All the information we acquire from the Clients and the End-users is used to help us with provision of Services.
Shufti Pro’s Clients
Our Clients are enterprises, companies, institutions, and businesses that have opted for our Services. The information we collect from the Clients includes their Full Name, Company Email, Phone Number, Company Name, Company Website, Country, Verification Volume, Industry, and any other information required to set up their accounts, with reference to the Services they select, and the End-users they wish to verify.
Depending on the type of verification process selected, i.e. onsite or offsite, the data is collected directly from the End-users or the Clients. In case if it is from the Clients, they take the information and image and video proofs from the End-users and pass the data to us via the API. Shufti Pro will verify only the information that has been provided by the End-users. In case the Clients don’t provide certain information required for the selected services, the missing information is collected from the End-users via OCR technology. They End-users will be asked to show their documents in real-time so relevant information may be extracted from them. Furthermore, if the End-user fails a certain check, the verification process ends. This is to ensure that the Client’s verification balance is not wasted if the End-user is not verified.
The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
The End-users are our Client’s customers, whose identities we verify, documents we authenticate and run against AML lists and databases. Depending on the type of verification process selected, i.e. onsite or offsite, Shufti Pro either collects End-user’s verification data from the Clients or the End-users themselves.
This data includes but is not limited to the images/videos of the End-user’s identity documents (e.g. passport, ID card or driving license), their biometric facial identifiers (e.g. face images/videos). We also require textual information that is either extracted directly from the End-user’s identity particulars or is provided by the End-user at each step.
Data acquisition and Identity Verification Process
Shufti Pro’s Identity Verification Process describes what information we collect, how we collect it and when we collect it. Shufti Pro requires particular information from the End-users or Clients (depending on whether it is an on-site or off-site verification) in order to perform Services.
Personally Identifiable Information:
Personally Identifiable Information (“PII Data”) is collected, which includes name, contact information (email ID and phone number), DoB and any other information required to carry out the verification checks chosen by Shufti Pro’s Client. For instance, if the Client selects the Face Verification Service, we will also collect the image (selfie) or video (short clip showing End-user’s face) proof from the End-user. In the event the Client opts for document verification, we would require an image or video of the desired document.
Akin to this, if the Client selects AML screening Service, we require the End-user’s Name and DoB for running them against the AML databases, sanctions, and watch lists.
- A verification request is Accepted
- If the End-user passes all of the checks pre-set by the Client, the verification request status becomes ‘Accepted’. Shufti Pro then sends these results to the Client through the API. These results are also available to the Client in the back-office management system, along with complete verification details (e.g. End-user’s personal information, image/video proofs, any .pdf reports, and AML results). The End-user is also shown the verification status after the process completes.
- A verification request is Declined
- In cases where the End-user is not verified and the verification status is ‘Declined’, we send these results to the Client through the API, as well as the back office management system. The results show which checks the End-user passed and at which check they failed. The verification ends at the failed check. The complete verification details (e.g. End-user’s personal information, image/video proofs, any .pdf reports, and AML results) is available to the Client in the back-office management system. The End-user is also shown the verification status after the process completes.
How Shufti Pro shares personal and anonymized information.
In general, Shufti Pro shares the personal and anonymized information that we collect in connection with the Services as discussed below:
We share the personal and anonymized information that we collect on behalf of a particular Client with that Client and to such other parties as instructed and agreed with the Client.
Shufti Pro also uses third-party service providers to help us deliver, manage, and improve the Services. These service providers may collect and/or use your personal information or anonymized information to assist us in achieving the purposes discussed herein.
We may also share your personal information with other third parties when necessary to fulfill your requests for Services; to complete a transaction that you initiate; or to meet the terms of any agreement that you have with us or our partners.
We partner with certain other third parties to collect anonymized information and engage in analysis, auditing, research, and reporting.
We may also use or share your personal information with third parties when we have reason to believe that doing so is necessary: to comply with applicable law or a court order, subpoena, or other legal process; to investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party; to establish, protect, or exercise our legal rights or defend against legal claims; or to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.
From time to time, we may also share anonymized and aggregated information about Client and End-users of the Services, such as by publishing a report on trends in the usage of the Services.
Utilizing Data for Services
Shufti Pro makes use of the information collected, processed and stored during any and each step of the Identity Verification process on Client’s request for our services in order to verify End-users for a legitimate purpose. We ensure that the Client’s business is completely legal and the information collection and usage is aligned with the End-user’s absolute consent. Our process is completely transparent; the End-user is informed which of their information will be used and for what purpose. Only once the End-user consents to the process, do we start verifying their identity.
We may also use data collected for:
- Training our machines to learn algorithms to verify the authenticity of new documents, recognize the text present on them and extract it, match that text using template matching techniques and recognize if the document is original or counterfeit, forged or photo-shopped , photocopied or tampered with.
- The purposes of computer vision and machine learning techniques, we continually train our artificial intelligence systems to recognize and verify a wider range of identity documents from around the globe.
- Fraud prevention: Whenever a fraudulent user uses the Services, we make sure that we store the documents and images they presented, in our databases.
- Training our Human Intelligence officers to effectively be a part of the identity verification process.
Information flow beyond Shufti Pro
Shufti Pro may disclose the information provided by you (End-user or Client) to any member of our group of companies (this means our subsidiaries, our ultimate holding company, and all its subsidiaries) or third party service providers insofar as reasonably necessary for the purposes set out in this policy.
- We have facilities and staff in different countries around the world and as a result personal information may be transferred to them or accessed from those locations. We take all the necessary actions to ensure the security of your personal information when transferred across borders.
- Verification data may travel outside the EU for the purposes of Human Intelligence Checks that serve as an essential part of the Identity Verification Process. This data may be seen and processed, but not stored anywhere outside the European Economic Area (EEA). We have our office in the United Kingdom and provide services in 150+ countries. The hosting facility for our website is situated in the United Kingdom. The European Commission has made an “adequacy decision” with respect to the data protection laws in this country. However, we provide Clients with an option to forego the Human Intelligence checks, relying solely on the results detected and compiled by the Artificial Intelligence System.
- We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
- Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments. You can find information about the payment services providers’ privacy policies and practices at Stripe: https://stripe.com/us/privacy.
Data Storage and Retention
Shufti Pro acquires and stores the information provided by its Clients and End-users for rendering Services. Being the data processor of millions of users comes with certain responsibility and liability on our part. For this reason, our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Below are the terms outlined for this section:
- Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- We will retain and delete your personal data as follows:
- End-user data category shall be retained or deleted according to the instructions provided by our Client ( data controller).
- Personal data of our Clients shared with us shall be retained for a period of two (2) years following which it may be deleted from our system.
- If no instructions are provided by the data controller, we will determine the period of retention based on the following criteria:
- The period of retention of your personal information including any data, images, videos and/or private information will be determined based on the applicable data protection laws and the need for their presence in our system owing to any legal reasons or for the betterment of our website or services.
- Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Shufti Pro ensures data security through adequate measures to minimize the likelihood of data breaches, whether pre-emptive or post. Data breaches and protection of data itself come under the wider umbrella of the data lifecycle.
Additionally, observing the GDPR regulations, secure auditory practices are carried out to ensure standardized operations and encryption practices. New techniques are continually implemented in order to keep our Data Security ahead of the curve.
For more information about Shufti Pro’s data security, data protection and policy in case of data breaches, read our Ultimate Guide to GDPR Compliance. If you feel like you have encountered a shortfall in our policy or a security breach in Shufti Pro’s system, reach out to us on email@example.com, for adequate error reporting.
If you would like to access any personal information we hold about you; provision of such information will be subject to:
- The payment of a fee (currently fixed at GBP 10), and
- The supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).
We may withhold personal information that you request to the extent permitted by law. In addition, you may request us, at any time, to not process your personal information . In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.
Pursuant to you written request we shall also remove your personal data from our systems in line with the principle of “Right to be Forgotten”.
For more information about your rights, please read the “Data Subject Rights – Consent Management” section of our GDPR e-book. In case of any query or concern, voice your thoughts at firstname.lastname@example.org.