Yoti Identity Verification

Yoti Clients will direct you to complete an identity verification using Yoti technology. At this point we will collect information from you to send our Clients a report with the results of any checks requested by the Client.

The maximum amount of time that Yoti has access to your personal data to perform the check on behalf of our Clients is 28 days – in some cases Clients will configure the Yoti service so that your personal data is deleted immediately following the check. This will depend on the Client and their specific requirements. 

After 28 days (or sooner if chosen by the Client) Yoti will continue to store the data on behalf of the Client, according to the retention period set by them as controller. Yoti does not have access to the data following the initial 28 days. 

Where Yoti is under a legal or statutory obligation to retain your data, for example due to a valid request from law enforcement, we will keep your data for longer.

Our Clients

We will put your data into a report and send that report to our Client who has requested you complete the identity check.

Credit Reference Agencies & third party providers

If we need to use a credit reference agency to verify your address or other part of your identity, as requested by our Client, then we send the relevant details to the credit reference agency or fraud prevention database and use the response in our identity verification report sent to Clients.

Currently we use the following providers to assist with these checks:

• TransUnion: If it has been requested by a Client we will share your data (ID document and relevant data fields such as name, DoB, address) with TransUnion in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about TransUnion and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.transunion.co.uk/legal-information/bureau-privacy-notice
• Aristotle:We will share your information with Aristotle if requested as part of our Client’s identity check on you. You can find more information about how Aristotle processes your personal information at https://integrity.aristotle.com/privacy-policy/
• ComplyAdvantage:We will share your information (name, DoB, address) with ComplyAdvantage if requested as part of our Client’s identity check on you. You can find more information about how ComplyAdvantage processes your personal information at https://complyadvantage.com/privacy-notice/
• CitizenCard: When you upload a CitizenCard we will validate your information with them as the issuing authority. You can find more information about how CitizenCard processes your personal information at https://www.citizencard.com/cookie-privacy-policy
• FRS Labs:When you upload an AADHAAR card or an Indian PAN card we will validate your information with FRS Labs. You can find more information about FRS Labs at https://docs-frslabs.gitbook.io/frslabs/privacy-policy

Fraud Bodies

Where requested by Clients we will conduct fraud checks with fraud bodies. In some cases, for example where we suspect you are committing identity fraud or a criminal offence when using Yoti’s Identity Verification, we will share a copy of your information with the appropriate authorities. 

• Cifas: If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information at https://www.cifas.org.uk/fpn and individuals who want to dispute a Cifas record, must contact Cifas directly at https://www.cifas.org.uk/contact-us/I-Want-To-Make-A-Complaint  
• Synectics: We check your information against National SIRA and NFI databases. You can read more about Synectics here: https://www.synectics-solutions.com/privacy-policy 
• Metropolitan Police Service Amberhill Identity Team: We will share the document and information with Amberhill where we find that there is a match to their database of false identity documents/information. You can read more about Amberhill here.

Law Enforcement of other official body

We will have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

Where we are required to share information with law enforcement or other government authority we will ensure

• The request is valid;
• The information requested is no more than necessary;
• That, where possible, we have tried to redirect the request to the relevant Client; and
• That, where possible, we have informed the relevant Client of the request.

We keep the data encrypted in our UK data centres (or in Montreal for our Canadian Clients) and, if configured by the Clients, the data could be sent to our security centre in India for manual checks. 

We always ensure any transfers of data follow the relevant legal requirements, such as entering into standard contractual clauses (SCCs) and completing transfer impact assessments to ensure that any data transferred is protected to an adequate standard. 

We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001, SIO9001 and ISO27701 certification. You can see more about Yoti’s technical and organisational measures at https://www.yoti.com/security/

Understanding how people use the Yoti Identity Verification service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. We don’t build individual profiles of the people who use the Yoti Identity Verification service for advertising purposes. We simply look for trends and patterns to inform business decisions.

This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address). 

If you want to exercise your rights in relation to your check, you should contact the Organisation that requested you complete the check as they are responsible as controller. 

For general questions on Yoti or the IDV product: cs@yoti.com  

For questions about your rights: Contact the Organisation that requested you do the identity check

For questions on privacy: privacy@yoti.com

Or write to:

Yoti DPO
Yoti Ltd, 6th Floor,
107 Leadenhall St,
London, EC3A 4AF