Yoti Web Account – privacy information

What is it?

Yoti’s Web Account Service allows verification of a living person’s identity and then the creation of a reusable web based digital identity. In the UK the verification is conducted under the rules set out in the Department for Culture, Media and Sport’s UK digital identity and attributes trust framework (known as the “UKDIATF“). In Australia verification is conducted under the TDIF rules. 

Yoti uses the Web Account Service to assist its clients conduct digital DBS, Right to Work and Right to Rent checks, and can also assist clients for other use cases.  You do not have to pay Yoti for use of the Web Account Service, but Yoti will charge its clients. 

Yoti’s Identity Verification service is explained on our web page here: www.yoti.com/business/identity-verification  

The information in this privacy notice relates to the Web Account Service. We also have general information that applies across all our business here: https://www.yoti.com/privacy/ That page provides information about Yoti, our business principles, our Guardian Council, contact details and general personal information collection and use practices. The page also has links to all the product-specific privacy notices.

Information collection and use

  • We collect information from those using the Web Account Service to send our clients an assertion of identity. Our clients could use this to conduct digital DBS, Right to Work or Right to Rent checks on you or to conduct general identity verification on you. 
  • Once you have verified your identity the first time then your details will be stored in the Web Account Service so that you can verify your identity more quickly next time you use the Web Account Service.
  • Once verified, you can use the information to create a Yoti digital identity app account. The Yoti app is a quick, convenient and secure way of sharing your identity.
  • We also collect some device information as part of our analytics.
  • If we suspect your document is fraudulent we may keep it in an internal database to ensure that (a) this document is never accepted by us and (b) is used to improve our anti-fraud techniques. 
  • If we find a suspected fraudulent document we may share this with relevant law enforcement and anti-fraud bodies.  
  • We do not process your data: (i) to create aggregate data sets which can identify you; or (ii) in any way that you have not agreed to or is not explained in this privacy policy. 
  • We may send you emails explaining the benefits of the Web Account Service and how you can upgrade to a mobile based account with greater functionality. You can opt out at any time from these emails.

Account Information

Information Use
Email and password We use your email address and password to allow secure log in into the Web Account Service.
Yoti app RememberMe ID If you choose to log in using the Yoti app then we use the RememberMe ID functionality to allow secure log in.

Identity Verification

Information Use
Identity Document We extract data from your identity document to establish your identity. We extract your name, date of birth, address (if present), document number, type of document, document expiry date and photo.

We may also share an image of the identity document with our client if they need it.

Selfie We capture images of your face to conduct liveness tests to check that you are a real person and not someone trying to impersonate you. We take a scan of your face to create a biometric template of your face, which we store securely. A biometric template is a digital map of your face.

We perform face matches to compare your selfie with the photo on your identity document. When you add a document we compare its photo with the face template to make sure users only upload their own documents.

As we are capturing your biometrics, we ask you to consent to this. If you do not want to consent then you will not be able to complete the digital identification process. You will need to speak to the company you are interacting with for other ways to verify your identity.

Address You may assert your address to us, and we may check it against the records held by a Credit Reference Agency. The check will be in the name of Yoti Limited. 
Or we may take your address from an identity document that you have submitted to us.
Third party data sources We may send your information to trusted third parties, such as Credit Reference Agencies, to look for other information about you that helps us verify your identity..
Information on how we verified your identity This information creates an audit trail stating how we verified your identity. It is sent to our client as part of their digital service for or about you. 

This information includes your IP address when using Yoti’s Identity Verification service.

Feedback and email If you send feedback to our Customer Support we will use that information to get in touch with you to resolve your issue or to acknowledge your feedback.

Data Retention

You can delete your Web Account Service account whenever you like and we will delete all the data in that account.

We may in some instances keep your data for longer where there are legal, regulatory or anti-fraud reasons to keep your data for a longer period of time. Under these circumstances you would not be able to exercise your right to erasure.

You can contact us to delete your data by emailing privacy@yoti.com. You can find more about your data protection rights below.

Information sharing

Other companies’ use of your personal information

When you choose to share data with a company we will put your data into a report and send that report to that company. Where you attempt to share data with a company that has requested this and this attempt fails for some reason, the company may be able to view your data in order to troubleshoot and fix the problem.

Credit Reference Agencies

If we need to use a credit reference agency to verify your address or other part of your identity then we simply send the relevant details to the credit reference agency or fraud prevention database and use the response in our identity verification.

Fraud Bodies

If we suspect you are committing identity fraud or a criminal offence when using the Web Account Service we may have to share a copy of your information with the appropriate authorities. 

We may pass a copy of your information or an image of the false document to the relevant fraud prevention agencies, law enforcement agencies or the third party company who issues the genuine version of the false document.

If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.

Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn 

We also work with the Metropolitan Police Service Amberhill Identity Team in relation to false identity documents / information. Where we find that there is a match to their database, we will share the document and information with the Police.

Law Enforcement of other official body

We have an internal policy and process to make sure that, where we are able to share information, the request is valid, the information requested is no more than necessary, and that we think it’s the right thing to do.

We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

Security and data location

We keep the data encrypted in our UK datacentres and occasionally the data could be sent to our security centre in India for further checks. We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001 certification.

Yoti has the decryption keys for your encrypted data, but we have access controls in place to limit which staff have access to the server. Our staff may need access data to troubleshoot problems and manage the server in emergency events.

If we decide or are obliged to send or store your personal information in another country, we will update this section to describe the protections we have put in place.

Your rights and choices

Please see below for the data protection rights that apply to the Web Account Service personal information. 

Please send any rights requests to: privacy@yoti.com

Access rights

You are entitled to know what personal information we hold about you and to receive a copy of it. 

Please note that we do not have to share information about fraudulent indicators. You may contact the relevant fraud prevention agency for further information.

Correction rights

If you spot an error in the data we have processed then please re-submit your document again. 

You are entitled to correct personal information we hold about you that is inaccurate.

Deletion rights

In certain circumstances you are entitled to ask us to delete the personal information we hold about you. We may keep your data for longer than 28 days where there are legal or regulatory reasons to do so.

Objection rights

In certain circumstances you are entitled to object to Yoti processing your personal information.

There are unlikely to be any circumstances when this right applies to the Web Account Service personal information. If you want to contact us about your objection rights, please email: privacy@yoti.com

Restriction rights

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

  • you dispute the accuracy of your personal information; 
  • our processing is unlawful but you prefer restriction to deletion;  
  • we no longer need the information but you need it for legal reasons; or 
  • you have objected to our processing and we are still dealing with this objection.

If you want to contact us about your restriction rights, please email: privacy@yoti.com

Portability rights

In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

Automated Decisions

You have the right to object to automated decisions made about you and have a person within our business to review this decision. Please email cs@yoti.com and our Customer Support can help you with your request. 

Complain to the ICO

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. https://ico.org.uk/global/contact-us/

Analytics

Understanding how people use the Web Account Service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use the Web Account Service. We simply look for trends and patterns to inform business decisions.

In-house analytics

Using our in-house software, we collect some information from users and some information on when certain things happen as you use Web Account Service. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address).