updated 18-10-2024
Privacy Policy
-
Introduction
-
Definitions
-
Whose personal data does Inverid process?
-
Who is responsible for the processing of your personal data?
-
What personal data does Inverid process?
-
How does Inverid obtain your personal data?
-
Why and on what grounds does Inverid process personal data?
-
How long does Inverid keep your personal data?
-
Does Inverid transfer your personal data to other parties and to countries outside the EU?
-
Is my data secure?
-
What are your rights?
-
When do you contact our Data Protection Officer (DPO)?
-
Can we change this Privacy Policy?
1. Introduction
In this Privacy Policy, we explain how and on what basis Inverid collects, stores and processes personal data of data subjects, i.e., our customer’s representatives, users of our services, job applicants, and visitors (see definitions below). We also explain what data subjects’ rights are and our obligations and liabilities. With examples we make this information easier to understand.
Inverid’s core business is providing the ReadID identity verification technology based on chips in government-issued identity documents. ReadID is in most cases provided as a cloud (software-as-a-service or SaaS) service in which we process users’ personal data as instructed by our customers. In this case, our customers are the controllers who determine the purpose of the processing of the users’ personal data and, accordingly, Inverid is a processor of user information with respect to those services. In order to fully understand how personal data is processed, data subjects should also review the privacy policy of our customers for whose services they are actually getting verified for.
Besides offering ReadID as a cloud service, we also have a so-called client-only version, where the verification of the chip happens solely in the user’s phone and therefore there is no processing of personal data by Inverid on its servers. Our publicly available ReadID Me app for example uses the client-only version of ReadID.
In other cases, Inverid is a data controller of personal data, for instance regarding visitors of our website and representatives of customers asking for support. We may also process certain anonymised information of ReadID users for the development and improvement of our services and in other forms and purposes.
Naturally, in all cases we handle the data with care.
2. Definitions
Here you can find the meaning of the most important terms in this Privacy Policy to help you understand how and for what we are processing your personal data.
Data controller: a legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and gives instructions regarding processing activities to Inverid, unless Inverid is acting as the data controller.
Data processor: Inverid processes personal data on behalf of the data controller, unless Inverid is acting as the data controller. Inverid may use sub-processors who, under the authority of the controller, are authorised to process personal data.
Data subject / you: a natural person about whom we have information or data enabling the identification of the natural person. Data subjects include our customers’ representatives, users that make use of our identity verification services, visitors of our website, job applicants, and other natural persons whose personal data we may process.
Customer: the legal entity to whom we provide our services under a contractual agreement.
Personal data: information that directly or indirectly identifies you as a person (i.e., the data subject), such as your name and address, email address or telephone number. Information about a legal entity is not personal data, but information about a contact person or representative of a legal entity is.
Processing: any operation which is performed on personal data, such as the collection, storage, use, provision, transmission, and deletion of it.
ReadID SaaS user: a natural person regarding whom we provide the ReadID service at the request of the customer. This could be via the Inverid ready-to-use ReadID Ready app or via the ReadID SaaS Software Development Kit (SDK) that the customer can integrate in its own mobile application. Both the Ready app and SDK communicate with a SaaS Server provided by a public cloud provider and that does all the actual data processing and verifications.
ReadID Me user: a natural person that uses our personal and client-only ReadID Me application.
ReadID Client-Only user: a user of the client-only version of ReadID provided by a customer.
Representative of the customer: a natural person who interacts with Inverid as the representative of a customer prior to the conclusion of the contractual agreement and under the agreement.
Visitor: any person who shows an interest in Inverid or in our ReadID products and services, e.g., visitors of our website, readers of our newsletter, attendees of our webinars, explorers of vulnerabilities in our systems, or potential new employees.
3. Whose personal data does Inverid process?
Inverid processes the personal data of:
- ReadID SaaS users, as a processor for our customers, i.e., the data controllers.
- Representatives of customers, as a data controller.
- Visitors, as a data controller.
We do not process personal data of ReadID Me users as all personal data remains on the mobile phone running the ReadID Me application. The same applies to customers that make use of the client-only version of ReadID, since Inverid does not receive any personal data. In these cases, the customer is fully responsible for the privacy of the personal data being processed. For transparency reasons, however, we have included the client-only use of ReadID in the privacy policy.
4. Who is responsible for the processing of your personal data?
This Privacy Policy covers the processing of personal data by Inverid B.V. (the Netherlands), Inverid Software B.V. (the Netherlands) and Inverid Ltd (UK). Apart from ReadID SaaS data, personal data may be shared between these legal entities to the extent that this is permitted by law.
For the ReadID SaaS services, Inverid is processing personal data on behalf of a customer. The customer in that case is the data controller and Inverid the data processor.
5. What personal data does Inverid process?
Personal data we process about ReadID SaaS users: Inverid provides identity verification services to its customers. This means we verify your identity. For that you (i.e., the ReadID SaaS user) have acknowledged data processing according to the customer’s privacy policy and subsequent data processing by us in accordance with this Privacy Policy. We may collect and process the following personal data:
- Personal data present in the chip of a supported identity document presented by the user, e.g., a passport, identity card or driving license.
- Personal data present on the holder page (back and front) of the presented identity document.
- A face biometric scan (to verify that a User is the right person by matching it with the face image from the identity document).
- IP-address of the user.
This dataset or part of it, combined with non-personal data such as the outcomes of the various verifications we conduct, is shared with the customer conform a data processing agreement.
For ReadID SaaS performance improvement purposes we need to collect anonymous usage information, for example, to detect problems with identity documents from certain countries. This usage information does not contain personal data. Moreover, Inverid cannot directly or indirectly relate the usage information to a specific person. Usage information will only be used for improving the quality of ReadID and not for other purposes. Inverid will only retain the information for as long as is necessary to fulfil the specified purpose.
Specifically, Inverid collects the following usage information via the ReadID SaaS SDK:
- Phone details, including phone type, Android version, iOS version, memory size. We do not collect information that is unique for a certain phone.
- What type of identity document was scanned and read, whether or not the scan was successful, the chip was read successfully, what country issued the identity document, the document signing certificate as stored on the chip, and the date of expiry. We collect the date of expiry since this allows us to determine the version of the scanned identity document.
- Usability information: how long the different steps take if a user managed to go through all steps and usage frequency.
Inverid uses servers under its own control and specific usage analytics data is hosted by a third party.
Personal data we process about representatives of customers: To enter into an agreement with Inverid, to provide our service, to communicate with the representative of our customer and for other lawful reasons we need to process the data of customer’s representatives. This means we may process, among other information, the following personal data of Representatives of the customer:
- personal information of the representative of the customer, such as name, job title, position, and contact information;
- personal information in connection with provision of the service, such as the representative’s login information to the ReadID management portal including username, email address, and mobile phone number.
Personal data we process about visitors: We may collect data when you visit for instance our website (e.g., by using cookies), receive our newsletter (e.g., upon subscription), attend an Inverid webinar (e.g., upon registration) and/or apply for a job position at Inverid. This personal data, among other information, may be as follows:
- personal information, such as IP address, time, and location;
- information on usage of the website, such as the pages you visit, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the website;
- e-mail addresses, when you subscribe to Inverid’s newsletters, download Inverid’s content or register for an Inverid webinar;
- name and email address if you decide to contact Inverid related to reporting an issue mentioned in our Coordinated Vulnerability Disclosure Policy. If you consent, we may also disclose your name in our Hall of Fame.
- curriculum vitae and motivation letters for job applicants.
Personal data we process about ReadID Me users: Inverid provides the ReadID Me application through the Play Store and the App Store. ReadID Me is for your personal use and publicly available free of charge. We provide this app so Users can see what is in the chip of their identity document. In addition, the analytics and feedback we get helps us to improve the underlying ReadID software. The ReadID Me app runs client-only. This means that the app processes the data to access the chip and the personal data read from it locally on the smartphone of the ReadID Me user and does not share them with Inverid, i.e., the app does not send personal data to a server for processing by Inverid. Moreover, the personal information that is processed is not stored on the smartphone. Inverid thus does not collect personal information. We do not know nor want to know who the ReadID Me users are and whose identity documents are scanned.
Similar as for ReadID SaaS, ReadID Me collects anonymous usage information that will be used by Inverid to improve our ReadID services (see section above for ReadID SaaS users).
Personal data we process about ReadID Client-Only users: In this case, Inverid does not process any personal data about the user. The customer may process personal data and is fully responsible for the privacy of any personal data being processed. Moreover, Inverid also does not collect any anonymised usage data.
6. How does Inverid obtain your personal data?
How we obtain personal data of a ReadID SaaS user: We receive your personal data through an identity verification we conduct for a customer service that you use. The customer has contractually authorised us to process your data on behalf of them in the context of a certain service.
How we obtain personal data of a customer’s representative: We collect this data either from you directly when you communicate with us directly, e.g., by sending us an email, providing us with your personal data on the phone or through our customer support tools. We may also collect some of your personal data during the provision of our service to your employer. We also check information about the customer (including about relevant representatives of the customer) from publicly available sources. We only gather relevant and necessary data in order to validate the right of representation e.g., this may include verification of your identity, processing of your personal data for operating our service, etc.
How we obtain personal data about visitors: When you visit our website, we use cookies to collect information. The purpose of these cookies is to improve the user experience of your visit to our website and to provide Inverid with information that can be used for future optimisations. The cookies originate from HubSpot, HotJar, YouTube and DoubleClick.
Our website uses different types of cookies:
- Strictly necessary cookies - These cookies are necessary for the proper functioning of the website and cannot be disabled.
- Preference cookies - These cookies enable the website to remember information that affects the behaviour and design of the website.
- Analytical cookies - These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously.
- Targeting cookies -These cookies are used for targeting purposes. They can be used to build a profile of interests of website visitors, so that relevant advertisements can be shown. They do not store directly identifiable personal information.
You can modify previously stored cookie settings/preferences via the cookie settings button on our website.
Moreover, you can always delete all cookies currently stored in the internet browser on your device.
For job applicants, we use the HomeRun recruitment platform for the processing of job application forms and associated personal data. Please refer to the HomeRun privacy policy for more details.
For our newsletter, the downloading of content, attending webinars or apply for a job at Inverid, you provide your personal data yourself.
How we obtain personal data of ReadID Me users: Personal data is not collected via the use of our ReadID Me app. This app is for personal use only. Non-personal metadata (see above) is collected during the usage of the app.
How we obtain personal data of ReadID Client-Only users: In this case, Inverid does not obtain any personal or other data from the app.
7. Why and on what grounds does Inverid process personal data?
We may only process your personal data if there is a so-called 'lawful basis' for doing so.
Grounds for the processing of personal data of a ReadID SaaS user: We process your personal data as a processor for the benefit of the customer in order to fulfil the agreement we have with the customer. The lawful basis for the processing of the data thus stems from the customer and the service it is providing to you. So, please consult the privacy policy or statement of the customer as well for this purpose. There may also be a legitimate interest for the processing to be able to offer the best possible service on the market. This includes troubleshooting, data analysis, testing, fraud prevention and detection, system maintenance, support, reporting and hosting of data.
Grounds for the processing of personal data of customer representatives: We mainly process your personal data in the establishment and execution of the contractual agreement with our customer, i.e., your employer. There may also be a legitimate interest for ensuring a trust-based relationship with customers. For example, the processing of personal data that is strictly necessary to determine the ultimate beneficiaries in order to prevent, e.g., fraud. Or, for conducting product and market research for purposes of quality assurance, product improvements, developments and assessing its market fit. This may include contacting and communication, interviews, recording of such communications for a limited period of time, etc. with existing and potential new customer representatives.
Grounds for the processing of personal data of a visitor: Data processing of visitors is typically based on consent given by you. Consent may be asked for the cookies that we use on our website or when you subscribe to our free newsletter by providing your e-mail address. In case we rely on your consent for the processing of your data, you have the right to revoke your consent at any time. Please note that any processing Inverid carried out before the withdrawal of your consent remains lawful. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case when you withdraw your consent. When you apply for a job, we have legitimate interest in the processing of your data.
Grounds for processing of data of ReadID Me users: Inverid does not process any personal data in the context of ReadID Me, so there is no lawful basis required. Only non-personal data is processed in order to improve our ReadID identity verification product.
Grounds for processing of data of ReadID Client-Only user: Inverid is not involved in any processing of personal data as a processor or controller. The customer in this case is the controller of the personal data and has its own ground for the processing of it.
Besides these grounds, there may also be legal obligations with respect to the processing of personal data in general. Inverid processes personal data in compliance to legal obligations such as tax obligations, court orders or police investigations.
When personal data processing is carried out for a new purpose different from that for which it was originally collected or is not based on the consent given by the data subject, i.e., you, we shall carefully assess the permissibility of such new processing.
8. How long does Inverid keep your personal data?
We do not keep your data longer than is necessary to serve the purposes for which we collected the data or the purposes for which data is reused and to comply with laws and regulations.
Retention periods for ReadID SaaS user data: A hard-coded maximum retention period of 50 days is enforced for all ReadID SaaS sessions that contain personal data. The customer, however, is advised to set a smaller retention period, e.g., no more than a few days, and/or to immediately request us to delete the data after having received the sessions results. When a ReadID session is deleted, it is removed permanently from the database, but not from backups of the database. The retention time of the backup is maximum 14 days and can be made shorter at customer request. These backups are required to be able to recover from a serious incident.
In case we make use of sub-processors for performing face biometrics for identity document holder verification purposes or for doing optical processing of document images, we require them to keep any collected personal only as long as they need to achieve the purpose for which the data was collected. This is also set forth in the data processing annex of the contractual agreement with the customer.
In case there are reasonable grounds to believe that certain identity claims are fraudulent, the retention period may be extended for a certain period or until there are no reasonable grounds anymore.
Non-personal data that is collected during the ReadID Ready and SDK with SaaS sessions will be retained as long as needed to improve our services.
Retention periods for customer representative data: Personal data processed in the context of the establishment of the agreement with the customer will be archived for seven (7) years after the ending of the contract. Personal data of representatives that require access to our ReadID management portal or related services will be removed immediately by Inverid after removal of the account.
Retention periods for visitor data: This data is typically obtained with your consent. We will stop processing the data when you withdraw your consent (for instance by unsubscribing from our newsletter or Hall of Fame). Names listed in the Hall of Fame will be deleted after three (3) years. For job applicants that have submitted a CV and/or motivation letter and are not hired, their personal data will be removed after one (1) month.
Retention periods for ReadID Me user data: Since this is non-personal data we keep it as long as we need it for improving our services.
Retention periods for ReadID Client-Only user data: Since we do not process any personal data in this context, retention is not applicable. Please consult the privacy policy of the customer offering the client-only version of ReadID.
In general, if we no longer need the data for the purposes described above, the personal data will be permanently erased or anonymised. Where we have a legitimate legal reason, we may store personal information for longer than described above, for example, where we are under a binding legal order not to destroy information.
9. Does Inverid transfer your personal data to other parties and to countries outside the EU?
Unless stated otherwise in this Privacy Policy or noted otherwise to you separately, we may disclose your personal data to data controllers for whom we are data processors (e.g., our customers) and to our authorised service providers (sub-processors), as well as to persons who are legally entitled to receive your personal data. Inverid also uses external IT-suppliers and cookie service providers. We have diligently assessed that these external parties will comply with the data protection requirements.
Transfer of ReadID SaaS user data: Inverid uses external service providers (sub-processors) to optically verify identity documents and to perform liveness detection and face comparison. We only share the necessary personal data which is necessary for these providers to perform their tasks.
The current authorized sub-processors engaged for the ReadID service are listed below. Each of these sub-processors have their own privacy policy, the link to that policy is also listed below.
- Public cloud provider:
- Amazon Web Services (AWS), Inc. We use various AWS regions depending on the location of our Customers. Current locations are Ireland, Frankfurt, London, and Sydney. The generic AWS privacy policy can be found here: https://aws.amazon.com/privacy/. Amazon Web Services EMEA SARL is the authorized representative of AWS, Inc. in the European Economic Area (EEA). Relevant to consult in this context are the AWS data processing annexes: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf and https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf
- Open Telekom Cloud, T-Systems International GmbH, for data processing addendum see https://open-telekom-cloud.com/_Resources/Persistent/d/8/0/d/d80d17f63186334ba36afcc6924a0e2b4575f3ef/open-telekom-cloud-supplementary-conditions-commissioned-processing-personal-data.pdf.
- Microsoft Azure, as a cold standby for continuity purposes. We have an agreement with Microsoft Ireland Operations Limited for the hosting of ReadID servers in Ireland as prime location. For a customer that is based in the EEA, processing of personal data shall always take place in EEA as well. The Azure privacy policy can be found here: https://azure.microsoft.com/en-us/explore/trusted-cloud/privacy#:~:text=We%20do%20not%20share%20your,the%20services%20you%20have%20chosen. The most recent data processing annex is here: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- Biometric verification provider:
- iProov Ltd, iproov.com, for privacy policy see https://www.iproov.com/biometric-data-retention-schedule.
- Optical verification provider:
- Veriff ÖU, http://www.veriff.com , for privacy policy see https://www.veriff.com/privacy-notice.
- Onfido Ltd, onfido.com, for privacy policy see https://onfido.com/privacy/.
Please note that these sub-processors may also make use of sub-processors themselves.
Inverid only shares your personal data with external parties when this is allowed as per applicable privacy and data protection law. Inverid may provide personal data to external parties because:
- it is necessary to execute the contract with you;
- you consented to this;
- Inverid has a legitimate interest;
- Inverid is legally obliged to do so.
All our data is hosted and processed in the European Economic Area (EEA), except for personal data we process for ReadID customers that are located outside the EEA or that require us to perform optical or biometric verification by sub-processors. In the latter case the processing is done in the United Kingdom. Personal data can legally be transferred to the United Kingdom based on a decision of the European Commission on the adequacy of data protection. Please also refer to the privacy policy of the customer for further motivation of your personal data processing in this context.
Transfer of customer representatives’ data: Customer representative’s personal data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities and organizations intermediating or providing (electronic) mail, compliance, or payment services and the like. Personal data required for accessing ReadID session data may be shared with the public cloud providers mentioned above.
Transfer of visitor data: Visitor data may be transferred to external IT-suppliers and cookie service providers. We have diligently assessed that these external parties will comply with the data protection requirements.
Transfer of ReadID Me user data: Personal data is not processed by Inverid in this context. Metadata only is transferred to the above-mentioned public cloud providers for further processing.
Transfer of ReadID Client-Only data: A transfer policy is not required since we do not process any personal data in this context. Please consult the privacy policy of the customer offering the client-only version of ReadID.
10. Is my data secure?
Inverid has taken the necessary organisational, technical, and contractual security measures to protect your personal data against accidental loss, unauthorised access, modification, or disclosure. Examples of organisational controls are: security policies regarding the processing of data, our security certifications and code of conduct. Technical controls involve encryption of personal data at rest and in transit and access controls including strong authentication. Contractually, these controls are laid down. Part of our contract with the customer is a Data Processing Annex which purpose is to protect ReadID users and customer representatives by setting out clear expectations regarding the handling of their personal data.
We have set up procedures to deal with any suspected personal data breaches, and we will notify our customer, any relevant data protection authority and even you directly of a breach where we are legally required to do so.
Within Inverid, people only have access to your personal data if this is necessary for their job function. All these persons also have a duty of confidentiality and are periodically screened.
We have a certified Management System for Information Security (ISO27001:2022) and Privacy Information (ISO27701:2019). As part of our certification, our security measures to protect your personal data are annually evaluated by an independent external auditor. All our sub-processors are at least ISO27001 certified as well.
11. What are your rights?
You have the right to:
- request information on personal data we process and what we do with the personal data;
- request access to your personal data;
- request correction of your personal data;
- request erasure of your personal data;
- request to transfer your personal data (if technically and/or legally possible);
- object to specific processing of the personal data;
- revoke your consent.
To exercise these rights please send an email to dpo@inverid.com.
Please note that if your request concerns data we have processed as a processor (i.e., in the course of our service provision) you must submit your request to the customer who is the data controller of the processing of your personal data. We will inform you about this.
When you make use of your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant personal data (or to exercise any of your other legal rights). This is a security measure we take to help avoid your personal data being disclosed to a person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to help speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
12. When do you contact our Data Protection Officer (DPO)?
Inverid has appointed a DPO. The DPO monitors the application and compliance with data protection laws such as the General Data Protection Regulation (GDPR). If you are not satisfied with the way a question or complaint has been handled, you can contact the DPO via dpo@inverid.com. In addition, you can ask a question or file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Be aware that in most cases Inverid acts as a processor of personal data for its customers, i.e., the controllers. We may redirect you to the controller that is responsible for the processing of your personal data.
13. Can we change this Privacy Policy?
Yes, our Privacy Policy may change from time to time. You will always find the most up-to-date version of our Privacy Policy at: inverid.com/privacy and underlying web pages.
The current policy has been updated on 18-10-2024 and integrates the previous three separate privacy policies we had for our Inverid website and the various ReadID products in a single policy.
Want to learn more about privacy-friendly identity verification?
Contact a specialistConverting, scalable, easy-to-use, and secure NFC-First identity verification.
Subscribe for our Inverid NewsletterISO/IEC 27001 certified
ISO/IEC 27701 certified
eIDAS module certifications
SOC2 type 2
Cyber Essentials Plus