Yoti Identity Verification

Last updated: 12th August 2024

The Yoti Identity Verification Service (“IDV”) is provided by Yoti Ltd, except in the USA and Canada, where it is provided by Yoti USA Inc. This privacy information, in addition to the Yoti Biometrics Policy for users in Illinois, Texas and Washington, covers the identity verification methods we provide for this product. 

This privacy information will refer to the relevant Yoti entity as ‘us’ and the organisation you’re interacting with to prove your identity as the ‘Organisation’ or ‘Client’

When you use Yoti’s Identity Verification Service, Yoti is acting as the service provider or processor on behalf of our Clients. This means that our Clients are responsible for complying with the laws relating to your identity check including providing you with information about the processing of your personal data  – you should contact the Client (the Organisation that requested you complete the identity check) for any questions on their use of your data.

 

Contents

What is Yoti IDV?

Information collection and use on behalf of Yoti Clients

Identity Verification

Data Retention

Information sharing

Other companies’ use of your personal information

Security and data location

Analytics

In-house analytics

Your rights

Contact us

What is Yoti Identity Verification?

Yoti’s Identity Verification service allows one time verification of a living person’s identity. Yoti Clients use our Identity Verification service to assist in conducting identity checks for various purposes.

You can read more about Yoti’s Identity Verification service here: www.yoti.com/business/identity-verification 

Information collection and use on behalf of Yoti Clients

Yoti Clients will direct you to complete an identity verification using Yoti technology. At this point we will collect information from you to send our Clients a report with the results of any checks requested by the Client.

Identity Verification

Information Use
Identity Document including available ID Document fields We use your ID Document to check it’s a genuine document, establish your identity and check for fraud. 

We extract your details from the document such as your name, date of birth, address (if present), document number, nationality, type of document, gender, data of issue, date of expiry and photo in order to perform the identity checks requested by the Client and provide the results back to the Client.

If requested by the Client, we will also share an image of the ID Document with our Client.

Selfie Liveness: We use your selfie to check that you are a real person. 

Face match: We compare your selfie with the photo on your ID Document to make sure individuals only upload their own documents. 

In some countries this data may be considered biometric data and Yoti and/or our Client may ask for your consent to this processing. If you do not want to consent then you should contact our Client (the Organisation that asked you to complete the check) and ask for another option to verify your identity.

Address Where requested by our Client, we check your address (provided by you or extracted from your ID or supplementary document) against the records held by the Credit Reference Agency in order to verify the information. The check will be in the name of Yoti Limited.
Name, DoB, address and other ID Document fields We send your information to trusted third parties, such as Credit Reference Agencies, to look for other information about you that helps us verify your identity on behalf of our client that has requested the check.
Information on how we verified your identity This information creates a report stating how Yoti verified your identity, what checks we did and the results of those checks. This is sent to the Organisation that requested you complete the check. 

 

The results sent to the Client are recommendations only – it is up to our Clients to decide what to do with the results based on their use case.   

This information includes your IP address when using Yoti’s Identity Verification service.

Data Retention

The maximum amount of time that Yoti has access to your personal data to perform the check on behalf of our Clients is 28 days – in some cases Clients will configure the Yoti service so that your personal data is deleted immediately following the check. This will depend on the Client and their specific requirements. 

After 28 days (or sooner if chosen by the Client) Yoti will continue to store the data on behalf of the Client, according to the retention period set by them as controller. Yoti does not have access to the data following the initial 28 days. 

Where Yoti is under a legal or statutory obligation to retain your data, for example due to a valid request from law enforcement, we will keep your data for longer.

Information sharing

Our Clients

We will put your data into a report and send that report to our Client who has requested you complete the identity check.

 

Credit Reference Agencies & third party providers

If we need to use a credit reference agency to verify your address or other part of your identity, as requested by our Client, then we send the relevant details to the credit reference agency or fraud prevention database and use the response in our identity verification report sent to Clients.

Currently we use the following providers to assist with these checks:

  • TransUnion: If it has been requested by a Client we will share your data (ID document and relevant data fields such as name, DoB, address) with TransUnion in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about TransUnion and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.transunion.co.uk/legal-information/bureau-privacy-notice
  • Experian: We will share your data (ID document and relevant data fields such as name, DoB, address) with Experian in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about Experian and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.experian.co.uk/legal/crain/
  • Aristotle: We will share your information with Aristotle if requested as part of our Client’s identity check on you. You can find more information about how Aristotle processes your personal information at https://integrity.aristotle.com/privacy-policy/
  • ComplyAdvantage:We will share your information (name, DoB, address) with ComplyAdvantage if requested as part of our Client’s identity check on you. You can find more information about how ComplyAdvantage processes your personal information at https://complyadvantage.com/privacy-notice/
  • CitizenCard: When you upload a CitizenCard we will validate your information with them as the issuing authority. You can find more information about how CitizenCard processes your personal information at https://www.citizencard.com/cookie-privacy-policy
  • FRS Labs:When you upload an AADHAAR card or an Indian PAN card we will validate your information with FRS Labs. You can find more information about FRS Labs at https://docs-frslabs.gitbook.io/frslabs/privacy-policy

Law Enforcement of other official body

We will have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

Where we are required to share information with law enforcement or other government authority we will ensure

  • The request is valid;
  • The information requested is no more than necessary;
  • That, where possible, we have tried to redirect the request to the relevant Client; and
  • That, where possible, we have informed the relevant Client of the request.

Security and data location

We keep the data encrypted in our UK data centres and, if configured by the Clients, the data could be sent to our security centre in India for manual checks. 

We always ensure any transfers of data follow the relevant legal requirements, such as entering into standard contractual clauses (SCCs) and completing transfer impact assessments to ensure that any data transferred is protected to an adequate standard. 

We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001, SIO9001 and ISO27701 certification. You can see more about Yoti’s technical and organisational measures at https://www.yoti.com/security/

Analytics

Understanding how people use the Yoti Identity Verification service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

In-house analytics

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. We don’t build individual profiles of the people who use the Yoti Identity Verification service for advertising purposes. We simply look for trends and patterns to inform business decisions.

This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address). 

Your rights

If you want to exercise your rights in relation to your check, you should contact the Organisation that requested you complete the check as they are responsible as controller. 

Contact

For general questions on Yoti or the IDV product: cs@yoti.com  

For questions about your rights: Contact the Organisation that requested you do the identity check

For questions on privacy: privacy@yoti.com

Or write to:

Yoti DPO
Yoti Ltd, 6th Floor,
107 Leadenhall St,
London, EC3A 4AF