Yoti Identity Verification

Yoti Clients will direct you to complete an identity verification using Yoti technology. At this point we will collect information from you to send our Clients a report with the results of any checks requested by them.

Information	Use
Identity Document including available ID Document fields	We use your ID Document to check it’s a genuine document, establish your identity and check for fraud, including by checking your ID Document against our internal fraud database.  We extract your details from the document such as your name, date of birth, address (if present), document number, nationality, type of document, gender, data of issue, date of expiry and photo in order to perform the identity checks requested by the Client and provide the results back to the Client. If requested by the Client, we will also share an image of the ID Document with our Client.
Selfie	Liveness: We use your selfie to check that you are a real person.  Face match: We compare your selfie with the photo on your ID Document and against our internal fraud database to make sure you only upload your own document. Clients may also ask us to retain and check your selfie against their own database/users to confirm genuine users or detect fraud. In some countries your selfie used for face matching may be considered biometric data and Yoti and/or our Client may ask for your consent to this processing. If you do not wish to consent then you should contact the Yoti Client (the Organisation that asked you to complete the check) and ask for an alternative way to verify your identity.
Address	Where requested by our Client, we check your address (your address is either provided directly by you, the Client or extracted from your ID or supplementary document) against the records held by the Credit Reference Agency in order to verify the information. This check will be in the name of Yoti Limited.
Name, DoB, address and other ID Document fields	We send your information to trusted third parties, such as Credit Reference Agencies, to look for other information about you that helps us verify your identity on behalf of our Client that has requested the check.
Information on how we verified your identity	We create a report stating how Yoti verified your identity, what checks we did and the results of those checks. This information includes your IP address when using Yoti’s Identity Verification service. This report is sent to the Organisation that requested you complete the check.  The results sent to the Client are recommendations only – it is up to our Clients to decide what to do with the results. If you have any questions or concerns about this report, you should contact the Organisation that asked you to complete the check.

The maximum amount of time that Yoti has access to your personal data to perform the check and perfrom troubleshooting on behalf of our Clients is 28 days – in some cases Clients will configure Yoti identity verification so that personal data is deleted immediately following the check. This will depend on the Client and their specific requirements. 

After 28 days Yoti will continue to store the data on behalf of the Yoti Client (including for checking against the Yoti Client’s own database/users if the Yoti Client has requested this), according to the retention period set by them. Yoti does not have access to the data following the initial 28 days. 

Where Yoti is under a legal or statutory obligation to retain your data, for example due to a valid request from law enforcement, we will keep your data for longer.

Our Clients

We will put your data into a report with the results of your check and send that report to our Client who has requested you complete the identity check.

 

Credit Reference Agencies & third party providers

If we need to use a credit reference agency to verify your address or other part of your identity, as requested by our Client, then we send the relevant details to the credit reference agency or third party provider and use the response in our identity verification report sent to Clients.

We also use the following third party providers to assist with these checks:

• Experian: We will share your data (ID document and relevant data fields such as name, DoB, address) with Experian in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about Experian and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.experian.co.uk/legal/crain/
• Aristotle: We will share your information with Aristotle if requested as part of our Client’s identity check on you. You can find more information about how Aristotle processes your personal information at https://integrity.aristotle.com/privacy-policy/
• ComplyAdvantage:We will share your information (name, DoB, address) with ComplyAdvantage if requested as part of our Client’s identity check on you. You can find more information about how ComplyAdvantage processes your personal information at https://complyadvantage.com/privacy-notice/
• IDVerse: In some cases we will share ID documents with IDVerse in order to assist in verifying and authenticating the document.
• CitizenCard: When you upload a CitizenCard we will validate your information with them as the issuing authority. You can find more information about how CitizenCard processes your personal information at https://www.citizencard.com/cookie-privacy-policy
• FRS Labs:When you upload an AADHAAR card or an Indian PAN card we will validate your information with FRS Labs. You can find more information about FRS Labs at https://docs-frslabs.gitbook.io/frslabs/privacy-policy

 

Fraud Checks

As part of the identity verification checks Yoti performs on behalf of Yoti Clients, Yoti conducts fraud checks on ID documents. In some cases, for example where we suspect you are committing identity fraud when using Yoti’s Identity Verification, we will share a copy of your information with the appropriate authorities. For example, we will share the relevant information with the Metropolitan Police Service Amberhill Identity Team where we find that there is a match to their database of false identity documents/information, where we have the Client’s permission. You can read more about Amberhill here.

 

Law Enforcement of other official body

We will have a legal obligation to share the information if we receive a court order, warrant, subpoena or similar legal order ordering us to disclose it.

Where we are required to share information with law enforcement or other government authority we will ensure

• The request is lawful and valid;
• The information requested is no more than necessary;
• That, where possible, we have tried to redirect the request to the relevant Client; and
• That, where possible, we have informed the relevant Client of the request.

We keep the data encrypted in our UK data centres and, if configured by the Clients, the data could be accessed from our security centre in India for manual checks. 

We always ensure any transfers of data follow the relevant legal requirements, such as entering into standard contractual clauses (SCCs) and completing transfer impact assessments to ensure that any data transferred is protected to an adequate standard. 

We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001, ISO9001 and ISO27701 certification. You can see more about Yoti’s technical and organisational measures at https://www.yoti.com/security/

If you want to exercise your rights in relation to your check, you should contact the Organisation that requested you complete the check as they are responsible as controller. 

For general questions on Yoti or the IDV product: hello@yoti.com  

For questions about your rights: Contact the Organisation that requested you do the identity check