Privacy information Yoti Sign

Last updated on: 10 September 2021

What is it?

Yoti Sign is Yoti’s solution to document signing. It allows you to electronically sign documents both with and without a Yoti.

We have some FAQs on Yoti Sign here: https://yoti.force.com/yotisupport/s/topic/0TO4L0000001J6xWAE/yoti-esignatures-for-businesses

We have a dedicated web page here: https://www.yotisign.com/

The information in this privacy notice relates to Yoti Sign. We also have general information that applies across all our business here: https://www.yoti.com/privacy/. That page provides information about Yoti, our business principles, our Guardian Council, contact details and general personal information collection and use practices. The page also has links to all the product-specific privacy notices.

Information collection and use

We collect information from those using Yoti Sign to send and sign documents so that the serviceworks as it is supposed to.
We also collect some device information as part of our analytics.

Setting up your Yoti Sign account

To set up and administer your Yoti Sign account or a free trial we may collect the following information:

Organisation name
Organisation address
Contact name and email address
Email addresses of the people you want to have access to your organisation’s account.
VAT number (optional)

Our team may use these details to contact you about taking part in user testing, to send you information on Yoti Sign features and how to use them, and to send you marketing. You will be able to unsubscribe from any marketing email.

Document senders

Information	Use
Email address Password (if using email login)	To calculate your age using your date of birth. To set up your Yoti Sign account and to log in.
Documents you upload	Store the document. Send it to those you want to sign the document.
Information about recipients you enter: Name Role (this field is only available for multiple people signing the same document) Email address Unique reference (for bulk signing)	To send the document to the recipients for signing. Only the name and email address are mandatory. The unique reference is optional and allows you to identify users individually, for example, if they have the same name.
Attributes (personal details) of recipients you can request: Email (compulsory) Name Gender Address Date of Birth Phone number Photo Nationality	To populate the document that you are sending to the recipient to sign and verify the personal details of the individual signees.
Reminders you set	Send reminder emails to those who haven’t signed the document.
Information on when documents are sent, viewed and signed. Information on when emails are delivered and opened.	This information creates an audit trail that the sender can access. This audit trail can be used in court if necessary. This information includes the IP address of the sender when they send the document, and the IP address of the person signing the document the first time they open the email, the first time they click on the email link to open the document, and when they sign the document.
Billing information	We use a third-party payment provider, Stripe, for invoicing and billing. We provide relevant organisation and billing contact details, transaction and pricing information to Stripe for your account so they can correctly invoice you. Where you have the opportunity to provide card details directly within Yoti Sign, we do not store these and they are sent directly to Stripe.

Document signees

Information	Use
Email address	Your email address is how you receive documents to sign using Yoti Sign. Where you are asked to sign documents using your Yoti (Yoti authentication) your verified email address from your Yoti is used to authenticate you. If the sender chooses not to require Yoti authentication they use your email address to send documents to you for signature. You then receive an email with a link to the document for you to view and sign (email authentication).
Attributes (personal details) specified by document sender	To populate the document with your details and sign it. Any attributes shared by you will also be displayed on the document cover sheet visible to any other signees of that document and the sender. These attributes are stored in our database and are used to update tags in the document. The sender can also use your details to search for particular users in a large document, for example, to check for runners in a liability waiver document.
Information on when documents are sent, viewed and signed. Information on when emails are delivered and opened. Information on the Yoti QR code scan to share details and sign the document.	This information creates an audit trail that the sender can access. This audit trail can be used in court if necessary. This information includes the IP address of the sender when they send the document, and the IP address of the person signing the document the first time they open the email, the first time they click on the email link to open the document, and when they sign the document.
Feedback and email	If you send feedback to our Customer Support we will use that information to get in touch with you to resolve your issue or to acknowledge your feedback.

Deleting your information

The organisation account administrator can contact us to remove individual users from their Yoti Sign account or to delete individual documents from the Yoti Sign platform, if required.

The organisation account administrator can also contact us to delete their Yoti Sign account. However before contemplating deletion you should export your executed Documents and should not rely on Yoti continuing to store Documents for you. Please also see our terms and conditions for more information on this.

Demo environment

This is a testing environment for those using our API.

During testing any information you share during a Yoti share will be your real personal information but we encourage you to use dummy data and documents for testing.

As it’s a testing environment, the logs will contain the document name (which they don’t in Yoti Sign production) so we can help you with troubleshooting. We will regularly delete all the data in the test environment.

Information sharing

You choose to share your personal information with an organisation when you use Yoti Sign to electronically sign a document.

Other companies’ use of your personal information

If you choose to share your information with a third party by signing documents using Yoti Sign, those third parties may choose to use that information to communicate with you or they may share that information with others. We advise you to read the privacy notices of any organisation you share your information with to understand how they will use your personal information.

Security and data location

We keep Yoti Sign data encrypted in two locations.

Recipient information and sender data are stored in our UK datacentre.

Logos and documents are stored in AWS EU datacentres.

Yoti has the decryption keys but we have access controls in place to limit which staff have access to the server. Our staff may need access to troubleshoot problems and manage the server in emergency events.

If we decide or are obliged to send or store your personal information in another country, we will update this section to describe the protections we have put in place.

Your rights and choices

Please see below for the rights that apply to Yoti Sign personal information.

Please send any rights requests to: privacy@yoti.com

Access rights

You are entitled to know what personal information we hold about you and to receive a copy of it.

You provide all the personal information we hold about you in Yoti Sign so you can access this at any time by logging into it.

You can get a copy of this data by by taking a screenshot or by using your browser’s ‘Save as’ function.

You can access and download Yoti attributes from within the app.

Correction rights

You are entitled to correct personal information we hold about you that is inaccurate.

You provide your email address when you use Yoti Sign and if you use Yoti to share personal information, these details come from your app.

If you have provided personal information as part of signing a document that is no longer accurate, please contact the person or organisation who sent you the document.

Deletion rights

In certain circumstances you are entitled to ask us to delete the personal information we hold about you.

If you want to stop using Yoti Sign and / or delete all the information you have provided, you can contact us. Please see ‘Deleting your information’ in the ‘Information collection and use’ section.

If you want to close your Yoti app account you can do so from within the app.

You may also find these FAQs helpful: https://yoti.force.com/yotisupport/s/topic/0TO4L0000001J6FWAU/yoti-app

Objection rights

In certain circumstances you are entitled to object to Yoti processing your personal information.

There are unlikely to be any circumstances when this right applies to Yoti Sign personal information. If you want to contact us about your objection rights, please email: privacy@yoti.com

Restriction rights

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

you dispute the accuracy of your personal information;
our processing is unlawful but you prefer restriction to deletion;
we no longer need the information but you need it for legal reasons; or
you have objected to our processing and we are still dealing with this objection.

If you want to contact us about your restriction rights, please email: privacy@yoti.com

Portability rights

In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

This right is most likely to apply to information you have provided as part of using Yoti Sign to send or sign documents.

You can receive the Yoti app attribute information you provide to Yoti Sign by using the ‘download data’ function in the app.

Complain to the ICO

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information.

https://ico.org.uk/global/contact-us/

Analytics

Understanding how people use Yoti Sign is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house and third-party analytics. We de-identify and aggregate the information we collect so we can’t identify you personally.

Unlike most other companies, we don’t build individual profiles of the people who use Yoti Sign. We simply look for trends and patterns to inform business decisions.

You can opt out of certain analytics in the app. Some information is shared automatically when you use our products, and we can’t turn this off.

See the ‘Analytics’ heading in the ‘General’ section for more information on what they are, why we use them, and what controls and choices you have.

See below for the specific analytics we use in Yoti Sign.

In-house and Google Analytics

Using our in-house software, and using Google Analytics, we collect some information from users and some information on when certain things happen as you use Yoti Sign. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We have two types of in-house analytics when you are using our products: information created when you take actions on your device; and information created automatically by our internal systems when things happen.

Examples of information created when you take actions on your device.

Clicking buttons or links
Viewing documents
Uploading documents
Error messages when things don’t work

Examples of information created automatically by our internal systems when things happen.

Documents sent / signed
Whether the e-mail was delivered
Whether documents are signed using e-mail authentication only or using Yoti authentication

We currently collect limited analytics for when you take actions on your device, as set out in the examples above. We use a cookie to implement these analytics so you can opt out by changing your browser settings to refuse cookies.

We cannot turn off the information that is created automatically, so you cannot opt out of this.

Our in-house analytics assigns a randomly generated identifier to each user, with a different identifier for each product used. This means we cannot cross-reference the identifiers to understand what Yoti products you are using. We use an identifier so we can understand things like whether a count of certain actions is one user repeating an action, or multiple users each doing the same action. This helps us to understand things like where many users are having problems.

Even with the identifier, we take steps to make sure that the information we collect is de-identified so that it is not associated with an identifiable user. For example, we receive a country location, but we do not keep the data that provided that information, such as any device data or your IP address.

The information from our in-house analytics and Google Analytics provides us with statistics on things like:

how many users we have in total and for each price plan;
the numbers of documents uploaded, sent and signed in a given time period;
how many users sign documents with email only and how many use Yoti;
aggregate types and numbers of data fields and attributes used;
aggregate time taken at each stage and where users drop out of the process;
whether we have a lot of unsigned documents across the product or only a few senders with lots of unsigned documents;
aggregate numbers of emails delivered and opened;
percentage of users who sign after a first reminder, a second reminder and so on;
what advertising campaigns people clicked through from to get to our website.

What’s new

We have changed the data location of some Yoti Sign data from AWS EU to our UK datacentres.