Privacy Policy
Last updated: March 21, 2024
As a global identity verification and fraud detection platform, Trustmatic s.r.o. (“Trustmatic”, “we”, “us”, “our”) respects your privacy and takes great care to protect your personal data.
This policy describes how Trustmatic, a wholly owned subsidiary of Certn Holdings Inc., processes information about you when you (a) access and use our Website (www.trustmatic.com), and/or (b) access or use our services, including what personal data we collect; how we use, share and manage it; and how you can exercise your rights in respect of your personal data.
In this policy, “Personal Data” means any information relating to an identified or identifiable natural person, and includes a person’s name, contact information, identification numbers, location data, and biometric data such as a photograph.
Website
What information do we collect?
We may collect your data, including Personal Data, when you visit our Website by using Cookies (as defined in our Cookie Policy) or other similar technologies and process the data gathered by them. This data may include:
(1) your device’s internet protocol (IP) address;
(2) information on usage of the Website and other web log data, such as your browser, internet service provider (ISP), the specific pages you visit on the Website, the date and time of your visit, the files that you download and the URLs from the websites you visit before and after navigating to the Website;
(3) technical data (Device Signature), including but not limited to information about your IP address and domain name, your software and hardware attributes (including device IDs) and your general location (e.g. city, country); and
(4) e-mail address, when you subscribe to any Trustmatic newsletter or download Trustmatic’s content.
How do we use this information?
We may process Personal Data to understand and improve your experience with our Services and to serve you advertisements on non-Trustmatic properties via Cookies. For more information on how we use the information gathered via cookies, please review our Cookie Policy.
We may use Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses cookies to analyze your use of our Website, to create reports about visitor activities for us and to provide further services associated with the use of the Website and the Internet. Although this information is collected through your Google ad settings, it is not provided to us in a personally-identifiable format.
We use the data we collect from our Website and Website visitors to analyze how people use our Website, and identify how we can improve visitors’ experience.
When you Access or Use our Services as an End-User
Overview
Trustmatic provides identity verification services to third parties (“Clients”). This means that, at the request of a Client, we will engage with you (an “End-User”) to validate your identity, which will require the collection and use of your Personal Data.
What Personal Data do we collect?
Because we are a service provider to our Clients, our Clients are ultimately responsible for disclosing to you their privacy policy and any information about the collection of your Personal Data by Trustmatic on their behalf; however please see below for a general description of how we process Personal Data to provide services to our Clients.
In order to provide identity verification or similar services to our Clients, our Clients may, with your consent, share your contact information with us (e.g., your email address). We will then, with your consent, collect Personal Data directly from you, which may include:
(1) A copy of an identity document, such as a passport, driver’s license, or other government-issued identification. The information that we collect or extract from this document may include your photo, name, sex, personal identification number or national equivalent, date of birth, address, age, legal capacity, nationality, citizenship, organ donor status, eye color, weight and height;
(2) Identity document details, such as the type and version of the document, issuing country, document number, issue date, expiration date, information embedded to document barcodes or machine readable zones (may vary depending on the document) and security features;
(3) a photo of your face (i.e., a “selfie” taken and submitted by you at the time of verification and the photo on your identity document) as well as data, such as facial measurements, extracted from the photo which are used to authenticate you; and
(4) any other personal information provided by you, e.g., information from communications with us, feedback you provide to us.
Lastly, based on the direction we receive from our Client, we may also collect your Personal Data independently from third parties as required to perform the services or detect fraud. For example, if we need to verify the validity of your identification document, we may inquire for additional information from the appropriate registrar or from other fraud prevention services. For fraud prevention and detection purposes, subject to applicable laws, we may also collect information about compromised identities; for example, images or device or network information which have been leaked or used to commit repetitive fraud via Trustmatic’s service. A list of Data Providers we currently use is available here.
How do we use your Personal Data?
We only use your Personal Data for the provision of identity verification and fraud prevention services to our Clients, as communicated to you at the time we collect your Personal Data.
We use the information on your identity document to extract biographic and biometric data and confirm the document is valid.
We capture images of your face to conduct biometric verification and liveness checks to validate that you are the rightful holder of the identity document.
We use your biometric data for two purposes:
- Liveness check: The liveness check is a process of determining whether the face presented in a photo is a real person using computer vision and pattern recognition technologies.
- Identity verification: To verify your identity in a quick, secure and accurate way, we use biometric identity verification. Biometric identity verification is the process of determining whether the images of two faces belong to the same person and works by analyzing and identifying unique facial features on the photo in the identity document you share with us and creating a secure biometric template. This template is then compared against the template generated from your selfie image and a similarity score is assigned.
We may also use limited Personal Data for related business purposes, such as investigating issues reported by you, maintaining, improving, upgrading or enhancing the services we provide. Wherever possible, we will use anonymized data instead of Personal Data.
Lawful Basis for Processing
Under data protection laws, we must have a lawful basis to process your Personal Data. The lawful basis for our processing of Personal Data generally depends on the Client, as the use cases and related legal requirements vary from Client to Client; however, we generally rely on your express consent to process your Personal Data.
If you have granted the Client and/or Trustmatic consent to process your Personal Data, the details of such processes and purposes for our processing will be outlined in the consent itself.
To the extent permitted by law and the Agreement, Trustmatic may also use limited Personal Data for other reasonably necessary operational purposes as part of provision of the Service, or rely on its legitimate interest for such processing. In each circumstance, we will only use the Personal Data required. Examples of legitimate purposes for which we may Process your Personal Data include:
(1) for analyzing the use of and improving our services, and using research and analysis results, among other methods, for carrying out satisfaction surveys, feedback questionnaires and developing our products and services, including development of autonomous and automated decision-making processes. Wherever possible we will use anonymised data for these purposes;
(2) for sending out newsletters, for marketing and developing and promoting our Services, for organization of campaigns, including personalized and targeted campaigns, and measuring the effectiveness of the performed marketing activities;
(3) for monitoring the Services. We may record the messages and instructions given on our premises or by means of communication (e-mail, telephone, video communication platforms, etc.), as well as information and other operations carried out by us, and shall use those recordings as needed to evidence instructions or other operations;
(4) for network and cyber security, as well as fraud detection and prevention;
(5) for the establishment, exercise or defense of legal claims; and ensuring compliance with applicable regulations;
(6) for satisfying our legal obligations with respect to the processing and retention of Personal Data.
Children’s Personal Data
We may process the Personal Data of children (e.g., persons under 18 years of age depending on jurisdiction) in order to provide services to our Clients, and in such cases the applicable Client shall take steps to ensure that there is a legal basis for such processing (e.g., a consent from a guardian of that child). If we learn that we have collected the Personal Data of a child without the guardian’s consent, please notify us immediately at the contact information below so we can take steps to delete the information as soon as possible.
With whom do we share your Personal Data?
We do not share your Personal Data with third parties without your explicit consent, except in cases where it is necessary for the provision of our services or as permitted or required by law.
We may share your Personal Data, including identity verification data, with the Client through which you used our identity verification service.
We may also share certain Personal Data with third parties who help us deliver our services, and with other authorized third parties who are legally entitled to receive your Personal Data. For example, an End-User’s Personal Data, including biometric data, can be processed by authorized sub-processors that provide identity verification core services to Trustmatic, provided that:
(1) the purpose and the processing are lawful;
(2) we have diligently assessed that the authorized Data Processors or sub-processor will comply with the data protection requirements;
(3) the Personal Data processing is carried out in accordance with our guidelines and on the basis of a valid agreement.
How do we protect your Personal Data?
We take the security of your Personal Data seriously. We implement industry-standard security measures to protect your data from unauthorized access, disclosure, alteration, and destruction, and store it securely on our servers in encrypted format.
We continually test our systems to ensure that we are compliant and to ensure that we follow top industry standards for information security. We periodically carry out external audits to check that our security arrangements are compliant. These auditors follow internationally recognised standards for best practice in security, such as ISO 27001.
How long do we store your Personal Data?
We will retain your data only for the duration necessary to fulfill the purposes outlined in this policy, as required by our clients, or as required by law. Once the data is no longer necessary, it will be securely anonymized or permanently deleted.
Personal Data, including biometric data, is permanently deleted from our systems within 30 days.
Your Privacy Rights and Choices
Giving consent for the processing of your Personal Data is voluntary and you have the right to withdraw your consent at any time; however, the decision not to consent or to withdraw your consent may mean that we are not able to verify your identity via our services.
In addition to the right to withdraw your consent, depending on where you live, you may have the following rights under data privacy laws:
- The right to submit a complaint: If you feel that we have not complied with applicable data protection laws, we would appreciate it if you contact us at privacy@certn.co. However, you also have the right to complain directly to a data protection authority or privacy regulatory body in your jurisdiction about our collection, use or other processing of your Personal Data. For more information, please contact your local data protection authority.
- The right to know: The right to receive confirmation as to whether we are processing Personal Data about you and to obtain certain details about the Personal Data we have collected about you.
- The right to access & portability: The right to obtain access to the Personal Data we have collected about you and the right to obtain a copy of the Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
- The right to correction: The right to correct inaccuracies in your Personal Data.
- The right to request deletion: The right to ask us to delete your Personal Data.
- The right to object: The right to file an objection if your Personal Data processing takes place on the basis of our legitimate interest or public interest.
- The right to restrict processing: The right which in certain cases allows you to direct us to limit the processing of your Personal Data for a certain period of time (e.g., if you have filed an objection to Personal Data processing).
- The right to non-discrimination: The right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights.
If you wish to exercise any of your rights regarding Personal Data or ask questions about the Privacy Policy, please submit a corresponding request to us at privacy@certn.co. We will respond to your request by email and in accordance with applicable law.
The Office for Personal Data Protection of the Slovak Republic (https://dataprotection.gov.sk/uoou/) is the lead data protection supervisory authority for Trustmatic (registered office at Hraničná 12, 820 07 Bratislava 27, Slovak Republic; phone number + 421 2 32 31 32 14, email zodpovednaosoba@pdp.gov.sk).
If you are in the United States and have concerns about the results of an appeal, you may contact the attorney general in the state where you reside.
Changes to the Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or for legal reasons. We will notify you of any significant changes where required by law, and the updated policy will be effective upon posting.
Contact Us
If you have any questions or concerns about our Privacy Policy or the way we handle your data, please contact us at privacy@certn.co.
By using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and processing of your data as described herein.
JURISDICTION SPECIFIC NOTICES
You may have different rights depending on which jurisdiction you are a resident of, including USA states or Canadian provinces. Should there be any inconsistency or ambiguity between the terms of this section and any other part of this document, these terms shall prevail.
10.1 Policy of Collection and Additional Information for Residents of California
If you are a California resident, California law requires us to disclose the following additional information with respect to our collection, use, and disclosure of personal information.
Additional Disclosures
(1) In the preceding 12 months, we have collected the following categories of Personal Information: identifiers, biometric information, demographic information, commercial information, internet or other electronic activity information, geolocation data, electronic, or similar information, professional or employment-related information, inferences, and sensitive personal information. For more information about the data points we collect and the categories of sources of such collection.
(2) We collect personal information for the business and commercial purposes described in our privacy policy. In the preceding 12 months, we have disclosed personal information for the business and commercial purposes described in our privacy policy and we have made disclosures for business purposes to the following categories of recipients:
- The following categories of Personal Information: End-User related identifiers, demographic information, commercial information, internet or other electronic activity information, geolocation data, electronic, or similar information, inferences, and sensitive Personal Data; each have been disclosed to the following categories of Recipients: Data Controllers for whom we are Data Processors (e.g. Clients), our authorized Data Processors (sub-processors), authorized third party sites (e.g. external registries), and, as relevant on a case by case basis, to supervisory authorities, courts and government agencies.
- The following categories of Personal Information: Client Representative related identifiers, commercial information, internet or other electronic activity information, audio, electronic, or similar information; each have been disclosed to the following categories of Recipients: our authorized Data Processors (sub-processors), authorities and organizations intermediating or providing (electronic) mail, compliance or payment services, and, as relevant on a case by case basis, to supervisory authorities, courts and government agencies, debt collection agencies and credit registers.
- The following categories of Personal Information: Client Representative related identifiers, commercial information, electronic, or similar information; each have been disclosed to the following categories of Recipients: advertising and marketing partners, companies carrying out satisfaction surveys.
(3) As described in our privacy policy, we process personal information to understand and improve your experience with our Services and to serve you advertisements on non-Trustmatic websites. Some of these activities may be considered “sales” or “sharing” of your personal information or “targeted advertising” under the law that applies to you.
(4) We do not “sell,” “share” or engage in “targeted advertising” activities relating to personal information that we collect in the course of providing identity verification services to our Clients.
(5) We do not use sensitive personal information for any purpose other than to perform the Services or to improve, upgrade, or enhance the Services.
(6) In addition to your rights as stated in the privacy policy, Your Privacy Rights include:
- You have the right to opt out of sharing and sales at any time by following the instructions here.
- To request access, correction, or deletion of your personal information, contact our data privacy officer (DPO) via email at privacy@certn.co.
- Authorized Agents. You have a right to submit a rights request via an authorized agent.
- California Policy of Financial Incentives. We may from time to time also offer various financial incentives. For example, we may provide coupons, or other benefits to customers who participate in feedback or research surveys. When you participate in a financial incentive, we collect personal information from you, such as identifiers (like your email address or phone number), professional or employment-related information, inferences drawn about your preferences, and other categories of personal data that relate to or are reasonably capable of being associated with you. More detailed information will be provided at the time of collection. You can opt into a financial incentive by following the sign-up or participation instructions provided, and, for any ongoing benefits, you can opt-out at any time, such as by following the unsubscribe instructions in the applicable program’s terms and conditions, promotional emails, or text messages, or contacting us at privacy@certn.co. In some cases, we may provide additional terms and conditions for a financial incentive, which we will provide to you when you sign up. The value of your Personal Data is reasonably related to the value of the offer or discount presented to you.
- For more information about the data points we collect and the categories of sources of such collection, see the Privacy Policy. See above for information about how long we retain the data points that we collect.
If you believe your rights under the California Consumer Privacy Act, as amended, have been violated you can contact us at privacy@certn.co and we will work to resolve your concerns.
You have the right to submit your complaint to the California Privacy Protection Agency (https://cppa.ca.gov/) at:
Mail:
CPPA
ATTN: PRA Coordinator
2101 Arena Blvd
Sacramento, CA 95834
Email: PRA@cppa.ca.gov with the Subject: ATTN: PRA Coordinator
Online: https://cppa.ca.gov/
10.2 Policy to Individuals Who are Residents of the State of Illinois, the State of Texas, and the State of Washington
(1) The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq., Washington Biometric Privacy Protection Act, RCW 19.375.010 et seq., and the Business and Commerce Code of Texas on the Capture or Use of Biometric Identifiers, Tex. Bus. & Comm. Code § 503.001, regulate the collection, storage, use, and retention of “biometric identifiers” and “biometric information”. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, photographs used for identity verification, or scan of hand or face geometry.
(2) Trustmatic collects certain biometric identifiers and biometric information, namely face scan information (face geometry information and information based on that), during the identity verification process. Trustmatic collects and uses this information to verify your identity, prevent fraud, and provide authentication Services to our Clients on an ongoing basis.
(3) For Illinois residents, we will permanently destroy their biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with Trustmatic’s Clients, whichever occurs first.
(4) For Texas residents, we will permanently destroy their biometric identifiers the later of (1) one year after the purpose for collecting the identifier expires, or (2) one year after any recordkeeping obligations imposed by law in connection with the collection of the biometric identifier expires.
(5) For Washington residents, we will permanently destroy their biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with Trustmatic’s Clients, whichever occurs first.
(6) Except where prohibited by law, your biometric data is accessible only to us and our service providers/sub-processors, which process your data only on our behalf to provide the Services. We do not share biometric data with any other third parties. The Client on whose behalf Trustmatic processes your data may receive from us information about you, such as copies of the identification document and photo you provided us, and data indicating whether we were able to identify and authenticate your identity.
(7) By clicking the relevant icons presented prior to the verification or authentication process, and choosing to continue, you acknowledge and agree that you have read the relevant disclosures, and that you voluntarily consent to Trustmatic’s collection, storage, retention, use, and disclosure of your biometric data.
(8) Trustmatic uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure your biometric data, in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and/or sensitive information. Trustmatic does not sell, lease, trade or otherwise profit from the biometric data.
10.3 Canadian Province of Quebec
Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (“Quebec Private Sector Act”) and An Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 (“Law 25”). The Quebec Commission on Access to Information (“CAI”) is the regulatory authority that oversees the application of the Quebec Private Sector Act and Law 25.
If you believe your rights under the Quebec Private Sector Act or Law 25 have been violated you can contact us at privacy@certn.co and we will work to resolve your concerns.
You have a right to submit your complaint to the CAI (https://www.cai.gouv.qc.ca/) at:
Quebec Office 2.36 525, boulevard René-Lévesque Est Québec (Quebec) G1R 5S9 Telephone: 418 528-7741 Fax: 418 529-3102
Montreal Bureau 900 2045, rue Stanley Montreal (Québec) H3A 2V4 Telephone: 514 873-4196 Fax: 514 844-6170
10.4 Australia
The Privacy Act 1988 (No. 119, 1988) (as amended) (the “Privacy Act”) is Australia's consolidated data protection law which aims to promote the protection of your privacy. In addition to the Privacy Act, the Australian Privacy Principle (“APP”) Guidelines of 2012 were issued by the Office of the Australian Information Commissioner (“OAIC”) to interpret and apply the Privacy Act.
If you believe your rights under the Privacy Act or the APP have been violated you can contact us at privacy@certn.co and we will work to resolve your concerns.
You have the right to submit your complaint to the OAIC (https://www.oaic.gov.au/) at:
Mail: GPO Box 5288, Sydney NSW 2001 (send it by registered mail if you’re concerned about sending it by standard post)
Fax: +61 2 6123 5145.
Phone: 1300 363 992