Entrust Identity Verification Services Facial Scan and Audio Recording Policy

This Facial Scan and Audio Recording Policy (“Facial Scan Policy”) applies to users located in the United States who use the Entrust Identity Verification Services (formerly the Onfido Identity Services) (“Services”). 

This Facial Scan Policy describes how Onfido, Inc. and its affiliate companies* (collectively, “Entrust”) treats data from photos/videos (including audio recordings) of you and your identity documents captured via your device camera or otherwise uploaded, including data that may be construed as a scan of face geometry or voiceprint extracted from such images/videos of you and your identity documents submitted to the Services (“Scan Data”) and information, regardless of how it is captured, converted, stored, or shared, based on your Scan Data that is used to identify you, including an Encrypted Biometric Token (“EBT”) (“Scan Information”). Scan Data and Scan Information (collectively, “Biometric Data”) may be considered to be biometric identifiers or biometric information by applicable biometric privacy laws. 

This Facial Scan Policy should be read in conjunction with the Entrust Identity Verification Service’s Terms of Service and Product Privacy Notice which describe the Services and their use of personal data, including sensitive personal data, in more detail. Notwithstanding any indication to the contrary, in the Terms of Service or Product Privacy Notice or any other document or policy, the terms of this Facial Scan Policy shall prevail in the event of any inconsistency with other terms or notices provided to you. 

Why Entrust is using Biometric Data: You are likely reading this Facial Scan Policy because you have been directed to it by a company that owns or operates a website or app that you are trying to use or some other service you wish to access (“Company”). This Company is an Entrust client. Entrust helps its clients to verify their users’ identities so the users can access the Company’s services quickly, easily and securely. At the Company’s request, Entrust, and its service providers named below (“Providers”), will collect, capture, obtain, possess, store, use, process, disclose and re-disclose (“Processes”) Biometric Data on the Company’s behalf, for the purposes of: 

(1) Verifying your identity by comparing facial Biometric Data extracted from the photo/video of your face, to facial Biometric Data extracted from the photo in your identity document; 

(2) Authenticating you and your use of the Company’s services by comparing facial Biometric Data from a reference image (for example, an image you provided to the Company when you signed up for an account or the photo in your identity document), to the facial Biometric Data extracted from a new photo/video of your face; 

(3) Analyzing Biometric Data to detect and prevent fraud, including to determine whether Entrust has previously verified your identity and/or to identify signs of coercion or social engineering; 

(4) Evaluating the authenticity of images and videos and identity documents, including detecting whether there is a genuine human or physical document in your photos/videos or signs of tampering; and 

(5) Improving and developing the Entrust Identity Verification Services, where permitted by applicable law. 

In addition to the Biometric Data, Entrust will Process other personal data, including sensitive personal data, (for example IP address and other data about your device and personal data extracted from your identity document e.g. name, date of birth etc) (“Personal Data”) for the purposes listed above. See the Entrust Identity Verification Services Product Privacy Notice for more information. 

Entrust will use reasonable standards of care, consistent with its industry, to store, transmit, and protect from disclosure your Biometric Data, in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Entrust will not sell, lease, trade, or, other than for the purposes described in this Policy, otherwise profit from Biometric Data. 

Retention of your Biometric Data: In the event that the Company uses the Services to generate an EBT, Entrust will not store your EBT. Rather, the Company will store your EBT and Entrust will retain a key that can be used to access the data in the EBT pursuant to your consent for the purposes set forth in this Facial Scan Policy. The key that Entrust stores does not contain any Personal Data (it is a 256bits randomly generated number). 

Other than the EBT, Entrust stores and uses the Biometric Data described above for a maximum of three-hundred and sixty five (365) days after you or the Company submitted photos/videos of your face and/or identity document to the Services, or a shorter retention period set by the Company. After this, it permanently destroys your Biometric Data that it stores, unless otherwise required by law or legal process to retain the data. Entrust stores all photos/videos (including audio recordings) for up to three (3) years after submission of photos/videos of your face and/or identity document to the Services, at which time they are permanently destroyed, unless otherwise required by law or legal process to retain the materials. (You should read the Company’s own privacy related policies and terms of use to understand how long the Company may retain Biometric Data, including your EBT, if applicable). 

You will be asked whether you consent to the use of your Biometric Data as described above (see more below). If you do not consent, Entrust will not extract Biometric Data from your photos/videos or audio recordings, Process your Biometric Data, or verify or authenticate your identity. Entrust will store a record of the partially completed process and any photos/videos (including audio recordings) in accordance with the instructions of the Company up to a maximum of three (3) years from the time you terminated the process. After this time Entrust will permanently destroy your photos/videos (including audio recordings), unless otherwise required by law or legal process to retain the materials. 

Disclosure of your Biometric Data: When Processing your Biometric Data on behalf of the Company, Entrust will only disclose, redisclose or otherwise disseminate Biometric Data in the following circumstances: 

• In accordance with the Company’s instructions, to complete a Company transaction and as requested and authorized by you or your legally authorized representative;
• To complete a financial transaction requested or authorized by you or your legally authorized representative;
• As required by state or federal law, or municipal ordinance;
• As required pursuant to a warrant or subpoena issued by a court of competent jurisdiction;
• To a third-party Provider acting on Entrust’s behalf, namely Microsoft Ireland Operations Limited (whose technology is used to convert your audio recording into written text (“Speech to Text”)) and Amazon Web Services (who provides another Speech to Text service as well as cloud storage); or
• As expressly consented to by you or your authorized representative. 

Entrust is in no way linked to or responsible for the practices of the Company or Providers. Entrust encourages you to read the Company’s and any Provider’s privacy policies and terms and conditions which may apply to the use of Biometric Data. 

Your consent: BY CLICKING ON THE “ACCEPT” BUTTON, YOU AGREE THAT YOU: (1) HAVE READ, UNDERSTAND, AND ACCEPT THIS FACIAL SCAN POLICY AND TERMS OF SERVICE; (2) GRANT CONSENT TO ENTRUST, THE COMPANY AND PROVIDERS TO PROCESS YOUR BIOMETRIC DATA AND OTHER PERSONAL DATA FOR THE PURPOSES DESCRIBED IN THIS FACIAL SCAN POLICY; (3) RELEASE IN FAVOUR OF ENTRUST, THE COMPANY, AND THE PROVIDERS ANY CLAIMS RELATED TO YOUR BIOMETRIC DATA, PHOTO/VIDEO (INCLUDING AUDIO RECORDINGS); AND (4) CONFIRM THAT YOU ARE NOT ACCESSING THE SERVICES IN ANY JURISDICTION WHERE THE SERVICES ARE NOT PERMITTED BY APPLICABLE LAW. 

Withdrawal of your consent: If you consent now but would like to later withdraw your consent, please contact the Company as described in the Company’s Privacy Policy. 

*Onfido, Inc. affiliate companies

• Onfido Ltd 14-18 Finsbury Square, 3rd Floor, London, England, EC2A 1AH
• Onfido SAS Regus La Defense Tour Ariane, 5 place de la Pyramide, 92088 Paris La Defense Cedex
• Onfido Inc Paracorp Incorporated, 2140 South Dupont Highway, Camden, Delaware 19934
• Onfido GmbH Am Kaiserkai 69, 20457 Hamburg
• Onfido Unipessoal Avenida D João II, n°46 - 4A, 1990-095 Lisboa
• Onfido Services India Private Limited Unit No. 9, Corporate Park II, 9th floor, VN Purav Marg, Near Swastik Chambers, Chembur, Mumbai - 400071
• Onfido PTE Ltd 100 Tras Street, #16-01, 100 AM, Singapore (079027)
• Onfido BV Ground, 1st, 2nd and 3rd Floor, Joop Geesinkweg 901-999, Amsterdam-Duivendrecht, 1114 AB, Netherlands 
• Airside Mobile Inc 3500 S Dupont Highway, Dover, Kent Country, 19901, Delaware
• Entrust Corporation, 1187 Park Place, Shakopee, Minneapolis, MN 55379, Minnesota and each of its subsidiaries who may process personal data in order to provide the Services to the Company.