Yoti Business Users Privacy Notice

Yoti collects and processes personal information in the course of our business activities with you for the following products:

1. Hub
2. Yoti ID Checker
3. Credentials Portal
4. IDV Portal
5. Verified Video Calls
6. Yoti Sign
7. Community Management
8. IAM

Yoti Hub is a tool that enables organisations to create their Yoti organisational accounts, onboard and verify themselves, manage users, and configure the Yoti products and services they wish to utilise. It also allows account administrators to control billing and contact information. Organisations can access Yoti Hub here: https://hub.yoti.com/iam/login. 

Services you can setup on Hub include:

• IDV No code/portal
• IDV integration
• Digital ID No code – Pages
• Digital ID Integration
• Age verification
• Age estimation

We also have some FAQs on Yoti Hub here: https://yoti.force.com/yotisupport/s/topic/0TO4L0000001J6yWAE/yoti-hub-for-businesses

We hold Hub account data only for as long as an individual remains a Hub user or member. Individuals can contact their admins if they wish to be removed as members on Hub. 

We may in some instances keep data for longer where we have a legal reason to keep it for a longer period of time e.g. for billing purposes.

Yoti will carry out due diligence which may involve checking organisational information you provide against third parties. Yoti uses an internal KYB agent that utilises automated decision-making during the verification process. Yoti manually checks any organisations that may be rejected. Should you dispute the results of our verification process, you can contact us at hello@yoti.com.

Understanding how people use Hub is essential. We need to know what’s working and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which features are most popular. The specific analytics we collect in Hub are set out in the cookie management tool on the website.

We collect information about your device and your use of Yoti Hub using third-party analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use Hub. We simply look for trends and patterns to inform business decisions. See the following for more details:

Google Analytics provides us with statistics on things like:

• numbers of users;
• browser version;
• device make, model and operating system.

This information helps us prioritise and de-prioritise bug fixes for specific browsers and versions.

Yoti ID Checker is a solution that enables relying businesses to verify an individuals’ digital Proof of Age (PoA). ID Checker is available as a native app (iOS & Android) or web app. Businesses and their employees will be able to create an account, log in and then scan an individual’s QR code and verify whether they are of the appropriate age. Once logged in, businesses will be able to see a log of historic transactions that have been performed and whether they were successful or not. 

We hold ID Checker account data only for as long as an individual user holds an account. Accounts can be deleted at any time.

We may in some instances keep your data for longer where we have a legal reason to keep your data for a longer period of time e.g. for billing purposes. Under these circumstances you would not be able to exercise your right to erasure.

Credentials Portal is a self-serve platform that enables organisations to issue digital credentials (ID cards, memberships, etc.) to individual Yoti Digital ID app accounts. This means, for example, an individual can have their ID card details issued by their employer visible on their Yoti and shareable if their employer requests it or shareable on a peer to peer level via QR code.

We hold account data only for as long as an individual user holds an account. Individual user accounts can be deleted at any time by an account Admin.

We may in some instances keep your data for longer where we have a legal reason to keep your data for a longer period of time e.g. for billing purposes. Under these circumstances you would not be able to exercise your right to erasure.

The IDV Portal is a no-code portal that enables organisations to use Yoti’s Identity Verification service without any technical integration. Individual business users can create an account and use this to create and send identity verification sessions or to view results of identity or age sessions.

We hold account data only for as long as an individual user holds an account. Individual users can be deleted from the portal at any time by admins. Individuals can contact their admins if they wish to be removed as users on IDV Portal.

Yoti Verified Calls is a way for you to verify individuals’ identity in a virtual meeting (at your request as the meeting host). You can integrate Yoti Verified Video Calls (VVC) with platforms such as Zoom, Microsoft Teams and Google Meet.

For more information about the information processed about individuals using VVC see our product privacy notice here: https://www.yoti.com/privacy/verified-calls/.

We hold VVC account data only for as long as an individual user holds an account. Individual user accounts can be deleted at any time by Admins. Individuals can contact their admins if they wish to be removed as users.

Yoti Sign is Yoti’s solution to document signing. It allows you to electronically send and sign documents. 

We have some FAQs on Yoti Sign here: https://support.yoti.com/yotisupportsite/category?type=Businesses&product=eSignatures  and we also have a dedicated Yoti Sign web page here: https://www.yotisign.com.

You should contact your account admin to request deletion of your account if required. The organisation account admin can also contact us to delete their Yoti Sign account. However before contemplating account deletion you should export your executed documents and should not rely on Yoti continuing to store documents for you. See our Yoti Sign T&Cs for more information.

Understanding how people use Yoti Sign is essential. We need to know what’s working and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house and third-party analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. We don’t build individual profiles of the people who use Yoti Sign. We simply look for trends and patterns to inform business decisions.

Using our in-house software and using Google Analytics, we collect some information from users and some information on when certain things happen as you use Yoti Sign. This information includes information about your phone, such as make and model, operating system, app version and screen size information. 

Examples of information created when you take actions on your device.

• Clicking buttons or links
• Viewing documents
• Uploading documents
• Error messages when things don’t work

We use a cookie to implement these analytics so you can opt out by changing your browser settings to refuse cookies.

The information from our in-house analytics and Google Analytics provides us with statistics on things like:

• how many users we have in total and for each price plan;
• the numbers of documents uploaded, sent and signed in a given time period;
• how many users sign documents with email only and how many use Yoti;
• aggregate types and numbers of data fields and attributes used;
• aggregate time taken at each stage and where users drop out of the process;
• whether we have a lot of unsigned documents across the product or only a few senders with lots of unsigned documents;
• aggregate numbers of emails delivered and opened;
• percentage of users who sign after a first reminder, a second reminder and so on;
• what advertising campaigns people clicked through from to get to our website.

Yoti’s Community Management Tool ( the “CM Tool”) is a product that facilitates the process of analysing user-generated content by users of online platforms to help Yoti clients (i.e. platform owners) assess whether that content meets their internal content policies or standards or whether the content is appropriate for a given context. The precise content and the analysis of such content may trigger subsequent action to be taken by the clients, such as removal of the content or application of a content warning.

We hold account data only for as long as an individual maintains an account. Individuals have the ability to delete individual user accounts from the “My Account” section.

It is essential for us to understand how people are using the CM Tool. We need to know what’s working and what isn’t, so we can improve on user experience. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect the following information from you for analytics:

• Usage Data – IP address, browser type, device information, login activity, and pages viewed.
• Cookies – Session identifiers and authentication cookies required to make the CM Tool function as it should. The cookies we currently use are:
  • cookie_banner_dismissed – This records if the user has already provided information about their cookie choices and chosen to no longer see the cookie banner.
  • trust-and-safety-store – This holds information about the entity the currently logged in user is operating under. E.g. which company and what permissions the user has when performing actions on behalf of the entity.

Yoti’s Identity & Access Management (IAM) layer is an integration that manages authentication and verifies that you are the right user logging into a Yoti product that integrates with IAM. The Yoti products that currently integrate with IAM are:

• Hub
• IDV Portal
• Credentials Portal
• Verified Video Calls
• Web Account
• Digital ID Connect

We hold account data only for as long as an individual user holds an account in the respective Yoti product that integrates with IAM.

Yoti processes your personal information for marketing purposes when you are a prospect and as an existing client.

We use various third party providers to help us with our marketing and business development activities. These include:

• Hubspot: We use Hubspot to collect and manage client/prospect contact details and send emails. You can view Hubspot’s Privacy Notice here: https://legal.hubspot.com/privacy-policy 
• Apollo: We also use Apollo, a third-party B2B sales intelligence platform, to identify and connect with relevant business professionals who may have an interest in our services. You can view Apollo’s Privacy Notice here for more information on how they process your personal information: https://www.apollo.io/privacy-policy 
• Google: We use Google for various purposes, including to help us understand how individuals are interacting with our advertisements and our site. For example, when a business user submits a form on our website, we may use Google’s advertising features (such as conversion tracking or enhanced conversions) to better understand which advertisements led to that interaction. This may involve sharing limited personal data (such as an email address), which is hashed before being transmitted to Google. Google uses this information to provide aggregated insights and reporting on advertising performance. You can view Google’s Privacy Notice here: https://policies.google.com/privacy?hl=en-GB  
• Salesforce: We use Salesforce for client and prospect relationship management, including storing and responding to prospect and customer support queries. You can view the Salesforce Privacy Notice here: https://www.salesforce.com/company/legal/privacy/
• Fireflies AI tool: We use Fireflies to record and transcribe meetings with prospects and clients. You can view the Fireflies Privacy notice here: https://fireflies.ai/privacy-policy

We retain inactive contact details in our marketing database, Hubspot, for 36 months. If you opt out of marketing, Yoti will add your email to a ‘do not contact’ list on Hubspot which is retained indefinitely to ensure we do not contact you again.

Business contacts that do not go on to become Yoti clients are deleted from Salesforce after 6 months. Yoti deletes your business contact information from Salesforce after 1 year following the end of an existing contract.

Information from any complaints or queries you may have lodged with Yoti is deleted from Salesforce after 6 months.

We use a third-party payment provider, Stripe, for invoicing and billing. We provide relevant organisation and individual billing contact details, transaction and pricing information to Stripe for your account so they can correctly invoice you. We store this information for the duration of the contract and delete this after 8 years to fulfill our legal obligations.

Where you have the opportunity to provide card details directly within Hub, we do not store these and they are sent directly to Stripe.

Under data protection laws we need to have a reason or lawful basis for using your personal information. These reasons or lawful bases are as follows:

• Performance of a contract: To provide you with an account and login for us to deliver a product or service to you.
• Legitimate Interests: To improve, secure, and maintain our products and services while ensuring a positive user experience, to perform KYB where required and to send B2B marketing. We only rely on legitimate interest when we are using your data in a way that you might expect, where it is in our interest and where this use doesn’t outweigh your right to privacy.
• Consent: Where required, for optional features such as our newsletter.

Where you have an account with us, we process and keep all the account data securely encrypted on Yoti servers within the UK. Our marketing data is stored with our third party database providers Hubspot and Salesforce. 

We always ensure any transfers of data follow the relevant legal requirements, such as entering into standard contractual clauses (SCCs) and completing transfer impact assessments to ensure that any data transferred is protected to an adequate standard. 

We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001, ISO9001 and ISO27701 certification. You can see more about Yoti’s technical and organisational measures at https://www.yoti.com/security/.

Individuals are entitled to data protection rights which are listed below:

• Right of Access: You are entitled to know what personal information we hold about you and to receive a copy of it. 
• Right to Correction: You are entitled to correct personal information we hold about you that is inaccurate.
• Right to Deletion: You are entitled to ask us to delete the personal information we hold about you. 
• Right to Objection: In certain circumstances you are entitled to object to Yoti processing your personal information including unsubscribing to our marketing communications.
• Right to Restriction: In certain circumstances you are entitled to ask us to restrict our processing of your personal information. 
• Right to Portability: In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

If you want to ask us any questions about any of your rights, please email privacy@yoti.com. 

If you have a complaint about Yoti’s products or how Yoti processes data you can contact us at help@yoti.com and you can read more about our process for handling complaints here.

As a UK company we are regulated by the Information Commissioner (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. You can submit a complaint here: https://ico.org.uk/global/contact-us/. 

If you are not in the UK, you can complain to your local regulator: https://globalprivacyassembly.com/participation-in-the-assembly/members-online/. 

If you have any questions about Yoti or what is included in this privacy notice, you can contact Yoti using the below:

• Email us at: privacy@yoti.com 
• Visit our Individual Rights Portal at: https://support.yoti.com/yotisupportsite/individual-privacy-form 
• Write to us at: Yoti Ltd, 6th Floor, 107 Leadenhall St, London, EC3A 4AF

If you are in the EU, you can contact our GDPR Representative, the European Data Protection Office (EDPO) by 

• writing to the EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium; or 
• using the EDPO’s online request form available here: https://edpo.com/gdpr-data-request/