Our privacy information explains how we will handle your personal information when you sign up and / or use our app, websites, products and services. Where we say ‘we’ and ‘us’ we mean Yoti. Where we say ‘third party’ this means anyone who is not you or us. This could be another person or an organisation.
This general section contains information that applies across all our business. The product-specific sections cover our different products and services, so you can easily find the information you need for the specific product or service you use. If a product-specific section doesn’t have a topic you are looking for, then the right information will be in the general section.
As transparency and privacy are Yoti core values, we regularly check and update this policy to reflect new features and functionality. We have a lot of new features and functionality planned, so to avoid having to issue new privacy information every month, there may be information about things that aren’t quite in place yet, but they will be soon. Regularly reviewing our privacy information makes sure that you are always aware of what information we collect, how we use it and how we might share it. The ‘What’s new’ section summarises the changes made to the latest version. For the app, we will also tell you there is a new version in the information on what’s new when you go into your app store to update the app to the latest version.
We are a digital identity platform and we design our software and services with privacy at their heart, guided by a set of principles.
We are monitored by a Guardian Council who make sure that we always seek to do the right thing.
We are certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment.
We are Yoti Ltd, Fountain House, 130 Fenchurch Street, London, EC3M 5DJ (company number 08998951), but you can call us ‘Yoti’. Our general email address is email@example.com.
We take your privacy very seriously. We design our software and services with privacy at their heart, guided by a set of principles which you can read here: https://www.yoti.com/ethical-framework.
We are monitored by a Guardian Council, who are respected and influential individuals who make sure that Yoti always seeks to do the right thing, and that we are transparent about what we are doing and why. Read more about them here: https://www.yoti.com/ethical-framework.
We are also certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment. Read more about it here: https://www.bcorporation.net
The product-specific sections provide information for each product on personal information collection and use.
In general, we use your personal information to provide our identity app and its associated products and services. You can find more information on our lawful bases and retention below.
EU data protection law requires an organisation to have a lawful basis for its personal information collection and use, and there are several lawful bases available. Our products and services are available globally and so in some cases our choice of EU lawful basis reflects the need to comply with different laws in different countries.
We provide retention information in the relevant product-specific section.
In most cases, the information you add to your account or provide as part of using a product or service remains until you delete the account.
If you volunteer for user testing, we will keep the related information for six months.
What we collect and what we do with it
Performance of a contract
When you set up and use our app and associated products and services, almost all the personal information collection and use is necessary to provide the app, product or service.
If you provide us your contact details to ask us a question, request more information or contact our Customer Support, we use your details to reply and resolve any issues.
We ask you to consent to us using your biometrics. This is because biometric data is sensitive data under the EU GDPR and the lawful bases available for this data are very limited. There are also biometrics laws in other countries that require consent.
See the section on biometrics for more information about the biometrics we use and why.
In the UK we can also use a ‘preventing or detecting unlawful acts’ lawful basis for our use of biometrics that is for fraud prevention purposes.
Some personal data collection and use is in our legitimate business interests. To use this lawful basis we assess both our interests and yours, to make sure that what we’re doing does not cause any unjustified privacy intrusion.
Identity checks: where we check your details with a third party to make sure only verified identities can get a Yoti.
Fraud reporting: some fraud prevention bodies we work with require us to report identity fraud we discover.
R&D: (non-sensitive data) to continually improve and test our fraud prevention measures.
Analytics: we de-identify and aggregate the metrics information we get from users to understand how our website and app are performing, to identify bugs, and to identify where we need to focus our efforts to improve.
Marketing campaign records: we keep information so we know who was sent what marketing information and when.
Invoice and billing: for corporate customers.
If you have provided us your contact details to hear about Yoti, its products and services and you no longer want to hear from us, we are obliged by law to stop contacting you. To meet this legal obligation we will add your details to a suppression list so you no longer hear from us.
If you are a corporate customer, we are obliged to carry out some due diligence.
As a Yoti user, you choose if you want to use Yoti to share your information with other individuals or with companies. As an organisation using Yoti for age or identity verification, you choose what information to request from individuals.
Where Yoti has access to your information, we may share it in specific circumstances, such as:
- suspected or confirmed identity fraud or other offences;
- valid and legally binding requests for information from third parties;
- to verify your details.
When you share your personal information
You alone will decide when you want to use a Yoti product or service to identify yourself to a third party, or to send and request information. You choose whether to agree or not to share the information a third party requests.
Yoti incentivises companies to only ask for the information they actually need, for example, your age, or confirming you are over 18, rather than a full date of birth. If you choose to share your information with a third party using Yoti, those third parties may choose to use that information to communicate with you or they may share that information with others. We suggest you read the privacy policies of any organisation you share your information with to understand how they will use your personal information.
When Yoti shares your personal information
Yoti’s core principles are that it is not our business model to sell, transfer or share outside the company any of the personal information used to set up your account or your user activity information.
Please see below for the only cases in which we will share or will have to share some information.
1. If we suspect identity fraud, a national security threat, legal infringement, or a criminal offence
We may have to share a copy of your information with the appropriate authorities.
2. If you provide false or inaccurate information
If, after investigation, we determine that there has been fraud that meets the criteria for reporting, we will pass the details to relevant crime and fraud prevention agencies to prevent further fraud and money laundering. One of these agencies is Cifas. Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn
3. If we get a request for information from law enforcement or other official authority
Where your personal information is encrypted in our database, and we do not have the decryption key, we cannot provide any information. For information that we do have access to, we have an internal policy and process to make sure that we only disclose personal information where:
- the request is valid
- the information requested is no more than necessary
- we can disclose it compliantly
- we think it’s the right thing to do
We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.
4. To verify your details
For some of our products and services we check certain details, including against a third party, as part of verifying identity and carrying out due diligence. The product-specific sections will set out when and how this happens.
5. To verify details on behalf of other companies
Some of our products and services may include the option to request an identity check against a credit reference agency or other fraud prevention data. In these circumstances Yoti simply sends the relevant details to the credit reference agency or fraud prevention database on behalf of the company, and sends the response back to the company.
The product-specific sections will set out when and how this happens.
6. We may use the services of other businesses to help us in certain areas, for example, for data storage; online payment providers; and identity providers who we use to help with identity verification
Because of how we have designed the system, in most situations we won’t need to share your information with third parties. If we do, we will encrypt your data and / or it will be properly protected by the terms of our contract with these third parties.
7. If Yoti sells its assets
Yoti will only agree to the sale if the new business commits to the core Yoti principles of data privacy. While we are negotiating with the company buying or combining Yoti with their own business, they won’t be able to access your encrypted personal information but Yoti may provide anonymised statistical information.
Security is a core business principle. Our products and services do different things, so the specific security details for each one are listed in the relevant product sections. We always keep personal information in secure locations with strict access controls.
We continually test our systems and are ISO 27001 and SOC 2 compliant, which means we follow top industry standards for information security.
The product-specific sections have more information on where we keep data and security measures.
Where we use other organisations to support our business we have contract terms in place that contain obligations on the other organisation to safeguard your information. Some of these organisations have their servers in other countries. We have contract terms with these third parties and measures in place to cover any transfers of personal information. The measures used are EU-approved model contract clauses, Privacy Shield for some US companies, and some have Binding Corporate Rules.
In future we may send your personal information to countries outside the UK. If those countries are in the European Union, Switzerland, Iceland, Liechtenstein and Norway, there are equivalent laws on handling personal information and so your information is protected in the same way as it is in the UK.
If we send your personal information to any other countries (for example, we may have other databases and servers in other countries), some of these countries may not have equivalent laws on handling personal information. However, we will make sure that your personal information is properly protected.
In some countries, for legal or practical reasons, Yoti may have to store personal information in that country.
If we decide or are obliged to send or store your personal information in another country, we will update the relevant sections to describe the protections we have put in place.
You have several different rights with regard to your personal information. Some rights only apply in certain circumstances or to certain information. There are also exemptions from some rights in some circumstances.
Please click the link below to see information about all the rights. Each product-specific section sets out what rights apply for that particular product / service. If there is no rights and choices section, this information here applies.
Please send any rights requests to firstname.lastname@example.org
You are entitled to know what personal information we hold about you and to receive a copy of it.
For most of our products and services, you provide your personal information and can access it by going into the product / service. If you want to make an access request for personal information not contained in a product / service you are using, please email email@example.com.
With regard to the cookies and analytics we use, this information is collected and stored automatically through in-house and third-party tools, as set out in the sections on cookies and analytics. The product-specific sections will set out if there is any analytics information that is linked to any of your personal information.
The information we collect is de-identified and aggregated and it is not possible to search or get the information using your name or your phone’s identifiers (for example, the IMEI number which is like a serial number for your phone). So we cannot provide you with this information as it is not linked to any of your identifying details.
Google Analytics information
We use Google Analytics for some products or websites. Google creates and shares with us an identifier (such as, 76c24efd-ec42-492a-92df-c62cfd4540a3). The information that we collect through Google Analytics is linked only to this identifier, and so it is not possible to search or get the information using your name or your device’s other identifiers (for example, the IMEI number which is like a serial number for your phone). So we cannot provide you with this information as it is not linked to any of your identifying details.
You can make an access request to Google here: https://support.google.com/policies/contact/sar
You are entitled to correct personal information we hold about you that is inaccurate.
For most of our products and services you have the ability to correct or replace inaccurate personal information.
If you have contacted our Customer Support or had other contact with us and want to make a correction request, please email: firstname.lastname@example.org.
In certain circumstances you are entitled to ask us to delete the personal information we hold about you.
For some of our products and services you can delete your account or certain information from within the product / service.
If you have any other deletion request, please email: email@example.com.
In certain circumstances you are entitled to object to Yoti processing your personal information.
If you receive any marketing, there will always be an unsubscribe option.
If you want to contact us about your objection rights, please email: firstname.lastname@example.org.
In certain circumstances you are entitled to ask us to restrict our processing of your personal information.
You can ask us to do this if:
- you dispute the accuracy of your personal information
- our processing is unlawful but you prefer restriction to deletion
- we no longer need the information but you need it for legal reasons
- you have objected to our processing and we are still dealing with this objection
If you want to contact us about your restriction rights, please email: email@example.com.
In certain circumstances you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.
For some of our products and services you can download your personal information from within the product / service.
If you have contacted our Customer Support or had other contact with us and want to make a portability request, please email: firstname.lastname@example.org.
Complain to the ICO
You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information – https://ico.org.uk/global/contact-us/.
What’s a cookie?
It’s an online technology to collect information about you and to store your online preferences. Cookies are small pieces of information sent by a web server to a web browser which allows the server to uniquely identify the browser on each page.
These expire when you close your browser and do not remain on your computer.
These are stored on your computer until they expire or you delete them from your cache. They are normally used to make sure the site remembers your preferences.
Strictly necessary cookies
These cookies are essential for you to move around our website and Hub and use their features. Without these cookies we cannot provide services you have asked for, such as access to secure areas.
These cookies collect anonymous information on how people use our Hub and website.
These cookies remember choices you make, such as your last action, language and search preferences. We can use these to provide you with a better experience based on your preferences. The information from these cookies is anonymous and they cannot track your browsing activity on other websites.
How do I delete cookies?
Go to the help and support area on your internet browser for instructions.
Information on deleting or controlling cookies is also available at https://www.aboutcookies.org/
If you delete or disable our cookies you may not be able to access certain areas or features of our site.
We collect information about your device and your use of our products using in-house analytics and third-party tools. The information we collect is de-identified and aggregated so we can’t identify you personally. We use it to understand how our products are being used and to improve them. You can opt out of certain analytics in the app. This section provides general information; please see the ‘Analytics’ sections of the product-specific information for more details on analytics used in specific products.
What are analytics and why do we use them?
Analytics means collecting and analysing information about activity on our website and in our app. None of our analytics provide information about you personally. The statistics we get from this data allow us to understand how people are using our products and websites, and things like what works and what doesn’t, how long it takes to complete critical tasks and where we have users. Unlike most other companies, we don’t build individual profiles of the people who use our products and services. We simply look for trends and patterns to inform business decisions.
All these statistics are essential to understanding how our products and websites are performing and identify where we need to focus our efforts to improve.
Your choices for analytics
You have some control over analytics information collected through settings available in your website browser and on your phone, as well as in the Yoti app settings.
Both Android and iOS phones have privacy settings to limit the collection of the Advertising ID.
You can opt out of certain analytics through the app settings.
There are many different ways to contact us. The main ones are listed below. Please also see the ‘Yoti websites and social media’ section for other ways to contact us and our information collection and use practices when you do so. You can also contact us from the Yoti app and there is more information on that in the ‘Yoti app’ section.
We changed how we present our privacy information in January 2019 to distinguish between general information and product-specific information. You can find previous versions of the entire privacy information at the link below, as well as previous versions of this general section if it has been updated.
Past versions of general section
No past versions of general section yet.
Past versions of privacy information (2016-2018)
We have streamlined the information in this general section by putting product-related information into the section for that product.
We have clarified that Cifas is one of the fraud prevention agencies we may report fraud to, and added some information about Cifas and other member retention and use of fraud reports. (Section: Information sharing > When Yoti shares your personal information).
General – 14/01/2019
Yoti App – 04/05/2020
Yoti Hub – 19/09/2019
Yoti Sign – 18/11/2019
Yoti Password Manager – 14/01/2019
Yoti Websites and social media – 16/12/2019
UPDATE: Organisations are using Yoti for initiatives to deal with Covid-19. This means we have a sharp increase in users on-boarding the app. To deal with this increase we will need to temporarily extend the amount of time our Security Centre have to carry out fraud checks from 7 to 30 days.