Last Updated: 20 April 2018

Onfido Privacy Policy

At Onfido, when we bring a legal identity online by verifying an identity or carrying out checks related to an identity (our “Identity Verification Services”), we are entrusted with the protection and security of that identity. In this Privacy Policy, we would like to help you understand how we use information to provide our Identity Verification Services and build trust in our system.

For details about the information we collect on our websites, including how we use cookies and similar tracking technologies, please visit our Website Data Usage and Cookie Policy.

Please review this Privacy Policy periodically as we may modify it from time to time. If we make any material changes, we’ll notify you, which may include posting a notice on our website and/or sending you an email.

The Information We Collect and the Onfido Identity Lifecycle

When we provide our Identity Verification Services, we collect the information we need. Typically, this includes the name and contact information of the user and any additional information related to the specific check. For example, if we are verifying an identity document, we will collect a copy of that identity document and the information contained within. Similarly, if we are checking a user’s criminal history, we will collect criminal history information from the appropriate authorities, where authorized. This information collection is further detailed in the Onfido Identity Lifecycle.

1. The Client

Clients are organisations that have requested that we verify an identity or carry out a check related to that identity. Clients frequently provide us with the name and contact information of the users they want checked, but at other times, the client provides us with all the information we need to provide our Identity Verification Services. Once we have verified an identity or run a particular check, we report the results to the client (commonly through the Onfido Dashboard), including where a user has not provided all requested information to Onfido to complete the check. The client then determines what decision to make based upon that information and whether additional information is required before making that decision.

2. The User

Users are individuals whose identities we verify or otherwise check. Users frequently provide us with the information we need to provide our Identity Verification Services that was not provided by the client, but when this occurs, this information may also be made available to the client. For example, this information might include an identity document (e.g., a passport or driver's license) and a photograph or video of the user, along with the facial identifiers in those documents, to verify that the user is the same person in the identity document. When we collect these documents, we also collect device identifiers to help us understand whether the device itself was previously used in relation to suspected fraudulent activity. We also collect identity information that has been leaked or otherwise made available on the public internet in an effort to further combat fraud.

3. Data Providers

Data providers are used to provide additional information to carry out specific checks. For example, if we need to verify a user’s right to drive, then we might ask for additional information from the appropriate governmental driving body.

We also keep logs of how our clients, users, and data providers interact with our Identity Verification Services. For example, this might include timestamps of when information is submitted to Onfido and information about the device that was used to submit that information to Onfido.

Using Information for our Identity Verification Services

At Onfido, it is our mission to bring the world’s legal identities safely online, and to do this, we use information to provide, maintain, and develop our Identity Verification Services as shown below:

Passing an Onfido Check

If we are able to verify a user and that user is able to pass all related checks, we notify the client that the user has passed the Onfido checks and the client can continue with their onboarding process.

Not Passing an Onfido Check

If we are not able to verify a user or that user is not able to pass all related Onfido checks, we recommend to the client that they conduct additional checks before onboarding the user. We often help with those additional checks as well.

Developing our Identity Verification Services

To further develop our Identity Verification Services, we train computers to recognize specific patterns in information and to make predictions on those patterns in relation to new sets of information. This is known as machine learning; for example, we train our machine learning models to locate and extract information in documents, detect fraudulent documents, and to engage in facial verification. Similarly, when we identify a fraudulent document, we seek to add that document to our database of fraudulent documents so we can identify it again in the future to help reduce fraud. Read more

Passing an Onfido Check

If we are able to verify a user and that user is able to pass all related checks, we notify the client that the user has passed the Onfido checks and the client can continue with their onboarding process.

Not Passing an Onfido Check

If we are not able to verify a user or that user is not able to pass all related Onfido checks, we recommend to the client that they conduct additional checks before onboarding the user. We often help with those additional checks as well.

Developing our Identity Verification Services

To further develop our Identity Verification Services, we train computers to recognize specific patterns in information and to make predictions on those patterns in relation to new sets of information. This is known as machine learning; for example, we train our machine learning models to locate and extract information in documents, detect fraudulent documents, and to engage in facial verification. Similarly, when we identify a fraudulent document, we seek to add that document to our database of fraudulent documents so we can identify it again in the future to help reduce fraud.

We use information for the above purposes on the basis that the user has requested Identity Verification Services, the client has a legitimate or lawful reason for requesting Identity Verification Services, it is in the legitimate interest of the client and Onfido for Onfido to use the information to develop Identity Verification Services, the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest, the processing is for scientific research purposes, or the user has provided their consent.

Sharing Information Outside Onfido

In addition to sharing information with clients, users, and data providers as part of the Onfido Information Lifecycle described above, we also share information with external parties that are performing tasks on our behalf (including our affiliates) and with other companies, organisations, and individuals outside Onfido where we have a legitimate legal reason for so doing (for example, in connection with any merger or acquisition).

As part of our commitment to bringing legal identities safely online, we partner with universities and researchers who are active in the field of machine learning. Where appropriate and only where permitted under applicable law, we share user information with universities and researchers.

Whenever legally possible, we seek to protect the information we share by imposing privacy and security contractual safeguards on the recipient of the information, particularly where the recipient is located in a country that may have different or lesser privacy laws than those found in the country where the information was originally collected. However, sometimes it is not possible for us to impose privacy and security contractual safeguards, for example, when we have a legal obligation to disclose information to a government authority and that government authority is not willing to enter into such contractual safeguards.

Data Storage

We perform our Identity Verification Services on behalf of our clients for a variety of different purposes, as identified by our clients, and we rely on our clients to tell us when they no longer require us to store the information we’ve collected on their behalf. Once instructed, either through our agreement with the client or through an ad hoc request, we delete the information we have collected about users when performing the requested Identity Verification Services.

We may also store information for longer than described above where we have a legitimate legal reason for so doing, for example, where we are under a binding legal order not to destroy information.

Information Security

Onfido takes appropriate administrative, physical, technical and organizational measures designed to help protect information about users from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. For more information about information security at Onfido, please visit the Guide to Security at Onfido. If you think you have identified a security vulnerability or bug in our Identity Verification Services, please report it to the Onfido security team at security@onfido.com and as described in the Onfido Responsible Security Bug Disclosure Policy.

Your Rights

If you would like to access a copy of your information, have your information deleted, or otherwise exercise control over how your information is used, please contact Onfido at privacyrequests@Onfido.com or the postal address provided below. Please be aware, some requests may require us to notify the relevant client (as described above in the Onfido Identity Lifecycle) so the client may fulfill the request (and not Onfido).

Contact Onfido or a Privacy Supervisory Authority

If you would like more information about how Onfido collects and uses information or if you would like to contact the Onfido data protection officer, please contact Onfido at privacyrequests@Onfido.com. Alternatively, you may contact us through the post at:

Attention: Privacy Office
Onfido Limited
40 Long Acre
London WC2E 9LG
United Kingdom

If you would like to raise a concern with a Privacy Supervisory Authority, a list of contact points is available here.