Services
Privacy Policy This Privacy Policy (“ Policy”) describes the privacy policy of Authento Limited (“Authento,” “we”, “us”, or “our”) concerning personal information collected in connection with (i) Authento's verification and related online services, including but not limited to authentication, document verification, ID verification, and identity verification (the “Services”) and (ii) our website (the “Site”) and customer portals.
Authento is subject to the Hong Kong Data (Privacy) Ordinance, and amendments thereto (“PDPO”) as well as other applicable data protection laws. This Policy generally describes Authento's privacy practices as a data user for the categories of personal information described in Subsection I.2. (“Personal information we process”). You are not required to provide your personal information to Authento. However, if you do not provide us with your personal information, we may not be able to provide our Services.
Authento also makes the Services available to third parties (“Clients”) for integration into those Clients' websites and mobile applications. Authento processes the personal information of our Client's end-users (“End-Users”) on behalf of Clients for the purposes described in Subsection I.3 (“How we use your personal information”). When we provide Services to our Clients, we are generally acting on their behalf as their service provider and data processor. The Client determines the purpose of data processing, exercises control over the End-User's personal data, and stipulates the retention period of the End-User's data according to its purposes. For additional information about how your specific data is being collected and used in these cases, please review the privacy policy of our client(s) who is using our Services with you.
The scope of your consent is described in Section 8 (“Your consent”).
This Privacy Policy is divided into two parts. The first applies to those individuals using the Services to verify their identities. The second applies to visitors to the Site.
We encourage you to read through the Privacy Policy to understand what information Authento may collect and how Authento uses the information.
When you use the Services, or Authento's Clients use the Services to securely verify the identity of End-Users such as yourself, we may collect information from or about you. By using any of the Services, you acknowledge the data collection practices and purposes outlined in this Policy. This section explains what Personal Data (defined below) Authento collects through the Services, how Authento uses and shares that data, and how individuals can exercise choices regarding their Personal Data. Personal Data provided to Authento by Clients, and Personal Data provided to Clients from Authento, is also subject to each Client's privacy policy.
Authento uses information about you to provide and improve the Services or develop new services aimed at verifying your identity and helping prevent fraud. We analyze the data we collect to create insights about fraud, which enables us to glean information about potentially fraudulent transactions. For example, we use the data to identify commonly used fake identification documents or government identifiers. Other than with your consent, Authento does not sell or “share” (when defined by applicable law to mean the use of your personal information for cross contextual behavioral advertising) your personal information.
This subsection describes the Personal Data we collect and how we use it in order to provide the Services to our Clients. Personal Data means information that relates to an identified or identifiable individual.
You provide Personal Data to Authento directly or at the direction of a Client of Authento, so that your identity may be verified and/or to prevent fraud. In the course of performing the Services, Authento may also obtain Personal Data from other sources such as third party databases, government records, and other publicly available sources. The Personal Data we collect varies based on what you provide, what you and/or the Client has directed us to analyze, and what Personal Data is available from third parties.
Some data that we collect automatically is collected through cookies and similar technologies.
To provide the Services, Authento may process a government-issued identification or other document you provide directly to Authento or information provided by the Client to Authento. The personal information collected may include any information available on the documents submitted to Authento for the Services. From the information provided, Authento may process the following information:
Authento's collection of personal information may include data that may be considered biometric data in some jurisdictions. Authento will collect this information via facial recognition or similar technology from an image or video (including audio) of your face (e.g., a selfie) and an image of that face as it appears on an identification document that you provide via an online portal or mobile application.
Authento and/or a third party vendor used by Authento:
Authento securely stores all photos of identity documents that you upload, photos of your face that you upload, and data from scans of facial geometry extracted from the photos of your face that you upload in an encrypted format. Authento's third-party vendors may have access to such data and data from scans of facial geometry extracted from the photos of your face that you uploaded to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored.
Authento uses the reasonable standards of care within our industry to store, transmit, and protect from disclosure data from scans of facial geometry extracted from the photos of your face that you upload in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Authento will not sell, lease, trade, or, other than to provide the Services, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Authento will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you uploaded unless doing so:
Authento may share such data with the Client with which an End-User has a direct relationship and with Authento service providers. Authento may collect, process, and store such data for the purpose of providing and improving its Services, and for the long-term proof of inspection of your provided form of identification.
Authento will store your biometric data for as long as as set out in Subsection 5 (“Retention and international transfer”) .
Authento will process certain personal information about you that Authento collects from you directly, from its Clients, or other third parties, such as consumer reporting agencies and fraud prevention service providers. The categories of personal information that Authento may process varies depending on the Service and are described below.
When you use the Services, we may also automatically collect or receive certain information associated with you or your network device(s), including but not limited to information about your use of the Services and your preferences. This information includes:
If you use Authento's authentication service, we may install little pieces of software on your device to increase the speed of subsequent verifications. This software does not collect any information about you and does not track you.
We may also use cookies in connection with the Services.
To the extent permitted by applicable law, we may receive additional information about you, such as demographic data or other information to help detect fraud and safety issues from third party service providers or partners, and combine it with information we have about you. These categories of third parties include consumer reporting agencies, fraud prevention services, data brokers, government databases, and marketing and analytics providers.
If you connect to us through a social media platform or navigate to a social media platform from one of our sites, the social media platform will collect your information separately from us. You should review the social media platforms' privacy policies to understand how they are using your information and your rights in relation to such information.
We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties.
We may use the information collected from or about you to authenticate and manage your identity when you create an Authento account, including to verify attributes of your identity, as well as to provide you with customer support and account updates. We may use this information to verify your identity with Authento partners, Clients, and service providers in both the public and private sector at your request and perform our obligations with you or to ensure that our Services function properly.
Overall, Authento processes the personal information described above (“Personal information we process”) for the following purposes:
Authento processes Personal Data in multiple ways, including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination (if so legally binding), or otherwise making available, alignment or combination, restriction, erasure or destruction.
Under certain circumstances Authento may also use the personal information listed above (“Personal information we process”) to:
Authento shares your personal information in the context of your transaction with a particular Client with that Client. In addition, to provide the Services as set out above (“How we use personal information”), Authento may share, disclose, or transfer your personal information to the following categories of recipients:
These parties will access, process or store Personal Data while performing their duties to us. Moreover, as set out in “How we use personal information”, we may also disclose Personal Data when required to do so by regulators or by law, and may share your personal information with the following categories of recipients:
We may also disclose personal information to third parties when explicitly requested by you.
Once you are verified, you are able to use your Authento Passport to register with various Clients through our platform. Authento provides such functionality only after you affirmatively consent to sharing the Personal Data with such Client as an End-User. Different Clients may require different types of information and you have control over your data during onboarding procedures with those Clients. We will seek your consent to share the relevant data with the Client so you can access their products and services. You can edit and review your personal information directly on the Authento portal. If you choose to cancel your account with us, we will delete your information unless we are contractually or legally prevented to do so and/or to prevent fraud and money laundering. Your personally identifiable information will not be sold and it will only be shared with third parties when necessary for the provision of the Services to you, to prevent fraud or money laundering and assist law enforcement in accordance with this Policy.
If you use any third-party or other Client software, products or services in connection with our Services, for example any third-party software that our platform integrates with, you might give such third-party access to your account and information. Policies and procedures of third-parties are not controlled by us, and this Policy does not cover how your information is collected or used by third parties. We encourage you to review the privacy policies of third-parties before you use the third-party software, product or service.
Our Site may contain links to third-party websites over which we have no control. If you follow a link to any of these websites or submit information to them, your information will be governed by their policies. We encourage you to review the privacy policies of third-party websites before you submit information to them.
From time to time, Authento may also share anonymized and/or aggregated information, such as by publishing a report on trends in the usage of our Services.
Information for California residents. Other than with your consent, Authento does not sell or share your personal information. The terms “sell”, “share”, and “personal information” are defined by the California Consumer Privacy Act (the “CCPA”) and the California Privacy Rights Act (“CPRA”).
You have certain choices about how we use your information, including how your Personal Data is shared.
Close your Authento Account. You may close your Authento account at any time. By choosing to close your Authento account, you are directing Authento to deactivate your identity credential and to purge the associated data from active use in our databases. Please note, however, that Authento does retain account history (e.g., events, logins, and transactions) as well as verification history (e.g., group, vaccine, or identity details including documentation and data elements used for verification) for up to three (3) years.
Please note: Use of your Authento credential to verify your identity will be stopped in the event you delete your Authento account.
Deleting your selfie image and Biometric Information. Those who have created an account requiring submission of a selfie image, and who consented to the collection of the associated Biometric Information, may request the deletion of both the selfie image and Biometric Information by submitting a request to support+privacy@authento.io. Deletion of the selfie image and associated Biometric Information may take up to thirty (30) days and will not impact the validity of your credential or verified status. Authentic reserves the right to retain this information as needed to comply with our legal obligations or to help prevent fraud.
Opt out from receiving marketing emails. To stop receiving our promotional emails, follow the instructions in any marketing email you get from us. When applicable, you can also change your preferences in your account. Even if you opt out of getting marketing emails, we are permitted to send you transactional messages. For example, we may still contact you about your use of our Services or any changes to our policies or Terms of Service.
Change or update the information you have given us. If you have verified yourself and created an Authento account, then you can correct or delete certain information or update your verification information by logging into your account and following the instructions or by contacting support+privacy@authento.io.
Ad Choices. We, our affiliates, and any associated third parties may collect information on our Services to help alert you to products and Services that may be relevant to your interests. This is known as interest-based advertising. We rely on third parties who collect information on the Services to provide opt-outs or other controls to you. For more information on how to opt-out of receiving interest-based advertising on desktop and mobile websites, please visit:
If you have further concerns or questions regarding your Personal Data, please email support+privacy@authento.io.
Except as otherwise provided, Authento will retain the personal information for (i) the period necessary to fulfill the purposes outlined in Subsection I.3 (“How we use your personal information”), in particular as long as necessary to identify potentially fraudulent transactions and (ii) as long as required by law or (iii) as long as relevant potential legal claims are not yet time-barred.
Where Authento serves as a service provider or processor as defined by the applicable law, Authento will retain personal information for the period determined, and as instructed, by the Client. Generally, in line with AML / CFT regulations, regulated financial companies are obliged to store the End-User's data for five years after the termination of the Client's relationship with the End-User or the date of the occasional transaction. In some jurisdictions, there may be a longer mandatory data retention period. Please note that if an End-User would like to make a request to delete the personal data that he or she has provided for the purpose of a particular Client, please make that request directly to the Client that controls that End-User's verification process.
In general, Personal Data, including biometric data, will be retained and stored by Authento and will be permanently destroyed when the Client's initial purpose and/or retention period prescribed by applicable law expires or Authento's compatible purposes for collecting the biometric data have been satisfied or after five (5) years from the individual's last interaction with Authento, whichever occurs first, or three (3) if there is a local specific legislative requirement.
Some of the recipients described in Subsection I.3 (“Whom we share personal information with”) are located in, or process personal information in, countries other than your country of residence. The personal information described in this Policy may be transferred to and processed in a jurisdiction other than your country of residence and elsewhere for the purposes described in Subsection 2 (“How we use personal information”). The data protection laws in these countries may be different from, or less stringent than, those in your location and/or country of residence. It is Authento's policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality.
If you are accessing our Site from Europe, Australia, Asia, or any other region with laws or regulations governing personal data collection, use, and disclosure, you may be transferring your Personal Data to jurisdictions that may not have the same data protection laws as such other regions. By providing your information to the Site, you are consenting to the transfer of your information for processing and maintenance in accordance with this Policy and our Terms of Service. You are also consenting to the application of Hong Kong law in all matters concerning the Site and Services.
We take measures to help protect your personal information when it is transferred from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) to other countries. We may rely on European Commission adequacy decisions or UK adequacy regulations for certain countries or include standard clauses issued by the European Commission or by the UK Information Commissioner's Office in our contracts with recipients.
Authento uses commercially reasonable physical, electronic, and procedural safeguards designed to protect your personal information against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus Authento cannot guarantee the absolute security of your personal information or other information.
You can exercise any of the rights described in this section consistent with applicable law and our role with respect to your personal information by emailingsupport+privacy@authento.io. Please note that we may ask you to verify your identity before taking further action on your request. In some jurisdictions, applicable law may entitle you to:
Where we process your personal information based on your consent, you may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. We will not discriminate against you for exercising any of the above rights.
You consent to Authento obtaining and using your personal information to enable your use of the Services which are partly based on machine learning algorithms; this includes your consent to:
You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal. If Authento has collected your personal information on the basis of your consent and you then withdraw your consent, Authento may retain your personal information independent of your consent to the extent necessary to establish, exercise or defend legal claims, to comply with legal obligations, or to identify potentially fraudulent transactions.
The Services are not intentionally designed for or directed at children. We recommend that persons over 13, but under 18 years of age, ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet. Otherwise, if Authento discovers that a child's personal data has been accidentally submitted to Authento, it will be deleted without undue delay.
To help safeguard the quality of the data provided by the Services, Authento implements measures that may include manual review of the personal information by specially trained verification agents or machine learning capabilities. When we process the personal information automatically, we apply the following examples of criteria:
If, and to the extent that, Authento's Clients make a decision based on the information provided by Authento, please reach out to the Client responsible for an End-User's personal information with any questions regarding the rights that End-User may have in case that End-User's personal information is subject to automated decision-making.
When Authento is engaged by its Clients to perform identity verification procedures in respect of End-Users, the processing of personal data by Authento is covered by those legal grounds that are relied on by certain Clients with whom Authento has an agreement.
As discussed in Subsection 2 (“How we use personal information”), Authento's legitimate interest in processing personal information arises from the strict necessity of internal analysis and ongoing development and improvement of Authento's services that our Clients use to detect fraud and illicit activities to prevent money laundering, terrorist financing, fraud, and other activities, which are considered a matter of substantial public interest. In this case, we use legitimate interest if the Client grants us permission to process data provided that Authento's purposes are compatible with those initial purposes for which the personal data has been collected. Such purposes are compatible due to the obligations or interests of our Client regarding the combat of fraud and detection of any illegal actions.
If you are a resident of the EEA, Switzerland, or the UK, Authento processes your personal information on the following legal bases under the General Data Protection Regulation (“GDPR“) or the UK GDPR:
When you visit and use the Site, we collect and process certain information about your interactions with the website and the data you leave at your sole discretion. For more information, please read this Policy attentively.
The Personal Data we collect depends on how you interact with us, the services you use, and the choices you make.
We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.
Information you provide directly. We collect Personal Data you provide to us. For example:
Information we collect automatically. When you use our services, we collect some information automatically. For example:
Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.
Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:
When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.
We may use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.
We use the Personal Data we collect for purposes described in this Privacy Policy or otherwise disclosed to you. For example, we collect and use the categories of Personal Data described above for the following purposes:
We disclose Personal Data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, with the types of third parties described below, for the following business purposes:
Third party analytics and advertising companies also collect Personal Data through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in our Cookie Policy.
These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.
Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy statements. Finally, we may share de-identified information in accordance with applicable law.
Some of the data disclosures to these third parties may be considered a “sale” or “sharing” of Personal Data as defined under the laws of California and other U.S. states.
We retain Personal Data for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and our legal or contractual obligations.
We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.
Access, portability, correction, and deletion. If you wish to access, correct, or delete Personal Data about you that we hold, you may email support+privacy@authento.io to make your request.
Communications preferences. You can choose whether to receive promotional communications from us by email, and telephone. If you receive a promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.
Data sales and targeted advertising. Some privacy laws define “sale” broadly to include some of the disclosures described above. To opt-out from such data “sales” or targeted advertising, opt out by clicking on “Do Not Sell or Share My Personal Information” on the footer of our website.
Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the Personal Data. Further, we may decline a request where we are unable to authenticate you as the person to whom the Personal Data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal as described in the Contact Us section below.
If the processing of Personal Data about you is subject to European Union data protection law, you have certain rights with respect to that data:
To make such requests please contact us as described in the Contact Us section below. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.
We rely on different lawful bases for collecting and processing Personal Data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests.
If you are a California resident and the processing of Personal Data about you is subject to the California Consumer Privacy Act (CCPA), you have certain rights with respect to that information.
Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of Personal Data, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this policy by clicking on the above links.
Right to Know. You have a right to request that we disclose to you the Personal Data we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such Personal Data. Note that we have provided much of this information in this privacy policy. You may make such a “request to know” by emailing us at support+privacy@authento.io.
Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate Personal Data and that we delete Personal Data under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, email us at support+privacy@authento.io.
Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of Personal Data as those terms are defined by the CCPA.
The CCPA requires us to describe the categories of Personal Data we sell and/or share to third parties and how to opt-out of future sales or sharing. The CCPA defines “sell,” “share,” and “personal information” very broadly, and some of our data sharing described in this privacy policy may be considered a “sale” or “sharing” under those definitions, such as disclosing Personal Data to third parties for our own advertising purposes. We let advertising and analytics providers collect IP addresses and cookie IDs along with associated device and usage data when you access our website, but we do not “sell” or “share” any other types of Personal Data.
If you do not wish for us or our partners to “sell” or “share” Personal Data relating to your visits to our websites for advertising purposes, you can make your request by clicking on Do Not Sell or Share My Personal Information page, using a Global Privacy Control, or emailing us at support+privacy@authento.io. If you opt-out using these choices, we will not share or make available such Personal Data in ways that are considered a “sale” or “sharing” under the CCPA. However, we will continue to make available to our partners (acting as our service providers) some Personal Data to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” or “shared” Personal Data or stop all interest-based advertising.
We do not knowingly sell or share the Personal Data of minors under 16 years of age.
Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive Personal Data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use Sensitive Personal Data for any such additional purposes.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
Further, to provide, correct, or delete specific pieces of Personal Data will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of Personal Data we may have, there may be no reasonable method by which we can verify your identity as the person to whom that data relates.
Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.
Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties' direct marketing purposes.
Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law.
California Customers may request further information about our compliance with this law by emailing support+privacy@authento.io. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.
The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. We take steps designed to ensure that Personal Data is processed and protected as described in this policy wherever the data is located.
We take reasonable and appropriate steps to help protect Personal Data from unauthorized access, use, disclosure, alteration, and destruction.
To help us protect Personal Data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.
Authento may need to update this Privacy Policy from time to time to comply with applicable law and regulations or other legitimate purposes. Subject to obtaining your explicit consent as may be required by applicable law, the new modified privacy statement will apply from that revision date. Therefore, we encourage you to review this Privacy Policy periodically to be informed about how we are protecting your information.
If you have any questions or comments regarding this Privacy Policy, please send an email to support+privacy@authento.io.
Last Updated: August, 2023