General information and contact details
What do we do?
We are a business-to-business (B2B) technology organization that provides compliance and identification verification products and services to business customers on a global scale to help them detect fraud. Typically, our business customers use our technology so they can verify the information that you have provided to them. We do this by matching the data that you have provided to them with third party reference data (which we receive from data suppliers or our other business customers). This still sounds complex, so an example is often the easiest way to explain:
- You are going to open a bank account.
- In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. They may be obligated to do this for a number of reasons, such as compliance with anti-money laundering (AML) regulations to fight fraud.
- The bank collects personal data from you and passes this to our technology to process (via our products and services).
- As part of this processing, we may match the personal data you provided against third party data from our data suppliers or data that we have pooled together in one of our Fraud Management network consortiums which hold data collected from other business customers.
- If our customer is utilizing our Selfie ID Verification service, then we would also collect your identity documents and a selfie photo, to verify that you are the same person as the one in the identity documents you provided.
- Matching your personal data may be done in two (2) ways, depending on the product that our customer is utilizing: a) We host a copy of this personal data that we receive from data suppliers or that we have pooled together in one of our Fraud Management network consortiums; and/or b) We access personal data via a web service, which means our data suppliers hold the database and we securely send them your personal data to match against the records they hold (collectively, the “Third Party Supplied Data”). They then return the result to us.
- We then pass the results back to the bank (our customer).
- Our customer then decides how they will respond to you (e.g., open your bank account, flag your request, etc.) based on their own internal risk policies and criteria. We do not have control over how our customer responds to you, nor do we set their risk appetite.
What personal data do we collect, why, and do we sell it to third parties?
The personal information that we may collect about you broadly falls into the following categories:
- Basic information: Name, postal address, phone/mobile number, email address, date of birth
- Device information: IP address, geolocation, device address
- Transactional: Data our customers provide us with in regards to your transactions with them to help detect and prevent fraud
- Inference Data: Information generated from your interactions or transactions with our clients (which they provide to us) to create risk scores for fraud prevention and/or regulatory compliance purposes.
- Image: Photo on a passport, driving license, or other identification document, selfie photos.
- Documentation: Information on documentation that you provide to our customers, such as medical insurance cards, driver’s licenses and passports.
- Sensitive Information: this will vary based on your jurisdiction’s approach to what type of data is sensitive or not. This may include: driver’s license or passport numbers, social security number or other government issued numbers, face biometric match scores.
Why we collect your personal data depends on the Service we provide to the customer that you provided your information to. However, we would only be processing this information for the purposes of fraud prevention and/or regulatory compliance.
Under certain jurisdictions (i.e., California and Virginia) we are deemed to sell your personal information when we collect it for processing under our Fraud Management network consortium.
|Service Offering||Description of Offerings|
||Verifies individuals by matching the data attributes they provided to our customers against the corresponding data attributes within our data sources. Part of these services involve using the data that the individual provided to our customers in our Fraud Management network consortium to gain insights on potential fraudulent activity, or risk scores, depending on the product that is used.
For example, if an e-commerce company needs to verify an individual’s age in order to sell to them, they may use our ExpectID Age services to ascertain that the individual is over the age of 21. Another example is if a gaming company needs to do Anti-Money Laundering checks for regulatory compliance, they could use our AML and Transactions Monitoring services together to get real time alerts to flag individuals who may be making fraudulent transactions.
||Authenticates ID documents to try to ensure that they are valid government-provided identification documents. For example, if a business venue only allows patrons that are 21 and over to enter their premises, they could use our AssureID service to check that individuals’ IDs are authentic government-issued IDs.
We also offer form filling services that do not authenticate IDs, but instead extract the data to automatically populate customer forms. For example, if a doctor’s office doesn’t want to have their patients manually fill out their insurance information on a paper form, they could use our MedicScan service. Our MedicScan service would scan their medical insurance card and auto-populate the relevant information into the doctor’s office electronic medical records.
||Verifies the validity of an ID belonging to the individual who submitted it, using a quick selfie and matching it against the photo on an ID. Our customers provide us with the following data for processing: (1) an image of the identity document that belongs to an individual and (2) a selfie photo of the individual.
For example, a person has applied for an online bank account and the bank needs to make sure that the person filling out the application is the same person on the ID document. The bank could use our Face and Liveness services to submit both a copy of the ID photo and a selfie and our third-party provider will do a match and provide us with a match score that determines if the person on the ID is the same as on the selfie and is in fact a live person.
For more information on our biometric processing practices, please see our Biometric Privacy Notice below.
||Asks individuals a series of relevant, multiple-choice, “out-of-wallet” dynamic security questions to help businesses confirm that an individual is truly who they claim they are. For example, if a business wants individuals to confirm their identity before a password reset, they could use our ExpectID IQ services to set up the questions they want answered to ascertain that John Doe is really John Doe (e.g., which of the following addresses were you residing in during 2019)|
||Our Consortium Fraud Network and eDNA data consortiums are not standalone products. Instead, they are separate and individual data pools that consist of the information that we receive from their corresponding customers. The Consortium Fraud Network may be fed into by customers who take our ExpectID offerings and our eDNA consortium may be fed into by customers who take our Compliance services if those services are not being provided via an ExpectID offering. The purpose of these network consortiums is to be able to gain insights from the data that is fed into them, for the purposes of fraud prevention and/or compliance.
Please note that all data in our network consortiums is pseudonymized and one-way hashed for technical safeguarding and that we do not grant our customers or any third-parties direct access to the data held in our network consortiums; the data is only accessed by us to help our products to generate a risk or pass/fail score, without actual disclosure of the data, for customers whose data is fed into the relevant network consortium. For the avoidance of doubt, data that is provided to the Consortium Fraud Network is not shared with our eDNA consortium, and vice versa.
* Please note that we have recently made some marketing changes to the way we present and market our products to our B2B customers. If you are an existing customer who purchased products from either Acuant, Inc., or IDology, Inc. prior to April 1, 2023, please click here to see where the product you purchased would fall under the chart above.
Our Biometric Notice
Our products are meant to help our Customers reduce identity fraud, by authenticating identity documents that you provide to them. Our Face product (described below) is meant to authenticate that the person submitting the document to our customer is who they claim to be by performing a facial recognition match.
Our standard IDology API gives our business customers access to third-party data sources, watch lists, and award-winning identity verification, fraud prevention and compliance solutions, including one to one facial recognition and match services, part of which is performed by our third-party partners.
How does the facial recognition and match solution work?
Our API will collect the following images from an individual: (1) an identity document that they take a photo of and (2) a selfie image that they take of themselves, captured through our business customer’s identity verification interface, which the individual is interacting with. We send the images to our third-party partner (Microsoft Azure) who then performs a facial comparison using the latest available technology, and specified algorithms, to determine whether the faces contained in the two images belong to the same person and to generate a “Face Match Score” (on a scale of 0 to 100) representing the confidence level that the two images of the individual match each other. Our third-party partner is contractually limited to using the images and/or their corresponding data for purposes of performing the image comparison on our behalf. Once the comparison match is complete, the Face Match Score (which does not include any biometric identifiers or use any biometric identifiers to identify you) is passed through the IDology API to our business customer to help them determine their level of confidence that the individual submitting the selfie is the same person as the individual on the identity document.
IDology only uses the Face Match Score to try to help our customers authenticate that you are the same individual whose photo is on the ID document you provided, for the purpose of verification services and fraud prevention. At no point will we have access to any biometric identifiers that our third-party partner may have processed when generating your Face Match Score. Additionally, the biometric processing that IDology Face performs is not used to identify an individual, but instead it is used to authenticate the ID document you submitted by confirming that the individual in the selfie is the same individual in the ID document. Where required by law, our clients must obtain consent to collect and/or have us process your biometric data, and we have contractually obligated them to do so. IDology will not sell, lease, trade, or otherwise transfer your biometric data to any other third-party not addressed in this Section.
Our third-party partner is contractually required to destroy the images and any biometric data that they may have processed in accordance with a data retention schedule which does not exceed 24 hours. Please note that our business customer may retain the original images and the Face Match Score in accordance with their own internal policies, which we have no control or influence over. IDology only retains the selfie image and the ID document for 60 seconds or 14 days (depending on our customer’s configuration), after which they are destroyed from our environment. However, upon our customer’s request, we may retain the images and Face Match Score on our customer’s behalf for an amount of time requested by the customer, strictly in accordance with our contractual agreement with the customer; for the avoidance of doubt, this would not include any actual biometric data. We will not store the Face Match Score after we cease to have a relationship with the customer unless we otherwise obtain permission or are required by law. For the avoidance of doubt, the Face Match Score cannot be used to identify you (it is simply a number from 1 to 100). IDology uses appropriate information security safeguards designed to protect the IDology Face data it is collecting and processing, when it is being collected, stored, and transmitted.
Our legal basis for processing personal data
We will collect personal information where the processing is in our or our customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, in accordance with required applicable laws. These include legitimate business interests which provide a societal benefit, such as detecting and preventing fraud and helping our customers ensure only individuals who should have access to their services are able to do so.
In some of our products & services, we may also rely on your explicit consent as our lawful basis, where the processing includes special category data (such as your biometric data, for example). If you are not happy to provide your explicit consent, then please consult with the organization (i.e., our customer) that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something IDology can influence.
IDology’s Lawful basis
As this is a global policy, lawful basis will be applicable to the personal data and jurisdiction related to its processing.
- Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough or verifying your identity.
- Consent: Our customers are responsible for collecting your consent, when necessary, in accordance with applicable laws. The journey you will undergo includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR and other privacy laws, as applicable, and IDology relies on the explicit consent under Article 9(2)(a) of the GDPR to process such data.
Who will we receive your personal data from and who will we share your personal data with and why?
As explained above, we receive personal data about you from our customers and data suppliers. We also send your personal data to our customers and data suppliers, where there is a lawful reason (as applicable), to do so in order to provide our products and services.
We offer our products and services to public and private organizations worldwide. These include:
- Financial Services: Banks, payments, fintech, lending
- Healthcare: Healthcare providers (for patient registration & billing), insurance
- eCommerce: Retail (online shopping), online commerce platforms
- Gaming: Online gaming, gambling loyalty programs, lottery
- Entertainment: Travel and leisure, media
- Public Sector: Law enforcement, local government, border patrol, education bodies
- Utilities: Gas, electricity, water suppliers
- Miscellaneous: Cryptocurrency, automotive dealers, transportation
IDology Data Suppliers
We work with a number of trusted data suppliers who we have performed due diligence on. These include government and public authorities, regulated financial or consumer credit services organizations, other commercial organizations as well as publicly available information.
We may also disclose your personal data to the following categories of recipients:
- to any competent law enforcement body, regulatory, government agency, court or other third parties where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
How long do we retain your data for in our Products and Services?
With the exception of the services listed below, we retain personal information we collect from our customers and data suppliers for the length of time necessary to fulfill the specific purpose or purposes for which it has been collected (for example, to help our customers to comply with applicable legal requirements). We may also keep it to comply with our own compliance or legal obligations, resolve any disputes and enforce our rights. However, please note that retention limits may be set by our own customers, and if so, we are unable to delete it or affect their retention periods.
Once the respective retention purpose ceases to apply, we will either delete or anonymize the personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Document Authentication Services
All of our document authentication products have a retention period of 10-60 seconds; we retain the data only for as long as we need to process it, unless otherwise requested by our customer (then we would retain it for the duration that they contractually oblige us to). The only exception to this is if you are using our document authentication services using our Consortium Fraud Network services, in which case we may retain the personal information for a maximum of 90 days, as set out below.
Fraud Management Services
The data that we hold in our Consortium Fraud Network is kept for a maximum of 90 days. The data that we hold in our eDNA consortium is kept until our customers direct us to delete it, or (effective January 1, 2023) for no longer than 10 years, whichever is shorter.