Yoti Identity Verification within the UK Digital Identity and Attribute Trust Framework (UKDIATF)

• We collect information from those using Yoti’s Identity Verification service to send our clients an assertion of identity so that they can conduct digital DBS, Right to Work or Right to Rent checks on you. 
• Yoti’s Identity Verification service is a one off verification journey, so we do not create an account for you.
• We also collect some device information as part of our analytics.
• If we suspect your document is fraudulent we may keep it in an internal database to ensure that (a) this document is never accepted by us and (b) is used to improve our anti-fraud techniques.
• If we find a suspected fraudulent document we may share this with relevant law enforcement and anti-fraud bodies.  
• We do not process your data: (i) for any marketing purposes; (ii) to create aggregate data sets which can identify you; or (iii) in any way that you have not agreed to or is not explained in this privacy policy.

We delete your data in line with the requesting companies (the company asking you to perform the checks) retention period. 

The maximum amount of time that Yoti will have access to your data is 28 days; after which we either: 

1. delete your data completely or
2. delete your data in line with the requesting company’s privacy notice.

We will hold your data for 28 days following the completion of the Identification Verification session and do not have access to view the data after this time.

We may in some instances keep your data for longer than 28 days where there are legal, regulatory or anti-fraud reasons to keep your data for a longer period of time. Under these circumstances you would not be able to exercise your right to erasure.You can contact us to delete your data by emailing privacy@yoti.com. You can find more about your data protection rights below.

Other companies’ use of your personal information

We will put your data into a report and send that report to our client. Our client is the entity who requested that you undergo Yoti’s Identity Verification. The form of the report is dictated by the DBS or UK Home Office requirements for DBS, Right to Work and Right to Rent.

Credit Reference Agencies

If we need to use a credit reference agency to verify your address or other part of your identity then we simply send the relevant details to the credit reference agency or fraud prevention database and use the response in our identity verification.

Fraud Bodies

If we suspect you are committing identity fraud or a criminal offence when using Yoti’s Identity Verification, we may have to share a copy of your information with the appropriate authorities. 

We may pass a copy of your information or an image of the false document to the relevant fraud prevention agencies, law enforcement agencies or the third party company who issues the genuine version of the false document.

If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.

Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn 

We also work with the Metropolitan Police Service Amberhill Identity Team in relation to false identity documents / information. Where we find that there is a match to their database, we will share the document and information with the Police.

Law Enforcement of other official body

We have an internal policy and process to make sure that, where we are able to share information, the request is valid, the information requested is no more than necessary, and that we think it’s the right thing to do.

We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

We keep the Identity Verification data encrypted in our UK datacentres and occasionally the data could be sent to our security centre in India for further checks. We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001 certification.

Yoti has the decryption keys for your encrypted data, but we have access controls in place to limit which staff have access to the server. Our staff may need access data to troubleshoot problems and manage the server in emergency events.

If we decide or are obliged to send or store your personal information in another country, we will update this section to describe the protections we have put in place.

Please see below for the data protection rights that apply to Yoti Identity Verification personal information. 

Please send any rights requests to: privacy@yoti.com

You are entitled to know what personal information we hold about you and to receive a copy of it. 

Please note that we do not have to share information about fraudulent indicators. You may contact the relevant fraud prevention agency for further information. 

If you spot an error in the data we have processed then please re-submit your document again. 

You are entitled to correct personal information we hold about you that is inaccurate.

In certain circumstances you are entitled to ask us to delete the personal information we hold about you. We may keep your data for longer than 28 days where there are legal or regulatory reasons to do so. 

In certain circumstances you are entitled to object to Yoti processing your personal information.

There are unlikely to be any circumstances when this right applies to Yoti Identity Verification service personal information. If you want to contact us about your objection rights, please email: privacy@yoti.com 

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

• you dispute the accuracy of your personal information; 
• our processing is unlawful but you prefer restriction to deletion;  
• we no longer need the information but you need it for legal reasons; or 
• you have objected to our processing and we are still dealing with this objection.

If you want to contact us about your restriction rights, please email: privacy@yoti.com

In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

You have the right to object to automated decisions made about you and have a person within our business to review this decision. Please email cs@yoti.com and our Customer Support can help you with your request. 

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. https://ico.org.uk/global/contact-us/

Understanding how people use the Yoti Identity Verification service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use the Yoti Identity Verification service. We simply look for trends and patterns to inform business decisions.

Using our in-house software, we collect some information from users and some information on when certain things happen as you use Yoti Identity Verification service. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address).  

From January 2019, we changed how we present our privacy information to distinguish between general information and product-specific information. We no longer present our past versions on our website. 

This is the first version of this privacy notice. For all future versions please contact  privacy@yoti.com. 

• We updated our section on data retention to make this more clearer to the customer and organisations using this service. Our retention time has not changed.