Privacy Policy

WYA Biometrics (“WYA”) respects the privacy of our users.  This Privacy Policy (“Policy”) describes our privacy practices concerning information collected in connection with WYA online services, including but not limited to Digital Onboarding, and Face Recognition services. (the “Services”). WYA makes the Services available to third parties for integration into those third parties’ websites, applications, and online services.  WYA collects, uses, and discloses individual users’ information only as directed by these third parties and, accordingly, under applicable data protection laws, WYA is a processor or service provider (“data processor”) of user information with respect to the Services and not a controller or business (“data controller”). Further, some features of the Services may be disabled or altered by the data controller, or the data controller may require WYA to collect, use, disclose, or otherwise process data in ways that differ from those described below. Thus, to fully understand how your information will be handled when you use the Services, you must review not just this Policy, but also the privacy policy of the third party with whom you are dealing directly (the “Customer Data Controller”). As an exception to the above, WYA processes personal information in the capacity of a data controller and a business to comply with its regulatory obligations. For further information please review the section “WYA acting as a data controller” below.

Notwithstanding the above, WYA may process certain individual users’ information in anonymized and/or aggregated form for its own purposes.

What personal and other information WYA collects about you

WYA collects “personal information” about users of the Services. “Personal information” is information such as a name, email address, or identification card image, which refers to an identified or identifiable person. WYA processes personal information on behalf of the Customer Data Controller. For its own purposes, WYA only processes the personal information described in section “WYA acting as a data controller” and anonymized and/or aggregated information. “Anonymized information” is information which does not relate to an identified or identifiable person or is rendered anonymous in such a manner that the person is no longer identifiable.

Personal information. WYA collects a wide range of personal information through the Services. This information varies depending on the WYA application and the Customer Data Controller in question, but may include such information as name, email address, state or national ID card number, other ID card number and/or date of birth. In some cases, WYA may collect a visually scanned or photographed image of your face and/or your identification card.

WYA collection of personal information may include biometric identifiers and/or biometric information (collectively “biometric data”), and WYA may share such biometric data with the Customer Data Controller. WYA may collect, process and store your biometric data for the purpose of verification services and long-term proof of inspection of your provided form of identification, on behalf of and as instructed by the Customer Data Controller. WYA will store your biometric data for as long as the Customer Data Controller requests (e.g., the duration of your use of its services), which shall be no longer than the earlier of the date when (i) the Customer Data Controller ceases to have a relationship with WYA or (ii) within three (3) years after the Customer Data Controller informs WYA that its last interaction with you has occurred.

Facial recognition. If you agree to use our Face Recognition with Biometric Facial Recognition, or other facial recognition service that we offer to our business customers, WYA will collect an image of your face that you provide through a mobile app (i.e. a selfie) and a photo or scan of your face as it appears on an identification document. WYA will use facial recognition technology only for the purpose of verifying your identity as the person who appears on the identification document. WYA may share the facial scans with the WYA customer through which you used WYA identity verification service. WYA will retain your facial recognition information, for the amount of time requested by the WYA customer through which you used WYA identity verification service. In no event will WYA store your facial recognition information after WYA ceases to have a customer relationship with the customer through which you used WYA identity verification service.

Data provided by third parties.  We may receive personal or anonymized and/or aggregated information about you from the Customer Data Controller that integrates the Services into its website, application, or other online service. This information includes a customer ID, selected by the Customer Data Controller, that uniquely identifies you in the third party’s database.  For additional information, review the privacy policy of the Customer Data Controller.

At the direction of the Customer Data Controller, WYA also might obtain information about you from other third parties, such as consumer reporting agencies and fraud-prevention services.

Tracking data.  When you use the Services, we automatically receive and record certain information from your computer (or other device) and/or your web browser.  This may include such information as the third-party website or application into which the Services are integrated, the date and time that you use the Services, your IP address and domain name, your software and hardware attributes (including operating system, device model, and hashed device fingerprint information), and your general geographic location (e.g., your city, state, or metropolitan region; or your geolocation (GPS coordinates) if available). We will process such data only as instructed by the Customer Data Controller, or as required for WYA to meet its obligations relating to its own regulatory compliance.

How WYA uses the personal and anonymized/aggregated information that we collect

In general, WYA uses the personal and anonymized and/or aggregated information that we collect in connection with the Services as discussed in this section of the Policy.

Other than as described under the section “WYA acting as a data controller” personal information is used by WYA  only as directed by the Customer Data Controller that integrates the Services into its website, application, or other online service.  Subject to the privacy policy of the Customer Data Controller, we use your personal information as follows on behalf of the Customer Data Controller.

WYA may use your personal information to provide the Services.  For example, we might use your ID card information to populate an online form, or to verify your identity in connection with your use of another online service.  We also may use your personal information to fulfill the terms of any agreement between us and the Customer Data Controller; to complete a transaction that you initiate; to deliver confirmations, account information, notifications, and similar operational communications; and to comply with legal and/or regulatory requirements.

Anonymized and/or aggregated information that we collect in connection with the Services is used by WYA for its own purposes to perform analytics and research concerning the Services.

We process the provided personal information manually, by our specially trained verification agents or automatically with the use of our software and machine learning capabilities. When we process the personal information automatically, we apply especially the following criteria:

• Checks on the integrity and quality of the photographs;
          
• Checks on the integrity and recognition of the document;
          
• Extracting and analysis of text, graphical layout, and any other available information on the document, face photographs and face maps, background;
          
• Analysis of results of all the steps combined, considering multiple variables, predictions and confidence values for a final score;
          
• Lookups against known images as well as known cases;
          
• In case of identity verification, your selfie is compared to the photo on the document and is used to ensure your liveness in the Cookies and other tselfie.
  

Please reach out to the Customer Data Controller responsible for your personal information with any inquiries regarding the rights you may have in case your personal information is subject to automated decision-making.

How WYA shares personal and anonymized/aggregated information with other entities

In general, WYA shares the personal and anonymized and/or aggregated information that we collect in connection with the Services as discussed below.

Other than as described under the section “WYA acting as a data controller” below, WYA shares personal information only as directed by the Customer Data Controller, and thus the following language is subject to the privacy policy of the Customer Data Controller.

Customer Data Controller.  We share the personal and pseudonymized information that we collect on behalf of a particular Customer Data Controller with that Customer Data Controller.

Aggregated information.  From time to time, WYA may also share anonymized and/or aggregated information about users of the Services, such as by publishing a report on trends in the usage of the Services.

WYA processes your personal information on behalf of the Customer Data Controller pursuant to a written agreement for verification services. As such, WYA acts as a service provider to the Customer Data Controller. Moreover, WYA does not sell your personal information and, in providing its services to the Customer Data Controller, WYA will not retain, use, or disclose your personal information to any other third parties. Any questions or requests regarding WYA processing of your personal information in respect of your rights should be directed to the Customer Data Controller that is responsible for your personal information.

Security

WYA uses commercially reasonable physical, electronic, and procedural safeguards designed to protect your personal information against loss or unauthorized access, use, modification, or deletion. Among other things, WYA encrypts sensitive information both in transit and at rest.  WYA regularly conducts security audits, vulnerability scans, and penetration tests to ensure compliance with industry security practices and standards.  However, no security program is foolproof, and thus we cannot guarantee the absolute security of your personal or other information.  Moreover, we cannot guarantee the safety of your information when in the possession of other parties, such as the Customer Data Controller.

Reviewing and updating your information

With the exception of WYA acting as a data controller (please see below), WYA will grant you access to your personal information only as directed by the Customer Data Controller that integrates the Services into its website, application, or online service.  WYA also will retain your personal information as directed by the Customer Data Controller and, accordingly, we may retain your personal information for as short as a few minutes or longer as directed by the Customer Data Controller.

Thus, if you want to learn more about the personal information that WYA has about you, or you would like to submit a request to update or change that information, please contact the Customer Data Controller. You also may reach us by email at [email protected].

WYA acting as a data controller

1. Processing of GPS coordinates and IP addresses
   

WYA acts as a data controller when processing GPS coordinates and IP addresses collected when rendering its services to Customers Data Controllers.

The data subjects whose personal information is processed are end-users using the Services.

Purpose and legal basis for processing

WYA processes the personal information – GPS coordinates and IP addresses – on the basis of Article 6(1)(f) GDPR, specifically:

(i)         the prevailing legitimate interest of WYA to comply with its legal obligations in jurisdictions outside of the European Union;

(ii)        the prevailing legitimate interest of data subjects using WYA services to be notified of biometric information processing by WYA and express their consent, under the laws applicable to WYA concerning the respective user.

Recipients of the personal information

1.         
   The personal information is entrusted to data processors         acting on WYA behalf, providing hosting services, technical staff         and relevant technical infrastructure. In such case the processors shall process personal information on the basis of an agreement with WYA and exclusively in accordance with WYA instructions.
           
2. The personal information may be received by competent state authorities operating on the basis of generally applicable legal provisions.
           
3. WYA authorized employees and contractors may have access to the personal information.
   

The period for which the personal information will be stored

GPS coordinates and IP addresses will only be stored for the period necessary to establish the location of the data subject and deleted immediately afterwards. 

Data subjects’ rights in regard to personal information – GPS coordinates and IP addresses

In accordance with applicable law, you may have the right to: (i) request confirmation of whether we are processing your personal information; (ii) obtain access to or a copy of your personal information; (iii) receive an electronic copy of personal information that you have provided to us, or ask us to send that information to another company (the “right of data portability”); (iv) object to or restrict our uses of your personal information; (v) seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; and (vi) request erasure of personal information held about you by us, subject to certain exceptions prescribed by law.

We will process such requests in accordance with applicable laws.  To protect your privacy, we will take steps to verify your identity before fulfilling your request. If we are unable to verify your identity, we will not be able to fulfill your request.

Data Subjects Located in the European Economic Area – Supervisory Authority

If you are located in the European Economic Area, you have the right to file a complaint with the supervisory authority – Austrian Data Protection Authority (Österreichische Datenschutzbehörde). To exercise your rights please contact us at the address provided below.

Additional information for users of the Services from outside the United States

The personal information that WYA collects through or in connection with the Services is transferred to and processed in the United States for the purposes described above.  WYA also may subcontract the processing of your data to, or otherwise share your data with, its affiliates or third parties in the United States or countries other than your country of residence.  The data protection laws in these countries may be different from, and less stringent than, those in your country of residence.

However, we only transfer your personal information to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC).

Children’s Privacy

The Services are not directed to children under the age of 13, and WYA will never knowingly collect personal or other information from anyone it knows is under the age of 13. We recommend that persons over 13 but under 18 years of age ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet.

Changes to this Policy

Technology and the Internet are rapidly changing.  WYA therefore is likely to make changes to the Services in the future and as a consequence will need to revise this Policy to reflect those changes.  When we revise the Policy, WYA will post the new Policy on the WYA website’s home page (www.wyabiometrics.com), so you should review that page periodically.  If we make a material change to the Policy, you will be provided with appropriate notice.  If we maintain your email address, we also may email you a copy of the revised Policy at your most recently provided email address.  It is therefore important that you update your email address if it changes.

Questions or comments

If you have any questions or comments regarding our Policy, please mail or email us at:

Email: [email protected]

The Data Protection Officer can be reached by email at: [email protected]

We may request that you confirm your identity in order to continue with your request.

 Effective date: December 30, 2019