ACUANT
MOBILE DEMO APPLICATION PRIVACY NOTICE

Effective Date: November 11, 2022

READ CAREFULLY THIS PRIVACY NOTICE. BY INSTALLING OR USING ACUANT INC.’S ACUANT MOBILE DEMO APPLICATION, YOU ACCEPT THIS PRIVACY NOTICE. IF YOU DO NOT ACCEPT THE TERMS OF THIS PRIVACY NOTICE, DO NOT INSTALL OR ACCESS THE ACUANT MOBILE DEMO APPLICATION.

We are Acuant Inc., delivering omnichannel business-to-business ("B2B") solutions for fast and secure identity verification. This Privacy Notice explains how Acuant, Inc. ("Acuant", "we", "us" or "our") collects, uses, discloses, and otherwise processes personal information (as defined below) in connection with our Acuant Mobile Demo Application (the "Demo App").

General information and contact details

This privacy notice sets out the personal information we collect and process about you through your use of the Demo App, and the purposes of the processing and how you can exercise your privacy rights in regard to the Demo App.

You will be reading this notice because of a link provided by Acuant or one of our customers to enable us to provide you with processing information about the Demo App.

Where we collect personal data from you directly, for example, through our website or because you have applied for a job with us, please see our Website Privacy Notice.

Our customers (i.e., your employer) and third-party service providers/processors will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy notice) about how they collect and process your data.

We have offices in 19 locations, and our registered head office is located within the United States of America at:

Acuant, Inc.
2018 Powers Ferry Road SE
Suite 720
Atlanta, GA 30338

If you have any questions about how we use your personal data, please contact our Data Protection Officer using this form, by email at [email protected] or call + 44 (0) 161 909 6713.

Our EEA representative is located in Spain at the following address

ACUANT, a GB Group Plc affiliate company
Edifici El Triangle 4a planta
Placa de Catalunya
1 08002 Barcelona
Spain

T: +34 (0) 935 451 156

We review this privacy notice on an annual basis, sooner if changes to regulation require it or we change the way we process personal data.

What do we do?

Acuant is a business-to-business global organization who create technology. Typically, our business customers use our technology so they can verify the information that their end users provide to them. We have several ways to verify identity, from document authentication, including matching third party reference data (which we receive from data suppliers) against the data individuals provide about themselves to our customers, or directly to us (the method of collection depends on the product our customer has taken). This Demo App is intended to allow you to sample our products that are used for identity verification and document authentication.

If this still sounds complex, here is a real world example from some of the products you may be sampling under the Demo App:

1. You (an individual/consumer) are going to open a bank account
2. In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. This is for a number of reasons, such as for the bank to comply with anti-money laundering regulations or combatting fraud purposes.
3. The bank collects personal data from you and passes this to Acuant’s technology to process (via our product).
4. As part of this processing, and if the bank licensed our Assure ID product for example, we may run forensic testing and analysis on the ID document to authenticate that it is an original government issued identification document.
5. If the bank also licensed our Acuant Face product, then they would collect from you and provide us with your selfie photo and identity documents to have us verify that you (the person carrying out the journey) are the same as the one in the identity documents you provided to them.
6. Depending on the product, we may use third party service providers/processors to provide processing on our behalf as our service-provider/processor, for us to fulfill our obligations to our customer.
7. We pass the results back to the bank (our customer).
8. Our customer then decides how they will respond to you, e.g. open your bank account, decline your request etc.
9. Acuant does not have visibility on, nor can we influence how our customer responds to you.

More examples are included in the table below describing why we collect your personal data.

What personal data do we collect and why?

The personal data that we may collect about you under this Demo App broadly falls into the following categories:

• Basic information: Name/Address/Account Name
• Attribute: Telephone/Email/Date of Birth
• Device: IP Address, Geocode, Device ID (e.g., mobile, PC, etc.)
• Image: Photo on a passport or driving licence, self-taken photos

The purpose for collecting your personal data under the Demo App is to allow you to test our identification verification and document authentication products in the hopes of helping you sample them to help you and/or your business or employer consider them for purchase.

Acuant Acufill

Automates the extraction of data and images from government issued ID's, health insurance cards, and other identity documents to populate data fields in our customer's applications.

Acuant AssureID

Provides multi-factor authentication for IDs by applying forensic tests utilizing Acuant's document library in order to verify that the ID is not fraudulent or tampered with.

Acuant Face

Authenticates an ID document by performing a biometric match between the individual in a self-provided selfie photo to the individual in the corresponding ID photo.

Acuant Liveness

An add-on product to Acuant Face which is utilized to try to ensure that the selfie-photo that was submitted to authenticate the ID was a photo of a live person and not a photo of a photo, video, etc.

Acuant Ozone

Authenticates the chip data of an e-Passport to evaluate the cryptographic binding of the document to the identity and determine if the encoding conforms to ICAO standards and issuer specifications.

Our legal basis for processing personal data

We will collect personal data where the processing is in our or our customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. These include legitimate business interests which provide a societal benefit, such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services are able to do so.

We will also rely on your explicit Consent as our lawful basis, where the processing includes special category data in the form of your biometric data. If you are not happy to provide your explicit consent in the tick box you will be presented with as part of this journey, then please consult with the organization that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something Acuant can influence.

The list below identifies the legitimate interest and consent that we rely on pursuant to the GDPR for this activity

Identity

As this is a global policy, lawful basis will be applicable to the personal data and jurisdiction related to its processing.

• Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough or verifying your identity.
• Consent: The journey includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR, and Acuant will rely on explicit consent under Article 9(2)(a) to process such data.

Pursuant to our obligations under Article 30 GDPR, we maintain an up-to-date record of processing activities under our responsibility, which details for this processing activity the legitimate interest relied on as a lawful basis for processing the personal data.

You are entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data. If you have questions about this or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided below.

Who will we receive your personal data from and who will we share your personal data with and why?

As explained above under "What do we do", we receive personal data from the data subject using the Demo App and our third-party service providers/processors. We may also send personal data back to the individual using the Demo App (presumably yourself) and to our third-party service providers/processors, where there is a lawful reason, to allow the end user of the Demo App to sample our identification verification and document authentication products.

• Financial Services: Banks and financial services.
• Healthcare: Healthcare providers (for patient registration & billing)
• eCommerce: Retail (online shopping), online commerce platforms
• Gaming: Online gaming, loyalty programs
• Entertainment: Travel and leisure, media
• Public Sector: Law enforcement, local government, education bodies
• Utilities: Gas, electricity, water suppliers
• Miscellaneous: Cryptocurrency, automotive dealers

However, please note that we will not share the information that you provide to us on this Demo App with any third parties besides the Acuant Data & Technology Processors listed below.

Acuant Data & Technology Processors

We work with a number of trusted data and technology providers (i.e., service providers/processors). These include:

• Amazon Web Services, Inc.: Cloud Services Provider USA Region
• Microsoft Corporation (Azure): Facial Matching Service USA
• Amazon Web Services EMEA SARL: Cloud Services Provider UK/EEA Region
• Microsoft Corporation (Azure): Facial Matching Service UK/EEA

We may also disclose your personal data to the following categories of recipients:

• to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice;
• to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.

How long do we retain your data for in our Product?

We retain the personal data we collect from you in the Demo App for the length of time necessary to allow you to test out our products on our Demo App. This usually does not last longer than the amount of time it takes us to process your ID, which take approximately 10-60 seconds. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

The only exception to the above is the image(s) of the ID you provide us with, including the personal information contained therein (“Images”). We may retain the Images only for internal use by our document library team to utilize for template creation purposes (“Purpose of Processing”). What this means, is that the document’s background, font, symbols, etc. will be used for us to create templates of what a valid identification document in your jurisdiction consists of, to help us train our technology to try to recognize fraudulent identification documents. We will not utilize the actual personal information, such as your name, driver’s license number, home address, etc. that is contained in the Images, but we will store it since we are storing the Images on which such information is printed. We will keep these Images for fifteen years unless you submit a request to us via our webform to have us delete it from our systems. We may also share the Images with our affiliated entities for the same Purpose of Processing.

Once the respective purpose of processing ceases to apply, we will either delete or anonymize the personal data or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

Data Type: Transaction Image
Data Refresh: One-time
Acuant Data Retention Period: 10-60 seconds
Further Information: Data is only stored for the time of processing

Data Type: DL Sample Image
Data Refresh: Annually
Acuant Data Retention Period: 15 years
Further Information: Acuant retains the DL image for 15 years in our image library.

If you have questions about or need further information concerning how long we keep your personal data for, please contact us using our webform.

Cross Border Transfers

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.

Our group companies, your employer (our customer), and third-party service providers/processors, may operate around the world. This means that when we collect your personal data, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this privacy notice.

These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the EEA and UK in accordance with UK and European Union data protection law.

Our Standard Contractual Clauses can be provided on request. We have implemented similar appropriate safeguards with our data suppliers, customers and third-party service providers and partners and further details can be provided upon request.

Your rights under the GDPR and DPA 2018

As an individual, you have rights under the GDPR regarding the use of your personal data, these are:

• The right to withdraw consent – you can withdraw consent at any time.
• The right to erasure – you can request that Acuant remove your personal data from our systems.
• The right to restrict processing – you can request that Acuant only process your personal data for the purposes you specify.
• The right to data portability – you can request that the personal data you have provided to Acuant be ported to another organization.
• The right to access your personal data – You have a right to know what personal data Acuant hold on you and for what purpose we are processing your personal data. This is known as a Subject Access Request (SAR).
• The right to rectification – you have the right to ask us to rectify any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• The right to object to processing – you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.
• The right to obtain information upon request on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied.

You can make a request to us directly by completing our webform.

Alternatively, you can send these requests by post to:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom

Or you can make a request in person or call +44 (0)161 909 6713. You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If Acuant are unable to comply with your request, we will provide you with an explanation.

Your California Privacy Rights

As a California resident, you may be able to exercise the following rights in relation to the personal information that we have collected about you (subject to certain limitations at law):

The Right to Know:
You have the right to request any or all of the following information relating to your personal information we have collected and disclosed in the last 12 months, upon verification of your identity:

• The specific pieces of personal information we have collected about you;
• The categories of personal information we have collected about you;
• The categories of sources of the personal information;
• The categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
• The categories of personal information we have sold about you (if any), and the categories of third parties to whom the information was sold; and
• The business or commercial purposes for collecting or, if applicable, selling the personal information.

The Right to Request Deletion:
You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions.

The Right to Opt Out of Personal Information Sales:
You have the right to direct us not to sell personal information we have collected about you to third parties now or in the future. Please note that Acuant does not sell any personal information that it collects under this Demo App.

The Right to Non-Discrimination:
You have the right not to receive discriminatory treatment for exercising these rights.

"Shine the Light":
California residents that have an established business relationship with us have rights to know how their information is disclosed to third parties for their direct marketing purposes under California’s "Shine the Light" law (Civ. Code §1798.83).

How To Exercise Your California Consumer Rights:
To exercise your Right to Know or your Right to Deletion, please submit a request by:

• Filling out our California Consumer Rights Request Form; or
• Calling us at: 1 (833) 627-1023

Before processing your request, we will need to verify your identity and confirm you are a resident of the State of California. In order to verify your identity, we will generally either require the successful authentication of your account, or the matching of sufficient information you provide us to the information we maintain about you in our systems. This process may require us to request additional personal information from you, including, but not limited to, your email address, phone number, and/or date of last interaction with customer service.

To Exercise Your Right to Opt Out of Personal Information Sales:
We do not sell the personal information we collect on the Demo App.

Authorized Agents:
In accordance with the CCPA, you may designate an authorized agent to make a request on your behalf by selecting that option on the webform. If you use an authorized agent, please include written permission that you have designated that agent to make the request, or proof of the agent‘s power of attorney. We may follow up with you to verify your identity before processing your authorized agent’s request or ask you for any additional information that we consider necessary to verify you and/or your authorized agent’s identity.

Minors Under 16
Acuant does not knowingly collect, process, or sell the personal information of consumers less than 16 years of age. Please contact us at [email protected] to inform us if you have reason to believe that Acuant has collected information on an individual under the age of 16.

How to contact us if you're not happy

We appreciate that at Acuant we may not always get things right and it is regrettable for us as an organization when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by Acuant then please use our webform. Alternatively, please write to us at:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom

Acuant will investigate and aim to respond within 10 working days, this allows us time to investigate your complaint thoroughly.

Your right to lodge a complaint with the Supervisory Authority

Where you believe that Acuant has not taken our responsibilities with your personal data seriously, you have the right to complain to a Supervisory Authority. In the UK, Acuant’s regulator is:

The Information Commissioner's office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone number: 0303 123 113 or 545 745

Email: [email protected]

Please refer to our Product Privacy Notice for additional information on our products and services.