Services Privacy Policy
Last Updated: September 2024
This Services Privacy Policy (“Privacy Policy”) sets out the privacy practices of Trulioo Information Services Inc. and our affiliates (“Trulioo”, “we”, “our”, “us”) in connection with the services we offer to our business customers (our “Services”).
We make our Services available to our customers for integration into our customers’ websites and mobile applications. This Privacy Policy does not apply to the services offered by our customers who use our Services. Please consult the privacy policy of our customer that is using our Services with you for more information about their processing of your personal information.
For additional information about how we process personal information in connection with our Services that is specific to a country, state or region, please refer to the section below headed Jurisdiction Specific Notices.
For details about the personal information we collect on our website or in connection with our general business activities, please visit our Website Privacy Policy.
- 1. Our Relationship With You
- 2. Information We Process On Behalf Of Our Customers
- 3. Using Information As A Controller
- 3.1 Providing Our Services
- 3.2 Product Development and Improvement
- 4. How Does Trulioo Share My Personal Information?
- 5. How Do We Keep Your Personal Information Secure?
- 6. Do We Transfer Your Personal Information Internationally?
- 7. What Are Your Privacy Rights and Choices?
- 8. For How Long is Personal Information Retained By Trulioo?
- 9. Automated Decision Making
- 10. Jurisdiction Specific Notices
- 11. Updates To This Privacy Policy
- 12. How To Contact Us
1. Our Relationship With You
This Privacy Policy applies to the processing of personal information by Trulioo as a “controller” (or such similar term under applicable law). When we talk about Trulioo acting as a “controller” we mean that Trulioo determines the purposes and means of processing (i.e., we make decisions about how we will handle your personal information).
Because of the nature of our Services, we primarily act as a service provider and a “processor” when providing our Services (like our identity and business verification services) to customers.
This means that, when we are instructed by a customer, we facilitate the processing of your personal information on behalf of the customer. It is our customers who are responsible for determining what information we process and how we use it, as well as fulfilling your requests to exercise your rights. The section below headed “Information we process on behalf of our customers” explains what we do with this information, but if you are a user of a Trulioo customer, please refer to the privacy policy provided by our customer that is using our Services to process information about you for more information, including how to exercise your privacy rights.
As well as handling your personal information on behalf of our customers to provide our Services, we may also handle your personal information on our own behalf as a controller. For example, we may use information we collect when providing our Services to develop and improve our Services. We also act as a controller when providing some of our Services, such as our Fraud Intelligence service. For details about what types of personal information we collect as a controller in connection with our Services, how we use it and our legal basis for processing your personal information, please refer to the sections below headed “Using information as a controller”.
If you have any questions or concerns about our use of your personal information, please contact us using the contact details under “How To Contact Us” below.
2. Information We Process On Behalf Of Our Customers
This section provides details of the personal information we collect on behalf of a customer as a service provider or processor, depending on which of our Services the customer chooses to use. We may collect personal information about you from the customer, from you directly, or from third party data sources.
Our customer is the controller and responsible for identifying a legal basis where required by law, which permits your personal information to be used for the purposes described below; you should review their privacy policy for further details.
Person Verification
We offer person verification services (such as our “Person Match” service) via a global network of trusted data sources to enable our customers to verify the identity of their users, detect fraud and comply with anti-money laundering (AML) and Know Your Client (KYC) requirements. Our network of data sources includes government and national ID registries, electoral rolls, consumer credit agencies, mobile network providers, utility companies and other trusted sources.
The types of personal information involved will vary depending on the verification checks available in the user’s location and the services selected by our customers. It may include name, date of birth, contact information (such as email address, residential address and telephone number), national ID number or other information provided by a data source.
Identity Document Verification
We offer identity document verification services to enable our customers to verify the authenticity of an identity document (“ID”) and confirm the identity of their user pictured in the ID and a live photograph (i.e., selfie).
To enable us to conduct a document verification check, a user will be asked to submit a photo of their ID (front and back) and/or a photograph / selfie depending on how our customers have configured the service. We will extract data from the ID, including facial scan data from the photo on the ID. Facial scan data will be compared to the selfie to assess whether the same person is pictured in both images. We will also look for signs of fraud in the images, including checking whether the images have been taken in real time (as opposed to an image of an image, for example) and whether any other fraud indicators are present (including any tampering of data on the ID or the presence of any data inconsistencies). Based on the results of these assessments, we will advise our customer whether the user’s identity has been verified or whether any indicators of fraud were detected.
When performing a document verification check on behalf of our customers, we collect and process the following personal information: government issued ID (for example, passport, driver’s license or identity card), any personal information captured on the ID (for example, name, date of birth, address, document number, and photo), and photograph / selfie. We will process facial scan data extracted from the photo on the ID and/or selfie, which may be classed as “biometric information”, “biometric data” or “biometric identifiers” in certain jurisdictions.
Facial Scan Data and Biometric Information
For more information about our processing of facial scan data for our document verification services, please refer to our Facial Scan and Biometric Information Policy.
Where permitted by our customers and applicable law, we may process the personal information listed above to improve our identity document verification services (including the machine learning models) or other services as a controller. For more details, please review the “Product Development and Improvement” section below.
Business Verification
We offer business verification services to enable our customers to meet their Know Your Business (KYB) compliance requirements by verifying company information, including information about company officers, such as directors, officers and ultimate beneficial owners, by providing access to information from government registries and other public records.
Information collected may include company ownership or directorship related information, including company address, position held (e.g., director), and current status (e.g., resigned, active, start date, end date).
Watch-list Screening
We provide watch-list screening services to enable our customers to screen an individual or a business’ information against global sanction or politically exposed person (PEP) lists and adverse media sources, and return publicly available information from such lists and sources in a report. If instructed by a customer, our watch-list screening services may be provided on an ongoing basis, for example where a customer’s regulatory obligations require ongoing monitoring.
3. Using Information As A Controller
As explained above, when we use personal information to provide many of our Services to our customers, we are acting on their behalf as their service provider and processor. However, we also collect and process personal information about our customer’s users, and others, on our own behalf (as a “controller”) for the purposes described in this section.
We will only use your personal information for a particular purpose where we have a “legal basis” where required by law as described below. If you have further questions about the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
3.1 Providing Our Services
Fraud Intelligence
Fraud Intelligence is our fraud prevention and detection service, which is used by our customers to assess whether an individual being onboarded to the customer’s service is using a fraudulent or stolen identity. We do this by generating, combining and sharing our proprietary risk signals and third-party risk signals obtained from data providers, along with an overall risk score.
Categories of Personal Information
- Customer Data: The information we collect to generate risk signals will be provided by our customers and will typically include the name, plus the email address or phone number for the customer’s user. Our customers may also provide us with other information including date of birth, physical address, national ID number, device information (such as IP address) and browser information of the customer’s users.
When a customer submits customer data to the Service, Trulioo and/or our data providers will analyze the data, alone or in conjunction with other data provided by our data providers or other customers, to provide risk signals in response to the customer’s query.
We may also receive insights from our customers about their fraud detection methods, including ongoing feedback regarding whether or not a customer’s user was ultimately deemed fraudulent or risky by the customer.
- Personal Information Derived from Customer Data: We, or our third-party data providers, derive information from analyzing customer data, such as the number of times a data element has been queried in a period of time (velocity), the last time a data element has been seen (recency), or whether a match can be established between two data points (e.g., phone number to name match), to identify behavioral patterns and insights for our fraud prevention services (e.g., patterns confirming that a provided address is genuine).
Purposes of Processing
We process the personal information we collect to generate risk signals to support the provision of our fraud prevention and detection services to our customers. This allows our customers to gain insights to help them identify fraudulent transactions and make risk-based data driven decisions to better understand the risks associated with an individual seeking to use our customers’ services. For example, the risk signals may indicate if an individual shows unusual usage patterns (e.g., if you try to verify multiple times from multiple locations within a short timeframe) or if an identity has been associated with multiple email addresses or telephone numbers, which may be indicative of fraud.
Where permitted by our customers and applicable law, we and our data providers may also process the personal information described above for Fraud Intelligence to improve our Fraud Intelligence service (including the machine learning models) or other services. For more details, review the “Product Development and Improvement” section below.
Legal Basis
We will compile, store and analyze your personal information for the specific purposes described in this section to the extent that such processing is necessary for our and our customers’ legitimate interests. These legitimate interests include:
- Our legitimate interests in operating, developing and improving our fraud prevention and detection services, including to better detect and prevent fraud; and
- Our customers’ legitimate interests in combating identity theft and fraud and creating a safe online environment for users of the customer’s services.
Public Registry Data
Categories of Personal Information
We collect and maintain public registry data about businesses, which includes information about company officers, such as directors, officers and ultimate beneficial owners, to support the provision of our business verification services. The personal information we collect relates to company officers acting in their professional capacity. We collect this information from public records provided by official public registries.
The types of personal information we collect will depend on the information made available on the public registry in a particular country. If you are a company officer whose information is included in public registry data we collect, we may collect information about you such as the following (if it is disclosed on the particular registry): first and last name, company name, correspondence address (which is usually a business address), position at the company (e.g., shareholder / director), tenure at the company (start and end date), date of birth (month and year only), and nationality.
Purposes of Processing
We process the personal information we collect about company officers from public registries to support the provision of our business verification services to our customers. We do this to enable our customers to conduct due diligence on businesses, meet their compliance and regulatory obligations, and better understand the businesses they want to verify, as well as their company officers.
Legal Basis
We collect, build and maintain the personal information to the extent that such processing is necessary for the legitimate interests pursued by Trulioo and its customers. These legitimate interests include:
- Surfacing more comprehensive data on a global basis, which helps customers complete more accurate, complete and expeditious business verification and therefore achieve better compliance with essential and strict AML and KYB/KYC requirements;
- Contributing to the achievement of corporate data accuracy and reliability by facilitating easier access to data held within otherwise siloed national official registers, thereby enabling errors or other questionable aspects of the data to be more readily detected; and
- Ultimately serving a wider public benefit by contributing to the fight against corporate crime and the creation of a safer online environment.
3.2 Product Development and Improvement
Categories of Personal Information
Where permitted by our customers and applicable law, we may use certain personal information we collect in connection with our Services and described in this Privacy Policy to develop and improve our Services.
Please note that Trulioo does not process special categories of personal information for its own product improvement or machine learning purposes (including biometric data for the purpose of uniquely identifying you).
Purposes of Processing
Developing and improving our Services includes building and improving the technology used to provide our Services (such as the machine learning technologies and algorithms) and developing and testing new products and services. For example, this includes training our models to better detect fraudulent activity or verify a user’s identity (e.g., to recognize a new version of an ID document, to learn what driving licenses look like in different countries, and to better detect image blur and glare), minimizing bias and improving model performance, and ensuring the accuracy and integrity of our models and algorithms. As part of this work, we train our technology to recognize specific patterns in information and make predictions about new sets of information based on those patterns. This is known as machine learning. Sometimes we will also use human review or verification, for example for quality or accuracy checks.
Legal Basis
We will compile, store and analyze your personal information for the specific purposes described in this section to the extent that such processing is necessary for our legitimate interests of developing, maintaining and improving the security, accuracy, efficacy and efficiency of our Services.
In some circumstances, where local data protection law requires, we will seek your consent to use your personal information for the purposes described in this section.
4. How Does Trulioo Share My Personal Information?
We share your personal information with the following categories of recipients:
- members of the Trulioo group, only to the extent necessary to fulfill the purposes outlined in this Privacy Policy;
- our third party business infrastructure providers, who we engage to enable us to support our Services and product development and improvement activities, such as data storage and hosting providers, and outsourcing partners (e.g., providers whose staff perform human review of document verification checks);
- third party data providers, who are trusted third party service providers, data partners or public authorities who we engage to provide additional information depending on the Service a customer has chosen to use. For example, we engage third party data providers to support our Fraud Intelligence service, such as providers of third-party risk signals;
- our customers in connection with the provision of our Services (such as public registry data for our business verification services and risk signals for our Fraud Intelligence service);
- any competent law enforcement body, regulator, government agency, court or other third party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person; or
- any other person with your consent to the disclosure (obtained separately from any contract between us).
5. How Do We Keep Your Personal Information Secure?
We use appropriate technical and organizational measures to protect the personal information that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing your personal information. For example: (i) we only work with trusted technologies and vendors who are bound by contractual obligations to protect your personal information and who are assessed for information security risk prior to onboarding; (ii) we limit the number of people who can access your information to people who need to know as part of their job; (iii) we provide training to our employees on data privacy and information security; and (iv) we have in place reasonable security defenses, malware protections, vulnerability management and recovery resilience measures. Where possible, we also pseudonymize, de-identify and/or aggregate personal information to protect privacy and minimize security risks.
6. Do We Transfer Your Personal Information Internationally?
Trulioo is headquartered in Canada, with offices in the United States, Ireland and Denmark, as well as employees globally. We host our Services on Amazon Web Services’ (AWS) highly secure and reliable data centers around the world. Our third-party vendors and trusted data partners also operate globally. This means that we may process your personal information in, and transfer your personal information to, countries outside of the country in which you are based. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).
Where we transfer your personal information to countries and territories outside of the European Economic Area (EEA), Switzerland and the UK, which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission or Swiss authorities, or the “adequacy regulations” (data bridges) from the Secretary of State in the UK. In 2001, the European Commission recognized Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as providing adequate protection for European personal data. The decision is available here. Accordingly, for transfers of European personal information to Trulioo in Canada, Trulioo and its customers can rely on the European Commission’s adequacy decision.
Where the transfer is not subject to an adequacy decision, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy and applicable laws. The safeguards we use to transfer personal information are the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland).
7. What Are Your Privacy Rights and Choices?
Depending on where you are located and subject to applicable privacy laws, you may have the following privacy rights:
- You may access, correct, update or request deletion of your personal information.
- You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information (i.e., your data to be transferred in a readable and standardized format).
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. Withdrawing your consent may also mean we are unable to provide you with certain features or functionality of our Services to the extent consent is required for the processing of your personal information.
You have the right to complain to us or to a supervisory authority about our collection and use of your personal information. For more information, please contact your local supervisory authority.
If you would like to exercise any of your privacy rights you can email us at [email protected].
For additional information about your privacy rights that is specific to a country, state or region, please refer to the section below headed Jurisdiction Specific Notices.
We respond to all requests we receive from individuals wishing to exercise their privacy rights in accordance with applicable data protection laws.
If your request relates to information we process on behalf of our customers, we will redirect the request to the relevant customer.
8. For How Long is Personal Information Retained By Trulioo?
Where we are processing your personal information on behalf of our customers in order to provide our Services, we will retain and delete your personal information in accordance with the relevant customer contract or instructions.
Where we are processing your personal information for our own purposes, such as for product improvement or for our business verification services or Fraud Intelligence service, we retain the personal information we collect from you where we have an ongoing legitimate business need to do so. When we have no ongoing legitimate business need to process your personal information, we will either delete it or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
9. Automated Decision Making
Automated decision-making refers to decisions that are made automatically on the basis of computer determinations (using software algorithms), without human review or intervention and that result in legal or significant effects.
Our Services (including our Fraud Intelligence service) are integrated into our customers’ on-boarding process for their services and we (depending on the Service) are instructed by our customers to conduct verification checks about your identity and/or documents or to return fraud insights to help our customers assess whether to proceed with their on-boarding. Our customers can set their own parameters in connection with their use of our Services and it is our customers that ultimately decide how they use the verification results or fraud insights provided to them. By providing insights to customers, our aim is to empower them to make informed decisions. It is entirely at the customer’s discretion whether to proceed with your on-boarding based on the information provided to them through the Services, but also on the basis of other information available to them (including additional information they may request from users or obtain from other services providers or third-party sources) in order to allow them to make a decision.
If you have any questions about the outcome of a verification check relating to you or your identity document or to a fraud insight relating to you, please contact our customer that is using our Services with you.
10. Jurisdiction Specific Notices
California
If you are a California resident, you may have certain additional privacy rights and you should visit our California Privacy Notice for more information.
U.S. Consumer Health Data
If you are a United States resident, you can find more information about how we process “Consumer Health Data” as that term is defined in applicable U.S. state privacy laws in our U.S. Consumer Health Data Privacy Policy.
11. Updates To This Privacy Policy
We may update this Privacy Policy from time to time in response to changing legal, regulatory, technical or business developments. You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy.
12. How To Contact Us
If you have any questions or concerns about our use of your personal information, please contact us using the following details:
Email: [email protected]
You may also write to us at the following address:
FAO Privacy Office
Trulioo Information Services Inc.
400 – 114 E 4th Ave
Vancouver, BC V5T 1G2
Canada
Or, if you are located in Europe:
FAO Privacy Office
Trulioo (Ireland) Limited
1st Floor, 40 Molesworth Pl.
Dublin 2 D02 K023
Ireland
You may contact our Data Protection Officer by email at [email protected].