Shufti Pro privacy policy

Shufti Pro Limited (“Shufti Pro”, “us”, “our” and/or “we”) aims to bring global businesses on board in a way that complies with all the legal and regulatory obligations, making the virtual marketplace a secure and safe environment. This Privacy Policy (the “Policy”) describes our privacy practices concerning information collected in connection with global identity and verification business of Shufti Pro that uses your information to support its customers with their business needs (the “Services”).

All the information we acquire from our clients, end-users and/or website visitors is only used to help us with the provision of the said Services.

This Privacy Policy is intended to help you comprehend what information we collect from our clients, end-users and/or website visitors (“you” and/or “your”), how do we use that information, and when do we use it, in order to provide our trusted Services. Our role does not just go as far as information collection, we are also committed to ensuring the security and privacy of the collected data.

Our Cookie Policy is mentioned as a separate section towards the end of this Privacy Policy.

Privacy notice for California residents

Introduction and Purpose:

The purpose of this notice is to apprise users of their rights under the California Consumer Privacy Act’2018 as well as the California Privacy Rights Act’2020 (hereinafter referred to as "CCPA" & “CPRA” respectively). This Notice serves as a complementary and supplementary document to our Privacy Policy , and is designed to elucidate data subjects' privacy rights related to Shufti Pro's treatment of personal information belonging to California residents that is stored with Shufti Pro. This applies to you if you are a California resident who maintains a permanent residency in the state and is thereby entitled to the protections afforded under the California privacy laws.

It is worth mentioning that as a third-party service provider, Shufti Pro processes and deletes any collected & stored personal information based solely on the documented instructions received from its clients. These, as well as all other terms, are documented in written form in the agreement between Shufti Pro and its clients. For more information on this please refer to our Terms & Conditions. It is also worth mentioning in this Notice that all terms and words related to data subject rights and other related parties used in this notice carry the same meaning as set out in §1798.140 of the CCPA and CPRA.

CATEGORIES COLLECTED PERSONAL INFORMATION:

For detailed information on the various kinds of data collected from Shufti Pro’s clients’ end-users, employees and those who interact with Shufti Pro through website forms or in any other manner (email, phone or post), in the past twelve (12) calendar months, you are referred to the Privacy Policy’s sections on:

- Visitors to our website;

- Our end-users and;

- Shufti Pro’s clients.

DATA SUBJECT/CONSUMER’s RIGHTS UNDER CALIFRONIA DATA PRIVACY LAWS:

In addition to the rights protected under “Your Rights” section in the Privacy Policy , California residents have the following rights. These rights are enforced, by virtue of CCPA & CPRA, by the California Attorney General & California Privacy Protection Agency (CPRA). These are:

Right of Access

Right of Access allows the end-users, clients, and customers etc. of Shufti Pro to be made aware of the information related to them, categories and specific pieces of personal information that it has collected. Shufti Pro, as required by the law, does not collect any data that is more than the purpose for what it was acquired. Those willing to exercise this right can fill in the data subject access form from Shufti Pro’s website.

Right of Deletion

Shufti Pro’s clients, clients’ end-users, customers as well as other related persons have the right to request Shufti Pro to delete any and all personal information that it has collected either directly from the data subject or through the controller. However, Shufti Pro is entitled by CCPA to not respond to a request for data deletion if the request falls in any of the exceptions provided in the CCPA.

Right to Know

Data subjects, being in any sort of relation with Shufti Pro, are entitled under the California data privacy laws to request Shufti Pro to disclose categories, categories of sources, the commercial purpose or business for collecting or selling personal information, the concerned third parties to whom Shufti Pro discloses collected personal data, the specific pieces of collected information about the data subjects. Shufti Pro shall facilitate the exercise of this right upon receiving a verifiable request from the data subject. In addition to this, a more detailed elaboration on how Shufti Pro collects, processes and stores data is in the following sections of the Privacy Policy:

- How Shufti Pro shares personal and anonymized information

- We may also use data collected for and;

- Information flow beyond Shufti Pro.

Right to Non-Discrimination

CCPA explicitly prohibits businesses from committing any kind of discrimination against any data subject in the exercise of their rights. There can be no discrimination by way of denial of any services, varied charging by offering discounts or burdening with any penalties and offering different quality of services or making any suggestion to that end. A business will be deemed to have not discriminated if the fee etc. were reasonable in the given situation or that cost; discount or other incentive has a direct relation with the concerned service.

Direct Marketing

The data subjects, whose data Shufti Pro has processed, collected, and stored and has sold or discloses for any business purpose, are entitled to request Shufti Pro to disclose to them the categories of data collected, categories that were sold, categories of persons to whom it was sold in a categorized manner. It can request for categories of personal information disclosed for business/commercial purposes. In addition, the CCPA prohibits selling personal data to third parties without prior notice being served to the data subjects and affording them an opportunity to exercise their right to opt out of sale (mentioned below).

Right to Opt-out of Sale

This right is referred to as “opting out of sale” and it allows the data subjects to make a verifiable request to Shufti Pro to not sell the collected personal information to any third parties. This right comes into action mainly when data subjects are notified by Shufti Pro that their data will be sold to third parties. In the absence of an explicit authorization, Shufti Pro is strictly barred from selling any personal information. An added facet of this right concerns minors. There are two aspects to this set out below. The following section forms part of the right to opt-in under the California privacy laws.

- Where the data subject is at least 13 years old and less than 16 years old, the consumer must consent to their personal collected data being sold;

- Where the data subject is less than 13 years old, a parent or a legally appointed guardian (subject to guardian-ward laws of the state) must consent to the sale of their personal data. This applies where Shufti Pro has actual knowledge of the data subject being a minor. This is also subject to the Children’s Online Privacy Protection Act (COPPA).

Right to Initiate Private Cause of Action

This right allows the data subjects, in addition to reaching out to Shufti Pro, to initiate private cause of action where there have been data breaches.

The following two rights have been added to the scheme of consumer rights under California data privacy law by the CPRA:

Right to Correct/Rectification

This right allows the data subject to request, by way of a verifiable application, Shufti Pro to correct any inaccurate/incorrect personal information that has been stored by it. This is subject to the nature of personal information as well as the purpose of processing the personal information.

Right to Limit Use and Disclosure

Under the California Privacy Laws, a data subject retains the right to, at any stage, to direct Shufti Pro to restrict the use of their collected personal data only for the purpose for which the data was originally collected. Shufti Pro is bound to provide notice to the consumers intimating that their collected data may be employed, or disclosed to a third party or a contractor, for a purpose other than for which it was collected originally. The said notice must specify the additional purposes and to whom the data will be disclosed.

SOURCES OF INFORMATION:

This section is connected to the “CATEGORIES COLLECTED PERSONAL INFORMATION” mentioned above. Shufti Pro collects information from the following sources:

Under the California Privacy Laws, a data subject retains the right to, at any stage, to direct Shufti Pro to restrict the use of their collected personal data only for the purpose for which the data was originally collected. Shufti Pro is bound to provide notice to the consumers intimating that their collected data may be employed, or disclosed to a third party or a contractor, for a purpose other than for which it was collected originally. The said notice must specify the additional purposes and to whom the data will be disclosed.

1) Directly from End-Users: Clients inform their end-users regarding the use of Shufti Pro for identity verification and direct them to submit the required information directly to our platforms. Subject to the documented terms of the data processing agreement.

2) Information through the Clients: Clients can collect the required information from the end-users and provide it to Shufti Pro. Subject to the documented terms of the data processing agreement.

3) Through its Website Forms: Shufti Pro collects information (please refer to Visitors to our Website section of the Privacy Policy) of those who visit its website and may enter their details on its website forms if they wish to get in touch with our Support team.

HOW TO REACH OUT TO US?

Under California privacy laws Shufti Pro is required, inter alia, to facilitate consumer requests pertaining to the use of their data. To exercise any of the rights mentioned in the previous section, data subjects can contact us to exercise your rights under California laws, at [email protected]. The said California privacy laws require that a verifiable request is made for the enforcement of these rights. We will look into & investigate your application and respond within ten (10) working days. This allows us time to scrutinize your application thoroughly, engage any other departments of Shufti Pro (if needed) and revert with the appropriate response. Data subjects may also contact their clients directly.

1. The Application Process:

This section is also bound by the overall timeframes as well as mechanisms mentioned in forms relating to subject access and deletion. To ensure the request is verifiable, prevent fraud and safeguard the security of personal information, we are obligated to verify the identity of any individual who submits a rights request. To this end, we will request that you furnish us with your full name, date of birth, and address, which will be matched against the information we have on our records for you- and to ascertain whether you are entitled to exercise rights under California laws or not. Once we have received and verified this information, we will check our databases. Additionally, we will promptly notify the client(s) of your request for information-whether it is access, rectification, or deletion. In most cases where there are clients, we are restricted by their decision. In any case, we will inform you and may also direct you to contact the client directly by providing their details.

2. Where a third party makes request:

Where an agent or representative, acting on data subject’s behalf, is submitting a request, Shufti Pro retains the right to verify the representative's identity as well as their authority to act on data subject’s behalf. An authorized representative must possess the subject’s signed consent to submit a request on the subject’s behalf or provide documentation demonstrating that they have a power of attorney, specifying the same, in accordance with California’s law. If there is a business entity(s) functioning as authorized representatives, and acting on the user’s behalf, it must be legally authorized by the California Secretary of State. In addition to this, Shufti Pro may contact the data subject directly as well to verify whether they authorized the said agent/representative.

3. Fees:

This process is void of any types of charges. However, we reserve the right to charge a fee where the application appears to be excessive.

CHANGES TO THIS NOTICE:

Shufti Pro is committed to constantly reviewing, renewing, and amending this Notice to ensure its continuous and constant compliance with the California data privacy laws.

For more information please contact us at: [email protected]

Visitors to our website

When you browse our website (https://shuftipro.com/), we collect the Internet Protocol (IP) address of the device you are using, cookies (small files that we embed on your computer, only if you consent to it) to enable our systems to recognize your browser and capture and retain certain information. We collect this data so that we can identify why our visitors are dropping out of the website and to identify areas of improvement to make the experience more engaging for you.

If you choose to communicate with us via chat or our instant messaging pop-up, we will collect your name and your email, as well as the logs of your chat. We only use this information to respond to your message or to inform you about our products and Services.

If you choose to contact via the contact forms on our website, we may collect your name, email address, contact number, company name, industry information, and any free text field information you choose to include. At the completion of this contact form, your IP address is no longer anonymous, and we will be able to identify you by a combination of your IP address and contact information.

If you choose to subscribe to our newsletter, we will collect your email. Newsletters may be sent upto twice every week with highlights and news about our services and related industry. You may unsubscribe from the newsletter at any time by updating your email preferences using the ‘UNSUBSCRIBE’ link in our email footers, or by sending an email to [email protected] with the subject line ‘UNSUBSCRIBE’ from the email address you wish to unsubscribe.

If you contact us through a third-party website or platform (such as LinkedIn), we collect your name, job title, company name and business email address.

Our end-users

The end-users are our client’s customers whose documents we authenticate and run against AML lists and databases to verify their identity. Depending on the type of verification process selected (onsite or offsite), we either collect end-user’s verification data from the clients or the end-users themselves.

Shufti Pro’s clients

Our clients are enterprises, companies, institutions, and businesses that have opted for our Services. The information we collect from clients include, any or all of, their full name, company email, phone number, company name, company website, country, verification volume, industry, and any other information required to set up their accounts with reference to the Services they select and the end-users they intend to verify.

Depending on the type of verification process selected (onsite or offsite), the data is collected directly from the end-users or the clients; clients in turn take the end-user’s information in the form of image and/or video proofs from the end-users and pass this data to us via our API. In case the clients do not provide certain information required for the selected Services, the missing information is collected from the end-users’ identity documents via OCR technology.

Data acquired for verification

Shufti Pro’s identity verification process describes what information we collect, how we collect it, and when we collect it. We require particular information from the end-users or clients (depending on whether it is an on-site or off-site verification) in order to perform Services.

The data includes, but is not limited to, the images and/or videos of the end-user’s identity documents (e.g. passport, ID card, or driving license), their biometric facial identifiers (e.g. face images and/or videos), and the textual information that is either extracted directly from the end-user’s identity particulars or is provided by the end-user at each step of the verification process.

Personally identifiable information (PII data)

PII Data is collected by us which includes name, contact information (email ID and/or phone number), date of birth and/or any other information required to perform the verification checks chosen by our client.

For instance, if the client selects the face verification service, we will also collect the image (selfie) or video (short clip showing end-user’s face) proof from the end-user. In the event the client opts for document verification, we would require an image or video of the desired document. Similarly, if a client selects AML screening service, we require the end-user’s name and date of birth for running them against the AML databases, sanctions, and watch lists.

During or after the verification process, whether successful or unsuccessful, we may collect/use your personal data including, without limitation, your name and/or email address for rating or review of your experience with us of our website and/or Services through use of a third-party platform (to name a few; Trustpilot, LinkedIn, Google Maps, Twitter, Facebook, Instagram, etc.)

Verification process

1. A verification request is Accepted

If the end-user passes all of the checks pre-set by the client, the verification request status becomes Accepted. Shufti Pro then sends these results to the client through the API. The results are also available to the client in the back-office management system, along with complete verification details (e.g. end-user’s personal information, image and/or video proofs, any .pdf reports, and AML results). The end-user is also shown the verification status after the process is completed.

2. A verification request is Declined

In cases where the end-user is not verified and the verification status is Declined, we send these results to the client through the API, as well as the back-office management system. The results show which checks the end-user passed and at which check they failed. The verification ends at the failed check. The complete verification details (e.g. end-user’s personal information, image and/or video proofs, any .pdf reports, and AML results) are available to the client in the back-office management system. The end-user is also shown the verification status after the process is completed.

How Shufti Pro shares personal and anonymized information

In general, we share the personal and anonymized information we collect in connection with the Services as detailed below:

1. We share the personal and anonymized information that we collect with you and to such other parties as instructed and agreed with you.

2. We also use third-party service providers to help us deliver, manage, and constantly improve our Services. These service providers may collect and/or use your personal information or anonymized information to assist us in achieving the purposes stated.

3. We may also share your personal information with other third parties when necessary to fulfil your requests for services; to complete a transaction that you initiate, to meet the terms of any agreement that you have with us or our partners, etc.

4. We partner with certain other third parties to collect anonymized information and engage in analysis, auditing, research, and reporting.

5. We may also use or share your personal information with third parties when we have reason to believe that doing so is necessary; to comply with applicable law or a court order, subpoena, or other legal process; to investigate, prevent, or take action regarding illegal activities; suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party; to establish, protect, or exercise our legal rights or defend against legal claims; or to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.

Aggregated information

From time to time, we may also share anonymized and aggregated information about client and end-users of the Services (such as by publishing a report on trends in the usage of the Services).

Utilizing data for services

Shufti Pro makes use of the information collected, processed, and stored during any and each step of the identity verification process in order to verify end-users for a legitimate purpose. We ensure that the client’s business is completely legal and the information collection and usage is aligned with the end-user’s absolute consent. Our process is completely transparent and the end-user is informed which of their information will be used and for what purpose. Only once the end-user consents to the process, we start verifying their identity.

We may also use data collected for

1. Training our machines to learn algorithms to: verify the authenticity of new documents, recognize the text present on them and extract it, match that text using template matching techniques and recognize if the document is original, or counterfeit, forged, photo-shopped, photocopied, or tampered with.

2. The purposes of computer vision and machine learning techniques, we continually train our artificial intelligence systems to recognize and verify a wider range of identity documents from around the globe.

3. Preventing fraudulent use of Services. Whenever a fraudulent user uses the Services, we make sure that we store the documents and images they presented in our databases.

4. Training our human intelligence officers to effectively be a part of the identity verification process.

Information flow beyond Shufti Pro

We may disclose the information provided by you (end-user or client) to any member of our group of companies (which means our subsidiaries, our ultimate holding company, and all its subsidiaries) or third party service providers insofar as reasonably necessary for the purposes set out in this policy.

With respect to end-user personal information (including any images, videos, sensitive data, etc.), the client may require Shufti Pro to collect, use, disclose, or otherwise process data in ways that differ from those described in this Privacy Policy. Some features of the Services may be immobilized or changed by our client. In order to completely comprehend the handling of end-user private information while using our Services, the end-user must also review the privacy policy of the respective client.

We have facilities and staff in different countries around the world and as a result, personal information may be transferred to them or accessed from those locations. We take all the necessary actions to ensure the security of your personal information when transferred across borders.

The end-user’s personal information may travel outside the European Economic Area (EEA) for the purposes of human intelligence checks that serve as an essential part of the identity verification process. This data may be seen and processed, but not stored anywhere outside the EEA. We provide our clients with an option to forego the human intelligence checks, relying solely on the results detected and compiled by the artificial intelligence system. We have our office in the United Kingdom and provide services in 150+ countries. The hosting facility for our website is situated within EEA.

We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice, and/or managing legal disputes.

Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We will share transaction data with our payment services provider(s) only to the extent necessary for the purposes of processing your payments. You can find further information about the privacy policies and practices of Stripe at https://stripe.com/us/privacy.

Data storage and retention

Shufti Pro acquires and stores the information provided by its clients and end-users for rendering Services. Being a data processor of thousands of users comes with certain responsibility on our part. For this reason, our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Please see the below outlined terms:

1. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

2. We will retain and delete your personal data as follows: End-user data category shall be retained or deleted according to the instructions provided by our client (data controller); kindly refer to the Request Form–Data Deletion (link given at the end of this Policy).

3. Personal data of our clients or their customers (end-users) shared with us shall be retained for a period of two (2) years following which it may be deleted from our system.
4. If no instructions are provided by the data controller, we will determine the period of retention based on the following criteria:

The period of retention of your personal information including any data, images, videos and/or private information will be determined based on the applicable data protection laws and the need for their presence in our system owing to any legal reasons or for the betterment of our website or services.

4. Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Data security

Shufti Pro ensures data security through adequate measures to minimize the likelihood of data breaches, whether pre-emptive or not. Data breaches and protection of data itself comes under the wider umbrella of the data lifecycle.

Additionally, observing the GDPR regulations, secure auditory practices are carried out to ensure standardized operations and encryption practices. New techniques are continually implemented in order to keep our data security ahead of the curve.

Compliance of some of our Services with the Payment Card Industry Data Security Standard (PCI DSS) is in itself an evidence that we are doing our very best to keep our customers’ valuable information safe & secure and out of the hands of people who may fraudulently use that data. PCI DSS ensures technical and operational strengths to raise the bar on our security.

Your rights

If you would like to access any personal information we hold about you, you may request us for the same by filling out our Request Form – Data Subject Access (link given at the end of this Policy) and return it to our Data Protection Officer as instructed therein. The provision of such information will be subject to the supply of appropriate evidence of your identity.

We may withhold personal information that you request to the extent permitted by law. In addition, you may request us, at any time, to not process your personal information. In practice, our clients will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide clients with an opportunity to opt out of the use of their personal information for marketing purposes.

Pursuant to your written request we shall also remove your personal data from our systems in line with the principle of ‘the right to be forgotten’.

For more information on how we safeguard your rights, please read the ‘Data Protection and Security Policy’ (link given at the end of this Policy).

In case of any query or concern, voice your thoughts at [email protected]

Children’s privacy

Our Services are not directed to children under the age of sixteen (16), and we will never knowingly collect personal or other information from anyone we know is under such age. We record an express declaration from anyone using our verification service that they are above such age at the time we acquire their personal information.

Changes to our privacy policy

We may be required to make changes to the Services in the future in view of changing technology or services. Whenever we revise the Policy, the new version will be available on the homepage of our website (https://shuftipro.com/). In case of any significant material change to our privacy practices, an appropriate notice will be provided to our clients.

Privacy complaints

Albeit regrettable, we appreciate that there could be lapses. We take all complaints seriously and can assure you that we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by us then please write to us at [email protected]

We will investigate and respond within ten (10) working days. This allows us time to investigate your complaint thoroughly.

Cookie policy

We use first party cookies (cookies set directly by us) as well as third party cookies (as described below). We may also use pixel tags (usually in combination with cookies) from the third parties described below to get information about your usage of our website and services, and your interaction with us through email or other communications. We do not use cookies to identify you personally but to gain useful knowledge about how our website and services are used so we can keep improving it for our clients and end-users. Please note that if you limit the ability of websites to use cookies, you may be unable to access certain parts of our website and may not be able to benefit from its full functionality.

Shufti Pro may utilise the following cookies and other technologies:

Strictly Necessary

MouseFlow

Analytics/Performance

Google Analytics
Leadfeeder

Advertising/Targeting

Facebook
Google Ad Service
LinkedIn Insights
HubSpot
Quora
Instagram
Twitter
Intercom
Learn More