mobile phone number – they also retain the encrypted mobile number following the check as a billing record. For more info see: https://tmtid.com/privacy-policy/
• Esendex: We share your mobile number with Esendex for you to receive an OTP SMS verification. For more info see: https://www.esendex.co.uk/privacy-policy/.
• Twilio: We share your mobile number with Twilio to provide OTP SMS verification. Twilio acts as an independent controller of the mobile phone number for OTP and may retain data for longer, see https://www.twilio.com/en-us/legal/privacy

Email Address Checks

• Versium: For US checks, we share your email address with Versium to check against relevant databases if there is a match. For more info see here: https://versium.com/privacy-policy.
• Equifax: For global checks, we also share your email address with Equifax to check against relevant databases if there is a match. Equifax, acts as an independent controller of the email address and re-uses pseudonymised data to enrich their consumer insights and other fraud identity products i.e. consumer identity graph/linking and fraud/insights features. For more info see here: https://www.equifax.com/privacy/.

Storage

• Amazon Web Services EMEA SARL: Yoti processes and/or stores data and results of checks (as applicable) with AWS.

Checks and results of checks are processed on Yoti servers in Yoti Tier 3 data centre(s) within the UK or in a US, EU, UK AWS region. 

Third-party providers may process data in different locations. Where this processing involves a cross-border transfer of data, Yoti ensures there are appropriate technical and organisational measures in place to protect the data, and that such transfers are made in accordance with legal requirements.