Personr Pty Ltd processes personal data in the course of service provision to its Clients according to their instructions. 

The client is the Controller that determines the purpose of data processing, exercises control over the User’s personal data, and stipulates the retention period of the User’s data according to its purposes. Personr Pty Ltd, in turn, is a Processor that conducts only those data processing activities that the client requests. 

For clarity, Personr Pty Ltd performs remote identity verification procedures for the client as part of service provision. Before passing such procedures, the User consents to such processing or is properly notified by the client in line with the client’s Privacy Policy.

When developing and improving Services as a matter of public interest and other cases specified in this Privacy Notice, Personr Pty Ltd is the Controller of Users' personal data.

‍Scope
‍
This Privacy Notice outlines how we collect and process personal data, commit to protecting your information, and provide the framework through which effective management of data protection matters can be achieved while providing our Services. 

This Privacy Notice does not cover how Personr Pty Ltd Clients may treat Users' personal data. Clients provide this information in their privacy statements which are not subject to Personr Pty Ltd's control.

‍Definitions
‍
Agreement -The Service Provider Agreement concluded with each Client, its annexes and appendices;
‍
Client -The legal entity to which Personr Pty Ltd provides Services under the Agreement;
‍
Service(s) -The personal identity verification service and connected services provided by Personr Pty Ltd;


Data Controller, or Controller -The Client where it, alone or jointly with others, determines the purposes and means of the processing of personal data by written instruction for processing activities given to Personr Pty Ltd;
Data Processor, or Processor -Personr Pty Ltd where it processes personal data on behalf of a Data Controller;
‍
Third-Party Processors -Processors authorised to exercise certain processing activities under the direct authority of Personr Pty Ltd;
‍
Data Providers -Third-party service providers or public authorities used to collect additional information necessary for the provision of the Services;
Data Subject -Any individual (hereafter - User) whose personal data Personr Pty Ltd may process on behalf of the Controller (the Client’s customers);
‍
Personal data -Any information relating to an identified or identifiable Data Subject;
‍
Special categories of personal data -Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health or data concerning a natural person's sex life or sexual orientation;
‍
Data concerning health -Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‍
Filing system -Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis used for service provision;
‍
User -Any individual in respect of whom the identity verification procedure (or any of its elements) is performed as part of the Services provided to a Client (may be referred to as ‘you’ in this Notice);
‍
Website -personr.co, enterprise.personr.co;
‍
Processing -Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‍
‍Personal data breach -A breach of data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;Consent -Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;
‍
Livechat -A system that allows Users to have a real-time interaction with Personr Pty Ltd’s support team in a chatbox on the Website page in the browser;
Customer due diligence procedure -The process and rules established by the Client in line with applicable regulations, including the requirements for identifying its customers, related risks and checking they are who they say they are (may be referred to as ‘KYC’ in this Notice);
‍
AML/CFT -Anti-Money Laundering / Combating the Financing of Terrorism legal rules and standards as envisaged in FATF recommendations, EU regulations, and national legislation;
‍
Politically Exposed Persons (PEPs) -Individuals who are or have been entrusted with prominent public functions (e.g., heads of state or government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials), as well as their relatives and close associates;
‍
CCPA -The California Consumer Privacy Act of 2018, Civil Code sections 1798.100.

‍Principles of personal data processing that Personr Pty Ltd adheres to
‍
Personr Pty Ltd adheres to the principles of personal data protection as envisaged in the EU GDPR, UK GDPR, AU Privacy Act 1988 and CCPA.

In accordance with these principles, Personr Pty Ltd assists the Controller in ensuring that the User’s personal data is:

• Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
• Processed for specified, explicit, and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
• Kept accurate and up to date;
• Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;
• Processed in a manner that ensures their appropriate security;

‍
‍Purposes of personal data processing
‍
Performance of the Agreement -

‍While serving Clients, Personr Pty Ltd mainly processes your data as a Processor for the Client's benefit. Personr Pty Ltd processes personal data for the performance of the Agreements, including indicated services, obligations arising from the Agreement, and related rights, as well as for the execution of rights and fulfilment of obligations deriving from legal acts and processing Users' requests.
‍
This Privacy Notice does not cover how Personr Pty Ltd Clients may treat Users' personal data. Clients provide this information in their privacy statements which are not subject to Personr Pty Ltd's control.

Personr Pty Ltd collects and further processes Users' data for the Client, which may include matters of compliance with applicable AML/CFT and/or other laws and regulations and/or the Client's internal customer due diligence procedures. Once personal data is no longer necessary for the relevant purpose, Personr Pty Ltd erases it from its servers upon the Client's written instruction without leaving any backup copies after transferring it to the Client.

Other purposes -

We may process your data for purposes that serve Personr Pty Ltd's legitimate interests, which include the following purposes:

• Where it’s not prohibited by applicable laws and provided we have permission from our Clients, we may process some personal data, including biometrics, to develop and improve identity verification services to prevent and detect fraud and other illicit activity as part of substantial public interest via machine learning. For more information, please refer to Provision 5 (Service Development);
• Given the nature of our Services, we are to detect and prevent criminal activity, fraud, and money laundering by checking the provided User data against records of confirmed or suspected illegal activity, fraud or money laundering. If any sign of this appears, we will inform our Clients of this. For more information, please refer to Provision 5 (Fraud detection);
• In connection with the purpose above, we may also conduct profiling, statistical analysis, and analytics in AML/CFT tendency, fraud detection, and prevention. The System may aggregate the User's data with other Users' data to generate reports and charts our Clients may use when assuming the risk likelihood associated with specific characteristics;
• We sometimes may be obliged to process or retain all or part of personal data for the establishment, exercise, or defence of legal claims;
• We process some personal data while adhering to the principles of personal data handling, namely lawfulness and accountability, by obtaining the legal basis for processing specific personal data concerning certain Users, as required under laws applicable to such Users. Obtaining and maintaining records that we have obtained on such a legal basis is essential to prove that we comply and adhere to our legal obligations outside and in the European Union and the United Kingdom.

‍
‍Data processing activities
‍‍
Personr Pty Ltd provides multiple types of automated processing, including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination (if so legally binding), or otherwise making available, alignment or combination, restriction, erasure or destruction.

‍Document сheck -

‍For fraud detection, Personr Pty Ltd subjects personal data from photos and scanned copies of documents to automated reading and verification of authenticity by conducting different checks, such as completeness of records, screenshots detection, or cross-checking of all data from all submitted documents (e.g., name, date, and place of birth, signature). We also check the document's security features, including the embedded security chip, machine-readable zone (MRZ), barcodes, QR codes and other security components used for genuine data validation. The Personr Pty Ltd system analyses the results of the above to make an inference regarding the document’s trustworthiness.

‍Biometric processing methods -

‍Personr Pty Ltd may process biometrics to verify whether provided facial images are likely to match depending on the service chosen by a particular Client. The processing of biometrics means extracting facial features from uploaded or recorded facial images on government-issued identity documents submitted by the User and comparing them. We store this biometric data for a period our Client instructs.

There are several reasons why Clients ask for such biometrics processing. Generally, Clients may wish to check whether an identity document genuinely belongs to the User by comparing a provided facial image to the facial image contained in the identity document.

In addition, Clients may ask us to check whether a User is alive and genuine. To do this, we use our Liveness check to determine if the User isn’t holding a mobile phone, showing any signs of constraint, or attempting to defraud the system using emulators, static images, or ‘deep fakes’. 

As a rule, the User is prompted to blink, smile, or move their device while passing Liveness. During such checks, we may also detect signs of fraud or other spoofing attacks by comparing the User's facial features to those of known masks. 

Simultaneously, we may also check whether the User may be generating multiple identities by inspecting whether we have previously verified him/her on behalf of a particular Client. 

To determine if the User is known to a specific Client, we compare the User's facial image to the facial images of other Users previously verified on behalf of that particular Client.

When required by the Client, we assist in the authentication process. For this, the Client may ask the User to pass liveness. During this process, the User’s face is recognised, and the result is compared with the biometric data records of the said User obtained previously.

For each authentication attempt, we will compare the new liveness facial image with the biometrics of the said User obtained previously.

‍Data validation -

‍These data validation checks enable Clients to verify data against databases of third-party data providers and detect whether the User is involved in illicit activities, money laundering or terrorism financing. 

To do this, we will check the data extracted from the uploaded documents or provided by the User against a database of third-party data providers. The data providers we may use depend on the Client’s needs and the User’s location and may include ID registers, proof of address checks, the Social Security Administration and other government or commercial sources and databases, consumer credit agencies, PEP lists, global and country-specific sanctions lists, and adverse media sources.

Throughout the course of the Client’s relationship with the User, we may assist the Client in periodically screening the User’s data against databases to help prevent, detect, and investigate fraud and money laundering.

‍Know Your Business or KYB check -

‍If the Client subscribes to the KYB check, it requires us to verify the existence, details, ownership, and control structure (e.g., ultimate beneficial owner(s)) of a legal entity through analysis of corporate documents and review of corporate registries, where available.

‍Fraud detection -

‍Personr Pty Ltd implements a fraud detection and control network based on the anti-fraud checks required by our Clients and those included in our Services by default (e.g., Photoshop use or risk triggers calculation). 

Such checks require collecting, analysing, and re-using recorded User data.

Generally, Personr Pty Ltd verifies whether the User’s attributes—geolocation (IP address), device signature (operating system and camera name), email address, or mobile phone—have previously been involved in or related to any fraudulent activity or may currently signal suspicious behaviour patterns and otherwise point out that the User is fake.

At the Client’s order, we may check information with our Data Providers on AML/CFT regulations requirements, such as screening through adverse media mentions match or checking for residency in high-risk countries. 

Besides, we check whether the User creates multiple identities by inspecting whether we have previously verified a User on behalf of a particular Client using biometric data comparison techniques.

All these checks are designed to help us and Clients assess the likelihood of customer trustworthiness, flag potentially fraudulent activities and assign a relevant risk score when the Client needs to acknowledge cases when Users generate multiple identities, compromise their data, or manipulate device or network information. 

The Client may consult with the fraud detection and control network on the fraud-related level of risk of the User under the onboarding process without accessing any personal data.

‍Automated decision-making relief and checks -

‍We conduct identity verification checks on behalf of the Client, however, we do not make any final decisions. Our role is to provide the Client with reports containing information about the identity verification process and results (with the reasoning behind them reflecting the level of fraud or another risk if any. 

The reasons are derived from the work of our system and its algorithms, including those based on a symbiosis of machine learning models and intervention. The final decision on User onboarding is made by a human on the Client’s side when the checks' result is transmitted to the particular Client. 

The Clients consider this information while deciding to accept or decline a User application, request further checks, or continue to service that User following their risk assessment and investigations.

Personr Pty Ltd checks may be fully automated due to simplicity, using machine learning, or the Client's request. 

When Clients use check results to make final decisions regarding Users undergoing verification, the final decision-making process may or may not be automated by the Client. 

When the Client makes automated decisions, including those based on our check results, they shall inform you of the legal grounds and, if necessary, obtain your consent. Any User can appeal automated decisions by going through the methods provided on the Client's side.

‍When you've passed verification successfully -

‍All required checks have been successfully completed. This means that the data you've provided is genuine and compliant with the requirements of the particular Client and approved by them. Now you are allowed to use the service for which you were passing the verification process.

‍When you cannot pass verification successfully -

‍Some of the checks need to be more precise. It means that some of the data provided by Users do not comply with the Client's requirements by posing some risk or seeming potentially suspicious or fraudulent (e.g., the device you took the photo from is different from that you passed the whole verification process or the data presented are inconsistent). 

In this case, we return results to the Client for further consideration by tagging them with the relevant theme (e.g., 'WRONG_ADDRESS' or 'INCOMPLETE_DOCUMENT'). Then, the service for which you passed the verification check will consider and evaluate the results and ask for additional information from you to clarify your application. 

The Client may reject or freeze your application following its risk procedures or other internal policies.

‍Service development -

‍Our Clients use our services to detect whether a real person is passing the identity verification process, as well as any impersonation or spoofing attempts, to prevent money laundering, terrorist financing, fraud, and other activities that are considered a matter of public interest. That is why we, as a service provider, are responsible for providing the highest quality services. For this reason, where we have the authorisation of our Clients, and it is not prohibited by applicable law, we as a data controller use personal data to develop and improve our services by building and enhancing algorithms and developing and testing new verification options, products and services to verify a User's identity better and detect fraud.

We do this in two ways. We deploy a system of recognising specific patterns in the information and making predictions about new data sets based on those patterns by training our computers or so-called 'machine learning.’ Machine learning helps create models based on the information provided by the Users, such as signs of potential fake data, and selects the best models to be integrated into our system. 

The development of services also includes continuous improvement and assessment. We review our service delivery methods to ensure that we comply with Clients’ requirements and work appropriately by testing and correcting new features and functions. 

‍
‍Types of personal data processed by Personr Pty Ltd

We may collect and further process the following personal data of Users depending on the particular Service being provided to the Client:

• Categories of personal data
• Examples
• General personal data
• Full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, and postcode).
• Identity document data
• Document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features.
• Facial image data
• Photos of the face (including selfie images) and photos or scans of the face on the identification document, videos, and sound recordings.
• Biometrical data
• Facial features.
• Banking details
• Cardholder name, expiry date, first 6 and last 4 digits of the card number.
• Contact details
• Address, e-mail address, and phone number.
• Technical data
• Information regarding the date, time, and activity in the Services; IP address and domain name; software and hardware attributes (e.g., camera name and type); general geographic location (e.g., city, country) from User’s device.
• Geolocation data
• IP address