Services Privacy Policy

Last Updated: January 2024

This Services Privacy Policy (“Privacy Policy”) sets out the privacy practices of Trulioo Information Services Inc. and our affiliates (“Trulioo”, “we”, “our”, “us”) in connection with our identity verification and related online services (our “Services”).

Trulioo makes our Services available to our customers for integration into our customers’ websites and mobile applications. This Privacy Policy does not apply to the services offered by our customers who use our Services. Please consult the privacy policy of our customer that is using our Services with you for more information about their processing of your personal information.

If you are a California resident, you may have certain additional privacy rights and you should visit our California Privacy Notice for more information.

For details about the personal information we collect on our website or in connection with our general business activities, please visit our Website Privacy Policy.

• 1. Our relationship with you
• 2. Our Services
• 3. What types of personal information do we use?
• 3.1 Product development and improvement
• 3.2 Public registry data
• 4. What are our purposes and legal basis for processing your personal information?
• 4.1 Product development and improvement
• 4.2 Public registry data
• 5. How does Trulioo share my personal information?
• 6. How do we keep your personal information secure?
• 7. Do we transfer your personal information internationally?
• 8. What are your privacy rights and choices?
• 9. For how long is personal information retained by Trulioo?
• 10. Does Trulioo undertake automated decision making?
• 11. Updates to this Privacy Policy
• 12. How to contact us

1. Our relationship with you

When we provide our Services to our customers, such as by verifying an individual’s identity, carrying out identity document verification checks, or providing our other individual or business verification services, we are acting on behalf of our customers as their service provider and “processor” (or such similar term under applicable law). This means that it is our customers who control what personal information about you we process and how we use it. Our customers are also the party primarily responsible for fulfilling your requests to exercise your rights. For information on the use of your personal information by our customers and how to exercise your rights, please refer to the privacy policy provided by the company that is using our Services with you.

For certain limited purposes, we will act as a “controller” (or such similar term under applicable law). Those purposes are:

• Product development and improvement. Where permitted by our customers and applicable law, we may use certain personal information about you for our own internal purposes in order to develop and improve our Services.
• Business verification services. We collect company and company officer information from public registries in order to support the provision of our business verification services.

For details about what types of personal information we collect for such limited purposes as a controller, how we use it and our legal basis for processing your personal information, please refer to the sections below titled “What types of personal information do we use?” and “What are our purposes and legal basis for processing your personal information?”

If you have any questions or concerns about our use of your personal information, please contact us using the contact details under “How to contact us” below.

2. Our Services

Identity verification services

We offer identity verification services via a global network of trusted data sources to enable our customers to verify their users, detect fraud and comply with anti-money laundering (AML) and Know Your Client (KYC) requirements. Our network of data sources includes government and national ID registries, electoral rolls, consumer credit agencies, mobile network providers, utility companies and other trusted sources.

The types of personal information involved will vary depending on the verification checks available in the user’s location and the services selected by our customers. It may include name, date of birth, contact information (such as email address, residential address and telephone number), national ID number, information extracted from a utility bill uploaded by the user or other information provided by a data source.

Document verification services

We offer document verification services to enable our customers to verify the authenticity of an identity document (“ID“) and confirm the identity of their user pictured in the ID and a live photograph (i.e. selfie).

To enable us to conduct a document verification check, a user will be asked to submit a photo of their ID (front and back) and/or a photograph / selfie depending on how our customers have configured the service. We will extract data from the ID, including facial scan data from the photo on the ID. Facial scan data will be compared to the selfie to assess whether the same person is pictured in both images. We will also look for signs of fraud in the images, including checking whether the selfie has been taken in real time, and is of a real person (as opposed to an image of an image, for example) and whether any other fraud indicators are present (including any tampering of data on the ID or the presence of any data inconsistencies). Based on the results of these assessments, we will advise our customer whether the user’s identity has been verified or whether any indicators of fraud were detected.

When performing a document verification check on behalf of our customers, we collect and process the following personal information: government issued ID (for example, passport, driver’s license or identity card), any personal information captured on the ID (for example, name, date of birth, address, document number, and photo), and photograph / selfie. We will process facial scan data extracted from the photo on the ID and/or selfie, which may be classed as “biometric data” or “biometric information” in certain jurisdictions. For more information, please consult the privacy policy provided by the company using our document verification services with you.  

If you are located in the United States, please also refer to our Facial Scan and Biometric Information Policy for more information about the processing of your biometric personal information for our document verification services.

Business verification services

We offer business verification services to enable our customers to meet their Know Your Business (KYB) compliance requirements by verifying company information, including information about company officers, such as directors, officers and ultimate beneficial owners, by providing access to information from government registries, credit data and other public records.

Information collected may include company ownership or directorship related information, including company address, position held (e.g. director), and current status (e.g. resigned, active, start date, end date).

Watch-list screening services

We provide watch-list screening services to enable our customers to screen an individual or a business’ information against global sanction or politically exposed person (PEP) lists and adverse media sources, and return publicly available information from such lists and sources in a report. If instructed by a customer, our watch-list screen services may be provided on an ongoing basis, for example where a customer’s regulatory obligations require ongoing monitoring.

3.  What types of personal information do we use?

3.1 Product development and improvement

Where permitted by our customers and applicable law, we may use certain information collected in connection with our Services in order to develop and improve our Services and our proprietary technology.

Our document verification services incorporate technologies which can identify patterns in the information you provide and on an iterative basis learn from such information to become more accurate and efficient. The training, maintenance and improvement of this technology includes machine learning and may also involve human review or verification.

If you are located in the United States, please also refer to our Facial Scan and Biometric Information Policy for more information about the processing of your biometric personal information for our document verification services.

Our document verification service is able to recognize the presence of an identity document as well as the document’s key features. It is able to compare facial scan data from IDs and selfie images to determine that the same person is presented in both. It can also detect indicators of fraud, tampering, or data inaccuracies. For our product development and machine learning processes in connection with the technology that comprises document verification, we process the following personal information about you:

• The image of your ID and metadata related to the identity document image, such as image size and dimensions;
• Facial scan data extracted from the image of your ID and selfie; and
• Other personal information extracted from your ID, such as your name, address, date of birth, country of issue and document number.

Please note that Trulioo does not process special categories of personal information for its own product improvement or machine learning purposes (including biometric data for the purpose of uniquely identifying you).

3.2 Public registry data

We collect and maintain public registry data about businesses, which includes information about company officers, such as directors, officers and ultimate beneficial owners, to support the provision of our business verification services. The personal information we collect relates to company officers acting in their professional capacity. We collect this information from official public registries (such as Companies House in the UK) which are public records.

The types of personal information we collect will depend on the information made available on the public registry in a particular country. If you are a company officer whose information is included in public registry data we collect, we may collect and process the following information about you (if it is disclosed on the particular registry):

• first and last name;
• company name;
• correspondence address (which is usually a business address);
• position at the company (e.g., shareholder / director);
• tenure at the company (start and end date);
• date of birth (month and year only); and
• nationality.

4. What are our purposes and legal basis for processing your personal information?

4.1 Product development and improvement

We process the personal information that we collect from and about you only for the following product development and improvement purposes:

• To train our models to accurately verify identity documents, for example by learning what driving licenses look like in different countries; in order to do this we analyse the components which make up a driving license, label such information, and feed the labels into our models.
• To accurately capture an image of your identity document, we analyse the size and dimensions of the document, label such information and feed the labels into our models to train our technology to capture the clearest images possible to increase accuracy and speed of processing.
• To ensure that the images we capture are sufficiently clear to allow us to verify your identity and the identity document’s authenticity, we train our models to detect blur and glare and automatically request a second image where the initial image capture is low quality. 
• To train our models to accurately detect your live presence by analysing the image you provide (and learning from labelled examples of such images).
• To train our models to accurately and efficiently recognise and compare your facial images (including the image on your identity document and your selfie image, for example).
• For anti-fraud purposes, including to train our technologies to detect potentially fraudulent behaviours, fraudulent documentation and identity theft.

We will compile, store and analyse your personal information for the specific purposes described in this section to the extent that such processing is necessary for our legitimate interests of developing, maintaining and improving the security, accuracy, efficacy and efficiency of our document verification checks.

In some circumstances, where local data protection law requires, we will seek your consent to use your personal information for the purposes described in this section.

If you have further questions about the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.

4.2 Public registry data

We process the personal information we collect about company officers from public registries to support the provision of our business verification services to our customers. We do this to enable our customers to conduct due diligence on businesses, meet their compliance and regulatory obligations, and better understand the businesses they want to verify, as well as their company officers.

We collect, build and maintain the personal information to the extent that such processing is necessary for the legitimate interests pursued by Trulioo and its customers. These legitimate interests include:

• Surfacing more comprehensive data on a global basis, which helps customers complete more accurate, complete and expeditious Business Verification and therefore achieve better compliance with essential and strict AML and KYB/ KYC requirements;
• Contributing to the achievement of corporate data accuracy and reliability by facilitating easier access to data held within otherwise siloed national official registers, thereby enabling errors or other questionable aspects of the data to be more readily detected; and
• Ultimately serving a wider public benefit by contributing to the fight against corporate crime and the creation of a safer online environment.

5. How does Trulioo share my personal information?

Trulioo uses some tools, apps and services to help us manage our business. If these tools are provided by third parties, we perform due diligence and use contractual measures to safeguard your data. More details are provided below.

We share your personal information with the following categories of recipients:

• members of the Trulioo group, only to the extent necessary to fulfil the purposes outlined in this Privacy Policy;
• our third party business infrastructure providers, who we engage to enable us to support our product development and improvement activities such as data storage and hosting providers;
• our customers in connection with the provision of our services (such as public registry data for our business verification services);
• any competent law enforcement body, regulatory, government agency, court or other third party (such as, our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person; or
• any other person with your consent to the disclosure (obtained separately from any contract between us).

6. How do we keep your personal information secure?

We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing your personal information. For example: (i) we only work with trusted technologies and vendors who are bound by contractual obligations to protect your personal information and who are assessed for information security risk prior to onboarding, (ii) we limit the number of people who can access your information to people who need to know as part of their job, (iii) we provide training to our employees on data privacy and information security; and (iv) we have in place reasonable security defenses, malware protections, vulnerability management and recovery resilience measures.

7. Do we transfer your personal information internationally?

Trulioo is headquartered in Canada, with offices in the United States, Ireland and Denmark, as well as employees globally. We host our Services on Amazon Web Services’ (AWS) highly secure and reliable data centres around the world. Our third party vendors and trusted data partners also operate globally. This means that we may process your personal information in and transfer your personal information to countries outside of the country in which you are based. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Where we transfer your personal information to countries and territories outside of the European Economic Area, Switzerland and the UK, which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission or Swiss authorities, or the “adequacy regulations” (data bridges) from the Secretary of State in the UK. In 2001, the European Commission recognized Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as providing adequate protection for European personal data. The decision is available here. Accordingly, for transfers of European personal information to Trulioo in Canada, Trulioo and its customers can rely on the European Commission’s adequacy decision. 

Where the transfer is not subject to an adequacy decision, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy and applicable laws. The safeguards we use to transfer personal information are the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland).

8. What are your privacy rights and choices?

Depending on where you are located and subject to applicable privacy laws, you may have the following privacy rights: 

• You may access, correct, update or request deletion of your personal information. 
• You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information, (i.e. your data to be transferred in a readable and standardised format).  
• If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. 

You have the right to complain to us or to a supervisory authority about our collection and use of your personal information. For more information, please contact your local supervisory authority.

If you would like to exercise any of your privacy rights you can email us at [email protected].

Residents of California may have certain additional privacy rights and you should visit our California Privacy Policy for more information.

We respond to all requests we receive from individuals wishing to exercise their privacy rights in accordance with applicable data protection laws.

If your request relates to information we process on behalf of our customers, we will redirect the request to the relevant customer.

9. For how long is personal information retained by Trulioo?

Where we are processing your personal information on behalf of our customers in order to provide our Services, we will retain and delete your personal information in accordance with the relevant customer contract or instructions.

Where we are processing your personal information for our own purposes, such as for product improvement or for our business verification services, we retain the personal information we collect from you where we have an ongoing legitimate business need to do so. When we have no ongoing legitimate business need to process your personal information, we will either delete it or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

10. Does Trulioo undertake automated decision making?

Automated decisions mean that a significant decision concerning you is made automatically based on a computer determination (using software algorithms), without human review. 

Trulioo itself does not undertake automated decision making.

Our Services are integrated into our customers’ on-boarding process for their services and we are instructed by our customers to conduct verification checks about your identity and/or documents to help our customers assess whether to proceed with their on-boarding. Our customers can set their own risk parameters in connection with their use of our Services and it is our customers that ultimately decide how they use the verification results provided to them. It is entirely at the customer’s discretion whether to proceed with your on-boarding or ask you for more information in order to allow them to make a decision.

If you have any questions about the outcome of a verification check relating to you or your identity document, please contact our customer that is using our Services with you.

11. Updates to this Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, regulatory, technical or business developments.

You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy. 

12.  How to contact us

If you have any questions or concerns about our use of your personal information, please contact us using the following details:

Email: [email protected]

You may also write to us at the following address:

FAO Privacy Office
Trulioo Information Services Inc.
400 – 114 E 4th Ave
Vancouver, BC V5T 1G2
Canada

Or, if you are located in Europe:

FAO Privacy Office
Trulioo (Ireland) Limited
1st Floor, 40 Molesworth Pl.
Dublin 2 D02 K023
Ireland

You may contact our Data Protection Officer by email at [email protected].