Yoti Web Account – privacy information

• We collect information from those using the Web Account Service to send our clients an assertion of identity. Our clients could use this to conduct digital DBS, Right to Work or Right to Rent checks on you or to conduct general identity verification on you. 
• Once you have verified your identity the first time then your details will be stored in the Web Account Service so that you can verify your identity more quickly next time you use the Web Account Service.
• Once verified, you can use the information to create a Yoti digital identity app account. The Yoti app is a quick, convenient and secure way of sharing your identity.
• We also collect some device information as part of our analytics.
• If we suspect your document is fraudulent we may keep it in an internal database to ensure that (a) this document is never accepted by us and (b) is used to improve our anti-fraud techniques. 
• If we find a suspected fraudulent document we may share this with relevant law enforcement and anti-fraud bodies.  
• We do not process your data: (i) to create aggregate data sets which can identify you; or (ii) in any way that you have not agreed to or is not explained in this privacy policy. 
• We may send you emails explaining the benefits of the Web Account Service and how you can upgrade to a mobile based account with greater functionality. You can opt out at any time from these emails.

You can delete your Web Account Service account whenever you like and we will delete all the data in that account.

We may in some instances keep your data for longer where there are legal, regulatory or anti-fraud reasons to keep your data for a longer period of time. Under these circumstances you would not be able to exercise your right to erasure.

You can contact us to delete your data by emailing privacy@yoti.com. You can find more about your data protection rights below.

When you choose to share data with a company we will put your data into a report and send that report to that company. Where you attempt to share data with a company that has requested this and this attempt fails for some reason, the company may be able to view your data in order to troubleshoot and fix the problem.

If we need to use a credit reference agency to verify your address or other part of your identity then we simply send the relevant details to the credit reference agency or fraud prevention database and use the response in our identity verification.

If we suspect you are committing identity fraud or a criminal offence when using the Web Account Service we may have to share a copy of your information with the appropriate authorities. 

We may pass a copy of your information or an image of the false document to the relevant fraud prevention agencies, law enforcement agencies or the third party company who issues the genuine version of the false document.

If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.

Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn 

We also work with the Metropolitan Police Service Amberhill Identity Team in relation to false identity documents / information. Where we find that there is a match to their database, we will share the document and information with the Police.

We have an internal policy and process to make sure that, where we are able to share information, the request is valid, the information requested is no more than necessary, and that we think it’s the right thing to do.

We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

We keep the data encrypted in our UK datacentres and occasionally the data could be sent to our security centre in India for further checks. We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001 certification.

Yoti has the decryption keys for your encrypted data, but we have access controls in place to limit which staff have access to the server. Our staff may need access data to troubleshoot problems and manage the server in emergency events.

If we decide or are obliged to send or store your personal information in another country, we will update this section to describe the protections we have put in place.

Please see below for the data protection rights that apply to the Web Account Service personal information. 

Please send any rights requests to: privacy@yoti.com

You are entitled to know what personal information we hold about you and to receive a copy of it. 

Please note that we do not have to share information about fraudulent indicators. You may contact the relevant fraud prevention agency for further information.

If you spot an error in the data we have processed then please re-submit your document again. 

You are entitled to correct personal information we hold about you that is inaccurate.

In certain circumstances you are entitled to ask us to delete the personal information we hold about you. We may keep your data for longer than 28 days where there are legal or regulatory reasons to do so.

In certain circumstances you are entitled to object to Yoti processing your personal information.

There are unlikely to be any circumstances when this right applies to the Web Account Service personal information. If you want to contact us about your objection rights, please email: privacy@yoti.com

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

• you dispute the accuracy of your personal information; 
• our processing is unlawful but you prefer restriction to deletion;  
• we no longer need the information but you need it for legal reasons; or 
• you have objected to our processing and we are still dealing with this objection.

If you want to contact us about your restriction rights, please email: privacy@yoti.com

In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

You have the right to object to automated decisions made about you and have a person within our business to review this decision. Please email cs@yoti.com and our Customer Support can help you with your request. 

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. https://ico.org.uk/global/contact-us/

Understanding how people use the Web Account Service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use the Web Account Service. We simply look for trends and patterns to inform business decisions.

Using our in-house software, we collect some information from users and some information on when certain things happen as you use Web Account Service. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address).