Xertilox Privacy Notice
For Website and Mobile App
Introduction
When you visit and use Xertilox’s websites or mobile app, we collect and process certain information about your interactions and the data you choose to provide. For more details, please review this Privacy Notice attentively.
This is the Privacy Notice of XERTILOX LTD, incorporated and registered in England and Wales with company number 14689245 (hereinafter referred to as "Xertilox" or "we").
1. Scope
This Privacy Notice applies to representatives of Xertilox’s clients and visitors to Xertilox’s Website and Mobile App. Xertilox is a Data Controller under Article 24 of the EU GDPR and UK GDPR and determines the purposes and means of personal data processing in the following contexts: Cookies collected during the use of the Website; Interaction with the Xertilox Website or Mobile App (iOS and Android); Activities taken by a Client’s representative prior to establishing or during a business relationship with Xertilox, including the creation and use of accounts; Participation in webinars or events; Job application management and recruitment; Product and service development, including monitoring and analysing user behaviour.
2. Definitions
Client: The legal entity to which Xertilox provides services under specific legal arrangements.
Data Controller: Xertilox, where it determines the purposes and means of processing personal data.
Data Subject: Any individual whose personal data Xertilox processes, including but not limited to clients, representatives, job applicants, and visitors.
Personal Data: Any information relating to an identified or identifiable individual.
Processing: Any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, or destruction.
Special Categories: Personal data revealing racial or ethnic origin.
Visitor: Any individual interacting with the Xertilox website or mobile app.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Analytics: The careful study of something, by breaking it down into smaller pieces. Xertilox looks at trends and patterns in the app to inform our business decisions. Xertilox performs analytics on how users interact with the app using anonymous and aggregated data.
Face Scan/Selfie Image: A type of selfie photo (of your face) which is used for the purpose of checking it’s really you using your digital ID. Face scans are not viewable by you and cannot be shared with any businesses or individuals using digital ID.
GDPR & UK GDPR: The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the UK & European Union (EU). It protects people and lays down rules about how data about people can be used.
Hashing: Hashing is a security measure which involves taking something like an email address or phone number and turning it into a unique set of characters using a hash function – this is a one-way transformation of personal data which helps keep it confidential and safe.
Third Parties: These are companies that we may have interactions with outside of Xertilox. For example this could be other apps, software and partner companies. Where we say ‘third party’ this means anyone who is not you or us. This could be another person or an organisation.
Xertilox Client: These are companies that pay Xertilox to receive our identity services. For example, where a company asks you to share data via your Digital ID using a wallet request/user ID request, this is a Xertilox Client.
Biometrics: A study of people’s unique physical and behavioural characteristics, which aims to identify or recognise people as a unique individual based on traits they have. At Xertilox we use biometrics so that we can confirm it is really you.
Data Protection Officer: The person who is responsible for overseeing a company’s data protection implementation to ensure compliance with data privacy law.
Encryption: This allows information to be hidden so that it cannot be read without special knowledge such as a key or a password.
3.Information Collection and Use
The app is a biometric identity app that provides you with a quick, easy, secure and privacy-friendly way to prove your age and / or identity, online and in person. You set it up once and then use it anywhere that accepts the app. It works by allowing you to share verified details (we call these attributes) from ID documents you add to your app account. In some cases you can also manually add details, and have them verified.
This privacy notice will refer to the collection and use of information when using the app.
We collect different pieces of your information for different reasons. We explain why we collect this information below. For each of our products, we have a product specific privacy notice. This notice refers to the App and this section provides information on personal information collection and use.
We collect information to set up your app account, when you add documents and when you use the app.
We use it to do things like:
create your account and provide the products / services;
check you don’t already have an account;
check the document you add is genuine and the photo matches your account set-up photo;
check you’re a real live person;
verify details;
check for fraud;
create your Xertilox User ID
Information & Use:
Checking you are a real person and fraud prevention. The reason why we ask you to do a face scan or video is to check that you are a real person.
Use: Why we take the image of your face
When you set up your app account we have a security measure to make sure you are a real person, and to make sure no-one is pretending to be you (such as by holding up a photo). This security measure is done in two different ways and the security measure we use will depend on whether your phone make and model is compatible with our technology being used, or whether there are any technical errors that prevent one technology from working.
How long is your image and biometric/Face scan kept for?
The photos you take and your biometric image: we keep this information until you or we close the account and delete the information.
if your account/wallet is not used, then your account will be automatically closed 2 years after the last login.
Information from Government-issued or other official identity documents (for example, passport, driving licence)
Why we collect your ID: The main use of your ID document information is to add the details to your app account, so they are available for you to prove your ID and age when needed. For example, we use this information to create a User ID wallet within your app.
Your photograph and Date of Birth
We use the photo and your date of birth (which we hash) to check if your identity is valid
Checking your document
We use the information to verify your identity and check the document is valid. You will not be able to add an expired passport or driving licence.
If your document has a date of birth we check this to make sure that it matches what you told us when you were asked about your age as part of setting up your wallet. If you are below a certain age in some countries you need parental consent to use the app. We don’t currently have a parental consent mechanism in place.
Checking your image
We check the document photo against the photo you took to set up the account, to check it’s your document. It may be sent to our Operations Team for a manual check.
Fraud checks
We may check your document information against national identity and Fraud Database (see below) and information from the Metropolitan Police Service Amberhill Identity Team in relation to false identity documents / information. We may also check your information against the Cifas fraud prevention database. The results of these checks could lead to you not being able to upload your documents/hold a wallet. In cases of serious document or identity fraud we may have to prevent you from setting up a wallet. We keep fraud information either in line with our internal fraud and misuse policy or the retention rules set by relevant fraud prevention bodies. If we file a fraud report with Cifas, we will keep your information for up to Seven years.
Internal Xertilox uses
While we verify your identity we keep the information securely, however, our Security and Fraud teams can access it, and may do so for training, compliance and quality assurance purposes.
Internal Fraud Checks
If we suspect fraud we will use your document information (along with your selfie, email address and phone number) to investigate the suspected fraud.
When we identify fraudulent or tampered with documents or other evidence of fraud such as impersonation, we will keep a copy of the associated data in our Internal Fraud systems for 7 years and use it to screen against incoming documents and selfies to detect repeat instances of fraud. If you wish to dispute a fraud record about you in the Internal Fraud Database you should email data@Xertilox.com.We will also use some of these documents as examples for internal staff training to better detect fraud.
Research and Development
We also use some information from ID documents for research and development purposes.
Statistics
We create general statistics and reports from some of this information to help us understand how people are using our app, and to allow us to improve the service. This information does not identify any specific user. See the sections on analytics for more information.
After you successfully add a document
We then add the details to your app account and keep this information encrypted on our servers (which means we can’t access it) until you or we close the account and delete the data. Your details include an image of your document, which you can share where a company requires it, such as Right to work checks.
Adding multiple documents
You can only have one document of each type at any one time. So if you add a passport and then want to add a second passport, the details from the second one will be listed in your account and available to share. The details from the first one will still remain within our databases but you will not be able to share them.
Information you add manually (for example, address, e-mail or other attributes you want to store in your app)
Email Verification If you add an email address we will verify it by sending you registration link.
Self-asserted attributes
You can also choose to manually add other information to the personal details section of your app for easy reference.
The details you can add will depend on your country. For example if you are in the UK you will have the option to add your National Insurance number.
Xertilox does not validate or do anything else with this information, apart from storing it securely for you. You can delete this information at any time.
Updating your information
When you add an updated ID document (such as when you renew your passport) the details from the new document will be in your account. We will archive the old document details.
Digital User ID/Wallet:
|
Updating your address
If you update your address by manually adding a new address, we will archive the old one.
If you update your address by adding a document that includes it, all the other details from that document will also appear in your account. We will archive the details you previously had, except for ones that do not also appear in the new document you add.
Updating your telephone number
If you update your mobile number, the new number will replace the old one.
4. Principles of Personal Data Processing
Xertilox adheres to GDPR principles, ensuring personal data is:
• Processed fairly, lawfully, and transparently;
• Collected for specified and legitimate purposes;
• Adequate and limited to necessary purposes;
• Accurate and up-to-date;
• Retained no longer than necessary;
• Securely processed.
5. Data We Collect
Personal Information
• Name
• Email address
• Phone number
• Address
• Selfie
• Date of Birth
• National insurance number
• Personal data of the representative data contained in an ID document, passport and/or Driving Licence)
• Information obtained in connection with providing the Services to the respective Client (e.g., communication materials)
• Personal data contained in corporate documents
Publicly available data relevant to the position of the Client’s representatives
Payment Information
• Credit card details (via Stripe)
• Bank account numbers (via Stripe)
Technical Data
• IP addresses
• Browser type
• Cookies
• Device type
• Device identification number
How Data is Collected
• Website and app forms
• Cookies and tracking technologies
• Third-party tools
• APIs
• Mobile application
• Web platform
5. How We Use Your Information
We process data for the following purposes: Analytics
Advertising Providing services Personalizing user experiences
6. Data Sharing
Xertilox only shares your data with :
third parties unless explicitly agreed by you through our Mobile App,
fraud prevention services (for security purposes only)
cloud storage providers (AWS - for encrypted data hosting)
regulatory authorities (when legally required)
We never sell your data or share it for marketing purposes.
7. Data Processing and Storage
Your data is processed and stored in the UK and EU on Amazon Web Services (AWS).
8. Data Security
We implement the following measures to protect personal data: Encryption Secure servers
9. Your Rights
Under GDPR, you have the following rights: Access your data Correct your data Request deletion of your data To exercise these rights, please contact us at info@xertilox.com or support@xertilox.com..
10. Cookies and Tracking Technologies
We use cookies to enhance your experience. The types of cookies we employ include:
• Functional cookies
• Analytical cookies
For more information, refer to our Cookie Policy.
11. Children’s Data
We do not knowingly collect data from children. If you believe a child’s data has been submitted, please contact us to delete it.
12. Contact Information
If you have questions or requests regarding this Privacy Notice, contact us at: Email: info@xertilox.com
13. Changes to this Privacy Notice
Xertilox reserves the right to update this Privacy Notice as needed. Changes will be effective upon posting. Please check this page periodically for updates.