Shufti Limited (“Shufti”, “us”, “our” and/or “we”) aims to bring global businesses on board in a way that complies with all the legal and regulatory obligations, making the virtual marketplace a secure and safe environment. This Privacy Policy (the “Policy”) describes our privacy practices concerning information collected in connection with global identity and verification business of Shufti that uses your information to support its customers with their business needs (the “Services”).
All the information we acquire from our clients, end-users and/or website visitors is only used to help us with the provision of the said Services.
This Privacy Policy is intended to help you comprehend what information we collect from our clients, end-users and/or website visitors (“you” and/or “your”), how do we use that information, and when do we use it, in order to provide our trusted Services. Our role does not just go as far as information collection, we are also committed to ensuring the security and privacy of the collected data.
Our Cookie Policy is mentioned as a separate section towards the end of this Privacy Policy.
Introduction and Purpose:
The purpose of this notice is to apprise users of their rights under the California Consumer Privacy Act’2018 as well as the California Privacy Rights Act’2020 (hereinafter referred to as "CCPA" & “CPRA” respectively). This Notice serves as a complementary and supplementary document to our Privacy Policy and is designed to elucidate Consumers' privacy rights related to Shufti's treatment of personal information belonging to California residents that is stored with Shufti. As a third-party service provider (Data Processor), Shufti processes and deletes any collected & stored personal information based solely on the documented instructions received from its clients (Data Controllers). These, as well as all other terms, are documented in written form in the agreement between Shufti and its clients. California residents should primarily direct their data rights requests to the Data Controller unless Shufti is the Data Controller for data. For more information on this, please refer to our Terms & Conditions. It is also worth mentioning in this Notice that all terms and words related to Consumer rights and other related parties used in this notice carry the same meaning as set out in §1798.140 of the CCPA and CPRA.
CATEGORIES COLLECTED PERSONAL INFORMATION:
For detailed information on the various kinds of data collected from Shufti’s clients’ end-users, employees and those who interact with Shufti through website forms or in any other manner (email, phone or post), in the past twelve (12) calendar months, you are referred to the Privacy Policy’s sections on:
- Visitors to our website;
- Our end-users and;
- Shufti’s clients.
CONSUMER/CONSUMER’s RIGHTS UNDER CALIFRONIA DATA PRIVACY LAWS
In addition to the rights protected under this Privacy Policy , California residents have the following rights. These rights are enforced, by virtue of CCPA & CPRA, by the California Attorney General & California Privacy Protection Agency (CPRA). These are:
Right of Access
Shufti’s end-users, clients, and customers have the right to be informed about the categories and specific pieces of personal information that Shufti has collected about them. If Shufti is acting as a Data Controller, you may exercise this right by contacting us directly. As noted above, if Shufti is acting as a Data Processor, please direct your request to the Data Controller. Shufti will assist the Data Controller in facilitating this right as required by law.
Right of Deletion
Shufti’s clients, clients’ end-users, customers, as well as other related persons, have the right to request Shufti to delete any and all personal information that it has collected either directly from the Consumer or through the controller. If Shufti is acting as a Data Controller, you may submit a deletion request directly to us. As noted above, if Shufti is acting as a Data Processor, please direct your request to the Data Controller, who will instruct Shufti accordingly. Shufti is entitled by CCPA to not respond to a request for data deletion if the request falls under any of the exceptions provided in the CCPA.
Right to Know
Consumers, being in any sort of relation with Shufti, are entitled under the California data privacy laws to request Shufti to disclose categories, categories of sources, the commercial purpose or business for collecting or selling personal information, the concerned third parties to whom Shufti discloses collected personal data, the specific pieces of collected information about the Consumers. If Shufti is acting as a Data Processor, such requests should generally be directed to the Data Controller. Shufti shall facilitate the exercise of this right upon receiving a verifiable request from the Consumer as per the instructions received from the Data Controller. In addition to this, a more detailed elaboration on how Shufti collects, processes, and stores data is in the following sections of the Privacy Policy:
- How Shufti shares personal and anonymized information
- We may also use data collected for and;
- Information flow beyond Shufti.
Right to Non-Discrimination
CCPA explicitly prohibits businesses from committing any kind of discrimination against any Consumer in the exercise of their rights. There can be no discrimination by way of denial of any services, varied charging by offering discounts or burdening with any penalties and offering different quality of services or making any suggestion to that end. This non-discrimination right applies to Shufti when acting as a Data Controller. If Shufti is acting as a Data Processor, any claims of discrimination should be directed to the Data Controller, who has the primary responsibility.
Direct Marketing
Consumers whose data Shufti has processed, collected, stored, and sold or disclosed for any business purpose, are entitled to request Shufti to disclose to them the categories of data collected, categories that were sold, and categories of persons to whom it was sold in a categorized manner. If Shufti is acting as a Data Controller, you may exercise this right directly with us. As noted above, if Shufti is acting as a Data Processor, please direct your request to the Data Controller. The CCPA prohibits selling personal data to third parties without prior notice being served to the Consumers and affording them an opportunity to exercise their right to opt-out of the sale.
Right to Opt-out of Sale
Right to Opt-out of Sale allows the Consumers to make a verifiable request to Shufti to not sell the collected personal information to any third parties. If Shufti is acting as a Data Controller, you can submit your opt-out request directly to us. However, if we are acting as a Data Processor, such requests should be made to the Data Controller. Shufti is strictly barred from selling any personal information without explicit authorization. The added facets regarding minors' consent for data sales apply where Shufti has actual knowledge of the Consumer being a minor, subject to the Children’s Online Privacy Protection Act (COPPA).
Right to Initiate Private Cause of Action
This right allows the Consumers, in addition to reaching out to Shufti, to initiate private cause of action where there have been data breaches.
The following two rights have been added to the scheme of consumer rights under California data privacy law by the CPRA:
Right to Correct/Rectification
This right allows the Consumer to request, by way of a verifiable application, Shufti to correct any inaccurate/incorrect personal information that has been stored by it. If Shufti is acting as a Data Controller, you may request correction directly from us. If we are acting as a Data Processor, you should direct your request to the Data Controller, who will instruct Shufti on how to proceed.
Right to Limit Use and Disclosure
Under the California Privacy Laws, a Consumer retains the right to, at any stage, direct Shufti to restrict the use of their collected personal data only for the purpose for which the data was originally collected. If Shufti is the Data Controller, we will handle your request directly. If we are acting as a Data Processor, you should direct your request to the Data Controller, who will decide on how to proceed. Shufti is bound to follow the Data Controller's instructions regarding any notice to consumers about the additional purposes for which their data may be used or disclosed.
SOURCES OF INFORMATION:
This section is connected to the “CATEGORIES COLLECTED PERSONAL INFORMATION” mentioned above. Shufti collects information from the following sources:
1) Directly from End-Users: Clients inform their end-users regarding the use of Shufti for identity verification and direct them to submit the required information directly to our platforms. Subject to the documented terms of the data processing agreement.
2) Information through the Clients: Clients can collect the required information from the end-users and provide it to Shufti. Subject to the documented terms of the data processing agreement.
3) Through its Website Forms: Shufti collects information (please refer to Visitors to our Website section of the Privacy Policy) of those who visit its website and may enter their details on its website forms if they wish to get in touch with our Support team.
HOW TO REACH OUT TO US?
Under California privacy laws, Shufti is required, inter alia, to facilitate consumer requests pertaining to the use of their data. If Shufti is acting as a Data Controller, Consumers can contact us to exercise their rights at [email protected]. If Shufti is acting as a Data Processor, Consumers should primarily direct their requests to the Data Controller (Shufti's client). The said California privacy laws require that a verifiable request is made for the enforcement of these rights. We will look into & investigate your application and respond within ten (10) working days. This allows us time to scrutinize your application thoroughly, engage any other departments of Shufti (if needed), and revert with the appropriate response. In cases where Shufti is not the Data Controller, we will notify the relevant Data Controller of your request.
1. The Application Process:
This section is also bound by the overall timeframes as well as mechanisms mentioned in forms relating to subject access and deletion. To ensure the request is verifiable, prevent fraud, and safeguard the security of personal information, we are obligated to verify the identity of any individual who submits a rights request. To this end, we will request that you furnish us with your full name, date of birth, and address, which will be matched against the information we have on our records for you to ascertain whether you are entitled to exercise rights under California laws or not. Once we have received and verified this information, we will check our databases. If Shufti is acting as a Data Processor, you should direct your request to the Data Controller (our client). We will assist the Data Controller in processing your request as instructed by them. In most cases where there are clients, we are restricted by their decision. In any case, we will inform you and may also direct you to contact the client directly by providing their details.
2. Where a third party makes request:
Where an agent or representative, acting on a Consumer’s behalf, is submitting a request, Shufti retains the right to verify the representative's identity as well as their authority to act on the Consumer’s behalf. An authorized representative must possess the subject’s signed consent to submit a request on the subject’s behalf or provide documentation demonstrating that they have a power of attorney, specifying the same, in accordance with California law. If there is a business entity functioning as an authorized representative and acting on the user’s behalf, it must be legally authorized by the California Secretary of State. If Shufti is acting as a Data Processor, the representative should submit the request to the Data Controller. We may verify the request with the Data Controller before taking any action. Shufti may also contact the Consumer directly to verify whether they authorized the said agent/representative.
3. Fees:
This process is void of any types of charges. However, we reserve the right to charge a fee where the application appears to be excessive.
CHANGES TO THIS NOTICE:
Shufti is committed to constantly reviewing, renewing, and amending this Notice to ensure its continuous and constant compliance with the California data privacy laws.
For more information please contact us at: [email protected]
When you browse our website (https://shuftipro.com/), we collect the Internet Protocol (IP) address of the device you are using, cookies (small files that we embed on your computer, only if you consent to it) to enable our systems to recognize your browser and capture and retain certain information. We collect this data so that we can identify why our visitors are dropping out of the website and to identify areas of improvement to make the experience more engaging for you.
If you choose to communicate with us via chat or our instant messaging pop-up, we will collect your name and your email, as well as the logs of your chat. We only use this information to respond to your message or to inform you about our products and Services.
If you choose to contact via the contact forms on our website, we may collect your name, email address, contact number, company name, industry information, and any free text field information you choose to include. At the completion of this contact form, your IP address is no longer anonymous, and we will be able to identify you by a combination of your IP address and contact information.
If you choose to subscribe to our newsletter, we will collect your email. Newsletters may be sent upto twice every week with highlights and news about our services and related industry. You may unsubscribe from the newsletter at any time by updating your email preferences using the ‘UNSUBSCRIBE’ link in our email footers, or by sending an email to [email protected] with the subject line ‘UNSUBSCRIBE’ from the email address you wish to unsubscribe.
If you contact us through a third-party website or platform (such as LinkedIn), we collect your name, job title, company name and business email address.
Data Subjects have rights under various privacy regulations concerning their Personal Data. These rights generally include the ability to request access, deletion, correction, restriction of processing, as well as opting out of the sale or sharing of their information.
HOW TO EXERCISE YOUR RIGHTS
If you wish to exercise these rights concerning data managed by Shufti, please submit your request via email to [email protected]. The information you provide will be used solely to process your request.
Upon receiving your request, our Data Protection Team will acknowledge it and respond within the timeframe required by law. Due to the sensitive nature of the data we handle and the methods used for its collection, we may need to verify your identity before fulfilling certain requests. This step ensures that your data is protected and that your privacy rights are upheld.
Important Information for Data Subjects
If you have utilized Shufti’s services, it is important to note that our role in handling your Personal Data may vary based on our agreement with the service provider you interacted with.
When Shufti Acts as a Data Controller:
We may request additional information to verify your identity before processing your request. In these cases, you will receive specific instructions on how to proceed with your request.
When Shufti Acts as a Data Processor:
If we are acting as a Data Processor, you should direct your request to the service provider with whom you have a direct relationship. If Shufti receives your request while acting in this capacity, we will notify the relevant service provider, who will then manage your request and inform you of the outcome.
Your privacy is a top priority, and we are committed to ensuring that your rights are respected and upheld throughout this process.
For more information on how we safeguard your rights, please read the ‘Data Protection and Security Policy’ (link given at the end of this Policy).
The end-users are our client’s customers whose documents we authenticate and run against AML lists and databases to verify their identity. Depending on the type of verification process selected (onsite or offsite), we either collect end-user’s verification data from the clients or the end-users themselves.
Our clients are enterprises, companies, institutions, and businesses that have opted for our Services. The information we collect from clients include, any or all of, their full name, company email, phone number, company name, company website, country, verification volume, industry, and any other information required to set up their accounts with reference to the Services they select and the end-users they intend to verify.
Depending on the type of verification process selected (onsite or offsite), the data is collected directly from the end-users or the clients; clients in turn take the end-user’s information in the form of image and/or video proofs from the end-users and pass this data to us via our API. In case the clients do not provide certain information required for the selected Services, the missing information is collected from the end-users’ identity documents via OCR technology.
Shufti’s identity verification process describes what information we collect, how we collect it, and when we collect it. We require particular information from the end-users or clients (depending on whether it is an on-site or off-site verification) in order to perform Services.
The data includes, but is not limited to, the images and/or videos of the end-user’s identity documents (e.g. passport, ID card, or driving license), their biometric facial identifiers (e.g. face images and/or videos), and the textual information that is either extracted directly from the end-user’s identity particulars or is provided by the end-user at each step of the verification process.
PII Data is collected by us which includes name, contact information (email ID and/or phone number), date of birth and/or any other information required to perform the verification checks chosen by our client.
For instance, if the client selects the face verification service, we will also collect the image (selfie) or video (short clip showing end-user’s face) proof from the end-user. In the event the client opts for document verification, we would require an image or video of the desired document. Similarly, if a client selects AML screening service, we require the end-user’s name and date of birth for running them against the AML databases, sanctions, and watch lists.
During or after the verification process, whether successful or unsuccessful, we may collect/use your personal data including, without limitation, your name and/or email address for rating or review of your experience with us of our website and/or Services through use of a third-party platform (to name a few; Trustpilot, LinkedIn, Google Maps, Twitter, Facebook, Instagram, etc.)
1. A verification request is Accepted
If the end-user passes all of the checks pre-set by the client, the verification request status becomes Accepted. Shufti then sends these results to the client through the API. The results are also available to the client in the back-office management system, along with complete verification details (e.g. end-user’s personal information, image and/or video proofs, any .pdf reports, and AML results). The end-user is also shown the verification status after the process is completed.
2. A verification request is Declined
In cases where the end-user is not verified and the verification status is Declined, we send these results to the client through the API, as well as the back-office management system. The results show which checks the end-user passed and at which check they failed. The verification ends at the failed check. The complete verification details (e.g. end-user’s personal information, image and/or video proofs, any .pdf reports, and AML results) are available to the client in the back-office management system. The end-user is also shown the verification status after the process is completed.
In general, we share the personal and anonymized information we collect in connection with the Services as detailed below:
1. We share the personal and anonymized information that we collect with you and to such other parties as instructed and agreed with you.
2. We also use third-party service providers to help us deliver, manage, and constantly improve our Services. These service providers may collect and/or use your personal information or anonymized information to assist us in achieving the purposes stated.
3. We may also share your personal information with other third parties when necessary to fulfil your requests for services; to complete a transaction that you initiate, to meet the terms of any agreement that you have with us or our partners, etc.
4. We partner with certain other third parties to collect anonymized information and engage in analysis, auditing, research, and reporting.
5. We may also use or share your personal information with third parties when we have reason to believe that doing so is necessary; to comply with applicable law or a court order, subpoena, or other legal process; to investigate, prevent, or take action regarding illegal activities; suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party; to establish, protect, or exercise our legal rights or defend against legal claims; or to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.
From time to time, we may also share anonymized and aggregated information about client and end-users of the Services (such as by publishing a report on trends in the usage of the Services).
Shufti makes use of the information collected, processed, and stored during any and each step of the identity verification process in order to verify end-users for a legitimate purpose. We ensure that the client’s business is completely legal and the information collection and usage is aligned with the end-user’s absolute consent. Our process is completely transparent and the end-user is informed which of their information will be used and for what purpose. Only once the end-user consents to the process, we start verifying their identity.
1. Training our machines to learn algorithms to: verify the authenticity of new documents, recognize the text present on them and extract it, match that text using template matching techniques and recognize if the document is original, or counterfeit, forged, photo-shopped, photocopied, or tampered with.
2. The purposes of computer vision and machine learning techniques, we continually train our artificial intelligence systems to recognize and verify a wider range of identity documents from around the globe.
3. Preventing fraudulent use of Services. Whenever a fraudulent user uses the Services, we make sure that we store the documents and images they presented in our databases.
4. Training our human intelligence officers to effectively be a part of the identity verification process.
We may disclose the information provided by you (end-user or client) to any member of our group of companies (which means our subsidiaries, our ultimate holding company, and all its subsidiaries) or third party service providers insofar as reasonably necessary for the purposes set out in this policy.
Additionally, we may collect the end-user's mobile number to send SMS/OTP as part of the verification process. No mobile information will be shared, sold, or rented to third parties or affiliates for marketing or promotional purposes. This data is strictly used for authentication purposes, ensuring that the end-user's privacy is maintained at all times.
With respect to end-user personal information (including any images, videos, sensitive data, etc.), the client may require Shufti to collect, use, disclose, or otherwise process data in ways that differ from those described in this Privacy Policy. Some features of the Services may be immobilized or changed by our client. In order to completely comprehend the handling of end-user private information while using our Services, the end-user must also review the privacy policy of the respective client.
We have facilities and staff in different countries around the world and as a result, personal information may be transferred to them or accessed from those locations. We take all the necessary actions to ensure the security of your personal information when transferred across borders.
The end-user’s personal information may travel outside the European Economic Area (EEA) for the purposes of human intelligence checks that serve as an essential part of the identity verification process. This data may be seen and processed, but not stored anywhere outside the EEA. We provide our clients with an option to forego the human intelligence checks, relying solely on the results detected and compiled by the artificial intelligence system. We have our office in the United Kingdom and provide services in 150+ countries. The hosting facility for our website is situated within EEA.
We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice, and/or managing legal disputes.
Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We will share transaction data with our payment services provider(s) only to the extent necessary for the purposes of processing your payments. You can find further information about the privacy policies and practices of Stripe at https://stripe.com/us/privacy.
Shufti acquires and stores the information provided by its clients and end-users for rendering Services. Being a data processor of thousands of users comes with certain responsibility on our part. For this reason, our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Please see the below outlined terms:
1. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
2. We will retain and delete your personal data as follows: End-user data category shall be retained or deleted according to the instructions provided by our client (data controller).
3. Personal data of our clients or their customers (end-users) shared with us shall be retained for a period of three (3) months following which it may be deleted from our system. 1. If no instructions are provided by the data controller, we will determine the period of retention based on the following criteria:
The period of retention of your personal information including any data, images, videos and/or private information will be determined based on the applicable data protection laws and the need for their presence in our system owing to any legal reasons or for the betterment of our website or services.
4. Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Shufti ensures data security through adequate measures to minimize the likelihood of data breaches, whether pre-emptive or not. Data breaches and protection of data itself comes under the wider umbrella of the data lifecycle.
Additionally, observing the GDPR regulations, secure auditory practices are carried out to ensure standardized operations and encryption practices. New techniques are continually implemented in order to keep our data security ahead of the curve.
Compliance of some of our Services with the Payment Card Industry Data Security Standard (PCI DSS) is in itself an evidence that we are doing our very best to keep our customers’ valuable information safe & secure and out of the hands of people who may fraudulently use that data. PCI DSS ensures technical and operational strengths to raise the bar on our security.
Our Services are not directed to children under the age of sixteen (16), and we will never knowingly collect personal or other information from anyone we know is under such age. We record an express declaration from anyone using our verification service that they are above such age at the time we acquire their personal information.
We may be required to make changes to the Services in the future in view of changing technology or services. Whenever we revise the Policy, the new version will be available on the homepage of our website (https://shuftipro.com/). In case of any significant material change to our privacy practices, an appropriate notice will be provided to our clients.
Albeit regrettable, we appreciate that there could be lapses. We take all complaints seriously and can assure you that we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by us then please write to us at [email protected].
We will investigate and respond within ten (10) working days. This allows us time to investigate your complaint thoroughly.
We use first party cookies (cookies set directly by us) as well as third party cookies (as described below). We may also use pixel tags (usually in combination with cookies) from the third parties described below to get information about your usage of our website and services, and your interaction with us through email or other communications. We do not use cookies to identify you personally but to gain useful knowledge about how our website and services are used so we can keep improving it for our clients and end-users. Please note that if you limit the ability of websites to use cookies, you may be unable to access certain parts of our website and may not be able to benefit from its full functionality.
Shufti may utilise the following cookies and other technologies:
Strictly Necessary
MouseFlowAnalytics/Performance
Google AnalyticsLeadfeeder
Advertising/Targeting
FacebookGoogle Ad Service
LinkedIn Insights
HubSpot
Quora
Intercom
Learn More
