Mobile App Privacy Notice
Effective: September 29, 2022
AuthenticID, Inc. (“AuthenticID,” “we,” “our” or “us”) offers identity verification solutions (“Identity Services”) to enterprises (each an “Enterprise Customer”), including via this mobile application (the “App”). Our Enterprise Customers may use this App, as part of our Identity Services, in order to establish and authenticate the identity and credentials of their employees or other end users (each an “End User”).
Authorized End Users of an Enterprise Customer may download and install the App and enroll their identity information in order to establish a digital credential (a “Digital Credential”) that can be used to authenticate or login to an account(s) or online service(s) with the Enterprise Customer (the “Online Services”). An End User’s Digital Credential is specific to a particular Enterprise Customer and can only be used to authenticate that End User to the Online Services designated by that Enterprise Customer.
This Mobile App Privacy Notice (“Notice”) describes AuthenticID’s use, disclosure and other processing of personal information collected through the App. We collect and process an End User’s personal information through the App, only on behalf of a particular Enterprise Customer who has chosen to use the App as part of our Identity Services. We are a “service provider” or “processor” for the personal information that we collect on behalf of an Enterprise Customer through the App. This means that we collect, use and process this personal information only as directed by the relevant Enterprise Customer and not for our own purposes.
To enroll and verify your identity, and establish and maintain your Digital Credential through the App, you must submit certain personal information (the “Identity Data”), which may include:
- Name, contact details, and preferences: name, email address and contact information (including your phone number).
- Your ID docs: we may collect photos and images of your driver’s license, passport or other government-issued ID or ID document (each, an “ID”), as well as information extracted from your ID (such as name, contact information, birthdate, ID number, gender, and data from the machine-readable zone of your ID). (Such information will be stored in encrypted format on the Enterprise Client’s private blockchain and can only be accessed with a personal decryption key, which is stored on your device; we do not retain this information.)
- Identifiers: a decentralized blockchain identifier (DID) and, if you provide it, your Social Security number (note that your SSN itself will not be stored or retained; our Enterprise Customers will only keep a log of whether an SSN has previously been provided and verified or not; we will not retain such information).
- Photos: selfies captured through your mobile device and ID photos extracted from your ID(s). We may collect these when you enroll and create your Digital Credential and also in order to re-authenticate you through the App. (Your photo will be stored in a secure enclave on your personal device; we will not retain such information).
- Biometric identifiers: facial recognition templates and other biometric identifiers (“Biometric Identifiers”) that are derived from your selfies and ID photos, and compared for purposes of matching your ID photo(s) to your selfies. This information is considered sensitive personal information under certain privacy laws. (This information will be stored in encrypted format on the Enterprise Client’s private blockchain and can only be accessed with a personal decryption key, which is stored on your device; we will not retain such information.)
- Account information: in order to authenticate to certain Online Services, you may have to provide your username and other account information.
- Communications and support: if you contact us through the App, or related to your Identity Pass or use of the App, we collect and maintain a record of your requests and communications.
When you use the App and your Digital Credential, we collect information about you, your device and your usage activity (the “Authentication Data”), including:
- Device, connectivity, and configuration data: data about your device and your device configuration. For example, data about the operating systems and other software installed on your device, IP address, device identifiers, regional and language settings. In addition, when you share a “selfie” through your device, we receive certain information derived from your device camera, such as location data.
- Error reports and performance data: data about the performance of the App, our Identity Services, and any problems you experience, including error reports. Error reports (sometimes called “crash dumps”) can include details of the software or hardware related to an error, files opened when an error occurred, and data about other software on your device.
- Usage data: such as how long and often you use the App and which Enterprise Customer you authenticate with.
- Location data: such as precise location information from your device with your permission or location information derived from your IP address or other device data.
- Authentication logs: we maintain records of each use, and actual or attempted login or authentication through the App or Digital Credential, including date and time stamps and whether the login or authentication was successful. This information may be linkable with the other Authentication Data and Identity Data that we collect and process about you.
- Metadata: When you upload an image of your ID, or a photo, selfie or other image, we may derive and collect certain “metadata” associated with that image or file, which may include date and time stamps, file size and type, and other attributes and information associated with that image or file.
- TrueDepth API: Our App uses automatically collected information from your device camera and the TrueDepth API provided by Apple. This information is used to track the user’s head and face so that we can detect any kind of image or video spoofing, thus making the scan feature more robust. None of the information collected by the TrueDepth API ever leaves the user’s device nor is it persistently stored on the device.
You can choose not to provide your personal information to us or agree to the collection of your biometric information and identifiers or other sensitive personal information by choosing not to enroll for a Digital Credential. For information about how to deactivate the App, please see the YOUR CHOICES AND RIGHTS section below.
PURPOSES OF PROCESSING
We use, disclose and otherwise process Identity Data and Authentication Data collected through the App, in order to provide the App and our Identity Services to Enterprise Customers, including:
- Identity Services and authentication: to provide our Identity Services to Enterprise Customers—including to authenticate End Users, compare an End User’s selfies to their ID photos, establish and maintain End User Digital Credentials, and maintain Authentication Logs and other records associated with our Identity Services—and for related troubleshooting, quality control and support purposes.
- Performance and quality: to verify, maintain, secure, build and improve the quality of the App and our Identity Services. However, we will not use End User personal information collected on behalf of one Enterprise Customer in order to provide our services to another person or Enterprise Customer.
- Security and integrity: to detect data security incidents and protect against malicious, deceptive, fraudulent or illegal activity.
- Compliance with law: to comply with our legal obligations, including in order to respond to legal process.
AuthenticID does not sell or share your personal information, nor does it use it for targeted advertising. We may disclose personal information, including sensitive personal information, that we collect as follows:
- Enterprise Customers: we share information related to your use of the App specific to an Enterprise User who authenticates your Identity through your use of our App services with the respective Enterprise Customer.
- 1Kosmos: the Identity Data you provide to enroll for and use the Identity Services, including any authentication transactions, will be stored in encrypted format and written to a private blockchain (i.e., closed network) maintained by 1Kosmos, and which can only be accessed with your private decryption key kept on your device. The private blockchain and encrypted information therein is maintained by 1Kosmos on behalf of each relevant Enterprise Customer.
- Service providers: with our third-party service providers, including Amazon Web Services and 1Kosmos, who use this information to perform services on our behalf (such as maintaining the private blockchain), such as hosting and cloud storage providers, auditors, advisors, consultants, customer service and/or support providers.
- Legal compliance: in response to a valid court order, subpoena, government investigation, or as otherwise required by law. We also reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful.
AGGREGATE AND DE-IDENTIFIED DATA
We may also use aggregate, anonymous, and in some cases de-identified, information from the App and our Identity Services in order to analyze, improve and develop our business and services, and for similar research and analytics purposes. For example, we may use automated processes, artificial intelligence, and machine learning, to analyze data, which helps us improve our App and services and identify fraud patterns. Where we use, disclose or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal or household device) we will maintain and use the information in de-identified form and will not attempt to re-identify the information, except in order to determine whether our de-identification processes are reasonable and adequate pursuant to applicable privacy laws.
YOUR CHOICES AND RIGHTS
You may have certain rights and choices (as described below) regarding your personal information, including your Identity Data and Authentication Data that is collected and processed by us through the App, including (subject to applicable laws and any relevant exceptions):
- To access and receive a copy of your personal information, and information about the processing of your personal information;
- To correct inaccurate personal information;
- To delete your personal information;
- To limit certain use and disclosure of your sensitive personal information; and
- To consent and withdraw your consent to certain processing.
As directed by our Enterprise Customers, we will take reasonable steps as necessary to enable them to respond to your requests pursuant to applicable privacy laws.
Exercising your rights under applicable privacy laws. If you would like to submit a request or exercise a right under applicable privacy laws, you should submit your request directly to the relevant Enterprise Customer. If you submit a request to us, we will endeavor to forward your request to the relevant Enterprise Customer, and will take reasonable steps, as directed by that Enterprise Customer, to enable them to respond to your request pursuant to applicable privacy laws.
Deactivating Your Digital Credential. If you would like to stop using your Digital Credential, you can delete the App from your device. Deleting the App will delete the encryption key for your Digital Credential and associated Identity Data stored by AuthenticID and our service providers (including 1Kosmos), which means that it will no longer be accessible in readable form. Please note that deleting the App will also delete the personal information stored on your device through the App (including your personal decryption key and image). This means that all information collected through the App and stored on the private blockchain remains encrypted indefinitely and can no longer be accessed or used by anyone, including you. This renders your Digital Credential inaccessible and unusable and prevents it from being used for authentication purposes in the future. If you would like to request more information regarding the personal information collected or processed by us related to the App, you should submit a request to the relevant Enterprise Customer. As noted above, AuthenticID will take reasonable steps, as directed by the Enterprise Customer, as necessary to enable the Enterprise Customer to respond to your request as required by applicable privacy laws.
We have implemented administrative, physical, personnel, and technical safeguards designed to protect the limited personal information we collect or hold from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our efforts, no data security measures can guarantee security.
Generally, we retain personal information as long as reasonably necessary to perform our Identity Services and to comply with the instructions of our Enterprise Customers (unless a longer time frame is required in order to comply with applicable law and legal obligations or protect or defend our legal rights).
Identity Data. Please note that any Identity Data collected through the App and stored in encrypted format on the private blockchain is only accessible through the key stored on your personal device, and upon deletion of the App, any personal information will be rendered permanently obfuscated and inaccessible by way of deleting your key, which cannot be restored.
Information stored on the Device. Personal information, including your personal encryption key and image, will be stored and retained in a secure enclave on your personal device until you delete the App. Upon deletion of the App, personal information in the secure enclave is securely deleted and cannot be restored.
Biometric Data. To the extent we retain any biometric data as part of providing the Identity Services, such data is retained for as long as reasonably necessary for the purposes described in this Notice after which your Biometric Data will be securely deleted in accordance with (and subject to) our data retention policy and our legal obligations. To the extent that biometric data is retained as part of the blockchain, please refer to the Identity Data section above.
Our Services are not targeted to minors under the age of sixteen (16) and we do not knowingly or specifically collect information about minors under the age of 16. If you believe we have unintentionally collected such information, please notify us as set out in the Contact Us section below.
We may update this Notice from time to time, for example to reflect new privacy law requirements or changes in our privacy practice.
If you have any questions about this Notice, please feel free to contact us at [email protected].