Internal Fraud Database Privacy Notice
Last updated on: 24 June 2025
Who is Yoti?
Yoti is an identity and age verification provider, specialising in helping organisations safely and securely verify the identity and age of individuals. As identity specialists, Yoti invests considerably in identity fraud prevention and detection, through its 24×7 identity verification specialist team, its use of third party software tools, as well as its investment in research and development to develop various anti-spoofing and fraud detection techniques. Yoti takes identity fraud very seriously and will enforce steps to prevent and detect both through all of its products.
What is the Internal Fraud Database?
Yoti’s Internal Fraud Database is our internal record of instances of fraud detected in the everyday use of Yoti products. It is managed and maintained by Yoti’s specialist Counter Fraud Team.
Information Collection and Use
Where Yoti suspects an instance of fraud within the use of our app and identity products (and where we have the permission of Yoti clients if applicable) we collect the following categories of information, to the extent these categories of data are available:
- Image of the ID document submitted
- Selfies submitted
- Data fields extracted from the ID document (the precise fields will depend on the type of ID document i.e. name, date of birth, document number, address, gender)
- Email address
- Phone number
Our identity verification specialists will manually review the incoming data and verify any instances of fraud, which will then be added to the Internal Fraud Database and used for the purposes listed below. In cases where fraud is initially suspected but following investigation by our Counter Fraud Team it is determined there is no actual instance of fraud present, no data relating to that individual or suspected instance of fraud are retained in the Internal Fraud Database.
Where a new incoming ID document or other details are matched to an existing record in the Internal Fraud Database, the new incoming details are also automatically added to that corresponding fraudulent record.
As mentioned above, where Yoti is acting as a processor on behalf of the Yoti client for the original reason for you using Yoti (for example the Yoti client may have originally asked you to verify your identity using Yoti technology), we will only add your data to the Internal Fraud Database where we have permission from the Yoti client as the controller.
Once the data is added to our Internal Fraud Database it is used for the following purposes:
- To screen against all new incoming ID documents and users to check for repeat instances of fraud/repeat offenders in Yoti products;
- To train and upskill our identity verification specialists to be able to improve Yoti’s fraud detection capabilities relating to specific verified instances of fraud; and
- To inform Yoti’s understanding of patterns of fraud and further develop and improve Yoti’s counter-fraud techniques.
Lawful basis for processing
Our lawful basis for processing personal data for fraud prevention is our legitimate interest. Specifically:
- As an identity company Yoti has a legitimate interest to ensure individuals using our products are genuine users and are not using our products to commit fraud.
- This processing is also in the interests of individuals whose identities are being misused for identity theft and impersonation.
- Fraud prevention is also in the interest of the general public – it is important for individuals to have access to goods and services, which may otherwise be unavailable or limited in the event that widespread fraud occurs.
Yoti has conducted a legitimate interest assessment in relation to our processing for the Internal Fraud Database – this is available upon request by emailing privacy@yoti.com.
International Transfers
We host all data in the Internal Fraud Database on our UK servers. Occasionally the data in our Internal Fraud Database may be remotely accessed by our identity verification specialists in India for the purpose of spot-checking and training in order to improve our ability to identify and detect specific verified instances of fraud.
We have conducted a Transfer Impact Assessment (also known in the UK as a Transfer Risk Assessment) for this transfer to ensure all data is subject to adequate safeguards.
Information Sharing
Yoti will only share information in the Internal Fraud Database with third parties outside of Yoti for limited purposes.
Where Yoti shares data in accordance with the below, we will always ensure that such sharing is secure and we will only share the minimum data required for the specific purpose:
| Circumstances when Yoti will share your data | Purpose of sharing | Third Party | Privacy Information | Location of third party processing |
|---|---|---|---|---|
| An instance of verified fraud meets the criteria for reporting to Cifas | To meet Yoti’s obligations as a Cifas member and to prevent further instances of fraud | Cifas |
Cifas keep fraud reports for six year. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment.
Read more here: https://www.cifas.org.uk/fpn |
UK |
| An instance of verified fraud meets the criteria for reporting to Synectics | To meet Yoti’s obligations as a Synectics partner and to help prevent further instances of fraud | Synectics | Read more here: | UK |
| An instance of verified fraud meets the criteria for reporting to Amberhill | To meet Yoti’s obligations as an Amberhill partner and assist the prevention of fraud | Metropolitan Police Service Amberhill Identity Team | Read more here: | UK |
| A valid and lawful request from a law enforcement or government authority | To comply with Yoti’s legal obligations | Dependent on requestor e.g. Metropolitan Police | Dependant on requestor e.g. | Dependant on requestor e.g. UK |
Retention
Data that has been identified as fraud is kept in the Internal Fraud Database for 6 years after which it is permanently deleted.
The justification for this retention period are as follows:
- Fraudulent documents stay in circulation for many years and are often re-used and re-sold
- Maintaining coherence with industry standards for fraud-related processing
Security
The Internal Fraud Database information is stored securely on Yoti servers hosted in the UK. We continually test our systems to ensure that we are compliant and to ensure that we follow top industry standards for information security. Several times a year external audits are carried out on us to check that our security arrangements are compliant. These auditors follow internationally recognised standards for best practice in security, these are known as ISO 27001 and SOC2.
Please see our Security Centre for more information: https://www.yoti.com/security/
Your Rights
Right of Access
You are entitled to request a copy of information held about you in our Internal Fraud Database. In order to process such a request we will need additional information from you to
- Verify it is actually you making the request; and
- Locate your data in the database.
You can email your request to privacy@yoti.com
Right to deletion
The right to deletion is not an absolute right and only applies in certain circumstances. Given the purpose of this processing, and our legitimate interest in preventing fraud in our products, you do not automatically have the right to delete your data within the Internal Fraud Database.
However we will consider all requests for deletion on a case-by-case basis. Further, we have a process in place for individuals to dispute information contained about them in the Internal Fraud Database – see below.
Right to Rectification
The right to rectify data we hold about you is not an absolute right and only applies in certain circumstances. We will consider all requests for rectification on a case-by-case basis. Further, we have a process in place for individuals to dispute information contained about them in the Internal Fraud Database – see below.
Automated-Decision Making
Yoti does not make any automated-decisions when deciding to add data to the Internal Fraud Database – one of our counter-fraud specialists will always conduct a manual review of any suspected fraud.
However, in some cases where you are asked by an organisation (a Yoti client) to complete an identity check, you may upload an ID document and our technology may automatically register a match between your document and an existing fraud record in our Internal Fraud Database. This will occur where the Yoti client has requested that there be no manual review by Yoti of your check. In this case Yoti will send the results of the check (including if there was a match to the Internal Fraud Database) back to the Yoti client and the Yoti client will make a final decision on the outcome of the check based on their internal process and any manual review of the ID document they choose to undertake. If you think that a mistake has been made or if you would like clarity on the results of your check, you should i in the first instance contact the Yoti client i.e. the organisation that asked you to do the identity check and request a manual review of your identity. This is because in this scenario the Yoti client is acting as controller and is responsible for the processing of your data.
Disputing or challenging information held about you
In some circumstances you may wish to dispute or challenge information held about you in the Internal Fraud Database – for example in cases where you believe we have incorrectly identified your ID document as fraudulent.
Yoti has a formal appeals procedure in place to manage any disputes relating to records in our Internal Fraud Database. As a first step you should email help@yoti.com and provide us with as much information as you can to help us understand and manage your request.
Our Customer Support Team, along with our specialist Counter Fraud Team, will then request additional details from you in order to
- Ensure it is really you making the request; and
- Allow us to find your data in our Internal Fraud Database to conduct a review of any fraud record relating to you.
Your request will be reviewed by our Counter Fraud Team. We will investigate and provide you with a response within one month.
Contact us
If you have any questions about this notice, you can contact Yoti using the below:
- For privacy requests: privacy@yoti.com
- For general queries or complaints: help@yoti.com
For requests in writing:
Yoti DPO
c/o Yoti Ltd
6th Floor, 107 Leadenhall St
London, EC3A 4AF