Application Privacy Policy

Trulioo offers worldwide electronic identity verification services to businesses, processing personal information received via application program interface (API) and returning validation results online, anywhere, in seconds.

This privacy policy applies to the personal information processed by Trulioo in our GlobalGateway API on behalf of our clients.

For our general website privacy policy, please visit Privacy Policy.

Policy updates

Trulioo reviews and updates this policy at minimum annually.

Last update: 9th July 2022.

Trulioo may, solely at our discretion, make changes or updates to this policy. If we make changes, we will post those changes, and alter the Policy update date.

Definitions

  • Australia Privacy Act: the Australian legislation for privacy protection
  • Client refers to a client of Trulioo, which may be an entity or an individual (e.g. a sole proprietor) that has signed a contract for Trulioo to provide services
  • Data partner is an independent controller of information under contract with Trulioo to perform a set of pre-arranged processes on data provided via the Trulioo API and return a match / no-match signal
  • End User is an individual whose personal information is collected by a Client and subsequently processed by Trulioo
  • GDPR: the General Data Protection Regulation is the European Union and European Economic Area law for data protection
  • Personal information is any data that could potentially identify a specific individual. (For residents of the European Union, this is equivalent to ‘personal data’.)
  • PIPA-BC: the Personal Information Protection Act is the British Columbia law on data protection
  • PIPEDA: the Canadian Personal Information Protection and Electronic Documents Act is the Canadian Federal-level law governing data protection

Trulioo’s information security processes are ISO 27001 certified

ISO 27001 is an international industry standard for information security. It sets out a framework of controls to assess, manage, and mitigate the risks associated with the handling of sensitive information, including personal information. Eligibility for ISO 27001 certification is assessed annually by an independent third-party auditor.

Trulioo is certified under ISO 27001:2013. Our priority is to protect the confidentiality, integrity, and availability of our systems and information.

We ensure that personal information is encrypted in transit and at rest using industry-standard encryption. Data centres selected for hosting must meet minimum requirements as laid out in our Physical and Environmental Safety policy. All personal information is deleted from Trulioo’s systems post-processing.

Data partners undergo information security due diligence review prior to entering our API system.

Trulioo’s services

Clients collect personal information from end users, and enter the relevant data points for validation into the Trulioo API.

Trulioo acts as a data processor as defined under the GDPR. Trulioo does not sell end user personal information, and does not use or disclose end user personal information received via its API for any purpose other than to provide clients with the services for which they have contracted, or if such disclosure or use is required in order to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety.

The relevant data are processed to return a match / no match signal via Trulioo’s API based on a comparison of the client-provided information against Data partner databases. Where required under contract, these data points may include government-related identifiers.

‘Relevant data’ is defined by contract and depends on the Client’s needs and the requirements of legislation and regulation to which that Client is subject.

For example purposes only: A financial product in the UK will have different requirements for identity verification than an advertiser in the USA. The relevant data points required in each case will therefore be different.

Client accounts

Clients are able to configure accounts for their team members in the API. When a Client opens an account, or configures an account for a team member, with Trulioo, they are asked to provide a user name, a business email, and a password. The Client will also configure the level of access required for each client team member.

This account information is not sold or disclosed to any third parties, and is used solely to provide Clients with the services for which they have contracted with Trulioo.

Client accounts that have been inactive for a period of six months may be subject to deactivation.

Logging and monitoring

Trulioo maintains logs of Client activity to support audit and maintenance of the API. Logging includes actions that affect access to an account, configuration changes, and the user involved. Access to log information is restricted to those at Trulioo with a need to know and to the Client admin-level user. Logs cannot be edited or deleted.

Customer support

If a Client makes a support request, Trulioo may collect Client user name and business information, including contact information, and may store this in Trulioo’s customer support CRM system and email system. This information may be shared internally with Trulioo staff who need to know in order to troubleshoot the reported issue and to respond to the Client.

What legislation do we adhere to?

Trulioo is based in Vancouver, Canada. We have locations in Sydney, Australia; San Diego and Austin, USA; Dublin, Ireland; Copenhagen, Denmark; and Iasi, Romania. In addition to being directly regulated under PIPEDA, the Australia Privacy Act, and the General Data Protection Regulation, our teams work with clients and data partners to ensure that our processing of data conforms to local requirements as dictated through contract.

In the Customer portal

Trulioo uses non-persistent cookies for session tracking and request verification when clients visit the admin or customer portal.

In addition, we use Hotjar, a behaviour analytics tool, to help us understand how users interact with pages and functionality on our website. Hotjar may collect optional email, country-level geolocation, operating system and device details, and page activity.

Hotjar respects Do-Not-Track requests. You can review Hotjar’s privacy policy here.

Google Analytics

Our customer portal makes use of Google Analytics. Your web browser automatically sends certain information to Google. This includes the URL of the page that you’re visiting and your IP address. Google may also set cookies on your browser or read cookies that are already there. Google Analytics uses the information shared by sites to deliver, maintain, and improve services, develop new services, measure the effectiveness of advertising, protect against fraud and abuse, and personalize content and ads that you see on Google and on partners’ sites and apps. Google Analytics does not collect or retain PII. You can learn more about Google Analytics’ use of information here.

We may also associate your engagement data from one visit with your engagement data from other visits, which is done via a unique user ID. At no time is your PII shared with Google.

Personal information may be transferred internationally

Personal information received from Clients for processing via the API may be transferred internationally, including to or through areas where the standards for data privacy differ from those in force in your jurisdiction.

For transfers of data involving EU residents, some of these countries may not be among those listed by the EU Adequacy Decisions. Where this is the case, Trulioo uses Standard Contractual Clauses.

Trulioo aims to ensure equivalent security of processing throughout our services. The API service is hosted variously in Australia, USA, and the EU.

Categories of personal information received

Dependent on contract, we may receive:

  • Demographic information, including age, gender, nationality
  • Identifiers, including first name, last name, initial(s), date of birth, email address, and/or telephone number, government identification codes or images of government-issued IDs
  • Location information, including internet protocol address, physical mailing address, billing address
  • Professional or employment-related information, including business email, address, telephone number, company name
  • Sensitive or biometric information, including images used for facial recognition matching, height, weight, eye colour, hair colour

Categories of third party to whom personal information may be disclosed

  • Data partners, for the purpose of verifying identity
  • CRM system to support responses to clients
  • Email system to support responses to clients

Data retention

Trulioo deletes all end user personal information post-processing. End user personal information is not backed up or otherwise retained once the processing operations have completed.

Data subject rights requests

Trulioo will support Clients (data controllers) to the utmost of its ability in Clients’ responses to end users exercising their legal rights. Please contact support, or email [email protected].