This page provides both general privacy information and product-specific privacy information. Where we say ‘we’ and ‘us’ we mean Yoti. Where we say ‘third party’ this means anyone who is not you or us. This could be another person or an organisation.
The general section contains high-level information that applies across all our business. The product-specific privacy information is in separate pdf documents below. These cover the specific data collection and use activities for our different products and services, so you can easily find the information you need for the specific product or service you use.
As transparency and privacy are Yoti core values, we regularly check and update this policy to reflect new features and functionality. We have a lot of new features and functionality planned, so to avoid having to issue new privacy information every month, there may be information about things that aren’t quite in place yet, but they will be soon. Regularly reviewing our privacy information makes sure that you are always aware of what information we collect, how we use it and how we might share it. The ‘What’s new’ section summarises the changes made to the latest version. For the app, we will also tell you there is a new version in the information on what’s new when you go into your app store to update the app to the latest version.
High-level privacy information that applies across all our business.
Last updated: 05/11/2020
Yoti and Post Office EasyID apps
How we handle your data when you use the Yoti and Post Office EasyID apps.
Last updated: 19/04/2021
How we handle your data when you use our eSignatures solution.
Last updated: 23/07/2020
Yoti Password Manager
How we handle your data when you use Yoti Password Manager.
Last updated: 14/01/2019
Websites and social media
How we handle your data on our websites and social media.
Last updated: 16/10/2020
How we handle your data when you use the Hub.
Last updated: 19/09/2021
General privacy information
Last updated: 27/08/2020
- Cookies and Analytics sections: we have added information about an analytics cookie we will start using on web-based products.
- Security and data location section: we have added a sentence on Privacy Shield.
Previous version: 14 January 2019
Who we are
We are a digital identity platform and we design our software and services with privacy at their heart, guided by a set of principles.
We are monitored by a Guardian Council who make sure that we always seek to do the right thing.
We are certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment.
We are Yoti Ltd, Fountain House, 130 Fenchurch Street, London, EC3M 5DJ (company number 08998951), but you can call us ‘Yoti’. Our general email address is firstname.lastname@example.org.
We take your privacy very seriously. We design our software and services with privacy at their heart, guided by a set of principles which you can read here: https://yoti.com/ethical-framework/.
We are monitored by a Guardian Council, who are respected and influential individuals who make sure that Yoti always seeks to do the right thing, and that we are transparent about what we are doing and why. Read more about them here: https://yoti.com/ethical-framework/.
We are also certified as a B Corp company, meaning that we consider the impact of our decisions on employees, consumers, the community and the environment. Read more about it here: https://www.bcorporation.net.
Information collection and use
The product-specific privacy notices provide information for each product on personal information collection and use.
In general, we use your personal information to provide our identity app and its associated products and services. You can find more information on our lawful bases and retention at the link below.
|Lawful basis||Examples of when we use it|
|Performance of a contract||When you set up and use our app and associated products and services, almost all the personal information collection and use is necessary to provide the app, product or service.
If you provide us your contact details to ask us a question, request more information or contact our Customer Support, we use your details to reply and resolve any issues.
|Consent||We ask you to consent to us using your biometrics. This is because biometric data is sensitive data under the EU GDPR and the lawful bases available for this data are very limited. There are also biometrics laws in other countries that require consent.
See the section on biometrics for more information about the biometrics we use and why.
In the UK we can also use a ‘preventing or detecting unlawful acts’ lawful basis for our use of biometrics that is for fraud prevention purposes.
|Legitimate interests||Some personal data collection and use is in our legitimate business interests. To use this lawful basis we assess both our interests and yours, to make sure that what we’re doing does not cause any unjustified privacy intrusion.
Identity checks: where we check your details with a third party to make sure only verified identities can get a Yoti.
Fraud reporting: some fraud prevention bodies we work with require us to report identity fraud we discover.
Research and Development: we use non-sensitive data to continually improve and test our fraud prevention measures.
Analytics: we de-identify and aggregate the metrics information we get from users to understand how our website and app are performing, to identify bugs and to identify where we need to focus our efforts to improve.
Marketing campaign records: we keep information so we know who was sent what marketing information and when.
Invoice and billing: for corporate customers.
|Legal obligation||If you have provided us your contact details to hear about Yoti, its products and services and you no longer want to hear from us, we are obliged by law to stop contacting you. To meet this legal obligation we will add your details to a suppression list so you no longer hear from us.
If you are a corporate customer, we are obliged to carry out some due diligence.
We provide retention information in the relevant product-specific section.
In most cases, the information you add to your account or provide as part of using a product or service remains until you delete the account.
If you volunteer for user testing, we will keep the related information for six months.
As a Yoti user, you choose if you want to use Yoti to share your information with other individuals or with companies. As an organisation using Yoti for age or identity verification, you choose what information to request from individuals.
Where Yoti has access to your information, we may share it in specific circumstances, such as:
- suspected or confirmed identity fraud or other offences;
- valid and legally binding requests for information from third parties;
- to verify your details.
We do not sell your information.
This section describes the kind of circumstances where we may have to share personal information. The product-specific sections will set out what, if any, information sharing may take place for that product / service.
When Yoti shares your personal information
Yoti’s core principles are that it is not our business model to sell, transfer or share outside the company any of the personal information used to set up your account or your user activity information. However there are some situations where we will share or will have to share some information, and we list these below.
|Situation||Who we share it with|
|If we suspect identity fraud, a national security threat, legal infringement or a criminal offence||We may have to share a copy of your information with the appropriate authorities.|
|If you provide false or inaccurate information||One of these agencies is Cifas. Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn.
You can get more information about our approach to fraud and misuse by emailing email@example.com.
|If we get a request for information from law enforcement or other official authority||Where your personal information is encrypted in our database, and we do not have the decryption key, we cannot provide any information. For information that we do have access to, we have an internal policy and process to make sure that we only disclose personal information where the request is valid; the information requested is no more than necessary; we can disclose it compliantly; and we think it’s the right thing to do.
We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.
|To verify your details||For some of our products and services we check certain details, including against a third party, as part of verifying identity and carrying out due diligence. The product-specific sections will set out when and how this happens.|
|To verify details on behalf of other companies||Some of our products and services may include the option to request an identity check against credit reference agency or other fraud prevention data. In these circumstances Yoti simply sends the relevant details to the credit reference agency or fraud prevention database on behalf of the company, and sends the response back to the company. The product-specific sections will set out when and how this happens.|
|We may use the services of other businesses to help us in certain areas, for example, for data storage, online payment providers and identity providers who we use to help with identity verification||Because of how we have designed the system, in most situations we won’t need to share your information with third parties. If we do, we will encrypt your data and / or it will be properly protected by the terms of our contract with these third parties.|
|If Yoti sells its assets||Yoti will only agree to the sale if the new business commits to the core Yoti principles of data privacy.
While we are negotiating with the company buying or combining Yoti with their own business, they won’t be able to access your encrypted personal information but Yoti may provide anonymised statistical information.
When you share your personal information
You alone will decide when you want to use a Yoti product or service to identify yourself to a third party, or to send and request information. You choose whether to agree or not to share the information that a third party requests from you.
Yoti encourages companies to only ask for the information they actually need, for example, your age, or confirming you are over 18, rather than a full date of birth. If you choose to share your information with a third party using Yoti, those third parties may choose to use that information to communicate with you or they may share that information with others. We suggest you read the privacy policies of any organisation you share your information with to understand how they will use your personal information.
Security and data location
Security is a core business principle. Our products and services do different things, so the specific security details for each one are listed in the relevant product sections. We always keep personal information in secure locations with strict access controls.
We continually test our systems and are ISO 27001 and SOC 2 compliant, which means we follow top industry standards for information security.
The product-specific privacy notices have more information on where we keep data and the security measures relevant to that product.
Where we use other organisations to support our business we have contract terms in place that contain obligations on the other organisation to safeguard your information. Some of these organisations have their servers in other countries. We have contract terms with these third parties and measures in place to cover any transfers of personal information. The measures used are EU-approved model contract clauses, Privacy Shield for some US companies, and some have Binding Corporate Rules. We are currently looking into suppliers who use Privacy Shield to move to an alternative, given the recent CJEU decision that invalidated Privacy Shield.
In future we may send your personal information to countries outside the UK. If those countries are in the European Union, Switzerland, Iceland, Liechtenstein and Norway, or countries with an EU adequacy decision, there are equivalent laws on handling personal information and so your information is protected in the same way as it is in the UK.
If we send your personal information to any other countries (for example, we may in the future have other databases and servers in other countries), some of these countries may not have equivalent laws on handling personal information. However, we will make sure that your personal information is properly protected.
In some countries, for legal or practical reasons, Yoti may have to store personal information in that country.
If we decide or are obliged to send or store your personal information in another country, we will update the relevant product privacy notice to describe the protections we have put in place.
Your rights and choices
You have several different rights with regard to your personal information. Some rights only apply in certain circumstances or to certain information. There are also exemptions from some rights in some circumstances.
Please click the link below to see information about all the rights. Each product-specific privacy notice sets out what rights apply for that particular product / service. If there is no rights and choices section, this information here applies.
Please send any rights requests to: firstname.lastname@example.org
For most of our products and services, you provide your personal information and can access it by going into the product / service.
If you want to make an access request for personal information not contained in a product / service you are using, please email: email@example.com.
With regard to the cookies and analytics we use, this information is collected and stored automatically through in-house and third-party tools, as set out in the sections on cookies and analytics. The product-specific sections will set out if there is any analytics information that is linked to any of your personal information.
The information we collect is de-identified and aggregated, so it is not possible to search or get the information using your name or your phone’s identifiers (for example, the IMEI number which is like a serial number for your phone). We cannot provide you with this information as it is not linked to any of your identifying details.
Google Analytics information
We use Google Analytics for some products or websites. Google creates and shares with us an identifier (such as, 76c24efd-ec42-492a-92df-c62cfd4540a3). The information that we collect through Google Analytics is linked only to this identifier, and so it is not possible to search or get the information using your name or your device’s other identifiers (for example, the IMEI number which is like a serial number for your phone). We cannot provide you with this information as it is not linked to any of your identifying details.
You can make an access request to Google here: https://support.google.com/policies/contact/sar
You are entitled to correct personal information we hold about you that is inaccurate.
For most of our products and services you have the ability to correct or replace inaccurate personal information.
If you have contacted our Customer Support or had other contact with us and want to make a correction request, please email: firstname.lastname@example.org.
In certain circumstances you are entitled to ask us to delete the personal information we hold about you.
For some of our products and services you can delete your account or certain information from within the product / service.
If you have any other deletion request, please email: email@example.com.
In certain circumstances you are entitled to object to Yoti processing your personal information.
If you receive any marketing, there will always be an unsubscribe option.
If you want to contact us about your objection rights, please email: firstname.lastname@example.org.
In certain circumstances you are entitled to ask us to restrict our processing of your personal information.
You can ask us to do this if:
- you dispute the accuracy of your personal information;
- our processing is unlawful but you prefer restriction to deletion;
- we no longer need the information but you need it for legal reasons; or
- you have objected to our processing and we are still dealing with this objection.
If you want to contact us about your restriction rights, please email: email@example.com.
In certain circumstances you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.
For some of our products and services you can download your personal information from within the product / service.
If you have contacted our Customer Support or had other contact with us and want to make a portability request, please email: firstname.lastname@example.org.
Complain to the ICO
As a UK company we are regulated by the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. You can complain to them here: https://ico.org.uk/global/contact-us/
Or you can complain to your local regulator: https://globalprivacyassembly.org/participation-in-the-assembly/members-online/
What’s a cookie?
It’s an online technology to collect information about you and to store your online preferences. Cookies are small pieces of information sent by a web server to a web browser which allows the server to uniquely identify the browser on each page.
Types of cookie
These expire when you close your browser and do not remain on your computer.
These are stored on your computer until they expire or you delete them from your cache. They are normally used to make sure the site remembers your preferences.
Categories of cookies
Strictly necessary cookies
These cookies are essential for you to move around our website and Dashboard and use their features. Without these cookies we cannot provide services you have asked for, such as access to secure areas.
These cookies collect anonymous information on how people use our Dashboard and website.
These cookies remember choices you make, such as your last action, language and search preferences. We can use these to provide you with a better experience based on your preferences. The information from these cookies is anonymous and they cannot track your browsing activity on other websites.
Our web-based products use a cookie to implement our in-house analytics for actions you take on your device when using the product. These analytics report at aggregate not individual user level and we use the information to understand how our products are being used and to improve them, as set out in the ‘Analytics’ section.
How do I delete cookies?
Go to the help and support area on your internet browser for instructions.
Information on deleting or controlling cookies is also available at https://www.allaboutcookies.org/.
If you delete or disable our cookies you may not be able to access certain areas or features of our site.
We collect information about your device and your use of our products using in-house analytics and third-party tools. The information we collect is de-identified and aggregated so we can’t identify you personally. We use it to understand how our products are being used and to improve them.
You can opt out of certain analytics in the app and by changing browser settings for web-based products that use a cookie to implement the analytics. This section provides general information, please see the ‘Analytics’ sections of the product-specific information for more details on analytics used in specific products.
What are analytics and why do we use them?
Analytics means collecting and analysing information about activity on our website and in our app. None of our analytics provide information about you personally. The statistics we get from this data allow us to understand how people are using our products and websites, and things like what works and what doesn’t, how long it takes to complete critical tasks and where we have users. Unlike most other companies, we don’t build individual profiles of the people who use our products and services. We simply look for trends and patterns to inform business decisions.
All these statistics are essential to understanding how our products and websites are performing and identify where we need to focus our efforts to improve.
Your choices for analytics
You have some control over analytics information collected through settings available in your website browser and on your phone, as well as in the Yoti app settings.
Both Android and iOS phones have privacy settings to limit the collection of the Advertising ID.
You can opt out of certain analytics through the app settings.
There are many different ways to contact us. The main ones are listed below. Please also see the ‘Yoti websites and social media’ section for other ways to contact us and our information collection and use practices when you do so. You can also contact us from the Yoti app and there is more information on that in the ‘Yoti app’ privacy notice.
For our EU Representative (required by GDPR)
Yoti has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU.
EDPO’s online request form: https://edpo.com/gdpr-data-
Write to: EDPO, Avenue Huart Hamoir 71, 1030 Brussels, Belgium
We changed how we present our privacy information in January 2019 to distinguish between general information and product-specific information. You can find previous versions of the entire privacy information below.