Privacy is a fundamental human right. Your personal data is exactly that, yours. At OCR Labs Global Limited (OCR Labs), we want to keep it that way. That is why privacy is paramount to us, in everything we do, and we are committed to respecting your privacy.
1. What is personal or sensitive data?
Personal data includes data or an opinion (whether true or not) about an individual that is reasonably identifiable. For example, this may include your name, age, gender, postcode and contact details.
Sensitive data includes biometric data, data about an individual's health, political affiliations, union associations, race and ethnic origins, criminal record and religious or philosophical beliefs.
2. What data do we collect and hold?
We may collect and hold the following types of personal and sensitive data:
- mailing or street address;
- email address;
- telephone number and other contact details;
- age or date of birth;
- government related identifiers, such as your licence number and class, Medicare number, state or national ID card number, passport number, and birth or marriage certificate number;
- other data identifiable from scanned ID documents you provide, such as photographs of your face;
- biometric data, such as video footage or photographs of your face;
- data obtained from fraud-prevention services and document verification services;
- your device ID, device type, geo-location data, computer and connection data, IP address and standard web log data;
- any additional data relating to you that you provide to us directly through our website or apps or indirectly through your use of our website or apps or online presence or through other websites or accounts from which you permit us to collect data;
- data you provide to us through client or customer surveys; and
- any other personal data that may be required in order to facilitate your dealings with us.
3. How do we collect your data?
We may collect these types of personal or sensitive data either directly from you, or from third parties. We may collect this data when you:
- utilise one of our verification services through one of our apps or web-based platforms;
- if you are a representative of one of our partners or clients, create an administrator account or otherwise use one of our apps or web-based platforms on behalf of one of our partners or clients;
- communicate with us through correspondence, chats, email or otherwise through our website; or
- otherwise interact with our sites, services, content or advertising.
We may receive personal, sensitive or anonymised data about you from our clients where they make use of our services. This data may include a client ID that identifies you in the third party's database, as well as the categories of data set out above. We will advise you as soon as possible where we collect personal and sensitive data from a source other than yourself.
In addition, when you apply for a job or position with us, we may collect certain data from you (including your name, contact details, working history and relevant records checks) from any recruitment consultant, your previous employers and others who may be able to provide data to us to assist in our decision on whether or not to make you an offer of employment or engage you under a contract.
Retention of your data
4. Why do we collect, hold, use and disclose your data?
The purposes for which we will use personal and sensitive data will depend on the relationship with you and the products or services you require from us. We may collect, hold, use and disclose your personal and sensitive data for the following purposes:
- to enable you to access and use our website or apps;
- to provide verification services, where you are seeking to access one of our clients' products or services (or the products or services of third parties, where our clients act as brokers, resellers, referrers or representatives of such parties);
- to operate, protect, improve and optimise our website or apps, business and our clients' and users' experience, such as to perform analytics, conduct research and create new products, and conduct training;
- to send you service, support and administrative messages, reminders, technical notices, updates, security alerts in connection with our verification services, and data requested by you;
- to comply with our legal obligations, resolve any disputes that we may have with any of our clients or users, and enforce our agreements with third parties; and
- where relevant, to consider your employment application.
We may also be entitled:
- to use personal data for any purpose which is related to the above purposes; and
- to use sensitive data for any purpose which is directly related to the above purposes.
We may also use de-identified, aggregated data to share insights about users of our verification services, such as by publishing a report on trends in the usage of such services.
5. Other circumstances where we may disclose your personal or sensitive data
Under certain circumstances, we may be required to disclose your personal and sensitive data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).
Other legal requirements
We may disclose your personal and sensitive data in the good faith belief that such action is necessary to:
- comply with a legal obligation;
- protect and defend the rights or property of the Company;
- prevent or investigate possible wrongdoing in connection with our services;
- protect the personal safety of users of the services or the public;
- protect against legal liability.
6. Do we use your personal data for direct marketing?
If we have collected your personal data because you are a representative of one of our current or prospective partners or clients, we may send you direct marketing communications and data about services and products offered by members of the OCR Labs Group. Note that we do not use personal data collected as part of the identity verification services we provide to our partners and/or clients for direct marketing.
Our marketing may take the form of emails, SMS, mail or other forms of communication, in accordance with the Privacy Act.
You may opt-out of receiving marketing materials from us by contacting us using the details set out below or by using the opt-out facilities provided (e.g. an unsubscribe link).
If we use your personal data for direct marketing, we will ensure we comply with our obligations under the Do Not Call Register Act 2006 and the Spam Act 2003.
7. To whom do we disclose your personal and sensitive data?
- companies within the OCR Labs Group;
- our clients and third parties (where our clients act as brokers, resellers, referrers or representatives of such parties), where you are seeking to access their products and/or services and are required to verify your identity in order to do so;
- our employees and contractors, for the purposes of managing our products and systems and providing our services^1^;
- third party suppliers and service providers (including providers of document verification services to help us verify the validity of identity documents you disclose to us, and other providers for the operation of our websites and/or our business or in connection with providing our products and services to you);
- professional advisers, dealers and agents;
- our existing or potential agents, business partners or partners (including our trusted resellers and referrers);
- specific third parties authorised by you to receive data held by us;
- other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law; and
- as otherwise required or permitted by law.
^1^ Note that parts of our algorithm engineering teams are located overseas (UK). These teams may be provided access to data that we reasonably suspect are fraudulent identity documents and/or spoofed liveness video. If this occurs, we maintain full control of access to this data, which is only retained for a very limited period of time and is not transferred outside of Australia.
8. Overseas transfer of personal and sensitive data
Your data, including personal data, is processed at our operating offices and in any other places where the parties involved in the processing are located. This means that this data may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of your jurisdiction.
9. Security and storage
OCR Labs is equipped for the toughest standards. Our platform meets stringent privacy, security and integrity standards based on international best practices.
Whilst we cannot guarantee the safety or security of your personal data, we take reasonable physical, electronic, and procedural measures to protect your personal and sensitive data against loss or unauthorised access, use, interference, modification, or deletion.
Among other things, we encrypt personal and sensitive data both in transit and at rest and we implement robust disaster recovery and business continuity procedures.
Personal and sensitive data will be held in a secure environment either in writing, electronically or both. We have security measures in place which are intended to protect personal and sensitive data. The key methods of securing the storage of personal and sensitive data include:
- Secure access to electronic and physical records containing personal and sensitive data, via password protected access permissions to systems and security-protected access to filing cabinets and storage;
- Access only to authorised OCR Labs employees and contractors that require access to perform their daily duties; and
- Varying access levels depending on the level of the authority and the type of personal and sensitive data required to be accessed.
We also maintain controls relating to how personal and sensitive data is extracted from the secure environment and how it is used and distributed. We also regularly conduct independent security audits, vulnerability scans, and penetration tests to ensure compliance with international security best practices and standards.
10. Unsolicited personal and sensitive data
There may be circumstances where an individual provides us with the personal or sensitive data of another person. Where we receive unsolicited personal data which we do not require for the purposes we have outlined above, we will destroy or de-identify that data as soon as practicable (if it is lawful and reasonable to do so).
11. Accessing and correcting your data
You can access the personal data we hold about you by contacting us using the contact details below.
Sometimes, we may not be able to provide you with access to all of your personal data and, where this is the case, we will provide you with a written notice explaining why. We may also need to verify your identity when you request your personal data.
We note that we may not have stored your personal data where it was collected by us to perform verification services and such services have been completed.
If you think that any personal data we hold about you is inaccurate, outdated, incorrect or incomplete, please contact us promptly and we will take reasonable steps to ensure that it is corrected.
12. General Data Protection Regulation (GDPR) Privacy
Legal Basis for Processing Personal Data under GDPR
We may process personal data under the following conditions:
- Consent: you have given your consent for processing personal data for one or more specific purposes.
- Performance of a contract: provision of personal data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
- Legal obligations: processing personal data is necessary for compliance with a legal obligation to which we are subject.
- Vital interests: processing personal data is necessary in order to protect your vital interests or those of another natural person.
- Public interests: processing personal data is related to a task that is carried out in the public interest or in the exercise of official authority vested in us.
- Legitimate interests: processing personal data is necessary for the purposes of the legitimate interests pursued by us.
In any case, we will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Your Rights under the GDPR
We undertake to respect the confidentiality of your personal data and to guarantee you can exercise your rights.
- Request access to your personal data. The right to access, update or delete the data we have on you. Whenever made possible, you can access, update or request deletion of your personal data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you. This also enables you to receive a copy of the personal data we hold about you.
- Request correction of the personal data that we hold about you. You have the right to have any incomplete or inaccurate data we hold about you corrected.
- Object to processing of your personal data. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your personal data on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request erasure of your personal data. You have the right to ask us to delete or remove personal data when there is no good reason for us to continue processing it.
- Request the transfer of your personal data. We will provide to you, or to a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated data which you initially provided consent for us to use or where we used the data to perform a contract with you.
- Withdraw your consent. You have the right to withdraw your consent on using your personal data. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the service.
Exercising of Your GDPR Data Protection Rights
You may exercise your rights of access, rectification, cancellation and opposition by contacting us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.
You have the right to complain to a Data Protection Authority about Our collection and use of your personal data. For more information, if you are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.
13. Facebook Fan Page
Data Controller for the Facebook Fan Page
The Company is the Data Controller of Your Personal Data collected while using the Service. As operator of the Facebook Fan Page the Company and the operator of the social network Facebook are Joint Controllers.
The Company has entered into agreements with Facebook that define the terms for use of the Facebook Fan Page, among other things. These terms are mostly based on the Facebook Terms of Service: https://www.facebook.com/terms.php
We use the Facebook Insights function in connection with the operation of the Facebook Fan Page and on the basis of the GDPR, in order to obtain anonymized statistical data about Our users.
For this purpose, Facebook places a Cookie on the device of the user visiting Our Facebook Fan Page. Each Cookie contains a unique identifier code and remains active for a period of two years, except when it is deleted before the end of this period.
Facebook receives, records and processes the information stored in the Cookie, especially when the user visits the Facebook services, services that are provided by other members of the Facebook Fan Page and services by other companies that use Facebook services.
14. CCPA Privacy
Your Rights under the CCPA
- The right to notice. You must be properly notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.
- The right to access / the right to request. The CCPA permits You to request and obtain from the Company information regarding the disclosure of Your Personal Data that has been collected in the past 12 months by the Company or its subsidiaries to a third-party for the third party's direct marketing purposes.
- The right to say no to the sale of Personal Data. You also have the right to ask the Company not to sell Your Personal Data to third parties. You can submit such a request by visiting our "Do Not Sell My Personal Information" section or web page.
- The right to know about Your Personal Data. You have the right to request and obtain from the Company information regarding the disclosure of the following:
  - The categories of Personal Data collected
  - The sources from which the Personal Data was collected
  - The business or commercial purpose for collecting or selling the Personal Data
  - Categories of third parties with whom We share Personal Data
  - The specific pieces of Personal Data we collected about You
- The right to delete Personal Data. You also have the right to request the deletion of Your Personal Data that have been collected in the past 12 months.
- The right not to be discriminated against. You have the right not to be discriminated against for exercising any of Your Consumer's rights, including by:
  - Denying goods or services to You
  - Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties
  - Providing a different level or quality of goods or services to You
  - Suggesting that You will receive a different price or rate for goods or services or a different level or quality of goods or services.
Exercising Your CCPA Data Protection Rights
In order to exercise any of Your rights under the CCPA, and if you are a California resident, You can email or call us or visit our "Do Not Sell My Personal Information" section or web page.
The Company will disclose and deliver the required information free of charge within 45 days of receiving Your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.
Do Not Sell My Personal Information
We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology on the Service that "sells" personal information as defined by the CCPA law.
If you wish to opt out of the use of your personal information for interest-based advertising purposes and these potential sales as defined under CCPA law, you may do so by following the instructions below.
Please note that any opt out is specific to the browser You use. You may need to opt out on every browser that you use.
You can opt out of receiving ads that are personalized as served by our Service Providers by following our instructions presented on the Service:
- From Our "Cookie Consent" notice banner
- Or from Our "CCPA Opt-out" notice banner
- Or from Our "Do Not Sell My Personal Information" notice banner
- Or from Our "Do Not Sell My Personal Information" link
The opt out will place a cookie on Your computer that is unique to the browser You use to opt out. If you change browsers or delete the cookies saved by your browser, you will need to opt out again.
Your mobile device may give you the ability to opt out of the use of information about the apps you use in order to serve you ads that are targeted to your interests:
- "Opt out of Interest-Based Ads" or "Opt out of Ads Personalization" on Android devices
- "Limit Ad Tracking" on iOS devices
You can also stop the collection of location information from Your mobile device by changing the preferences on your mobile device.
15. "Do Not Track" Policy as Required by California Online Privacy Protection Act (CalOPPA)
Our Service does not respond to Do Not Track signals.
However, some third-party websites do keep track of Your browsing activities. If You are visiting such websites, You can set Your preferences in Your web browser to inform websites that You do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of Your web browser.
16. Children's Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.
We also may limit how We collect, use, and store some of the information of Users between 13 and 18 years old. In some cases, this means We will be unable to provide certain functionality of the Service to these users.
If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.
17. Using our website and cookies
When you use our verification services, we automatically receive and record certain data from your computer (or another device) and/or your web browser.
This may include such data as the third-party website or application into which the services are integrated, the date and time that you use the services, your IP address and domain name, your software and hardware attributes (including operating system, device model, and hashed device fingerprint data), and your general geographic location (e.g., your city, state, or metropolitan region).
To obtain such data, we may use web logs or applications that recognize your computer and gather data about its online activity.
What are cookies? Cookies are small files that are stored on your computer or other device by your web browser.
A cookie allows us to recognize whether you have used our services before and may store user preferences and other data.
How are cookies used? For example, cookies can be used to collect data about your use of our services during your current session and over time, your computer or other device's operating system and browser type, your Internet service provider, your domain name and IP address, and your general geographic location.
How do you avoid cookies? If you are concerned about having cookies on your computer or device, you can set your browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it.
You can also delete cookies from your computer.
However, if you choose to block or delete cookies, certain features of our services may not operate correctly.
Our website or apps may contain links to websites operated by third parties. Those links are provided for convenience and may not remain current or be maintained.
Unless expressly stated otherwise, we are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in those linked websites.
Making a complaint
If you think we have breached the Privacy and/or applicable data protection laws, or you wish to make a complaint about the way we have handled your personal data, you can contact us using the details set out below.
Please include your name, email address and/or telephone number and clearly describe your complaint.
We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time.
If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take, one of which is to lodge a complaint with the Office of the Australian Data Commissioner.
20. Contact us
Privacy Officer e: firstname.lastname@example.org
Effective Date: 16 April 2021