Authento

Privacy Policy

Privacy Policy This Privacy Policy (“ Policy”) describes the privacy policy of Authento Limited (“Authento,” “we”, “us”, or “our”) concerning personal information collected in connection with (i) Authento's verification and related online services, including but not limited to authentication, document verification, ID verification, and identity verification (the “Services”) and (ii) our website (the “Site”) and customer portals.

Authento is subject to the Hong Kong Data (Privacy) Ordinance, and amendments thereto (“PDPO”) as well as other applicable data protection laws. This Policy generally describes Authento's privacy practices as a data user for the categories of personal information described in Subsection I.2. (“Personal information we process”). You are not required to provide your personal information to Authento. However, if you do not provide us with your personal information, we may not be able to provide our Services.

Authento also makes the Services available to third parties (“Clients”) for integration into those Clients' websites and mobile applications. Authento processes the personal information of our Client's end-users (“End-Users”) on behalf of Clients for the purposes described in Subsection I.3 (“How we use your personal information”). When we provide Services to our Clients, we are generally acting on their behalf as their service provider and data processor. The Client determines the purpose of data processing, exercises control over the End-User's personal data, and stipulates the retention period of the End-User's data according to its purposes. For additional information about how your specific data is being collected and used in these cases, please review the privacy policy of our client(s) who is using our Services with you.

The scope of your consent is described in Section 8 (“Your consent”).

Summary

This Privacy Policy is divided into two parts. The first applies to those individuals using the Services to verify their identities. The second applies to visitors to the Site.

We encourage you to read through the Privacy Policy to understand what information Authento may collect and how Authento uses the information.

I. Privacy Policy applicable to individuals verifying their identity through the Services

When you use the Services, or Authento's Clients use the Services to securely verify the identity of End-Users such as yourself, we may collect information from or about you. By using any of the Services, you acknowledge the data collection practices and purposes outlined in this Policy. This section explains what Personal Data (defined below) Authento collects through the Services, how Authento uses and shares that data, and how individuals can exercise choices regarding their Personal Data. Personal Data provided to Authento by Clients, and Personal Data provided to Clients from Authento, is also subject to each Client's privacy policy.

Authento uses information about you to provide and improve the Services or develop new services aimed at verifying your identity and helping prevent fraud. We analyze the data we collect to create insights about fraud, which enables us to glean information about potentially fraudulent transactions. For example, we use the data to identify commonly used fake identification documents or government identifiers. Other than with your consent, Authento does not sell or “share” (when defined by applicable law to mean the use of your personal information for cross contextual behavioral advertising) your personal information.

1. How We Collect and Use Personal Data to Provide the Services

This subsection describes the Personal Data we collect and how we use it in order to provide the Services to our Clients. Personal Data means information that relates to an identified or identifiable individual.

You provide Personal Data to Authento directly or at the direction of a Client of Authento, so that your identity may be verified and/or to prevent fraud. In the course of performing the Services, Authento may also obtain Personal Data from other sources such as third party databases, government records, and other publicly available sources. The Personal Data we collect varies based on what you provide, what you and/or the Client has directed us to analyze, and what Personal Data is available from third parties.

Some data that we collect automatically is collected through cookies and similar technologies.

2. Personal information we process

Information that you and/or Clients provide to us through the use of Services

To provide the Services, Authento may process a government-issued identification or other document you provide directly to Authento or information provided by the Client to Authento. The personal information collected may include any information available on the documents submitted to Authento for the Services. From the information provided, Authento may process the following information:

• Personal identifiers (e.g., names, addresses, emails, phone numbers);
• Demographic data (e.g., birthdate, age, gender, marital status);
• Images of Identification documents (e.g., photographs and other information including personal identifiers, demographic characteristics, physical characteristics, etc.);
• Government documents and identifiers (e.g., driver's license, government ID number, Social Security Number);
• Files you upload (e.g. proof of address, tax forms, utility bills);
• Financial information (e.g., credit or debit card numbers, CVV, expiration dates, transaction information);
• Images or recordings (e.g., photographs and visual or audio recordings);
• Account information (e.g., details about your account with our Client or other third parties);
• Biometric data (see information box below).

  Biometric Data

  Authento's collection of personal information may include data that may be considered biometric data in some jurisdictions. Authento will collect this information via facial recognition or similar technology from an image or video (including audio) of your face (e.g., a selfie) and an image of that face as it appears on an identification document that you provide via an online portal or mobile application.

  Authento and/or a third party vendor used by Authento:

  • compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photos of that face that you upload, in order to help verify your identity (“Verification”); and
  • may also use your information, including data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, to detect and prevent fraud (“Fraud Prevention”).

  Authento securely stores all photos of identity documents that you upload, photos of your face that you upload, and data from scans of facial geometry extracted from the photos of your face that you upload in an encrypted format. Authento's third-party vendors may have access to such data and data from scans of facial geometry extracted from the photos of your face that you uploaded to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored.

  Authento uses the reasonable standards of care within our industry to store, transmit, and protect from disclosure data from scans of facial geometry extracted from the photos of your face that you upload in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Authento will not sell, lease, trade, or, other than to provide the Services, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Authento will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you uploaded unless doing so:

  • Completes a transaction requested and authorized by you or your legally authorized representative;
  • Is required by law or ordinance;
  • Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or
  • Is expressly consented to by you.

  Authento may share such data with the Client with which an End-User has a direct relationship and with Authento service providers. Authento may collect, process, and store such data for the purpose of providing and improving its Services, and for the long-term proof of inspection of your provided form of identification.

  Authento will store your biometric data for as long as as set out in Subsection 5 (“Retention and international transfer”) .

Information automatically processed when you use Authento's Services

​​Authento will process certain personal information about you that Authento collects from you directly, from its Clients, or other third parties, such as consumer reporting agencies and fraud prevention service providers. The categories of personal information that Authento may process varies depending on the Service and are described below.

When you use the Services, we may also automatically collect or receive certain information associated with you or your network device(s), including but not limited to information about your use of the Services and your preferences. This information includes:

• Online identifiers (e.g., IP addresses);
• Internet or other electronic network activity including information about your device's operating system, browser type, browser settings (e.g., country, language preferences), or your use of our website or application (e.g., time access, duration of visit);
• Geolocation information (e.g., the location of your device); and
• Inferences such as a transaction risk calculations and scores (e.g., Authento may review whether the IP address or other available information is known to have been used in a fraudulent transaction and provide an assessment of the likelihood the transaction is fraudulent).

If you use Authento's authentication service, we may install little pieces of software on your device to increase the speed of subsequent verifications. This software does not collect any information about you and does not track you.

We may also use cookies in connection with the Services.

Information collected from third parties

To the extent permitted by applicable law, we may receive additional information about you, such as demographic data or other information to help detect fraud and safety issues from third party service providers or partners, and combine it with information we have about you. These categories of third parties include consumer reporting agencies, fraud prevention services, data brokers, government databases, and marketing and analytics providers.

Information you provide through social media

If you connect to us through a social media platform or navigate to a social media platform from one of our sites, the social media platform will collect your information separately from us. You should review the social media platforms' privacy policies to understand how they are using your information and your rights in relation to such information.

Information we derive

We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties.

3. How we use personal information

We may use the information collected from or about you to authenticate and manage your identity when you create an Authento account, including to verify attributes of your identity, as well as to provide you with customer support and account updates. We may use this information to verify your identity with Authento partners, Clients, and service providers in both the public and private sector at your request and perform our obligations with you or to ensure that our Services function properly.

Overall, Authento processes the personal information described above (“Personal information we process”) for the following purposes:

• To provide the Services to you or to Clients, which includes:
  • o enable you or the Client to identify and/or verify your identity in accordance with applicable International Anti Money Laundering regulations;
  • Comparing new scans of identification documents against scans of identification documents previously determined by Authento to be fraudulent;
  • Preventing the use of fraudulent identification documents;
  • Identifying and monitoring fraudulent transactions;
  • Sharing the results of Authento's analysis with a Client with whom an End-User has an existing relationship or with a Client to whom an End-User has authorized disclosure of Personal Data; and
  • Increasing the efficiency and effectiveness of the Services;
• To perform analytics and research concerning the Services and to improve the Services or develop new services, including through the use of machine learning;
• To protect and improve the security of the Services; and
• To anonymize the personal information and generate statistical or aggregated reports.

Authento processes Personal Data in multiple ways, including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination (if so legally binding), or otherwise making available, alignment or combination, restriction, erasure or destruction.

Under certain circumstances Authento may also use the personal information listed above (“Personal information we process”) to:

• Establish, exercise or defend legal claims;
• Investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property, the property or physical safety of any person or third party;
• Facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of Authento's business or assets;
• Respond to valid and enforceable subpoenas, court orders, and other legal process, or as otherwise required by law; and
• Comply with legal and/or regulatory requirements.

4. Whom we share personal information with

Sharing for business purposes

Authento shares your personal information in the context of your transaction with a particular Client with that Client. In addition, to provide the Services as set out above (“How we use personal information”), Authento may share, disclose, or transfer your personal information to the following categories of recipients:

• Service providers that help us deliver, manage, develop, and improve the Services including but not limited to third-party hosting, cloud services and other information technology services providers, email communication and SMS software providers, identity verification services, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers;
• Contract partners or business partners who are participating in the performance of the delivery of the Services; and
• Companies that are part of our corporate group.

These parties will access, process or store Personal Data while performing their duties to us. Moreover, as set out in “How we use personal information”, we may also disclose Personal Data when required to do so by regulators or by law, and may share your personal information with the following categories of recipients:

• Legal advisors;
• Auditors for the performance of audits;
• Law enforcement, regulatory and other government agencies and authorities, professional bodies and other third parties, courts and public authorities; and
• Any acquirer or successor in the event of a corporate sale, merger, reorganization, dissolution, or similar event if any of your personal information is part of the assets we transfer or share in preparation for such a transaction.

Disclosure with Your Consent

We may also disclose personal information to third parties when explicitly requested by you.

Reusable Personal Data

Once you are verified, you are able to use your Authento Passport to register with various Clients through our platform. Authento provides such functionality only after you affirmatively consent to sharing the Personal Data with such Client as an End-User. Different Clients may require different types of information and you have control over your data during onboarding procedures with those Clients. We will seek your consent to share the relevant data with the Client so you can access their products and services. You can edit and review your personal information directly on the Authento portal. If you choose to cancel your account with us, we will delete your information unless we are contractually or legally prevented to do so and/or to prevent fraud and money laundering. Your personally identifiable information will not be sold and it will only be shared with third parties when necessary for the provision of the Services to you, to prevent fraud or money laundering and assist law enforcement in accordance with this Policy.

If you use any third-party or other Client software, products or services in connection with our Services, for example any third-party software that our platform integrates with, you might give such third-party access to your account and information. Policies and procedures of third-parties are not controlled by us, and this Policy does not cover how your information is collected or used by third parties. We encourage you to review the privacy policies of third-parties before you use the third-party software, product or service.

Our Site may contain links to third-party websites over which we have no control. If you follow a link to any of these websites or submit information to them, your information will be governed by their policies. We encourage you to review the privacy policies of third-party websites before you submit information to them.

Aggregated Information

From time to time, Authento may also share anonymized and/or aggregated information, such as by publishing a report on trends in the usage of our Services.

Information for California residents. Other than with your consent, Authento does not sell or share your personal information. The terms “sell”, “share”, and “personal information” are defined by the California Consumer Privacy Act (the “CCPA”) and the California Privacy Rights Act (“CPRA”).

5. Choices Regarding Personal Data

You have certain choices about how we use your information, including how your Personal Data is shared.

Close your Authento Account. You may close your Authento account at any time. By choosing to close your Authento account, you are directing Authento to deactivate your identity credential and to purge the associated data from active use in our databases. Please note, however, that Authento does retain account history (e.g., events, logins, and transactions) as well as verification history (e.g., group, vaccine, or identity details including documentation and data elements used for verification) for up to three (3) years.

Please note: Use of your Authento credential to verify your identity will be stopped in the event you delete your Authento account.

Deleting your selfie image and Biometric Information. Those who have created an account requiring submission of a selfie image, and who consented to the collection of the associated Biometric Information, may request the deletion of both the selfie image and Biometric Information by submitting a request to support+privacy@authento.io. Deletion of the selfie image and associated Biometric Information may take up to thirty (30) days and will not impact the validity of your credential or verified status. Authentic reserves the right to retain this information as needed to comply with our legal obligations or to help prevent fraud.

Opt out from receiving marketing emails. To stop receiving our promotional emails, follow the instructions in any marketing email you get from us. When applicable, you can also change your preferences in your account. Even if you opt out of getting marketing emails, we are permitted to send you transactional messages. For example, we may still contact you about your use of our Services or any changes to our policies or Terms of Service.

Change or update the information you have given us. If you have verified yourself and created an Authento account, then you can correct or delete certain information or update your verification information by logging into your account and following the instructions or by contacting support+privacy@authento.io.

Ad Choices. We, our affiliates, and any associated third parties may collect information on our Services to help alert you to products and Services that may be relevant to your interests. This is known as interest-based advertising. We rely on third parties who collect information on the Services to provide opt-outs or other controls to you. For more information on how to opt-out of receiving interest-based advertising on desktop and mobile websites, please visit:

If you have further concerns or questions regarding your Personal Data, please email support+privacy@authento.io.

6. Retention and international transfers

Retention

Except as otherwise provided, Authento will retain the personal information for (i) the period necessary to fulfill the purposes outlined in Subsection I.3 (“How we use your personal information”), in particular as long as necessary to identify potentially fraudulent transactions and (ii) as long as required by law or (iii) as long as relevant potential legal claims are not yet time-barred.

Where Authento serves as a service provider or processor as defined by the applicable law, Authento will retain personal information for the period determined, and as instructed, by the Client. Generally, in line with AML / CFT regulations, regulated financial companies are obliged to store the End-User's data for five years after the termination of the Client's relationship with the End-User or the date of the occasional transaction. In some jurisdictions, there may be a longer mandatory data retention period. Please note that if an End-User would like to make a request to delete the personal data that he or she has provided for the purpose of a particular Client, please make that request directly to the Client that controls that End-User's verification process.

In general, Personal Data, including biometric data, will be retained and stored by Authento and will be permanently destroyed when the Client's initial purpose and/or retention period prescribed by applicable law expires or Authento's compatible purposes for collecting the biometric data have been satisfied or after five (5) years from the individual's last interaction with Authento, whichever occurs first, or three (3) if there is a local specific legislative requirement.

International Transfers

Some of the recipients described in Subsection I.3 (“Whom we share personal information with”) are located in, or process personal information in, countries other than your country of residence. The personal information described in this Policy may be transferred to and processed in a jurisdiction other than your country of residence and elsewhere for the purposes described in Subsection 2 (“How we use personal information”). The data protection laws in these countries may be different from, or less stringent than, those in your location and/or country of residence. It is Authento's policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality.

If you are accessing our Site from Europe, Australia, Asia, or any other region with laws or regulations governing personal data collection, use, and disclosure, you may be transferring your Personal Data to jurisdictions that may not have the same data protection laws as such other regions. By providing your information to the Site, you are consenting to the transfer of your information for processing and maintenance in accordance with this Policy and our Terms of Service. You are also consenting to the application of Hong Kong law in all matters concerning the Site and Services.

We take measures to help protect your personal information when it is transferred from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) to other countries. We may rely on European Commission adequacy decisions or UK adequacy regulations for certain countries or include standard clauses issued by the European Commission or by the UK Information Commissioner's Office in our contracts with recipients.

7. Security

Authento uses commercially reasonable physical, electronic, and procedural safeguards designed to protect your personal information against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus Authento cannot guarantee the absolute security of your personal information or other information.

8. Your Privacy Rights

You can exercise any of the rights described in this section consistent with applicable law and our role with respect to your personal information by emailingsupport+privacy@authento.io. Please note that we may ask you to verify your identity before taking further action on your request. In some jurisdictions, applicable law may entitle you to:

• Request confirmation of whether we are processing your personal information, obtain a copy of your personal information, and obtain information about how we handle your personal information;
• Receive an electronic copy of personal information that you have provided to us in a structured, commonly used, and machine-readable format, or ask us to transmit this information to another company (where technically feasible);
• Subject to certain exceptions prescribed by law, request deletion of your personal information
• Object to or restrict our uses of your personal information;
• Seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; and
• Lodge a complaint with the competent supervisory authority or regulatory agency.

Where we process your personal information based on your consent, you may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. We will not discriminate against you for exercising any of the above rights.

9. Your consent

You consent to Authento obtaining and using your personal information to enable your use of the Services which are partly based on machine learning algorithms; this includes your consent to:

• Authento (or a third party service provider used by Authento) processing your personal information using machine learning algorithms, including facial recognition algorithms, to provide and improve its Services and to match an image of your face with an image of your face on your identification document, which may qualify as a processing of sensitive personal information; and
• Authento sharing your personal information that Authento has collected in connection with your transaction with a particular Client with that Client (e.g., a visually scanned or photographed image of your face or of your identification document) and service providers; and
• Authento retaining your personal information described in Subsection I.2 (“Personal information we process”) to provide our Services and to identify potentially fraudulent transactions.

You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal. If Authento has collected your personal information on the basis of your consent and you then withdraw your consent, Authento may retain your personal information independent of your consent to the extent necessary to establish, exercise or defend legal claims, to comply with legal obligations, or to identify potentially fraudulent transactions.

10. Other important information

Children's privacy

The Services are not intentionally designed for or directed at children. We recommend that persons over 13, but under 18 years of age, ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet. Otherwise, if Authento discovers that a child's personal data has been accidentally submitted to Authento, it will be deleted without undue delay.

Data quality and automated decision making

To help safeguard the quality of the data provided by the Services, Authento implements measures that may include manual review of the personal information by specially trained verification agents or machine learning capabilities. When we process the personal information automatically, we apply the following examples of criteria:

• Checks on the integrity and quality of photographs;
• Checks on the integrity and recognition of documents;
• Extraction and analysis of text, graphical layout, and any other available information on the documents, face photographs and biometric data, background;
• Analysis of results of all the steps combined, considering multiple variables, predictions and confidence values for a final score;
• Lookups against known images as well as known fraudulent cases;
• Procedures to minimize demographic bias in machine learning algorithms; and
• In cases of identity verification, a selfie or video may be used to compare against the photograph on an identification document, to ensure the individual is genuinely present during the transaction.

If, and to the extent that, Authento's Clients make a decision based on the information provided by Authento, please reach out to the Client responsible for an End-User's personal information with any questions regarding the rights that End-User may have in case that End-User's personal information is subject to automated decision-making.

Legal basis for processing

When Authento is engaged by its Clients to perform identity verification procedures in respect of End-Users, the processing of personal data by Authento is covered by those legal grounds that are relied on by certain Clients with whom Authento has an agreement.

As discussed in Subsection 2 (“How we use personal information”), Authento's legitimate interest in processing personal information arises from the strict necessity of internal analysis and ongoing development and improvement of Authento's services that our Clients use to detect fraud and illicit activities to prevent money laundering, terrorist financing, fraud, and other activities, which are considered a matter of substantial public interest. In this case, we use legitimate interest if the Client grants us permission to process data provided that Authento's purposes are compatible with those initial purposes for which the personal data has been collected. Such purposes are compatible due to the obligations or interests of our Client regarding the combat of fraud and detection of any illegal actions.

If you are a resident of the EEA, Switzerland, or the UK, Authento processes your personal information on the following legal bases under the General Data Protection Regulation (“GDPR“) or the UK GDPR:

• Your consent;
• Authento's and its Clients' prevailing legitimate interest to achieve the purposes set out in Subsection I.1. (“How we collect and use your personal information”) and the prevailing legitimate interest of individuals whose personal information is used for a fraudulent transaction to not become victims of identity theft;
• The necessity to comply with legal obligations to which Authento is subject; and
• The necessity for the establishment, exercise, or defense of legal claims.

II. Privacy Policy applicable to Authento Clients and Site visitors

When you visit and use the Site, we collect and process certain information about your interactions with the website and the data you leave at your sole discretion. For more information, please read this Policy attentively.

1. Personal Data Collected From Site Visitors

The Personal Data we collect depends on how you interact with us, the services you use, and the choices you make.

We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Information you provide directly. We collect Personal Data you provide to us. For example:

• Name and contact information. We collect name, username or alias, and contact details such as email address, postal address, and phone number.
• Demographic data. In some cases, such as when you register or participate in surveys, we request that you provide age, gender, marital status, and similar demographic details.
• Payment information. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.
• Content and files. We collect the photos, documents, or other files you upload to our services; and if you send us email messages or other communications, we collect and retain those communications.

Information we collect automatically. When you use our services, we collect some information automatically. For example:

• Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device's operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookies, Mobile IDs, and Similar Technologies section below, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.
• Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our apps or online services.
• Usage data. We automatically log your activity on our websites, apps and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website.

Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.

Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:

• Data brokers. Data brokers and aggregators from which we obtain data to supplement the data we collect. ‍
• Third party partners. Third party applications and services, including social networks you choose to connect with or interact with through our services. ‍
• Co-branding/marketing partners. Partners with which we offer co-branded services or engage in joint marketing activities.
• Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device's location based on its IP address.
• Publicly available sources. Public sources of information such as open government databases.

When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.

2. Cookies, Mobile IDs, and Similar Technologies

We may use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.

3. How we use Personal Data

We use the Personal Data we collect for purposes described in this Privacy Policy or otherwise disclosed to you. For example, we collect and use the categories of Personal Data described above for the following purposes:

• Product and service delivery, including to provide and deliver our services, including troubleshooting, improving our services, and personalizing our services;
• Business operations, including to operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations;
• Product improvement, development, and research, including to develop new services or features, and conduct research;
• Personalization, including to understand you and your preferences to enhance your experience and enjoyment using our services;
• Customer support, including to provide customer support and respond to your questions;
• Communications, including to send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
• Marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners (see the Choice and Control section of this Privacy Policy for how to change your preferences for promotional communications); and
• Advertising, including display advertising to you (see our Cookie Policy for information about personalized advertising and your advertising choices).

4. How we disclose Personal Data

We disclose Personal Data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, with the types of third parties described below, for the following business purposes:

• Public information. You may select options available through our services to publicly display and share your name and/or username and certain other information, such as your profile, demographic data, content and files, or geolocation data.
• Service providers. We provide Personal Data to vendors or agents working on our behalf for the purposes described in this policy. For example, companies we've hired to provide customer service support or assist in protecting and securing our systems and services may need access to Personal Data to provide those functions.
• Financial services & payment processing. When you provide payment data, for example to make a purchase, we will provide payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
• Affiliates. We enable access to Personal Data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.
• Corporate transactions. We may disclose Personal Data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
• Legal and law enforcement. We will access, disclose, and preserve Personal Data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
• Security, safety, and protecting rights. We will disclose Personal Data if we believe it is necessary to:
  • protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
  • operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
  • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and advertising companies also collect Personal Data through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in our Cookie Policy.

These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy statements. Finally, we may share de-identified information in accordance with applicable law.

Some of the data disclosures to these third parties may be considered a “sale” or “sharing” of Personal Data as defined under the laws of California and other U.S. states.

5. Data Retention

We retain Personal Data for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and our legal or contractual obligations.

6. Choice and Control of Personal Data

We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.

Access, portability, correction, and deletion. If you wish to access, correct, or delete Personal Data about you that we hold, you may email support+privacy@authento.io to make your request.

Communications preferences. You can choose whether to receive promotional communications from us by email, and telephone. If you receive a promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.

Data sales and targeted advertising. Some privacy laws define “sale” broadly to include some of the disclosures described above. To opt-out from such data “sales” or targeted advertising, opt out by clicking on “Do Not Sell or Share My Personal Information” on the footer of our website.

Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the Personal Data. Further, we may decline a request where we are unable to authenticate you as the person to whom the Personal Data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal as described in the Contact Us section below.

7. European Data Protection Rights

If the processing of Personal Data about you is subject to European Union data protection law, you have certain rights with respect to that data:

• You can request access to, and rectification or erasure of, Personal Data;
• If any automated processing of Personal Data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the Personal Data in a usable and portable format;
• If the processing of Personal Data is based on your consent, you can withdraw consent at any time for future processing;
• You can object to, or obtain a restriction of, the processing of Personal Data under certain circumstances; and
• For residents of France, you can send us specific instructions regarding the use of Personal Data after your death.

To make such requests please contact us as described in the Contact Us section below. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.

We rely on different lawful bases for collecting and processing Personal Data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests.

8. California Privacy Rights

If you are a California resident and the processing of Personal Data about you is subject to the California Consumer Privacy Act (CCPA), you have certain rights with respect to that information.

Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of Personal Data, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this policy by clicking on the above links.

Right to Know. You have a right to request that we disclose to you the Personal Data we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such Personal Data. Note that we have provided much of this information in this privacy policy. You may make such a “request to know” by emailing us at support+privacy@authento.io.

Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate Personal Data and that we delete Personal Data under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, email us at support+privacy@authento.io.

Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of Personal Data as those terms are defined by the CCPA.

The CCPA requires us to describe the categories of Personal Data we sell and/or share to third parties and how to opt-out of future sales or sharing. The CCPA defines “sell,” “share,” and “personal information” very broadly, and some of our data sharing described in this privacy policy may be considered a “sale” or “sharing” under those definitions, such as disclosing Personal Data to third parties for our own advertising purposes. We let advertising and analytics providers collect IP addresses and cookie IDs along with associated device and usage data when you access our website, but we do not “sell” or “share” any other types of Personal Data.

If you do not wish for us or our partners to “sell” or “share” Personal Data relating to your visits to our websites for advertising purposes, you can make your request by clicking on Do Not Sell or Share My Personal Information page, using a Global Privacy Control, or emailing us at support+privacy@authento.io. If you opt-out using these choices, we will not share or make available such Personal Data in ways that are considered a “sale” or “sharing” under the CCPA. However, we will continue to make available to our partners (acting as our service providers) some Personal Data to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” or “shared” Personal Data or stop all interest-based advertising.

We do not knowingly sell or share the Personal Data of minors under 16 years of age.

Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive Personal Data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use Sensitive Personal Data for any such additional purposes.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

Further, to provide, correct, or delete specific pieces of Personal Data will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of Personal Data we may have, there may be no reasonable method by which we can verify your identity as the person to whom that data relates.

Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties' direct marketing purposes.

Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law.

California Customers may request further information about our compliance with this law by emailing support+privacy@authento.io. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.

9. Location of Personal Data

The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. We take steps designed to ensure that Personal Data is processed and protected as described in this policy wherever the data is located.

10. Security

We take reasonable and appropriate steps to help protect Personal Data from unauthorized access, use, disclosure, alteration, and destruction.

To help us protect Personal Data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.

III. Changes to this policy

Authento may need to update this Privacy Policy from time to time to comply with applicable law and regulations or other legitimate purposes. Subject to obtaining your explicit consent as may be required by applicable law, the new modified privacy statement will apply from that revision date. Therefore, we encourage you to review this Privacy Policy periodically to be informed about how we are protecting your information.

IV. Contacting Authento

If you have any questions or comments regarding this Privacy Policy, please send an email to support+privacy@authento.io.

Last Updated: August, 2023