Product Privacy Notice
Effective Date: December 30, 2022
General information and contact details
This Product Privacy Notice ("Notice") sets out the personal information that Acuant Inc. ("Acuant", "we", or "us") collects and processes about you through our products and services, the purposes of the processing and how you can exercise your privacy rights.
You may be reading this notice because of a link provided by one of our third-party data suppliers, one of our customers, or you simply want more information on processing in relation to our products and services. Where we collect personal information from you directly, for example, through our website or because you have applied for a job with us, or for additional information on our company, please see our general Privacy Notice.
Our customers and data suppliers should have a lawful reason for processing your data and may have a separate relationship with you. Where applicable and in accordance with any relevant corresponding laws or regulations, they will be required to provide you with information (for example through their own privacy notice) about how they collect and process your data.
What do we do?
Acuant is a business-to-business (B2B) technology organization that provides compliance and identification verification products and services to business customers on a global scale to help them detect fraud. Typically, our business customers use our technology so they can verify the information that you have provided to them. We do this by matching the data that you have provided to them with third party reference data (which we receive from data suppliers or our other business customers). This still sounds complex, so an example is often the easiest way to explain:
- You are going to open a bank account.
- In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. They may be obligated to do this for a number of reasons, such as compliance with anti-money laundering (AML) regulations to fight fraud.
- The bank collects personal data from you and passes this to Acuant's technology to process (via our products and services).
- As part of this processing, we may match the personal data you provided against third party data from our data suppliers or data that we have pooled together in our patented eDNA technology (described below) which is collected from other business customers.
- We may also collect identity documents, which may include a selfie photo, to verify that the person carrying out the journey is the same as those in the identity documents. We will only collect the selfie if our customer is utilizing our Acuant Face technology (described below).
- Matching your personal data may be done in two (2) ways, depending on the product that our customer is utilizing: a) Acuant hosts a copy of this personal data that we receive from data suppliers or that Acuant has pooled together in its eDNA data consortium; and/or b) Acuant accesses personal data via a web service, which means our data suppliers hold the database and we securely send them your personal data to match against the records they hold (collectively, the "Third Party Supplied Data"). They then return the result to Acuant.
- We pass a result back to the bank (our customer) based on the match between your input data against the Third Party Supplied Data. Please note that we do not pass back any actual personal data on you, but instead only either a risk score, or a pass/fail score.
- Our customer then decides how they will respond to you, e.g. open your bank account, decline your request etc.
- Acuant does not have visibility on, nor can we influence how our customer responds to you, nor do we set their risk appetite.
What personal data do we collect, why, and do we sell it to third parties?
The personal information that we may collect about you broadly falls into the following categories:
- Basic information: Name, postal address, phone/mobile number, email address, date of birth
- Device information: IP address, geolocation, device address
- Transactional: Data our customers provide us with in regards to your transactions with them to help detect and prevent fraud
- Inference Data: Information generated from your interactions or transactions with our clients (which they provide to us) to create risk scores for fraud prevention and regulatory compliance purposes.
- Image: Photo on a passport, driving license, or other identification document, self-taken photos.
- Documentation: Information on documentation that you provide to our customers such as medical insurance cards, driver’s licenses and passports
- Sensitive Information: Driver’s license or passport (and the information contained therein), social security number or other government issued numbers, face biometric match scores
Why we collect your personal data depends on the service(s) we provide, but for processing under our products and services it will always be to perform technology services on our customers’ behalf in relation to their compliance purposes and/or fraud prevention/detection.
Under certain jurisdictions (i.e., California and Virginia) we are deemed to sell your personal information when we collect it for processing under our Compliance Services (as further explained below). Please see our California and Virginia Privacy Notice Page for more information in relation to the sale of your personal information.
Our products are meant to help our Customers reduce identity fraud, by authenticating identity documents that you provide to them. Our Acuant Face product (described below) is meant to ensure that the person submitting the document to our customer is who they claim to be by performing a facial recognition match.
Our standard Acuant API gives our business customers access to 30+ third-party data sources, 300+ watch lists, and award-winning identity verification, fraud prevention and compliance solutions, including one to one facial recognition and match services, part of which is performed by our third-party partners.
How does the facial recognition and match solution work?*
Our API will collect the following images from an individual: (1) an identity document that they take a photo of and (2) a selfie image that they take of themselves, captured through our business customer’s identity verification interface, which the individual is interacting with. We send the images to our third-party partner (Microsoft Azure) who then performs a facial comparison using the latest available technology, and specified algorithms, to determine whether the faces contained in the two images belong to the same person and to generate a "Face Match Score" (on a scale of 0 to 100) representing the confidence level that the two images of the individual match each other. Our third-party partner is contractually limited to using the images and/or their corresponding data for purposes of performing the image comparison on our behalf. Once the comparison match is complete, the Face Match Score (which does not include any biometric identifiers or use any biometric identifiers to identify you) is passed through the Acuant API to our business customer to help them determine their level of confidence that the individual submitting the selfie is the same person as the individual on the identity document.
Acuant only uses the Face Match Score to try to help our customers authenticate that you are the same individual whose photo is on the ID document you provided, for the purpose of verification services and fraud prevention. At no point will we have access to any biometric identifiers that our third-party partner may have processed when generating your Face Match Score. Additionally, the biometric processing that Acuant Face performs is not used to identify an individual, but instead it is used to authenticate the ID document you submitted by confirming that the individual in the selfie is the same individual in the ID document. Where required by law, our clients must obtain consent to collect and/or have us process your biometric data, and we have contractually obligated them to do so. Acuant will not sell, lease, trade, or otherwise transfer your biometric data to any other third-party not addressed in this Section.
Our third-party partner is contractually required to destroy the images and any biometric data that they may have processed in accordance with a data retention schedule which does not exceed 24 hours. Please note that our business customer may retain the original images and the Face Match Score in accordance with their own internal policies, which we have no control or influence over. We only retain the selfie image and the ID document for approximately 60 seconds, after which they are destroyed from our environment. However, upon our business customer’s request, we may retain the Face Match Score on our customer’s behalf for the amount of time requested by the customer, strictly in accordance with our contractual agreement with the customer. We will not store the Face Match Score after we cease to have a relationship with the customer unless we otherwise obtain permission or are required by law. For the avoidance of doubt, the Face Match Score cannot be used to identify you (it is simply a number from 1 to 100). Acuant uses appropriate information security safeguards designed to protect the Acuant Face data it is collecting and processing, when it is being collected, stored, and transmitted.
*For Government customers, the services are performed pursuant to the government contract and may differ from these disclosures.
Our products are meant to help our customers reduce fraud, which may benefit you by helping you get the best price and keeping your identity protected. With each online order companies must make a decision whether to ship or decline the order. Our customers can opt to take in our transaction monitoring and KYC products to help them prevent and combat online fraud. Additionally, they can also take our KYB, AML and Peps & Sanctions products to help them comply with any verification requirements they may have under applicable laws. All of our compliance platform products (except for Peps & Sanctions) feed into our eDNA data consortium.
Our eDNA data consortium is a data pool that consists of the information that we receive from all of our customers who take any of our compliance platform products, which are all utilized for fraud and/or compliance purposes.
Please note that data in eDNA is pseudonymized and one-way hashed for technical safeguarding and that we do not grant our customers or any third parties direct access to the data held in eDNA; the data in eDNA is only accessed to help our products process their fraud/compliance needs to generate a risk or pass/fail score, without actual disclosure of the data.
Our legal basis for processing personal data
We will collect personal information where the processing is in our or our customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, in accordance with required applicable laws. These include legitimate business interests which provide a societal benefit, such as detecting and preventing fraud and helping our customers ensure only individuals who should have access to their services are able to do so.
In some of our products & services, we may also rely on your explicit consent as our lawful basis, where the processing includes special category data (such as your biometric data, for example). If you are not happy to provide your explicit consent, then please consult with the organization (i.e., our customer) that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something Acuant can influence.
The table below identifies the legitimate interest that we rely on pursuant to the GDPR for each of our activities.
Acuant's Lawful basis
As this is a global policy, lawful basis will be applicable to the personal data and jurisdiction related to its processing.
- Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough or verifying your identity.
- Consent: Our customers are responsible for collecting your consent, when necessary, in accordance with applicable laws. The journey you will undergo includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR and other privacy laws, as applicable, and Acuant relies on the explicit consent under Article 9(2)(a) of the GDPR to process such data.
If you have questions or need further information concerning the legal basis on which we collect and use your personal information, please contact us using our webform.
Who will we receive your personal data from and who will we share your personal data with and why?
As explained above, we receive personal data about you from our customers and data suppliers. We also send your personal data to our customers and data suppliers, where there is a lawful reason (as applicable), to do so in order to provide our products and services.
We offer our products and services to public and private organizations worldwide. These include:
- Financial Services: Banks and financial services.
- Healthcare: Healthcare providers (for patient registration & billing)
- eCommerce: Retail (online shopping), online commerce platforms
- Gaming: Online gaming, loyalty programs
- Entertainment: Travel and leisure, media
- Public Sector: Law enforcement, local government, education bodies
- Utilities: Gas, electricity, water suppliers
- Miscellaneous: Cryptocurrency, automotive dealers
Acuant Data Suppliers
We work with a number of trusted data suppliers. These include government and public authorities, regulated financial or consumer credit services organizations, other commercial organizations as well as publicly available information.
We may also disclose your personal data to the following categories of recipients:
- to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice;
- to any competent law enforcement body, regulatory, government agency, court or other third parties where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.
How long do we retain your data for in our Products and Services?
We retain personal information we collect from our customers and data suppliers for the length of time necessary to fulfill the specific purpose or purposes for which it has been collected (for example, to help our customers to comply with applicable legal requirements, such as anti-money laundering), as set out below. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights. However, please note that a vast majority of the time, retention limits are set by our own customers, and we are unable to access the data nor are we able to delete it or affect their retention periods.
Once the respective purpose ceases to apply, we will either delete or anonymize the personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
All of our identity verification products have a retention period of 10-60 seconds; we retain the data only for as long as we need to process it, unless otherwise requested by our customer (then we would retain it for the duration that they contractually oblige us to).
The data that we hold in eDNA is data that our customers provide to us, and this is kept until our customers direct us to delete it, or (effective January 1, 2023) for no longer than 10 years, whichever is shorter.
If you have questions about or need further information concerning any privacy matters (such as your privacy rights under CCPA or GDPR, for example) please see our general Privacy Notice. To make any privacy rights requests, please contact us using our webform or feel free to contact us using the information provided in our Privacy Notice, linked above.