Jumio Online Services Privacy Notice

This Privacy Notice (“Notice”) describes the privacy practices of Jumio Corporation, 100 Mathilda Place, Suite 100, Sunnyvale, CA 94086, United States (“Jumio” or “we”) concerning personal information collected in connection with Jumio’s verification and related online services, including but not limited to Authentication, Document Verification, ID Verification, and Identity Verification (the “Services”).

Jumio makes the Services available to third parties (“Customers”) for integration into those Customers’ websites and mobile applications. Jumio processes the personal information of our Customer’s end-users (“End-Users”) for the purposes described in Section 3 (“How we use your personal information”).

This Notice provides information about the personal information collected through the Services. A separate notice, available here, describes our privacy practices in connection with our website and customer portals, located at www.jumio.com.

The scope of your consent is described in Section 8 (“Your consent”).

Short Summary

Jumio uses information about you to provide and improve the Services or develop new services aimed at verifying your identity and helping prevent fraud. We analyze the data we collect to create insights about fraud, which enables us to provide our Customers with information about potentially fraudulent transactions. For example, we use the data to identify commonly used fake identification documents or government identifiers.

Other than with your consent, Jumio does not “sell” or “share” (when defined by applicable law to mean the use of your personal information for cross contextual behavioral advertising) your personal information.

We encourage you to read through the Notice to understand what information Jumio may collect and how Jumio uses the information.

1. Our relationship with you

Data protection and privacy laws in certain jurisdictions, like the European Economic Area (“EEA”), the United Kingdom (“UK”), and the California Consumer Privacy Act (the “CCPA”) as amended by the California Privacy Rights Act (“CPRA”), differentiate between “controllers” or “businesses” and “processors” or “service providers” of personal information. A controller or business decides why and how to process personal information. A processor or service provider processes personal information on behalf of a controller, based on the controller’s instructions.

This Notice generally describes Jumio’s privacy practices as a controller for the categories of personal information described in Section 2 (“Personal information we process”). You are not required to provide your personal information to Jumio. However, if you do not provide us with your personal information, we may not be able to provide our Services.

Note that for certain customers (including certain customers in the EEA/UK) and/or under certain laws , Jumio still serves as a processor or service provider as defined by the applicable law. Where that is the case, please refer to the Customer with which you have an existing relationship for information about your privacy rights, retention, and how your personal information is used and shared.

2. Personal information we process

Information you or Customers provide to us through the use of Jumio Services

To provide the Services, Jumio may process a government-issued identification or other document you provide or information provided by the Customer. The personal information collected may include any information available on the documents submitted to Jumio for the Services. From the information provided, Jumio may process the following information:

  • Personal identifiers (e.g., names, addresses, emails, phone numbers);
  • Images of Identification documents (e.g., photographs and other information including personal identifiers, demographic characteristics, physical characteristics, etc.);
  • Government identifiers (e.g., driver’s license numbers, passport numbers, etc.) please note that Jumio redacts certain government identifiers in accordance with applicable national laws;
  • Financial information (e.g., credit or debit card numbers, CVV, expiration dates, transaction information);
  • Images or recordings (e.g., photographs and visual or audio recordings); and
  • Biometric data (see information box below).
Biometric Data

Jumio’s collection of personal information may include data that may be considered biometric data in some jurisdictions. Jumio will collect this information via facial recognition or similar technology from an image (e.g., a selfie) or video (including audio) and from an image of your face as it appears on an identification document that you provide.

Jumio may share such data with a Customer with which you have a direct relationship and with Jumio service providers. Jumio may collect, process, re-collect, otherwise obtain, and store such data for the purpose of providing and improving its Services, and for the long-term proof of inspection of your provided form of identification.

Jumio will permanently destroy such biometric data derived from images and recordings in its possession within three years after you first provided those images or videos.

Where Jumio serves as a processor or service provider as defined by the applicable law, Jumio will permanently destroy any such biometric data in its possession in accordance with the Customer’s instructions but no longer than the earlier of the date (i) that the Customer ceases to have a relationship with Jumio or (ii) that is within three years after the date that the Customer informs Jumio its last interaction with you has occurred.

Information automatically processed when you or Customers use Jumio’s Services

​​Jumio will process certain personal information about you that Jumio collects from you directly, from its Customers, or other third parties, such as consumer reporting agencies and fraud prevention service providers. The categories of personal information that Jumio may process varies depending on the  Service and are described below.

When you use the Services, we may also automatically collect certain information which enables us to provide, improve, and develop our Services. This information includes:

  • Online identifiers (e.g., IP addresses);
  • Internet or other electronic network activity including information about your device’s operating system, browser type, browser settings (e.g., country, language preferences), or your use of our website or application (e.g., time access, duration of visit);
  • Geolocation information (e.g., the location of your device); and
  • Inferences such as a transaction risk calculations and scores (e.g., Jumio may review whether the IP address or other available information is known to have been used in a fraudulent transaction and provide an assessment to a Customer of the likelihood the transaction is fraudulent).

If you use Jumio’s Authentication service, we may install little pieces of software (called service workers) on your device to increase the speed of subsequent verifications. The service worker does not collect any information about you and does not track you.

We may also use cookies in connection with the Services. For information about cookies and similar tracking technologies, visit our Cookie Notice.

Information collected from third parties

To the extent permitted by applicable law, we may receive additional information about you, such as demographic data or other information to help detect fraud and safety issues from third party service providers or partners, and combine it with information we have about you. These categories of third parties include consumer reporting agencies, fraud prevention services, data brokers, government databases, and marketing and analytics providers.

3. How we use your personal information

Overall, Jumio processes the personal information described in Section 2 (“Personal information we process”) for the following purposes:

  • To provide the Services, which includes:
    • Verifying End-User identity;
    • Comparing new scans of identification documents against scans of identification documents previously collected by Jumio;
    • Preventing the use of fraudulent identification documents;
    • Identifying and monitoring fraudulent transactions;
    • Sharing the results of Jumio’s analysis with a Customer with whom an End-User has an existing relationship; and
    • Increasing the efficiency and effectiveness of the Services;
  • To perform analytics and research concerning the Services and to improve the Services or develop new services, including through the use of machine learning;
  • To protect and improve the security of the Services; and
  • To anonymize the personal information and generate statistical or aggregated reports.

Under certain circumstances Jumio may also use the personal information listed in Section 2 (“Personal information we process”) to:

  • Establish, exercise or defend legal claims;
  • Investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property, the property or physical safety of any person or third party;
  • Facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of Jumio’s business or assets;
  • Respond to valid and enforceable subpoenas, court orders, and other legal process, or as otherwise required by law; and
  • Comply with legal and/or regulatory requirements.

4. Whom we share personal information with

Sharing for business purposes. Jumio shares your personal information in the context of your transaction with a particular Customer with that Customer. In addition, to provide the Services as set out in Section 3 (“How we use your personal information”), Jumio may share, disclose, or transfer your personal information to the following categories of recipients:

  • Services providers that help us deliver, manage, develop, and improve the services including but not limited to third-party cloud service providers;
  • Contract partners or business partners who are participating in the performance of the delivery of the Services; and
  • Companies that are part of our corporate group.

Moreover, as set out in Section 3 (“How we use your personal information”) we may share your personal information with the following categories of recipients:

  • Legal advisors;
  • Auditors for the performance of audits;
  • Courts and public authorities; and
  • Any acquirer or successor in the event of a corporate sale, merger, reorganization, dissolution, or similar event if any of your personal information is part of the assets we transfer or share in preparation for such a transaction.

Aggregated information. From time to time, Jumio may also share anonymized and/or aggregated information, such as by publishing a report on trends in the usage of our Services.

Information for California residents. Other than with your consent, Jumio does not sell or share your personal information. The terms “sell”, “share”, and “personal information” are defined by the California Consumer Privacy Act (the “CCPA”) and the California Privacy Rights Act (“CPRA”).

5. Retention and international transfers

Retention

Except as otherwise provided in this Notice, Jumio will retain the personal information for (i) the period necessary to fulfill the purposes outlined in Section 3 (“How we use your personal information”), in particular as long as necessary to identify potentially fraudulent transactions and (ii) as long as required by law or (iii) as long as relevant potential legal claims are not yet time-barred.

Where Jumio serves as a service provider or processor as defined by the applicable law, Jumio will retain personal information for the period determined, and as instructed, by the Customer.

International Transfers

The personal information described in this Notice may be transferred to and processed in the United States for the purposes described in Section 3 (“How we use your personal information”). Some of the recipients described in Section 4 (“Whom we share personal information with”) are located in, or process personal information in, countries other than your country of residence. The data protection laws in these countries may be different from, or less stringent than, those in your country of residence.

We take measures to help protect your personal information when it is transferred from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) to other countries. We may rely on European Commission adequacy decisions or UK adequacy regulations for certain countries or include standard clauses issued by the European Commission or by the UK Information Commissioner’s Office in our contracts with recipients.

6. Security

Jumio uses commercially reasonable physical, electronic, and procedural safeguards designed to protect your personal information against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus Jumio cannot guarantee the absolute security of your personal information or other information. For more information about our Security program, please visit our Security page.

7. Your privacy rights

You can exercise any of the rights described in this section consistent with applicable law and our role with respect to your personal information by emailing [email protected]. Please note that we may ask you to verify your identity before taking further action on your request.

In some jurisdictions, applicable law may entitle you to:

  • Request confirmation of whether we are processing your personal information, obtain a copy of your personal information, and obtain information about how we handle your personal information;
  • Receive an electronic copy of personal information that you have provided to us in a structured, commonly used, and machine-readable format, or ask us to transmit this information to another company (where technically feasible);
  • Subject to certain exceptions prescribed by law, request deletion of your personal information;
  • Object to or restrict our uses of your personal information;
  • Seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; and
  • Lodge a complaint with the competent supervisory authority or regulatory agency.

Where we process your personal information based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We will not discriminate against you for exercising any of the above rights.

Appeals

Certain jurisdictions provide residents a right to appeal a refusal of a request, you may request an appeal of a refusal by sending an email to [email protected].

You consent to Jumio obtaining and using your personal information to enable your use of the Services which are partly based on machine learning algorithms; this includes your consent to:

  • Jumio processing your personal information using its machine learning algorithms, including facial recognition algorithms, to provide and improve its Services and to match an image of your face with an image of your face on your identification document, which may qualify as a processing of sensitive personal information; and
  • Jumio sharing your personal information that Jumio has collected in connection with your transaction with a particular Customer with that Customer (e.g., a visually scanned or photographed image of your face or of your identification document) and service providers; and
  • Jumio retaining your personal information described in Section 2 (“Personal information we process”) to provide our Services and to identify potentially fraudulent transactions.

You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal. If Jumio has collected your personal information on the basis of your consent and you then withdraw your consent, Jumio may retain your personal information independent of your consent to the extent necessary to establish, exercise or defend legal claims, to comply with legal obligations, or to identify potentially fraudulent transactions.

9. Other important information

Children’s privacy

The Services are not directed to children under the age of 13, and Jumio will never knowingly collect personal or other information from anyone it knows is under the age of 13. We recommend that persons over 13, but under 18 years of age, ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet.

Data quality and automated decision making

To help safeguard the quality of the data provided by the Services, Jumio implements measures that may include manual review of the personal information by specially trained verification agents or machine learning capabilities. When we process the personal information automatically, we apply the following examples of criteria:

  • Checks on the integrity and quality of photographs;
  • Checks on the integrity and recognition of documents;
  • Extraction and analysis of text, graphical layout, and any other available information on the documents, face photographs and biometric data, background;
  • Analysis of results of all the steps combined, considering multiple variables, predictions and confidence values for a final score;
  • Lookups against known images as well as known fraudulent cases;
  • Procedures to minimize demographic bias in machine learning algorithms; and
  • In cases of identity verification, a selfie or video may be used to compare against the photograph on an identification document, to ensure the individual is genuinely present during the transaction.

Jumio does not use automated decision-making that would produce legal effects for you, or that would similarly significantly affect you. If, and to the extent that, Jumio’s Customers make a decision based on the information provided by Jumio, please reach out to the Customer responsible for your personal information with any questions regarding the rights you may have in case your personal information is subject to automated decision-making.

Legal basis for processing

If you are a resident of the EEA, Switzerland, or the UK, Jumio processes your personal information on the following legal bases under the General Data Protection Regulation (“GDPR“) or the UK GDPR:

  • Your consent;
  • Jumio’s and its Customers’ prevailing legitimate interest to achieve the purposes set out in Section 2 (“How we use your personal information”) and the prevailing legitimate interest of individuals whose personal information is used for a fraudulent transaction to not become victims of identity theft;
  • The necessity to comply with legal obligations to which Jumio is subject; and
  • The necessity for the establishment, exercise, or defense of legal claims.

10. Changes to this notice

Technology and the Internet are rapidly changing. Jumio therefore is likely to make changes to the Services in the future and as a consequence will need to revise this Notice to reflect those changes. When we revise the Notice, Jumio will post any updates on the Notice at https://www.jumio.com/privacy-center/privacy-notices/online-services-notice/ so we recommend reviewing that page periodically. If we make a material change to the Notice, you will be notified appropriately.

11. Contacting Jumio

If you have any questions or comments regarding this Notice, please send an email to [email protected].

If you prefer to contact us by mail, please write to Jumio Corporation, ATTN: Privacy, 100 Mathilda Place, Suite 100, Sunnyvale, CA, 94086, U.S.A.

Jumio’s representative in the EU is Jumio Software Development GmbH, Lunaplatz 5, 4030 Linz, Austria. Jumio’s Data Protection Officer may be contacted at [email protected].

Last Updated: May 16, 2023