When you visit and use Xertilox's websites or mobile app, we collect and process certain information about your interactions and the data you choose to provide. For more details, please review this Privacy Notice attentively.

This is the Privacy Notice of XERTILOX LTD, incorporated and registered in England and Wales with company number 14689245 (hereinafter referred to as "Xertilox" or "we").

1. Scope

This Privacy Notice applies to representatives of Xertilox's clients and visitors to Xertilox's Website and Mobile App. Xertilox is a Data Controller under Article 24 of the EU GDPR and UK GDPR and determines the purposes and means of personal data processing in the following contexts:

2. Definitions

Client
The legal entity to which Xertilox provides services under specific legal arrangements.
Data Controller
Xertilox, where it determines the purposes and means of processing personal data.
Data Subject
Any individual whose personal data Xertilox processes, including but not limited to clients, representatives, job applicants, and visitors.
Personal Data
Any information relating to an identified or identifiable individual.
Processing
Any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, or destruction.
Special Categories
Personal data revealing racial or ethnic origin.
Visitor
Any individual interacting with the Xertilox website or mobile app.
Consent
Any freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Analytics
The careful study of something, by breaking it down into smaller pieces. Xertilox looks at trends and patterns in the app to inform our business decisions. Xertilox performs analytics on how users interact with the app using anonymous and aggregated data.
Face Scan/Selfie Image
A type of selfie photo (of your face) which is used for the purpose of checking it's really you using your digital ID. Face scans are not viewable by you and cannot be shared with any businesses or individuals using digital ID.
GDPR & UK GDPR
The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the UK & European Union (EU). It protects people and lays down rules about how data about people can be used.
Hashing
Hashing is a security measure which involves taking something like an email address or phone number and turning it into a unique set of characters using a hash function – this is a one-way transformation of personal data which helps keep it confidential and safe.
Third Parties
These are companies that we may have interactions with outside of Xertilox. For example this could be other apps, software and partner companies. Where we say 'third party' this means anyone who is not you or us. This could be another person or an organisation.
Xertilox Client
These are companies that pay Xertilox to receive our identity services. For example, where a company asks you to share data via your Digital ID using a wallet request/user ID request, this is a Xertilox Client.
Biometrics
A study of people's unique physical and behavioural characteristics, which aims to identify or recognise people as a unique individual based on traits they have. At Xertilox we use biometrics so that we can confirm it is really you.
Data Protection Officer
The person who is responsible for overseeing a company's data protection implementation to ensure compliance with data privacy law.
Encryption
This allows information to be hidden so that it cannot be read without special knowledge such as a key or a password.

3. Information Collection and Use

The app is a biometric identity app that provides you with a quick, easy, secure and privacy-friendly way to prove your age and / or identity, online and in person. You set it up once and then use it anywhere that accepts the app. It works by allowing you to share verified details (we call these attributes) from ID documents you add to your app account. In some cases you can also manually add details, and have them verified.

This privacy notice will refer to the collection and use of information when using the app.

We collect different pieces of your information for different reasons. We explain why we collect this information below. For each of our products, we have a product specific privacy notice. This notice refers to the App and this section provides information on personal information collection and use.

We collect information to set up your app account, when you add documents and when you use the app.

We use it to do things like:

Checking you are a real person and fraud prevention

The reason why we ask you to do a face scan or video is to check that you are a real person.

Why we take the image of your face

When you set up your app account we have a security measure to make sure you are a real person, and to make sure no-one is pretending to be you (such as by holding up a photo). This security measure is done in two different ways and the security measure we use will depend on whether your phone make and model is compatible with our technology being used, or whether there are any technical errors that prevent one technology from working.

How long is your image and biometric/Face scan kept for?

The photos you take and your biometric image: we keep this information until you or we close the account and delete the information.

If your account/wallet is not used, then your account will be automatically closed 2 years after the last login.

Information from Government-issued or other official identity documents

(for example, passport, driving licence)

Why we collect your ID

The main use of your ID document information is to add the details to your app account, so they are available for you to prove your ID and age when needed. For example, we use this information to create a User ID wallet within your app.

Your photograph and Date of Birth

We use the photo and your date of birth (which we hash) to check if your identity is valid

Checking your document

We use the information to verify your identity and check the document is valid. You will not be able to add an expired passport or driving licence.

If your document has a date of birth we check this to make sure that it matches what you told us when you were asked about your age as part of setting up your wallet. If you are below a certain age in some countries you need parental consent to use the app. We don't currently have a parental consent mechanism in place.

Checking your image

We check the document photo against the photo you took to set up the account, to check it's your document. It may be sent to our Operations Team for a manual check.

Fraud checks

We may check your document information against national identity and Fraud Database (see below) and information from the Metropolitan Police Service Amberhill Identity Team in relation to false identity documents / information. We may also check your information against the Cifas fraud prevention database. The results of these checks could lead to you not being able to upload your documents/hold a wallet. In cases of serious document or identity fraud we may have to prevent you from setting up a wallet. We keep fraud information either in line with our internal fraud and misuse policy or the retention rules set by relevant fraud prevention bodies. If we file a fraud report with Cifas, we will keep your information for up to Seven years.

Internal Xertilox uses

While we verify your identity we keep the information securely, however, our Security and Fraud teams can access it, and may do so for training, compliance and quality assurance purposes.

Internal Fraud Checks

If we suspect fraud we will use your document information (along with your selfie, email address and phone number) to investigate the suspected fraud.

When we identify fraudulent or tampered with documents or other evidence of fraud such as impersonation, we will keep a copy of the associated data in our Internal Fraud systems for 7 years and use it to screen against incoming documents and selfies to detect repeat instances of fraud. If you wish to dispute a fraud record about you in the Internal Fraud Database you should email data@Xertilox.com. We will also use some of these documents as examples for internal staff training to better detect fraud.

Research and Development

We also use some information from ID documents for research and development purposes.

Statistics

We create general statistics and reports from some of this information to help us understand how people are using our app, and to allow us to improve the service. This information does not identify any specific user. See the sections on analytics for more information.

After you successfully add a document

We then add the details to your app account and keep this information encrypted on our servers (which means we can't access it) until you or we close the account and delete the data. Your details include an image of your document, which you can share where a company requires it, such as Right to work checks.

Adding multiple documents

You can only have one document of each type at any one time. So if you add a passport and then want to add a second passport, the details from the second one will be listed in your account and available to share. The details from the first one will still remain within our databases but you will not be able to share them.

Information you add manually

(for example, address, e-mail or other attributes you want to store in your app)

Email Verification

If you add an email address we will verify it by sending you registration link.

Self-asserted attributes

You can also choose to manually add other information to the personal details section of your app for easy reference.

The details you can add will depend on your country. For example if you are in the UK you will have the option to add your National Insurance number.

Xertilox does not validate or do anything else with this information, apart from storing it securely for you. You can delete this information at any time.

Updating your information

When you add an updated ID document (such as when you renew your passport) the details from the new document will be in your account. We will archive the old document details.

Digital User ID/Wallet

When you add an ID document we turn the name and photo into a digital ID that you can show on your phone. To quickly and easily share your verified name and photo with another person or third party company, you can simply share the user ID. This has the added benefit of confirming to the recipient that your ID card is a genuine ID.

Updating your address

If you update your address by manually adding a new address, we will archive the old one.

If you update your address by adding a document that includes it, all the other details from that document will also appear in your account. We will archive the details you previously had, except for ones that do not also appear in the new document you add.

Updating your telephone number

If you update your mobile number, the new number will replace the old one.

4. Principles of Personal Data Processing

Xertilox adheres to GDPR principles, ensuring personal data is:

5. Data We Collect

Personal Information

Payment Information

Technical Data

How Data is Collected

6. How We Use Your Information

We process data for the following purposes:

7. Data Sharing

Xertilox only shares your data with:

We never sell your data or share it for marketing purposes.

8. Data Processing and Storage

Your data is processed and stored in the UK and EU on Amazon Web Services (AWS).

9. Data Security

We implement the following measures to protect personal data:

10. Your Rights

Under GDPR, you have the following rights:

To exercise these rights, please contact us at info@xertilox.com or support@xertilox.com.

11. Cookies and Tracking Technologies

We use cookies to enhance your experience. The types of cookies we employ include:

For more information, refer to our Cookie Policy.

12. Children's Data

We do not knowingly collect data from children. If you believe a child's data has been submitted, please contact us to delete it.

13. Contact Information

If you have questions or requests regarding this Privacy Notice, contact us at:

Email: info@xertilox.com

14. Changes to this Privacy Notice

Xertilox reserves the right to update this Privacy Notice as needed. Changes will be effective upon posting. Please check this page periodically for updates.