This Privacy Notice (“Notice”) describes the privacy practices of Jumio Corporation, 100 Mathilda Place, Suite 100, Sunnyvale, CA 94086, United States (“Jumio” or “we”) concerning personal information collected in connection with Jumio’s verification and related online services, including but not limited to Authentication, Document Verification, ID Verification, and Identity Verification (the “Services”).
Jumio makes the Services available to third parties (“Customers”) for integration into those Customers’ websites and mobile applications. Jumio processes the personal information of our Customer’s end-users (“End-Users”) for the purposes described in Section 3 (“How we use your personal information”).
This Notice provides information about the personal information collected through the Services. A separate notice, available here, describes our privacy practices in connection with our website and customer portals, located at www.jumio.com.
The scope of your consent is described in Section 8 (“Your consent”).
Jumio uses information about you to provide and improve the Services or develop new services aimed at verifying your identity and helping prevent fraud. We analyze the data we collect to create insights about fraud, which enables us to provide our Customers with information about potentially fraudulent transactions. For example, we use the data to identify commonly used fake identification documents or government identifiers.
Other than with your consent, Jumio does not “sell” or “share” (when defined by applicable law to mean the use of your personal information for cross contextual behavioral advertising) your personal information.
We encourage you to read through the Notice to understand what information Jumio may collect and how Jumio uses the information.
Data protection and privacy laws in certain jurisdictions, like the European Economic Area (“EEA”), the United Kingdom (“UK”), and the California Consumer Privacy Act (the “CCPA”) as amended by the California Privacy Rights Act (“CPRA”), differentiate between “controllers” or “businesses” and “processors” or “service providers” of personal information. A controller or business decides why and how to process personal information. A processor or service provider processes personal information on behalf of a controller, based on the controller’s instructions.
This Notice generally describes Jumio’s privacy practices as a controller for the categories of personal information described in Section 2 (“Personal information we process”). You are not required to provide your personal information to Jumio. However, if you do not provide us with your personal information, we may not be able to provide our Services.
Note that for certain customers (including certain customers in the EEA/UK) and/or under certain laws , Jumio still serves as a processor or service provider as defined by the applicable law. Where that is the case, please refer to the Customer with which you have an existing relationship for information about your privacy rights, retention, and how your personal information is used and shared.
To provide the Services, Jumio may process a government-issued identification or other document you provide or information provided by the Customer. The personal information collected may include any information available on the documents submitted to Jumio for the Services. From the information provided, Jumio may process the following information:
Biometric Data
Jumio’s collection of personal information may include data that may be considered biometric data in some jurisdictions. Jumio will collect this information via facial recognition or similar technology from an image (e.g., a selfie) or video (including audio) and from an image of your face as it appears on an identification document that you provide. Jumio may share such data with a Customer with which you have a direct relationship and with Jumio service providers. Jumio may collect, process, re-collect, otherwise obtain, and store such data for the purpose of providing and improving its Services, and for the long-term proof of inspection of your provided form of identification. Jumio will permanently destroy such biometric data derived from images and recordings in its possession within three years after you first provided those images or videos. Where Jumio serves as a processor or service provider as defined by the applicable law, Jumio will permanently destroy any such biometric data in its possession in accordance with the Customer’s instructions but no longer than the earlier of the date (i) that the Customer ceases to have a relationship with Jumio or (ii) that is within three years after the date that the Customer informs Jumio its last interaction with you has occurred. |
Jumio will process certain personal information about you that Jumio collects from you directly, from its Customers, or other third parties, such as consumer reporting agencies and fraud prevention service providers. The categories of personal information that Jumio may process varies depending on the Service and are described below.
When you use the Services, we may also automatically collect certain information which enables us to provide, improve, and develop our Services. This information includes:
If you use Jumio’s Authentication service, we may install little pieces of software (called service workers) on your device to increase the speed of subsequent verifications. The service worker does not collect any information about you and does not track you.
We may also use cookies in connection with the Services. For information about cookies and similar tracking technologies, visit our Cookie Notice.
To the extent permitted by applicable law, we may receive additional information about you, such as demographic data or other information to help detect fraud and safety issues from third party service providers or partners, and combine it with information we have about you. These categories of third parties include consumer reporting agencies, fraud prevention services, data brokers, government databases, and marketing and analytics providers.
Overall, Jumio processes the personal information described in Section 2 (“Personal information we process”) for the following purposes:
Under certain circumstances Jumio may also use the personal information listed in Section 2 (“Personal information we process”) to:
Sharing for business purposes. Jumio shares your personal information in the context of your transaction with a particular Customer with that Customer. In addition, to provide the Services as set out in Section 3 (“How we use your personal information”), Jumio may share, disclose, or transfer your personal information to the following categories of recipients:
Moreover, as set out in Section 3 (“How we use your personal information”) we may share your personal information with the following categories of recipients:
Aggregated information. From time to time, Jumio may also share anonymized and/or aggregated information, such as by publishing a report on trends in the usage of our Services.
Information for California residents. Other than with your consent, Jumio does not sell or share your personal information. The terms “sell”, “share”, and “personal information” are defined by the California Consumer Privacy Act (the “CCPA”) and the California Privacy Rights Act (“CPRA”).
Except as otherwise provided in this Notice, Jumio will retain the personal information for (i) the period necessary to fulfill the purposes outlined in Section 3 (“How we use your personal information”), in particular as long as necessary to identify potentially fraudulent transactions and (ii) as long as required by law or (iii) as long as relevant potential legal claims are not yet time-barred.
Where Jumio serves as a service provider or processor as defined by the applicable law, Jumio will retain personal information for the period determined, and as instructed, by the Customer.
The personal information described in this Notice may be transferred to and processed in the United States for the purposes described in Section 3 (“How we use your personal information”). Some of the recipients described in Section 4 (“Whom we share personal information with”) are located in, or process personal information in, countries other than your country of residence. The data protection laws in these countries may be different from, or less stringent than, those in your country of residence.
We take measures to help protect your personal information when it is transferred from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) to other countries. We may rely on European Commission adequacy decisions or UK adequacy regulations for certain countries or include standard clauses issued by the European Commission or by the UK Information Commissioner’s Office in our contracts with recipients.
Jumio uses commercially reasonable physical, electronic, and procedural safeguards designed to protect your personal information against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus Jumio cannot guarantee the absolute security of your personal information or other information. For more information about our Security program, please visit our Security page.
You can exercise any of the rights described in this section consistent with applicable law and our role with respect to your personal information by emailing [email protected]. Please note that we may ask you to verify your identity before taking further action on your request.
In some jurisdictions, applicable law may entitle you to:
Where we process your personal information based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
We will not discriminate against you for exercising any of the above rights.
Certain jurisdictions provide residents a right to appeal a refusal of a request, you may request an appeal of a refusal by sending an email to [email protected].
You consent to Jumio obtaining and using your personal information to enable your use of the Services which are partly based on machine learning algorithms; this includes your consent to:
You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal. If Jumio has collected your personal information on the basis of your consent and you then withdraw your consent, Jumio may retain your personal information independent of your consent to the extent necessary to establish, exercise or defend legal claims, to comply with legal obligations, or to identify potentially fraudulent transactions.
The Services are not directed to children under the age of 13, and Jumio will never knowingly collect personal or other information from anyone it knows is under the age of 13. We recommend that persons over 13, but under 18 years of age, ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet.
To help safeguard the quality of the data provided by the Services, Jumio implements measures that may include manual review of the personal information by specially trained verification agents or machine learning capabilities. When we process the personal information automatically, we apply the following examples of criteria:
Jumio does not use automated decision-making that would produce legal effects for you, or that would similarly significantly affect you. If, and to the extent that, Jumio’s Customers make a decision based on the information provided by Jumio, please reach out to the Customer responsible for your personal information with any questions regarding the rights you may have in case your personal information is subject to automated decision-making.
If you are a resident of the EEA, Switzerland, or the UK, Jumio processes your personal information on the following legal bases under the General Data Protection Regulation (“GDPR“) or the UK GDPR:
Technology and the Internet are rapidly changing. Jumio therefore is likely to make changes to the Services in the future and as a consequence will need to revise this Notice to reflect those changes. When we revise the Notice, Jumio will post any updates on the Notice at https://www.jumio.com/legal-information/privacy-notices/online-services-notice/, so we recommend reviewing that page periodically. If we make a material change to the Notice, you will be notified appropriately.
If you have any questions or comments regarding this Notice, please send an email to [email protected].
If you prefer to contact us by mail, please write to Jumio Corporation, ATTN: Privacy, 100 Mathilda Place, Suite 100, Sunnyvale, CA, 94086, U.S.A.
Jumio’s representative in the EU is Jumio Software Development GmbH, Lunaplatz 5, 4030 Linz, Austria. Jumio’s Data Protection Officer may be contacted at [email protected].
Last Updated: May 16, 2023