Document & Biometric Verification Privacy Notice

Versions: Spanish (Mexico) | French | Portuguese (Brazil)

Welcome. You’re in the right place to learn about how Socure Inc. (collectively, “Socure,” “we,” “us,” or “our”) uses personal information to provide identity verification and fraud prevention services to business customers via our Predictive Document Verification (“DocV”) solution. This Document & Biometric Verification Privacy Notice (“Privacy Notice”) addresses How DocV Works, the Personal Information We Collect (and the Sources), Where We Store And Transfer Your Personal Information, How We Use Your Information, How We Disclose Your Information, How Long We Retain Your Information, How We Protect Your Information, our Lawful Bases for Processing, Your Data Rights, How to Exercise Your Data Rights, and how to Contact Us. 

Subject to applicable law, we may update this Notice from time to time by publishing a new version on this website. Socure also maintains a Global Privacy Statement that applies to all our products & services. If our business customers use DocV and our other products and services, both the Global Privacy Statement and this Privacy Notice apply. (If you’re not sure which products our customers use, please ask them!)

How DocV Works

When you interact with DocV, we ask for your consent to Socure’s Terms of Use and this Privacy Notice. If you decline to consent, the transaction is canceled, which means that Socure does not collect personal information from you. Because Socure is a service provider, you will need to contact the Socure business customer who sent you to DocV to discuss the alternatives they provide to automated identity verification. If you consent, you will be asked to submit one or more photographs of your identity document (e.g., driver’s license front and back or passport). You may also be asked to submit a selfie, either for an initial transaction or for purposes of selfie re-verification. While you capture and submit your photographs, information about your device and how you interact with it may be collected automatically to help us detect unusual or suspicious activity.

Socure uses machine learning and artificial intelligence to help you capture quality photographs and to analyze the photographs you submit and the device you use to submit the photographs. Your photographs and biometric information may be analyzed using facial verification (1 photo compared against 1 photo), facial recognition (1 photo compared against 2 or more photos), or both, to enable DocV to predict the answer to several questions relating to identity verification and fraud prevention, such as:

• Were the photographs captured live at the time of submission?
• What type of document was submitted? 
• Is the document fake or otherwise tampered with? 
• Do the photographs on the document and selfie match? 
• Can the personal information on the document be validated? 
• Is this person of legal age to use the goods or services requested?
• Have we seen this person and/or device before? 
• Is the person using their device as expected? Could this be a bot or a hacker?

It is the exclusive decision of the Socure business customer: (a) whether and for what reason(s) you are sent to DocV; (b) which elements of personal information we collect and analyze on their behalf, including which types of photographs or documents we analyze on their behalf; (c) which alternative verification methods are available; and (e) whether and under what circumstances to accept, review, or reject a particular transaction.

Personal Information We Collect (and the Sources)

For DocV, Socure may collect personal information about you from our business customers or prospects, from your device, from you, from data brokers, and/or from our third-party service providers. The categories of personal information we collect when you interact with DocV are outlined below, together with information about the sources.

California Residents: We collect the same information above for you, and that information also may fall under the following California Consumer Privacy Act (CCPA) categories of personal information: Personal Information Categories Listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)); Internet or Other Electronic Network Activity Information; Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information; Inferences; and Sensitive Personal Information.

Where We Store And Transfer Your Personal Information

Your personal information is stored in the United States, which means that, if you are not already located in the United States, your personal information is transferred to the United States.

How We Use Your Information

We use your personal information in accordance with law and our customer contracts to:

• perform identity verification and fraud prevention services on behalf of our business customers;
• help ensure the security and integrity of DocV;
• identify and repair errors that impair existing or intended DocV functionality or performance; and
• conduct internal research to develop, improve, test, or repair DocV or related services or technology.

The following is a non-exhaustive list of examples illustrating how Socure uses your personal information in connection with DocV:

• Identifiers like the information you provide to our business customer as part of an online transaction can be compared to the identifiers contained in the text and machine-readable components of the documents you submit to Socure via DocV.

• Biometric information may be used to help you take a quality image by providing you with real-time capture instructions such as “Move your phone away from your face” or “Move the phone towards your face.” Biometric information may also be used to compare your selfie to the photograph on your identity document or to provide selfie re-verification services to our business customers by assessing whether we have seen you before.

• Characteristics of protected classifications may be used to test DocV for bias and support fairness in outcomes by measuring product performance across document type (e.g. driver’s license from X state, visa or passport from Y country), age, gender, and race/ethnicity. 

• Device, Browser, and Network Information, including Geolocation Data may be used to detect whether a transaction is being initiated from a sanctioned country or to assist you in completing a DocV transaction in the language of your default browser settings.

• Behavioral data and inferences about how you typically interact with your device during a session may be used for anomaly detection (i.e. to identify behaviors that are not typical of how you interact with your device). For example, if you usually take 30 seconds to capture a photograph using your iPhone 13, but someone purporting to be you, captures a photograph in milliseconds using an Android device from an IP address that is atypical for you, this may indicate anomalous behavior on your device.

• Photographs may be used to extract identifiers, biometric information, and characteristics of protected classifications. Photographs also may be used to train and test machine learning models and to maintain a list of images used in repeated fraudulent or malicious interactions. 

Where permitted or required by law, Socure may also use your personal information to:

• comply with federal, state, or local laws, rules, or regulations, such as by verifying and fulfilling data rights requests;
• comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
• cooperate with law enforcement agencies concerning conduct or activity that we or our customers reasonably and in good faith believe may violate federal, state, local, or international laws, rules, or regulations; 
• investigate, establish, exercise, prepare for, or defend legal claims; and/or 
• perform internal operations aligned with your reasonable expectations or otherwise compatible with processing your personal information in our provision of DocV.

Socure’s use of biometric information does not meet the definition of “consumer health data” for purposes of U.S. state health privacy laws, including because the personal information is used to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities.

How We Disclose Your Information

The following table describes the recipients to whom Socure may disclose your personal information in connection with DocV, the purposes for the disclosure, and the categories of personal information disclosed. 

Socure does not sell, lease or trade biometric data or other personal information to third parties and has no actual knowledge that it sells or shares the personal information of consumers under 16 years of age, as defined by applicable law. Socure does not disclose sensitive personal information for purposes other than those specified in section 7027(l) of the California Consumer Privacy Act Regulations.

How Long We Retain Your Information

We have seen some fraudsters create hundreds of fake identity documents and selfies over time. According to the analysis conducted by Socure regarding the predictive value of your personal information in identity verification and ongoing fraud prevention, the following schedules outline Socure’s maximum retention periods for personal information collected and used in DocV. 

Your personal information may be retained for a shorter period of time than outlined above if deletion is required by law or contract, or if the purpose for which that information was collected has expired.

Special Notice re Data Rights Requests: Personal information used to verify your identity in connection with your exercise of a data rights request will be deleted within 7 days of verification. Records of your request to exercise your data rights, and our compliance with our fulfillment obligations, are maintained in accordance with applicable law.

How We Protect Your Information

Socure uses commercially reasonable physical, electronic, and procedural safeguards to protect information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction, in accordance with applicable law, and we require our customers and third-party service providers to do the same. Biometric information receives the same rigorous privacy and security protections as other sensitive personal information. This includes encryption in transit and at rest, strict access controls, data minimization, and data governance procedures. Socure’s data protection practices are audited on a recurring basis, and we maintain ISO 27001 and SOC 2 Type 2 certifications. That said, there is simply no way to guarantee that any safeguards or security measures will be sufficient to prevent a security incident.

Your Data Rights

Generally, you have the right to file or lodge a complaint with the relevant supervisory authority and to not be discriminated against for exercising your rights. In addition, based on where you reside, you may be subject to one or more of the following data rights with respect to DocV:

• Right to Know / Be Informed as to the personal information or categories of personal information we have about you. 
• Right to Access a copy of the personal information we have about you.
• Right to Correction / Rectification inaccurate personal information that we have about you.
• Right to Deletion / Erasure of personal information about you. 
• Right to Opt Out of / Object to Certain Processing, such as certain types of profiling.
• Right to Restrict Processing, if you meet certain limited applicable circumstances.
• Right to Withdraw Consent at any time, free of charge. Any such withdrawal only applies prospectively and will not impact prior processing conducted in accordance with your prior freely given consent.
• Right to Appeal a refusal to take action on a request within a reasonable period of time after you receive the initial decision.

Any withdrawal of consent only applies to future processing and does not impact prior processing conducted in accordance with your prior freely given, explicit consent. The right to data portability does not apply to Socure, but we use reasonable efforts to provide you with information in response to an access request that is in a structured, commonly used, and machine-readable format.

How to Exercise Your Data Rights

To exercise your data rights relating to a specific DocV transaction, submit your request to the Socure business customer who sent you to Socure so they can pass along the request to us as their service provider. We cannot process our business customer data without their written instructions.

To exercise your rights as they relate to Socure’s data vendor data, please complete our Data Rights Form. Because data rights around the world keep changing, the form lists a variety of data rights that may or may not be available to you based on your residence. Keep in mind that we may not be able to fulfill your request if the law does not grant you the right you attempt to exercise.

Verifiable Data Protection Rights Requests: Socure will use commercially reasonable methods to confirm that you submitted a verifiable request, where applicable or required. This means that we may need to ask you for additional information, verify your identity, and retain some personal information to prove that we complied with your request.

Authorized Agent:  Where permitted by law, you may designate an authorized agent to make a data rights request on your behalf using Socure’s data rights form linked above, subject to appropriate verification and other applicable legal requirements.  Your authorized agent will need to provide documentation supporting the agent’s authority to make the request on your behalf.  We also may require you to verify your identity directly with us and confirm the request.

Lawful Bases for Processing (Non-U.S. Persons)

Residents of Canada: Your personal information is processed with your express consent. 

Residents of the United Kingdom or European Economic Area:  (a) your biometric information is processed with your explicit consent; (b) your racial or ethnic origin data is processed for reasons of substantial public interest; and (c) your remaining personal information is processed for the purpose of legitimate interests such as fraud prevention. Personal information processed to evaluate and fulfill data rights requests are processed for compliance with a legal obligation. Where Socure relies on legitimate interests, we take into consideration your reasonable expectations based on your relationship with our business customers and balance them against Socure’s needs to support our business customers’ requests to validate identities, assess risk, and prevent, detect, protect or defend against, or respond to security incidents, identity theft, fraud, harassment, malicious, deceptive, or illegal activities.

Data Privacy Frameworks (UK, EEA, Switzerland only)

Socure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Socure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Socure has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF. Socure subject to the investigatory and enforcement powers of the Federal Trade Commission.

Pursuant to the Data Privacy Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should submit their request via this form. If requested to remove data, we will respond within a reasonable timeframe. 

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request via this form. 

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

Socure’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Socure remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Socure proves that it is not responsible for the event giving rise to the damage.

In compliance with the EU-U.S DPF, the UK Extension to the EU-U.S DPF, and the Swiss-U.S DPF Principles, Socure commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU-U.S DPF, the UK extension to the EU-U.S DPF, and the Swiss-U.S DPF Principles. European Union, United Kingdom, and Swiss individuals with inquiries or complaints should first contact Socure at privacy@socure.com.

Socure has further committed to refer unresolved privacy complaints under the EU-U.S. DPF program to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit this website for more information and/or to file a complaint. This service is provided free of charge to you.

If your EU-US DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Click here for more information.

If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the relevant Principles shall govern.  To learn more about the EU-U.S. DPF program, please visit this website. You can verify Socure’s participation here.

How to Contact Us

Please do not email us your identity documents, selfies, or other personal information. If you are having trouble submitting your documents or need help troubleshooting or understanding the outcome of a specific transaction, please contact the Socure business customer who sent you to us.

To contact the Socure Privacy team, including our Data Protection Officer (DPO), you may email privacy@socure.com or call 1-888-690-3709. Our DPO is Socure’s General Counsel and VP of Legal, Aviad Levin-Gur.

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Socure has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You may contact EDPO regarding matters pertaining to the GDPR: (1) by using EDPO’s online request form; or (2) by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.

Pursuant to Article 27 of the UK GDPR, Socure has appointed the EDPO UK Ltd as its UK GDPR representative in the UK. You may contact EDPO UK regarding matters pertaining to the UK GDPR: (1) by using EDPO’s online request form; or (2) by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.