Last Updated: 16 October 2018

Onfido Privacy Policy

At Onfido, it’s our mission to bring the world’s legal identities safely online. We enable people to access services quickly, easily – and most important of all – securely. The information we collect and use helps us with that mission – and that’s it. No surprises.

At Onfido, when we verify an identity or carry out checks related to an identity (our “Identity Verification Services”), we are entrusted with the protection and security of that identity. In this Privacy Policy, we want to help you understand how we use the information we collect to provide our Identity Verification Services and build trust in our system.

For details about the information we collect on our websites, including how we use cookies, please visit our Website Data Usage and Cookie Policy.

We’ll update this Privacy Policy from time to time, so make sure you check back periodically. If we make any substantial changes, we may notify you via email or by posting a notice on our website.

The Information We Collect and the Onfido Identity Lifecycle

In order to provide our Identity Verification Services, there’s certain information we need from users before we begin. Typically, this includes the name and contact information of the user as well as any other information needed to complete all requested checks. If we are verifying an identity document, for example, we will also collect an image of that identity document and the information contained within it. Similarly, if we are checking a user’s criminal history, we will collect criminal history information from the appropriate authorities, where authorized. The Onfido Identity Lifecycle explains how we collect that information.

Onfido, Client, User, Data Providers
1. The Client

Clients are organisations that have asked Onfido to verify an identity, or carry out checks related to that identity. Often, clients provide us with the name, contact information, and other necessary information relating to the users they want checked. Once we have verified an identity or run a check, we report the results to the client, usually through the Onfido Dashboard. This includes instances where a user has not provided all the requested information to Onfido, and we have been unable to complete the requested checks. The client then decides how to proceed with the user based upon that information. In some cases, additional information will be required before the client makes that decision. Also, some clients instruct us to only carry out a check if an earlier check was passed or not passed. This is done to ensure that we only carry out the minimum needed checks.

2. The User

Users are individuals whose identities we verify or otherwise check. Users frequently provide us with the information we need to provide our Identity Verification Services. This can include additional information to that provided by the client, but in these cases, that additional information may also be made available to the client. In particular, this information might include an identity document (e.g., a passport or driver's license), a photograph or video of the user, and the biometric facial identifiers in those documents. We use this information to verify that the user is the same person in the identity document. When we collect these documents, we also collect device identifiers to help us understand whether the device itself was previously used in relation to suspected fraudulent activity. We also collect user identity information that has been leaked or otherwise made available on the public internet, which further helps us combat fraud.

3. Data Providers

Data providers are used to provide additional information to carry out specific checks. For example, if we need to verify a user’s right to drive, we might ask for additional information from the appropriate governmental driving body.

We also keep logs of how our clients, users, and data providers interact with our Identity Verification Services. This might include timestamps of when information is submitted to Onfido, and information about the device that was used to submit that information to Onfido.

At times, we also receive information that we do not need to provide our Identity Verification Services - for example, if a user uploads an unrelated image instead of an image of an identity document. When this occurs, we seek to delete this data.

Using Information for our Identity Verification Services

At Onfido, it’s our mission to bring the world’s legal identities safely online. To do this, we use the information we collect to provide, maintain, and develop our Identity Verification Services:

Passing an Onfido Check

If we are able to verify a user, and that user is able to pass all requested checks, we notify the client that the user has passed. The client then continues with their onboarding process.

Not Passing an Onfido Check

If we are not able to verify a user or that user is not able to pass all requested checks, we recommend to the client that they conduct additional checks before continuing with onboarding the user. We often help with those additional checks as well.

Developing our Identity Verification Services

To further develop our Identity Verification Services, we train computers to a) recognize specific patterns in information and b) make predictions about new sets of information based on those patterns. This is known as machine learning, and we’ve gathered a substantial and unique set of documents from around the world, from which we can train our machine learning models to locate and extract the information in documents, detect fraudulent documents, and engage in facial verification. Similarly, we also train human agents to verify documents so they may assist in the provision of the Identity Verification Services where our machine learning models are not best suited for the task. In addition, when we identify a fraudulent document, we add it to our database of fraudulent documents so we can learn from it and identify it again if anyone tries to use it in future. Together, these developments help make Onfido’s Identity Verification Services stronger and safer for all clients and users.

We use information for these purposes on the basis that the user has requested Identity Verification Services, the client has a legitimate or lawful reason for requesting Identity Verification Services, it is in the legitimate interest of the client and Onfido for Onfido to use the information to develop Identity Verification Services, the processing is necessary to carry out a task in the public interest, or for reasons of substantial public interest, the processing is for scientific research purposes, or the user has provided their consent.

Sharing Information Outside Onfido

In addition to sharing information with clients, users, and data providers (as described above), Onfido also shares information with external parties that are performing tasks on our behalf (including our affiliates), and with other companies, organisations, government bodies, and individuals outside Onfido where we have a legitimate legal reason for so doing (for example, in connection with any merger or acquisition) or where we have been instructed to share the information on our client's behalf.

As part of our commitment to bringing legal identities safely online, we partner with universities and researchers who are active in the field of machine learning. Where appropriate, and only where permitted under applicable law, we share user information with those universities and researchers for scientific research purposes.

Whenever legally possible, we seek to protect the information we share by imposing contractual privacy and security safeguards on the recipient of the information. This is particularly important in cases where the recipient is located in a country that has different or lesser privacy laws than those of the country where the information was originally collected. In some cases, however, it is not possible for us to impose contractual privacy and security safeguards. One example would be when we have a legal obligation to disclose information to a government authority, and that government authority is not willing to enter into such contractual safeguards.

Data Storage

We perform our Identity Verification Services on behalf of our clients for a variety of different reasons. Those reasons are identified by our clients, and we rely on them to tell us when they no longer need us to store the information we’ve collected on their behalf. Once instructed, either through our agreement with the client or through an ad hoc request, we delete the information we have collected about users when performing the requested Identity Verification Services.

Where we have a legitimate legal reason, we may also store information for longer than described above – for example, where we are under a binding legal order not to destroy information.

Information Security

Onfido takes appropriate administrative, physical, technical and organizational measures designed to help protect information about users from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. For more information about information security at Onfido, please visit the Guide to Security at Onfido. If you think you have identified a security vulnerability or bug in our Identity Verification Services, please report it to the Onfido security team at security@onfido.com and as described in the Onfido Responsible Security Bug Disclosure Policy.

Your Rights

If you would like to access a copy of your information, have your information deleted, or otherwise exercise control over how your information is used, please contact Onfido at privacyrequests@Onfido.com, or the postal address below. Please be aware, some requests may require us to notify the relevant client (as described above in the Onfido Identity Lifecycle) so the client may fulfill the request instead (and not Onfido).

Contact Onfido or a Privacy Supervisory Authority

If you would like more information about how Onfido collects and uses information, or if you would like to contact the Onfido data protection officer, please contact Onfido at privacyrequests@Onfido.com, or at:

Attention: Privacy Office
Onfido Limited
3 Finsbury Avenue
London EC2M 2PA
United Kingdom

If you would like to raise a concern with a Privacy Supervisory Authority, a list of contact points is available here.