About Us | Product Privacy Notice

Effective Date: January 1, 2024

General information and contact details

This Product Privacy Policy (“Product Privacy Policy“) sets out the personal information that IDology Inc. and Acuant, Inc., (collectively (“IDology“, “we“, or “us“) collect and process about you through our products and services (“Services“), the purposes of the processing and how you can exercise your privacy rights.
For information in regards to how we collect personal information from you directly on our site, rights request information, or for more generic privacy information, please see our General Privacy Policy.
Our customers and data suppliers should have a lawful reason for processing your data and may have a separate relationship with you. Where applicable and in accordance with any relevant corresponding laws or regulations, they will be required to provide you with information (for example through their own privacy policy) about how they collect and process your data.

What do we do?

We are a business-to-business (B2B) technology organization that provide – identification verification, regulatory compliance and fraud management products and services (collectively, our “Services”) to business customers on a global scale. Typically, our business customers use our technology so they can verify the information that you have provided to them. We do this by matching the personal information that you have provided to them with third party reference data (which we receive from data suppliers or our other business customers). This still sounds complex, so an example is often the easiest way to explain:

You are going to open a bank account.
In order to open a bank account, the bank (our business customer) needs to verify if you are who you say you are. They may be obligated to do this for a number of reasons, such as compliance with anti-money laundering (AML) regulations to fight fraud.
The bank collects personal information from you and passes it to our technology to process (via our products and services).
As part of this processing, we may match the personal information you provided against third party data from our data suppliers or data that we have pooled together in one of our Fraud Management network consortiums which hold data collected from other business customers.
If our customer is utilizing our Selfie ID Verification service, then we would also collect your identity documents and a selfie photo, to verify that you are the same person as the one in the identity documents you provided.
Matching your personal information may be done in two (2) ways, depending on the product that our customer is utilizing: a) We host a copy of this personal information that we receive from data suppliers or that we have pooled together in one of our Fraud Management network consortiums; and/or b) We access personal information via a web service, which means our data suppliers hold the database and we securely send them your personal information to match against the records they hold (collectively, the “Third Party Supplied Data”). They then return the result to us.
We then pass the results back to the bank (our business customer).
Our business customer then decides how they will respond to you, (e.g., open your bank account, flag your request, etc.) based on their own internal risk policies and criteria. We do not have control over how our business customer responds to you, nor do we set their risk appetite in relation to their business practices.

What personal information do we collect, why, and do we sell it to third parties?

The personal information that we may collect about you broadly falls into the following categories:

Basic information: Name, postal address, phone/mobile number, email address, date of birth
Device information: IP address, geolocation, device address
Transactional: Data our business customers provide to us about your transactions with them to help in the detection and prevention of fraud
Inference Data: Information generated from your interactions or transactions with our business customers (which they provide to us) to create risk scores for fraud prevention and/or regulatory compliance purposes.
Image: Photo on a passport, driver’s license, or other identification document, selfie photos.
Documentation: Information on documentation that you provide to our business customers, such as medical insurance cards, drivers licenses and passports.
Sensitive Information: this will vary based on your jurisdiction’s specific approach to what type of data is sensitive or not. This may include driver’s license or passport numbers, social security number or other government issued numbers, face biometric match scores.

Why we collect your personal information depends on the Service we provide to our business customer and to whom you provided your information. However, we only process your personal information for the purposes of providing our Services to business customers and, under limited circumstances, to comply with any jurisdiction-specific legal requirements, and our commitment to continuously improve and develop our technology to provide identity verification, regulatory compliance and fraud management Services to our business customers (e.g., when we collect your personal information for processing under our Fraud Management network consortium.

We do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit under the CCPA. For more information, please refer to our General Privacy Policy.

Our Services

Service Offering	Description of Offerings
ExpectID Platform Data Verification Compliance Services	Verifies individuals by matching the data attributes they provided to our customers against the corresponding data attributes within our data sources. Part of these services involve using the data that the individual provided to our customers in our Fraud Management network consortium to gain insights on potential fraudulent activity, or risk scores, depending on the product that is used. For example, if an e-commerce company needs to verify an individual’s age in order to sell to them, they may use our ExpectID Age services to ascertain that the individual is over the age of 21. Another example is if a gaming company needs to do Anti-Money Laundering checks for regulatory compliance, they could use our AML and Transactions Monitoring services together to get real time alerts to flag individuals who may be making fraudulent transactions.
Document Authentication	Authenticates ID documents to try to ensure that they were a valid government provided identification document. For example, if a business venue only allows patrons that are 21 and over to enter their premises, they could use our AssureID service to check that individuals’ IDs are authentic government issued IDs. We also offer form filling services that do not authenticate IDs, but instead extract the data to automatically populate customer forms. For example, if a doctor’s office doesn’t want to have their patients manually fill out their insurance information on a paper form, they could use our MedicScan service. Our MedicScan service would scan their medical insurance card and auto-populate the relevant information into the doctor’s office electronic medical records.
Selfie ID Verification	Verifies the validity of an ID belonging to the individual who submitted it, using a quick selfie and matching it against the photo on an ID. Our customers provide us with the following data for processing: (1) an image of the identity document that belongs to an individual and (2) a selfie photo of the individual. For example, a person has applied for an online bank account and the bank needs to make sure that the person filling out the application is the same person on the ID document. The bank could use our Face and Liveness services to submit both a copy of the ID photo and a selfie and our third-party provider will do a match and provide us with a match score that determines if the person on the ID is the same as on the selfie and is in fact a live person. For more information on our biometric processing practices, please see our Biometric Privacy Notice below.
Dynamic KBA	Asks individuals a series of relevant, multiple-choice, “out-of-wallet” dynamic security questions to help businesses confirm that an individual is truly who they claim they are. For example, if a business wants individuals to confirm their identity before a password reset, they could use our ExpectID IQ services to set up the questions they want answered to ascertain that John Doe is really John Doe (e.g., which of the following addresses were you residing in during 2019)
Fraud Management	Our Fraud Management network consortiums (ie., Velocity and eDNA) are not standalone products. Instead, they are separate and individual data pools that consist of the information that we receive from customers who take our Services. The purpose of our Fraud Management network consortiums is to be able to gain insights from the data that is pooled into them, for the purposes of providing our Services to our business customers. Please note that all data in our Fraud Management network consortiums is pseudonymized and one-way hashed for technical safeguarding and that we do not grant our business customers or any third-parties direct access to the data held in our Fraud Management network consortiums; the data is only accessed by us to help our products to generate a risk or pass/fail score, without actual disclosure of the data, for customers whose data is pooled into the Fraud Management network consortium.

* Please note that we have recently made some marketing changes to the way we present and market our products to our B2B customers. If you are an existing customer who purchased products from either Acuant, Inc., or IDology, Inc. prior to April 1, 2023, please click here to see where the product you purchased would fall under the chart above.

Our Biometric Notice

Our products are meant to help our business customers reduce identity fraud, by authenticating identity documents that you provide to them. Our Face product (described below) is meant to authenticate that the person submitting the document to our business customer is who they claim to be by performing a facial recognition match.
Our standard IDology API gives our business customers access to third-party data sources, watch lists, and award-winning identity verification, fraud prevention and compliance solutions, including one to one (1:1) facial recognition and match services, part of which is performed by our third-party providers.
How does the facial recognition and match solution work?
Our API will collect the following images from an individual: (1) an identity document that they take a photo of and (2) a selfie image that they take of themselves, captured through our business customer’s identity verification interface, which the individual is interacting with. We send the images to our third-party provider (eg., Microsoft Azure) who then performs a facial comparison using the latest available technology, and specified algorithms, to determine whether the faces contained in the two images belong to the same person and to generate a “Face Match Score” (on a scale of 0 to 100) representing the confidence level that the two images of the individual match each other. Our third-party provider is contractually limited to using the images and/or their corresponding data for purposes of performing the image comparison on our behalf. Once the comparison match is complete, the Face Match Score (which does not include any biometric identifiers or use any biometric identifiers to identify you) is passed through the IDology API to our business customer to help them determine their level of confidence that the individual submitting the selfie is the same person as the individual on the identity document. IDology does not process biometric data.
IDology only uses the Face Match Score to try to help our customers authenticate that you are the same individual whose photo is on the ID document you provided, for the purpose of verification services and fraud prevention. At no point will we have access to any biometric identifiers or information that our third-party proider may have processed when generating your Face Match Score. Additionally, the biometric processing that IDology Face performs is not used to identify an individual, but instead it is used to authenticate the ID document you submitted by confirming that the individual in the selfie is the same individual in the ID document. Where required by law, our clients must obtain consent to collect and/or have us process your biometric data, and we have contractually obligated them to do so. IDology will not sell, lease, trade, or otherwise transfer your biometric data to any other third-party not addressed in this Section.
Our third-party provider is contractually required to destroy the images and any biometric data that they may have processed in accordance with a data retention schedule which does not exceed 24 hours. Please note that our business customer may retain the original images and the Face Match Score in accordance with their own internal policies, which we have no control or influence over. IDology only retain the selfie image and the ID document for 60 seconds or 14 days (depending on our business customer’s configuration), after which they are destroyed from our environment. However, upon our business customer’s request, we may retain the images and Face March Score on our business customer’s behalf for the time they requested, strictly in accordance with our contractual agreement with the customer; for the avoidance of doubt, this would not include any actual biometric data. We will not store the Face Match Score after we cease to have a relationship with the business customer unless we otherwise obtain permission or is required by law. For the avoidance of doubt, the Face Match Score cannot be used to identify you (it is simply a number from 1 to 100). IDology uses appropriate information security safeguards designed to protect the IDology Face data it is collecting and processing, when it is being collected, stored, and transmitted.

Our legal basis for processing personal information

We will collect personal information where the processing is in our or our business customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, in accordance with required applicable laws. These include legitimate business interests which provide a societal benefit, such as detecting and preventing fraud and helping our customers ensure only individuals who should have access to their services are able to do so.
In some of our products & services, we may also rely on your explicit consent as our lawful basis, where the processing includes special category data (such as your biometric data, for example). If you are not happy to provide your explicit consent, then please consult with the organization (i.e., our business customer) that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something IDology can influence.

IDology’s Lawful basis

As this is a global policy, lawful basis will be applicable to the personal information and jurisdiction related to its processing.

Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal information, such as ensuring you are old enough or verifying your identity.
Consent: Our customers are responsible for collecting your consent, when necessary, in accordance with applicable laws. The journey you will undergo includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR and other privacy laws, as applicable, and IDology relies on the explicit consent under Article 9(2)(a) of the GDPR to process such data.

If you have questions or need further information concerning the legal basis on which we collect and use your personal information, please contact us using our webform or contact us using any of the methods set out in our General Privacy Policy.

Who will we receive your personal information from and who will we disclose your personal information with and why?

As explained above, we receive personal information about you from our business customers and data suppliers. We also send your personal information to our customers and data suppliers, where there is a lawful reason (as applicable), to do so in order to provide our Services.

IDology Customers

We offer our products services to public and private organizations worldwide. These include:

Financial Services: Banks, payments, fintech, lending
Healthcare: Healthcare providers (for patient registration & billing), insurance
eCommerce: Retail (online shopping), online commerce platforms
Gaming: Online gaming, gambling loyalty programs, lottery
Entertainment: Travel and leisure, media
Public Sector: Law enforcement, local government, border patrol, education bodies
Utilities: Gas, electricity, water suppliers
Miscellaneous: Cryptocurrency, automotive dealers, transportation

IDology Data Suppliers

We work with a number of trusted data suppliers who we have performed due diligence on. These include government and public authorities, regulated financial or consumer credit services organizations, other commercial organizations as well as publicly available information.
We may also disclose your personal information to the following categories of recipients:

to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy policy;
to any competent law enforcement body, regulatory, government agency, court or other third parties where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy policy.

How long do we retain your data for in our Products and Services?

With the exception of the services listed below, we retain personal information we collect from our business customers and data suppliers for the length of time necessary to fulfill the specific purpose or purposes for which it has been collected (for example, to help our customers to comply with applicable legal requirements. We may also keep it to comply with our own compliance or legal obligations, resolve any disputes and enforce our rights. However, please note that retention limits may be set by our own customers, and if so, we are unable to delete it or affect their retention periods.
Once the respective retention purpose ceases to apply, we will either delete or anonymize the personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Document Authentication Services

All of our document authentication products have a retention period of 10-60 seconds; we retain the data only for as long as we need to process it, unless otherwise requested by our business customer (then we would retain it for the duration that they contractually oblige us to). The only exception to this is if our business customers use our document authentication services using our Fraud Management network consortium (Specifically, Velocity), in which case we may retain your personal information for a maximum of 90 days, as set out below.

Fraud Management Services

Our GBG IDology Fraud Management network consortiums include the following:

Fraud Management network consortiums	Retention Period
IDology, Inc. – Consortium Fraud Network or Velocity,	The data that we hold in Velocity is kept for a maximum of 90 days.
Acuant, Inc. – eDNA	The data that we hold in eDNA may be kept for a maximum of 10 years.

If you have questions about or need further information concerning any privacy matters please see our General Privacy Notice. To make any privacy rights requests, please Contact Us using our webform or feel free to contact us using the information provided in our General Privacy Policy, linked above.

Fraud Protection

ExpectID® Platform

Identity Verification

Regulatory Compliance

Age Verification

Contactability

Digital Identity

KBA Enhancement or Replacement

KYC Compliance

Onboarding & New Account Opening

Step-Up Authentication & Reverification

Automotive & Transportation

Cryptocurrencies

Finance, Banking & Payments

FinTech

Gaming, Gambling & Lottery

Government & Border Control

Healthcare

Insurance

Lending

Retail, Sharing Economy & Telcos

Travel, Hospitality & Entertainment

Consumer Finance

Consumer Insurance

Consumer Lending

Digital Banking

Gaming

Vinoshipper

Blog

Content Library

News

Success Stories

Company

Deployment

Events

Partners

Careers

Policies

Suppliers

Contact Us & Support

IDology Product Privacy Policy