Yoti privacy policy


Last updated on: 6th November 2017 - what's new

In this policy, we explain how we will handle your personal information when you sign up and use our app, Yoti dashboard and website www.yoti.com. Where we say 'we' and 'us' we mean Yoti. Where we say 'third party' this means anyone who is not you or us. This could be another person or organisation.

As transparency and privacy are core values, we regularly check and update this policy to reflect new features and functionality. We have a lot of new features and functionality planned, so to avoid having to issue a new privacy policy every month, there may be information about things that aren't in place yet, but they will be soon. Regularly reviewing this policy makes sure that you are always aware of what information we collect, how we use it and how we might share it.

Who we are
Information collection and use
Information sharing
Security
Your rights and choices
Cookies
Analytics
Contact us
Past versions

Who we are

We are a digital identity platform and we design our software and services with privacy at their heart, guided by a set of principles.

We are monitored by a Guardian Council who make sure that we always seek to do the right thing.

We are certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment.

Company details

We are Yoti Ltd, Fountain House, 130 Fenchurch Street, London, EC3M 5DJ (company number 08998951), but you can call us ‘Yoti’. Our general email address is hello@yoti.com.

Our principles

We take your privacy very seriously. We design our software and services with privacy at their heart, guided by a set of principles which you can read here: https://www.yoti.com/about/journey/.

We are monitored by a Guardian Council, who are respected and influential individuals who make sure that Yoti always seeks to do the right thing, and that we are transparent about what we are doing and why. Read more about them here: https://www.yoti.com/about/council.

We are also certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment. Read more about it here: https://www.bcorporation.net/

Creating an account with Yoti

What we collect

What we do with it


Your mobile number

To create your account in the app

To check you do not already have an account with Yoti – users are only allowed to have one account.

We encrypt your mobile number (which means we can’t access it) and keep it until you or we close the account and delete the information.


Your photo

To create your account in the app

We securely store a biometric template of your photo to verify that it is always you trying to access your Yoti account. A biometric template is a digital map of your face created from your photo. Yoti also securely stores the actual photos.


Information from in-house and third-party analytics tools

See sections on cookies and analytics

Checking you are a real person

What we collect

What we do with it


Video of you saying some words

This helps us to make sure you are a real live person. We delete the video after 7 days, if not before.

Yoti Dashboard

This will let you see all your receipts from sharing your information. Organisations can also set up an account to create pages and applications to request and receive information from their customers.

For users

What we collect

What we do with it


Photo

To register you for an account with Yoti Dashboard and to login after that.

For organisations

What we collect

What we do with it


Photo, name, date of birth, email address and mobile number

To register you for an account with Yoti Dashboard and to login after that.


Organisation details, administrator and director details

To administer your account

To send you account information and updates

To confirm with the Director listed that the use of Yoti and the administrator are authorised.

Adding information to your Yoti

What we collect

What we do with it


Information from Government-issued identity documents (for example, passport, driving licence)

We use the information to verify your identity and check the document is valid, and check that you are over 12. You will not be able to add an expired passport or driving licence.

We check the document photo against the photo you took to set up the account, to check it’s your document. It may be sent to our Security Team for a manual check.

We use the photo and your date of birth (which we hash) to check if your identity already exists. Users can only have one account.

We may check your information against fraud prevention databases where your document fails our internal fraud prevention checks.

While we verify your identity the information is kept securely but our Security Team can access it. We can access this information up to 7 days after verification.

We then add the details to your Yoti account and keep this information encrypted on our servers (which means we can’t access it) until you or we close the account and delete the data.

We create general statistics and reports from some of this information to help us understand how people are using our app, and to allow us to improve the service. This information does not identify any specific user. See the sections on cookies and analytics for more information.

Where you provide a name, address and date of birth we will verify these details with credit reference agencies.

This will leave a footprint on your credit file, which does not affect your credit score.


Aadhaar (name, date of birth, Aadhaar number, gender and (optional) address).

We will redirect you to our tech partner and then onto our trusted KYC partner who are authorised to check your details against the Central Identities Data Repository (CIDR).

The KYC partner sends the details to the tech partner, who do the matching and provide Yoti with a yes or no and your photo.

The tech partner deletes all the information (except the photo) as soon as the check is complete. The photo is kept on a Yoti server in India for 7 days in case our Security Team need to manually check it.


Age attribute (for example, 18+)

We convert your date of birth into an age attribute so that in some circumstances you won’t need to share your date of birth to prove your age or eligibility for a product or service.

Yoti Password Manager

What we collect

What we do with it


Usernames, passwords, URLs, website names, and any login specific settings you choose to set

Passwords you generate using our password generator

Information you provide to use the auto-complete feature

We store the information so you can use Yoti Password Manager to log into websites without having to remember your login details, and so you can automatically fill in your information.


Information from in-house and third-party analytics tools

See sections on cookies and analytics

Backing up your account

We store an encrypted key in the cloud you choose for back up so that you can recover access to your account on a different phone.

If you lose access to your Yoti account

For example, you have lost your mobile phone, can’t log in and need to recover access to it

What we collect

What we do with it


The encrypted key from your cloud

We retrieve this to restore your link to your account.


PIN, photo and video

To verify your identity and check you are the true holder of the Yoti account and grant you access to it again or to reset your PIN.

If you forget your PIN we will ask you for your mobile number and date of birth (if you have added a document).

While we verify your identity we keep the information but our Security and Customer Support Teams can access it. We can access this information for up to 7 days after verification.

Using your Yoti

What we collect

What we do with it


App login details

To log you into your Yoti


Information from in-house and third-party analytics tools

See sections on cookies and analytics


Information about issues and problems you have with the app

If the app crashes, or you have some other issue, you can contact us about it by email, from within the app or through the website.

You can also choose to share certain data with us to help us find the server logs for your phone so that we can identify and fix the issue. The information you send comes to us by email and if you have an email address on your Yoti account, you will receive an acknowledgement email with a ticket number for your issue.

This creates a Yoti Customer service account for you so you can revisit your ticket(s) to see progress and contact us further about the issue or any other issue.

On the back end, we associate your server log information with a reference number (for example, 3bbf6e6fe414b40bf9fed99c8d36bd2c) but we do not connect it to you personally. This log information is deleted after 6 months.

Once we have resolved your issue and / or closed the ticket, we will send you an email asking for feedback. We only use this information to improve our services.


Anonymous information that does not identify any specific user about what types of information you have shared with third parties.

This information allows us to charge organisations for the information they get from you.

For example, we may charge an organisation more for receiving 5 pieces of information from you through Yoti, than we would charge an organisation who only received 3.

Yoti website

What we collect

What we do with it


Contact details when you fill in the ‘Contact us’ form

To reply to your query


Information from in-house and third-party analytics tools

See sections on cookies and analytics

When Yoti shares your personal information

While we verify your account, for a short period of time after you register or add information, your account will be pending and Yoti will be able to access your personal information.

Yoti’s core principles are that it is not our business model to sell, transfer or share outside the company any of the personal information used to set up your account or your user activity information.

There are, though, some situations where we will share, or will have to share, some information. We list these below.

Situation

Who we share your data with


If we suspect a registration may involve identity fraud, a national security threat, legal infringement, a criminal offence

We may have to share a copy of your information with the appropriate authorities.


If you provide false or inaccurate information

If, after investigation, we determine that there has been fraud that meets the criteria for reporting, we will pass the details to relevant crime and fraud prevention agencies to prevent further fraud and money laundering.

You can get more information about our approach to fraud and misuse, and about how the crime and fraud prevention agencies will use the information, by emailing privacy@yoti.com.


If we get a request for user information from a law enforcement or other official authority

We cannot provide your information that is encrypted in our database unless either you, or a third party you shared your information with, provides us the receipt from your sharing activity, as this contains the decryption key necessary to access the personal information you shared with that third party.

We have an internal policy and process to make sure that, where we are able to share information, the request is valid, the information requested is no more than necessary, and that we think it’s the right thing to do.

We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.


If you have provided your name, address and date of birth

We will check this information against credit reference agency data as part of verifying your identity.

This check leaves a footprint on your credit file, which will reference an identity check by Yoti. This footprint does not affect your credit score.


Some companies using Yoti will request an identity check against credit reference agency data

If you agree, Yoti will send your name, address and date of birth to the credit reference agency on behalf of the company, and will send back to the company the response from the credit reference agency.

This check leaves a footprint on your credit file, which will reference an identity check by Yoti. This footprint does not affect your credit score.


When you create an organisation account on Dashboard and provide corporate details, including of one of your Directors

We will publish the company name and address, corporate contact details (that you provide for users) and director's name in our searchable database for Yoti users to find out where they can use their Yoti.

Users have to login to access the database and can only search on 5 organisations a day.


We may use the services of other businesses to help us in certain areas, for example, for data storage; online payment providers; and identity providers who we use to help with identity verification

Because of how we have designed the system, in most situations we won’t need to share your information with third parties.

If we do, we will encrypt your data and / or it will be properly protected by the terms of our contract with these third parties.


If Yoti sells its assets

Yoti will only agree to the sale if the new business commits to the core Yoti principles of data privacy.

While we are negotiating with the company buying or combining Yoti with their own business, they won’t be able to access your encrypted personal information but Yoti may provide anonymised statistical information.

When you share your personal information

You alone will decide when you want to use your Yoti to identify yourself to a third party, or to swap, send and request information. You choose whether to agree or not to share the information the third party requests. If you decide to share your information with a third party, you will both receive a receipt which will contain a copy of the information that each party shared.

Yoti encourages companies to only ask for the information they actually need, for example, your age, or confirming you are over 18, rather than a full date of birth. If you choose to share your information with a third party using Yoti, those third parties may choose to use that information to communicate with you or they may share that information with others. We suggest you read the privacy policies of any organisation you share your information with to understand how they will use your personal information.

Yoti creates and encrypts a master receipt which contains the details of what information was shared and who with. This master receipt is securely stored on our servers and we cannot access it unless either you or the third party provides us with their own receipt containing the encryption key we need to access the information.

Always allow

We provide a feature to some companies, for some scenarios, where you can choose to automatically share the same information each time you interact with them. Usually, you scan a QR code to see what information the company is asking for, and you are asked whether you want to allow the sharing of your information. With ‘Always Allow’ you can cut out the approval step. This may be useful to save time for some transactions you carry out often, where the same information is requested from you each time.

Your encrypted information

Except for the biometric template and photos mentioned in the 'Information collection and use' section, we do not have access to your personal information that we have verified and stored on our servers. The only way we can access the information is if you provide us with the encryption key (which is a set of unique numbers stored securely on your device). Only you hold the keys to decrypt your account information.

Sending your personal information to other countries

We currently keep your personal information in the UK.

In future we may send your personal information to countries outside the UK. If those countries are in the European Union, Switzerland, Iceland, Liechtenstein and Norway, there are equivalent laws on handling personal information and so your information is protected in the same way as it is in the UK.

If we send your personal information to any other countries (for example, we may have other databases and servers in other countries), some of these countries may not have equivalent laws on handling personal information. However, we will make sure that your personal information is properly protected.

In some countries, for legal or practical reasons, Yoti may have to store personal information in that country.

When we decide to send or store your personal information in another country, we will update this section to describe the protections we have put in place (unless they are already described in another relevant section).

Access rights

You are entitled to see the personal information we hold about you. We do not have access to your personal information that we have verified and stored on our servers. The only way we can access the information is if you provide us with the encryption key (which is a set of unique numbers stored securely on your device). Only you hold the keys to decrypt your account information.

You can access all the personal information we hold on you through your Yoti app.

When you use your Yoti, we collect some information about your phone and how you are using the app, Dashboard and website. This information is collected and stored automatically through in-house and third-party tools, as set out in the sections on cookies and analytics.

In-house analytics

The information we collect is de-identified and aggregated and it is not possible to search or get the information using your name or your phone’s identifiers (for example, the IMEI number which is like a serial number for your phone). So we cannot provide you with this information as it is not linked to you specifically.

Google Analytics information

For each phone that is using our app Google creates and shares with us an identifier (such as, 76c24efd-ec42-492a-92df-c62cfd4540a3). The information that we collect from your phone through Google Analytics is linked only to this identifier, and so it is not possible to search or get the information using your name or your phone’s other identifiers (for example, the IMEI number which is like a serial number for your phone). So we cannot provide you with this information as it is not linked to you specifically.

You can make an access request to Google here: https://support.google.com/policies/contact/sar

Correction rights

You are entitled to correct personal information we hold about you that is inaccurate. If you think that any of the information in your Yoti account is not accurate, you can update it at any time through your account. Yoti only has access to the information in your account for up to 7 days after it is first provided to Yoti.

If you change your name, you can only update your Yoti by adding a government-issued identity document with the new name.

Deletion rights

In certain circumstances you are entitled to ask us to delete the personal information we hold about you.

If you want to close your account and delete your information, please read our FAQs here:

https://yoti.zendesk.com/hc/en-us/sections/202203845-Managing-my-Yoti-account

If you have any other deletion request, please email: privacy@yoti.com

Objection rights

In certain circumstances you are entitled to object to Yoti processing your personal information.

If you want to contact us about your objection rights, please email: privacy@yoti.com

Complain to the ICO

You can also complain to the Information Commissioner's Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information.

https://ico.org.uk/global/contact-us/

What’s a cookie?

It’s an online technology to collect information about you and to store your online preferences. Cookies are small pieces of information sent by a web server to a web browser which allows the server to uniquely identify the browser on each page.

Types of cookie

Session cookies

These expire when you close your browser and do not remain on your computer.

Persistent cookies

These are stored on your computer until they expire or you delete them from your cache. They are normally used to make sure the site remembers your preferences.

Categories of cookies

Strictly necessary cookies

These cookies are essential for you to move around our website and Dashboard and use their features. Without these cookies we cannot provide services you have asked for, such as access to secure areas.

Performance cookies

These cookies collect anonymous information on how people use our Dashboard and website.

Functionality cookies

These cookies remember choices you make, such as your last action, language and search preferences. We can use these to provide you with a better experience based on your preferences. The information from these cookies is anonymous and they cannot track your browsing activity on other websites.

How do I delete cookies?

Go to the help and support area on your internet browser for instructions.

Information on deleting or controlling cookies is also available at www.allaboutcookies.org

If you delete or disable our cookies you may not be able to access certain areas or features of our site.

Yoti website cookies

Name of the cookie

Type of cookie

What we do with it


yoti_ignoreCookieBanner

Functionality cookie

Used to know that you have seen the cookie banner, and so not to show it to you again.


_ga

Performance cookie

(Google Analytics and Adwords) Used to show us how users arrive at and interact with our website. It helps highlight areas where we can improve and shows us how successful our marketing campaigns are.


_gat

Performance cookie

Used by Google Analytics to prevent attacks on their servers.


_gid

Performance cookie

Used by Google Analytics to distinguish users from each other.


Visual Website Optimiser

Functionality and performance cookies

VWO anonymously tracks where people click on our website allowing Yoti to generate a diagram highlighting the most active areas, as well as count how many times users click on a certain link or button. We use this technology to understand how people use our website and to test different content, so that we can improve the website. You can find information on the specific cookies used by VWO here: https://vwo.com/knowledge/cookies-used-by-vwo/

Yoti Dashboard cookies

Name of the cookie

Type of cookie

What we do with it


_yop

Strictly necessary cookie

Stores only a session ID (no user data).


_csrf

Strictly necessary cookie

Security feature to prevent account hijack.


xsrf-token

Strictly necessary cookie

Security feature to prevent account hijack.


connect.sid

Strictly necessary cookie

Stores only a session ID (no user data).


channel_id

Strictly necessary cookie

Used to identify which mobile to communicate with.


privateKey

Strictly necessary cookie

Used for decrypting personal information - no data from this cookie goes to Yoti.


publicKey

Strictly necessary cookie

Used to encrypt personal information.


refId

Strictly necessary cookie

Used with channel_id and is also used to identify which mobile to communicate with.


signedPublicKey

Strictly necessary cookie

To prove ownership of the Public Key.


ngStorage-ageLink

Strictly necessary cookie

Used to store the URL of a Yoti Connect Page.


ngStorage-profile

Strictly necessary cookie

Temporarily stores user’s avatar, date of birth and age - no data goes to Yoti.


_ye

Strictly necessary cookie

A session cookie used to store a user ID.


_ys

Functionality cookie

Stores data about the mobile a user is using. It also stores the ID of a Yoti App being shared, data sharing between Yoti users, and the last action a user was about to perform before installing the app.


acknowledgedBanners

Functionality cookie

Hides a banner telling you to add an admin email once you have dismissed it.

What are analytics and why do we use them?

Analytics means collecting and analysing information about activity on our website and in our app. None of our analytics provide information about you personally. The statistics we get from this data allow us to understand how people are using our website or app, and things like what works and what doesn’t, how long it takes to complete critical tasks and where we have users.

All these statistics are essential to understanding how our website and app are performing and identify where we need to focus our efforts to improve.

Yoti website analytics

Facebook, Twitter and Google Adwords pixels

These track activity on the website such as when a user completes an activity (for example, clicking through, completing a purchase, downloading the app). We use this to determine which platform users come to Yoti from, and to understand what actions users take once they arrive at Yoti. For more information, please see:

Visual Website Optimiser

VWO anonymously tracks where people click on our website allowing Yoti to generate a diagram highlighting the most active areas, as well as count how many times users click on a certain link or button. We use this technology to understand how people use our website and to test different content, so that we can improve the website.

Yoti app analytics

Adjust

We use Adjust performance and analysis technology in our app. This allows us to track and analyse which marketing channels or sources are producing the best results in directing users to download the Yoti app, and to help us understand how our users are using our app. When you launch the app, Adjust collects information on user activity (such as clicks and when you install the app), as well as when certain events happen (such as completing registration, successfully adding an ID document, adding a password to Yoti Password Manager, deleting the account and so on).

To provide this service, Adjust uses three identifiers which they anonymise using a technology called ‘hashing’. The first identifier is one that Apple AppStore or Google Play gives your phone (depending on which app store you visited). The second identifier is your IP address which is like an address for your phone from your mobile network provider, and which may change if you take your phone to a different location. The third identifier is your MAC address, which is a unique number the phone manufacturer gives to the parts of your phone that connect to the internet. The hashing technology Adjust uses to anonymise these identifiers means that it is not possible to identify you or your mobile individually. Adjust then provide us with aggregated information.

We use Adjust with different advertising networks that allow us to show Yoti adverts on these networks. Adjust also pass back this aggregated information to these networks so they can improve their systems and do better at targeting relevant advertising.

See section 2 of Adjust’s privacy notice for more information:

https://www.adjust.com/privacy_policy/

You can opt out of Adjust analytics in the settings in the app.

In-house and Google analytics

Using our in-house software, and using Google Analytics, we collect some information from users and some information on when certain things happen as you use the app. This information includes information about your phone. Our in-house software does not track how you personally use our app.

The information is de-identified so that it is not associated with an identifiable user. The information provides us with statistics on things like:

  • the number of people installing the app;
  • the number of accounts created successfully;
  • how long it takes on average to carry out certain actions in the app, such as taking a photo, uploading a document;
  • how many addresses are uploaded from a document and how many are manually added;
  • the number of account backups, account recoveries, and account deletions;
  • the percentage of people who stop using the app at certain key points, such as accepting the terms and conditions, taking a photo and so on;
  • the number of users per country, age band, and gender.

These statistics are crucial for us to understand how our app is performing, where things are failing, and what kinds of users we have. This information helps us to understand where we need to focus our business, marketing and product development efforts and what app improvements we need to make.

Yoti Password Manager

We use Google Analytics and our in-house analytics to understand the following.

  • What percentage of overall registered Yoti users also registered for Password Manager
  • How many active Password Manager users there are
  • How many users use Password Manager for at least one website
  • How many users per country: based on a truncated IP address to give the country
  • Which browser is used: Chrome, Mozilla, Safari or Internet Explorer
  • Total number of uses of Password Manager in a day, week and month (not per user)

What's new

Last updated on: 6th November 2017

Section

Changes


All sections

We have made general improvements to the presentation and layout of many sections, and consolidated information where it was duplicated.


Information collection and use

We have added in information for Indian users about our use of Aadhaar data when you add this to your Yoti.

We have also made some amends to update information on our use of your data to reflect some internal changes, specifically around internal checks to make sure you only have one account, and new functionality, such as in relation to Dashboard.


Information sharing

We have removed information relating to MyVenue products developed by our sister company Yoti External Applications Ltd, as this now has its own privacy notice on the MyVenue websites.


Your rights and choices

We have added information on our in-house analytics to the section on access rights.

We have added a contact email for deletion requests other than closing your account.


Cookies and analytics

We have separated this into two sections so it is clearer.