PRODUCT PRIVACY NOTICE
Effective Date: June 13, 2022
General information and contact details
This Product Privacy Notice ("Notice") sets out the personal information that Acuant Inc. ("Acuant", "we", or "us") collects and processes about you through our products and services, the purposes of the processing and how you can exercise your privacy rights.
You may be reading this notice because of a link provided by one of our third-party data suppliers, one of our customers, or you simply want more information on processing in relation to our products and services. Where we collect personal information from you directly, for example, through our website or because you have applied for a job with us, or for additional information on our company, please see our general Privacy Notice.
Our customers and data suppliers should have a lawful reason for processing your data and may have a separate relationship with you. Where applicable and in accordance with any relevant corresponding laws or regulations, they will be required to provide you with information (for example through their own privacy notice) about how they collect and process your data.
What do we do?
Acuant is a business-to-business (B2B) technology organization that provides compliance and identification verification products and services to business customers on a global scale to help them detect fraud. Typically, our business customers use our technology so they can verify the information that you have provided to them. We do this by matching the data that you have provided to them with third party reference data (which we receive from data suppliers or our other business customers). This still sounds complex, so an example is often the easiest way to explain:
- You are going to open a bank account.
- In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. They may be obligated to do this for a number of reasons, such as compliance with anti-money laundering (AML) regulations to fight fraud.
- The bank collects personal data from you and passes this to Acuant’s technology to process (via our products and services).
- As part of this processing, we may match the personal data you provided against third party data from our data suppliers or data that we have pooled together in our patented eDNA technology (described below) which is collected from other business customers.
- We may also collect identity documents, which may include a selfie photo, to verify that the person carrying out the journey is the same as the person shown in the identity documents. We will only collect the selfie if our customer is utilizing our Acuant Face technology (described below).
- Matching your personal data may be done in two (2) ways, depending on the product that our customer is utilizing: a) Acuant hosts a copy of this personal data that we receive from data suppliers or that Acuant has pooled together in its eDNA data consortium; and/or b) Acuant accesses personal data via a web service, which means our data suppliers hold the database and we securely send them your personal data to match against the records they hold (collectively, the "Third Party Supplied Data"). They then return the result to Acuant.
- We pass a result back to the bank (our customer) based on the match between your input data against the Third Party Supplied Data. Please note that we do not pass back any actual personal data on you, but instead only either a risk score, or a pass/fail score.
- Our customer then decides how they will respond to you, e.g. open your bank account, decline your request etc.
- Acuant does not have visibility on, nor can we influence how our customer responds to you, nor do we set their risk appetite.
More examples are included in the table below describing why we collect your personal data.
What personal data do we collect and why?
The personal information that we may collect about you broadly falls into the following categories:
- Basic information: Name, postal address, phone/mobile number, email address, date of birth
- Device information: IP address, geolocation, device address
- Transactional: Data our customers provide us with regarding your transactions with them to help detect and prevent fraud
- Social: Data you yourself opted into sharing with our customers from your social networks
- Image: Photo on a passport, driving license, or other identification document, self-taken photos.
- Documentation: Information on documentation that you provide to our customers (e.g., medical insurance number)
Why we collect your personal data depends on the services we provide.
Our products are meant to help our Customers reduce identity fraud, by authenticating identity documents that you provide to them. Our Acuant Face product is meant to ensure that the person submitting the document to our customer is who they claim to be by performing a facial recognition match.
Our standard Acuant API gives our business customers access to 30+ third-party data sources, 300+ watch lists, and award-winning identity verification, fraud prevention and compliance solutions, including one to one facial recognition and match services, part of which is performed by our third-party partners.
How does the facial recognition and match solution work?*
Our API will collect the following images from an individual: (1) an identity document that they take a photo of and (2) a selfie image that they take of themselves, which are captured through our business customer’s identity verification interface, which the individual is interacting with. We send the images to our third-party partner who then performs a facial comparison using the latest available technology, and specified algorithms, to determine whether the faces contained in the two images belong to the same person and to generate a "Face Match Score" on a scale of 0 to 100 representing the confidence level that the two images of the individual match each other. Each third-party partner is contractually limited to using the images or facial biometric data for purposes of performing the image comparison on our behalf. Once the comparison match is complete, the Face Match Score (no biometric data) is passed through the Acuant API to our business customer to help them determine their level of confidence that the individual submitting the selfie is the same person as the individual on the identity document.
Acuant and its business customers do not receive or access any facial biometric data generated from the images (only our third-party partners do), and our third-party partners are contractually required to destroy the images and any biometric data in accordance with a data retention schedule which does not exceed 24 hours unless the underlying transaction was determined to be fraudulent.
Please note that our business customer may retain the original images and the Face Match Score in accordance with their own internal policies. Upon our business customer’s request, we may retain the Face Match Score on our customer’s behalf for the amount of time requested by the customer strictly in accordance with our contractual agreement with the customer. We will not store the Face Match Score after we cease to have a relationship with the customer unless we otherwise obtain permission or are required by law.
*For Government customers, the services are performed pursuant to the government contract and may differ from these disclosures.
Our products are meant to help our customers reduce fraud, which may benefit you by helping you get the best price and keeping your identity protected. With each online order companies must make a decision whether to ship or decline the order. Our customers can opt to take in our transaction monitoring and KYC products to help them prevent and combat online fraud. Additionally, they can also take our KYB, AML and Peps & Sanctions products to help them comply with any verification requirements they may have under applicable laws. All of our compliance platform products (except for Peps & Sanctions) feed into our eDNA data consortium.
Our eDNA data consortium is a data pool that consists of the information that we receive from all of our customers who take any of our compliance platform products, which are all utilized for fraud/compliance purposes.
Please note that data in eDNA is pseudonymized and one-way hashed for technical safeguarding and that we do not grant our customers or any third parties direct access to the data held in eDNA; the data in eDNA is only accessed to help our products process their fraud/compliance needs to generate a risk or pass/fail score, without actual disclosure of the data.
Our legal basis for processing personal data
We will collect personal information where the processing is in our or our customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, in accordance with required applicable laws. These include legitimate business interests which provide a societal benefit, such as detecting and preventing fraud and helping our customers ensure only individuals who should have access to their services are able to do so.
In some of our products & services, we may also rely on your explicit consent as our lawful basis, where the processing includes special category data (such as your biometric data, for example). If you are not happy to provide your explicit consent, then please consult with the organization (i.e., our customer) that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something Acuant can influence.
The table below identifies the legitimate interest that we rely on pursuant to the GDPR for each of our activities.
Acuant's Lawful basis
As this is a global policy, lawful basis will be applicable to the personal data and jurisdiction related to its processing.
- Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough or verifying your identity.
- Consent: Our customers are responsible for collecting your consent, when necessary, in accordance with applicable laws. The journey you will undergo includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR and other privacy laws, as applicable, and Acuant relies on the explicit consent under Article 9(2)(a) of the GDPR to process such data.
If you have questions or need further information concerning the legal basis on which we collect and use your personal information, please contact us using our webform.
Who will we receive your personal data from and who will we share your personal data with and why?
As explained above, we receive personal data about you from our customers and data suppliers. We also send your personal data to our customers and data suppliers, where there is a lawful reason (as applicable), to do so in order to provide our products and services.
We offer our products and services to public and private organizations worldwide. These include:
- Financial Services: Banks and financial services.
- Healthcare: Healthcare providers (for patient registration & billing)
- eCommerce: Retail (online shopping), online commerce platforms
- Gaming: Online gaming, loyalty programs
- Entertainment: Travel and leisure, media
- Public Sector: Law enforcement, local government, education bodies
- Utilities: Gas, electricity, water suppliers
- Miscellaneous: Cryptocurrency, automotive dealers
Acuant Data Suppliers
We work with a number of trusted data suppliers. These include government and public authorities, regulated financial or consumer credit services organizations, other commercial organizations as well as publicly available information.
We may also disclose your personal data to the following categories of recipients:
- to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice;
- to any competent law enforcement body, regulatory, government agency, court or other third parties where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.
How long do we retain your data for in our Products and Services?
We retain personal information we collect from our customers and data suppliers for the length of time necessary to fulfill the specific purpose or purposes for which it has been collected (for example, to help our customers to comply with applicable legal requirements, such as anti-money laundering), as set out below. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights. However, please note that a vast majority of the time, retention limits are set by our own customers, and we are unable to access the data nor are we able to delete it or affect their retention periods.
Once the respective purpose ceases to apply, we will either delete or anonymize the personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
All of our identity verification products have a retention period of 10-60 seconds; we retain the data only for as long as we need to process it.
The data that we hold in eDNA is data that our customers provide to us, and this is kept until our customers direct us to delete it.
If you have questions about or need further information concerning how long we keep your personal data for, please contact us using our webform or feel free to contact us using the information provided in our general Privacy Notice.