Last Updated: 28 May 2019

Onfido Privacy Policy

At Onfido, we’re creating a more open world, where identity is the key to access. We enable people to access services quickly, easily—and most important of all—securely. The information we collect and use helps us with that mission—and that’s it. No surprises.

At Onfido, when we verify an identity or carry out checks related to an identity (our “Identity Verification Services”), we’re committed to protecting the privacy and security of that identity. This Privacy Policy is meant to help you understand how we use the information we collect to provide our Identity Verification Services and build trust in our system.

For details about the information we collect on our websites and online platforms, including how we use cookies, please visit our Website Data Usage and Cookie Policy.

We may need to update this Privacy Policy from time to time, so we recommend you check back periodically If we make any substantial changes, we may notify you via email or by posting a notice on our website.

The Information We Collect and the Onfido Identity Lifecycle

To provide our Identity Verification Services, we need to collect certain information from users. The exact information needed depends on the check that’s being carried out. For example, when verifying the identity of a user, we’ll ask for an image of their identity document as well as a picture or video of their face. We’ll then seek to verify whether the identity document is likely to be genuine and whether the photo or video of the user’s face appears to match the photo on the identity document. If yes to both, the user will have proven their identity. The Onfido Identity Lifecycle below shows you how we collect that information.

Onfido Identity Lifecycle

1. The Client

Clients are organizations that have asked Onfido to verify an identity or carry out checks related to that identity. Once we have verified an identity or run a check, we share the results with the client in an Onfido Report, as described further below. The client then decides how they want to proceed with the user based on the results. In some cases, the client might ask for additional information before making a decision. Also, some clients only ask us to carry out a check if an earlier check was passed or not passed. This ensures we only do the minimum number of checks needed.

2. The User

Users are individuals whose identities we verify or otherwise check on behalf of our clients. We collect users’ information from clients or directly from the users themselves. This information might include an identity document (e.g. a passport or a driver's license), photos (at times, taken in quick succession for anti-fraud purposes) or a video of the user, and the biometric facial identifiers in those documents. This enables us to verify that the user is the true owner of the identity document. In some circumstances, we may also collect device identifiers and IP addresses to help us understand whether a device has previously been used in relation to suspected fraudulent activity and whether Onfido is permitted to provide Identity Verification Services in the country in which the user is located. To further combat fraud, we also collect identity information that has been leaked or otherwise made available on the internet.

3. Data Providers

Data providers are used to provide additional information to carry out specific checks. For example, if we need to verify a user’s right to drive, we might ask for additional information from the appropriate governmental driving body.

We also keep logs of how our clients, users, and data providers interact with our Identity Verification Services. This might include timestamps of when the information was submitted to Onfido, and information about the device used to submit that information.

Sometimes, we receive information we don’t need to provide our Identity Verification Services. For example, instead of a picture of their identity document, a user might upload a completely unrelated image. When this happens, we seek to delete this data.

Using Information for our Identity Verification Services

At Onfido, our mission is to create a more open world, where identity is the key to access. To do this, we use the information we collect to provide, maintain and develop our Identity Verification Services.

Passing an Onfido Check

If we’re able to verify the identity of a user and the user is able to pass all requested checks, we notify the client who can then continue with their onboarding process.

Not Passing an Onfido Check

If we’re unable to verify the identity of a user or the user isn’t able to pass all requested checks, we recommend to the client that they conduct additional checks before continuing with the onboarding process. We sometimes help with those additional checks too.

Developing our Identity Verification Services

To further develop our Identity Verification Services, we train our computers to recognize specific patterns in information and make predictions about new sets of information based on those patterns. This is known as machine learning. We’ve gathered a substantial and unique set of documents from around the world, from which we can train our machine learning models to locate and extract the information in documents, to detect fraudulent documents, and to engage in facial verification. We also train our human analysts to perform those tasks so they can assist when our machine learning models aren’t best suited for the task or are still learning. Sometimes, we’ll also re-run and re-submit checks to ensure our Identity Verification Services are working properly, particularly when testing a new feature or service for quality assurance. Together, these developments help make Onfido’s Identity Verification Services stronger and safer for all clients and users.Read more

Passing an Onfido Check

If we’re able to verify the identity of a user and the user is able to pass all requested checks, we notify the client who can then continue with their onboarding process.

Not Passing an Onfido Check

If we’re unable to verify the identity of a user or the user isn’t able to pass all requested checks, we recommend to the client that they conduct additional checks before continuing with the onboarding process. We sometimes help with those additional checks too.

Developing our Identity Verification Services

To further develop our Identity Verification Services, we train our computers to recognize specific patterns in information and make predictions about new sets of information based on those patterns. This is known as machine learning. We’ve gathered a substantial and unique set of documents from around the world, from which we can train our machine learning models to locate and extract the information in documents, to detect fraudulent documents, and to engage in facial verification.

We also train our human analysts to perform those tasks so they can assist when our machine learning models aren’t best suited for the task or are still learning. Sometimes, we’ll also re-run and re-submit checks to ensure our Identity Verification Services are working properly, particularly when testing a new feature or service for quality assurance. Together, these developments help make Onfido’s Identity Verification Services stronger and safer for all clients and users.

We use information to provide and maintain our Identity Verification Services on behalf of clients on the basis that the user has consented to the processing or otherwise requested Identity Verification Services, the client has a legitimate or lawful reason for requesting Identity Verification Services, or the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest.

We also use information to further develop our Identity Verification Services on the basis that the processing is necessary in the legitimate interest of the client or Onfido, the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest, the processing is necessary for scientific research purposes, or the user has provided their consent.

Automated Decision Making and Onfido Reports

When we verify an identity or carry out a check on behalf of a client, we provide an Onfido Report to that client. This Onfido Report details our recommendation and the reasoning behind it. The reasons are generated from the different machine learning models and human powered processes that are used to verify an identity or perform a check. As these machine learning models and human powered processes are under constant development, it is difficult to maintain a list of them in this Privacy Policy. But you can find an accurate and up to date list in our Technical Documentation, usually used by clients that have integrated or will be integrating with us.

Below, we have provided a graphical representation of an Onfido Report:

By providing our clients with these detailed Onfido Reports, our aim is to empower our clients to make informed decisions about users and to provide specific help to users that are having difficulty in passing an Onfido check.

Sharing Information Outside Onfido

As well as sharing information with clients, users, and data providers (as described above), Onfido also shares information with external parties that are performing tasks on our behalf (including our affiliates) and with other companies, organizations, government bodies, and individuals outside Onfido where we have a legitimate legal reason for doing so (for example, in connection with any merger or acquisition) or where we have been instructed to share the information on behalf of our clients.

As part of our commitment to bringing legal identities online safely, we partner with universities and researchers active in the field of machine learning. Where appropriate, and only where permitted under applicable law, we’ll share user information with them for scientific research purposes.

Whenever legally possible, we seek to protect the information we share by imposing contractual privacy and security safeguards on the recipient of the information. This is particularly important in cases where the recipient is located in a country that has different or lesser privacy laws than those of the country where the information was originally collected. In some cases, however, it’s not possible for us to do so — for example, when we have a legal obligation to disclose information to a government authority and that government authority isn’t willing to enter into such contractual safeguards.

Information Security

Onfido takes appropriate administrative, physical, technical and organizational measures designed to help protect information about users from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. For more information about information security at Onfido, please visit the Guide to Security at Onfido. If you think you have identified a security vulnerability or bug in our Identity Verification Services, please report it to the Onfido security team at security@onfido.com and as described in the Onfido Responsible Security Bug Disclosure Policy.

Data Storage

We perform our Identity Verification Services on behalf of our clients for a variety of different reasons. Those reasons are identified by our clients, and we rely on them to tell us when they no longer need us to store the information we’ve collected on their behalf. Once instructed, either through our agreement with the client or through an ad hoc request, we delete the information we have collected about users when performing the requested Identity Verification Services.

If you, as a user, would like to make a specific request to have your information deleted, please make that request directly to the client that carried out your related check. For more information about how to do this, please see below under “Your Rights”.

Where we have a legitimate legal reason, we may also store information for longer than described above – for example, where we are under a binding legal order not to destroy information.

Your Rights

If you would like to access a copy of your information, have your information deleted, or otherwise exercise control over how your information is used, please contact Onfido at privacyrequests@Onfido.com, or the postal address below. Please be aware, some requests may require us to notify the relevant client (as described above in the Onfido Identity Lifecycle) so the client may fulfill the request instead (and not Onfido). This is necessary where Onfido is acting on the client’s behalf.

Government and Law Enforcement Requests

As Onfido provides its Identity Verification Services on behalf of its clients, Onfido will not disclose any information related to a specific check pursuant to a government or law enforcement request unless there is a binding legal order to do so or our client has consented to the disclosure. This is necessary for us to comply with our legal obligations. Any government or law enforcement body requesting information related to a specific check may contact us at privacyrequests@onfido.com, and we will seek to put you in contact with the relevant client.

Contact Onfido or a Privacy Supervisory Authority

If you would like more information about how Onfido collects and uses information, or if you would like to contact the Onfido data protection officer, please contact Onfido at privacyrequests@Onfido.com, or at:

Attention: Privacy Office
Onfido Limited
3 Finsbury Avenue
London EC2M 2PA
United Kingdom

If you would like to raise a concern with a Privacy Supervisory Authority, a list of contact points is available here.