PRIVACY NOTICE – IDENTITY VERIFICATION SERVICES
Effective from: January 9, 2025
1. WHAT DOES THIS PRIVACY NOTICE COVER?
1.1 If you are reading this Privacy Notice, it indicates that you are an end-user or have interacted with one of our customers (an online service provider, e.g. financial institution or an iGaming platform). Your interaction with this customer has prompted them to verify your identity through utilizing SEON’s services.
1.2 In the light of this, this Privacy Notice (“Privacy Notice”) describes how SEON processes your Personal Data (please see the definition of Personal Data in Section 5.2) in the context of providing and improving identity verification services, such as document verification, liveness checks and address verification on behalf and for the benefit of our customers (including your online service provider which you have an existing relationship with), which enables us to provide our customers with information aimed at verifying their end-users’ (including your) identity and helping prevent (identity) fraud, criminal activity, money laundering and similar practices as part of substantial public interest.
1.3 Except in cases where we act as the data controller as set out in this Privacy Notice, we primarily act as a data processor and process Personal Data strictly in accordance with the instructions, on behalf and for the benefit of our customers rendering SEON’s identity verification services integrated into these customers’ websites and mobile applications for them to ensure that they meet Know Your Customer (KYC), Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), anti-fraud compliance and similar regulatory requirements. For more information about our and our customer’s roles please refer to Section 2 of this Privacy Notice.
1.4 To gain a complete understanding of how your Personal Data is processed in relation to SEON’s identity verification service, you should review both this Privacy Notice provided by SEON and the privacy notices of the Customers whose services you are being verified for.
1.5 You can find jurisdiction-specific notices in Section 11 below, such as a notice to EU Data Subjects in Section 11.1; a notice to California, Colorado, Connecticut, Utah, and Virginia Residents in Section 11.2 and a notice to Texas and Illinois residents in Section 11.3.
1.6 At SEON we are committed to protecting your Personal Data and respecting your right to privacy. Please read this notice carefully, as it explains how your Personal Data is processed during the provision of the identity verification services to our customers, your rights, and how you can contact us or the customer with any questions or concerns.
2. DETAILS OF THE DATA CONTROLLER, DATA PROCESSOR AND THE DATA PROTECTION OFFICER (“DPO”)
2.1 In certain jurisdictions, such as the European Economic Area (EEA), the United Kingdom (UK), and certain states of the United States (US) such as Virginia, Utah, California, Connecticut, Colorado, Illinois and Texas, data protection and privacy laws distinguish between (i) “controllers” or “businesses”; and (ii) “processors” or “service providers” or “contractors”.
2.2 Data controller/business/contractor (hereinafter together referred to as: “Controller”) is the party that sets out the purposes and means (why and how) of processing of Personal Data, exercises control of the Personal Data, and stipulates retention periods of the Personal Data according to their purposes.
Except for the processing set out in Section 4.2.3 of this Privacy Notice (where the controller is SEON), the Controller, in the light of SEON’s identity verification services, is SEON’s customer, thus the company/business that has requested identity verification services from SEON. They are the ones determining why and how your Personal Data is processed.
For more information about how the Controller’s KYC, AML/CFT, prevention of (identity) fraud, criminal activity, money laundering and similar practices affect your Personal Data and about your privacy rights, retention, and how your Personal Data is processed and shared, please refer to the Controllers’ own privacy notices.
2.3 Data processor/service provider/contractor/third party (hereinafter together referred to as: “Processor”) is a party that processes Personal Data on the Controller’s behalf, based on the Controller’s instructions.
Except for the processing set out in Section 4.2.3 of this Privacy Notice (where the controller is SEON), the Processor, in the light of SEON’s identity verification services, is SEON Technologies Kft. (registered seat: H-1072 Budapest, Rákóczi út 42. 7. em; company registration number: 01-09-292732; hereinafter referred to as “SEON”), which is the signatory to the service agreement concluded with the Controller on whose behalf we process your Personal Data for identity verification purposes.
For any inquiries about this Privacy Notice, please contact SEON at the following email address: [email protected]
2.4 Before undergoing SEON’s identity verification procedures, you as the Controller’s end-user must be appropriately informed by the Controller of the processing in accordance with their own privacy notices. This includes, among others, disclosing their privacy notices to you and informing you about the use of SEON’s identity verification services in their privacy notices. Depending on the legal basis the Controller relies on for the data processing (see Section 4.2.1 of this Privacy Notice), you may also be required to provide your consent for the processing prior to such processing. You can only be forwarded to the identity verification feature’s interface if you have accepted the Controller’s privacy notice and, where consent is the legal basis, appropriate consent has been given (please refer to Section 4.2.1 of this Privacy Notice). When you enter SEON’s interface, but before the start of the verification session, SEON also provides clear and comprehensive information to you about SEON’s data processing by means of this Privacy Notice, which we shared with you via a hyperlink before the start of the verification session.
2.5 SEON has appointed a Data Protection Officer (DPO). SEON commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the United States pursuant to the EU/US Data Privacy Framework. You may contact our DPO at [email protected]. SEON will investigate and attempt to resolve any complaints or disputes regarding processing of Personal Data within a reasonable timeframe. See Section 3, “EU-US Data Privacy Framework (DPF)” and Section 10, “Remedies,” for more information.
2.6 Please note that any requests made towards us as Processors regarding your Personal Data will first be directed to the Controller. Please see Section 10.2. for more information about handling your requests.
3. EU-U.S. DATA PRIVACY FRAMEWORK (DPF)
3.1 SEON and its US subsidiaries comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension set forth by the U.S. Department of Commerce. SEON has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) concerning the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles and the DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.
3.2 SEON is responsible for processing Personal Data it receives under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Access complies with the EU-U.S. DPF Principles for all onward transfers of Personal Data from the EU, including the onward transfer liability provisions. The Federal Trade Commission has jurisdiction over SEON’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In certain situations, Access may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
3.3. SEON is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with regard to our compliance with the EU-U.S. Data Privacy Framework (DPF).
3.4 In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SEON commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EU and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact SEON at: [email protected]
3.5 In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SEON commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to an alternative dispute resolution with the panel established by the EU data protection authorities (DPAs) and Information Commissioner’s Office (ICO).
3.6 For complaints regarding EU-U.S. DPF and the UK Extension to the EU-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/s/article/C-Pre-Arbitration-Requirements-dpf
4. WHY AND HOW ARE WE PROCESSING YOUR PERSONAL DATA?
4.1 Purposes and legal bases
SEON as Processor: Provision of our Services.
4.1.1 As we primarily act as a Processor, we process your Personal Data solely for the purposes defined by the Controller. The most common purpose, and this is the essence of SEON’s identity verification service, is assisting the Controller in meeting their regulatory requirements and standards on user verification in accordance with their local regulations. This objective typically includes, but is not limited to:
- Enhancing the accuracy and efficiency of identity verification and address verification processes;
- Reducing the risk of (identity) fraud, criminal activity, money laundering and similar practices by employing advanced document verification and facial recognition technologies;
- Providing a reliable and user-friendly method for verifying the identity and document validity of end-users in real-time or asynchronous processing (depending on the Controller’s needs);
- Ensuring compliance with regulatory requirements related to Know-Your-Customer (KYC), Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) and similar measures; and
- Contributing to the Controller’s internal customer due diligence procedures.
With respect to your Personal Data, SEON’s primary purpose in the processing is to perform our identity verification services to the Controller.
Therefore, to be able to perform the service agreement(s) concluded with the Controller, obligations arising from Agreements, and related rights, SEON processes your Personal Data outlined in Section 5 to provide, manage and maintain our identity verification services in order to help the Controller verify user identity, prevent the use of fraudulent identification documents, and identify and monitor fraudulent transactions, (identity) fraud, criminal activity, money laundering and similar practices.
This includes:
- Document verification (may include age verification, if applicable): This step involves you capturing an image of your identification document (such as passport, driver’s license, ID card, or residence permit card), both sides if relevant, using your mobile or laptop cameras. The documents are then analyzed to extract relevant Personal Data and evaluate their authenticity and, if applicable, verify your age.
- Liveness (Selfie) Check: This step requires you to take a selfie photo or video with your mobile or laptop cameras while SEON captures an image or a short video of your face. From the selfie image or video, SEON extracts frames and runs them through a liveness verification and a face matching algorithm, comparing them with the image on the identification document to assess whether the image on the identification document and the live photo or video you take of yourself match, as well as to detect whether you are physically present, alive and genuine when you take the photo or video of yourself.
- Address Verification (if applicable): This is a critical component used to confirm your residential address (if the Controller chooses to utilise this component). This step helps verify that you reside at the address you claim. The verification process involves uploading an image of the document (typically utility bills, bank statements, or government-issued letters that display your name and address), validating it for tampering, cross-matching the name with the POI, extracting the address, and ensuring the document is recent.
- Sharing the results of SEON’s analysis with the Controller: In the course of providing our services, we analyze the Personal Data we receive (e.g. identification documents, biometric data) to verify your identity. The results of this analysis, including whether the verification was successful, are shared with the Controller (our customer that requested the verification). This enables the Controller to use the information for their compliance or onboarding processes, as outlined in their own privacy notice. Please note, however, that your Biometric Personal Data is never shared with the Controller; this type of data does not leave SEON’s system.
- In the course of this we conduct analytics, utilising artificial intelligence and machine learning, including using facial recognition algorithms to refine the accuracy and performance of our services.
For more information on the exact purposes defined by the Controller and other relevant circumstances of the processing please refer to the Controller’s own privacy notice.
4.1.2 When SEON processes Personal Data for the purposes set out in Section 4.1.1 above, thus, where SEON acts as the Processor, the following shall apply regarding the legal basis of the processing:
As it follows from the applicable data protection laws, the lawfulness for the entirety of the processing lies with the Controller, thus the appropriate legal basis for the processing of Personal Data by us as a Processor is dependent on the legal basis that the Controller identifies and applies (the exact use cases and applicable legal obligations differ from one Customer to another).
Based on our assessment, as the processing by SEON may involve Biometric Personal Data, your explicit consent will be the most common legal basis determined by the Controller (please see Art. 9 (2) of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) that requires your explicit consent for the processing of your Biometric Personal Data). However, for a Controller in highly regulated industries (e.g. financial institutions, iGaming companies), a legal obligation to perform KYC checks serving substantial public interest may also be considered as a legal basis.
SEON may, at its discretion and as deemed appropriate, opt to collect consent from you directly for one or more specific purposes. However, this does not impact the relationship between you and the Controller. Please note that our service cannot be provided for anonymous users, and therefore, using our service requires the disclosure of Personal Data to us and allows for its processing by both SEON and the Controller. While providing consent is completely voluntary and you have the right to withdraw your consent at any time, please note that declining or withdrawing your consent may prevent us from delivering the service, since, for instance, we will be unable to confirm your identity.
If you have given consent to the Controller and/or us to process your Personal Data, the details of those processes and their purposes will be detailed in the consent itself.
As allowed by the applicable law and the service agreement concluded by Controller and SEON, SEON may also process your Personal Data for other operational purposes reasonably necessary for delivering the service, under the agreement or rely on its legitimate interest for such processing, as outlined in the following section.
Please refer to the Controller’s privacy notice for specific details about the legal basis for processing your Personal Data.
SEON as Controller: Legitimate interests
4.1.3. For the purposes of our legitimate interest, we may process Personal Data for purposes that serve SEON’s legitimate interests, at all times in compliance with applicable data protection laws. This refers to our interest in effectively managing and directing our business to provide the best possible identity verification services in the market.
For SEON’s legitimate interest, we may process Personal Data for the following purposes:
- With the exception of Biometric Personal Data and with the consent of the Controller, we may, with the aim of preventing and detecting fraud and other unlawful activities, process Personal Data to develop, test, optimize, enhance, improve, further develop and alter our identity verification service via, among others, automatic algorithms and machine learning;
- Strengthen and enhance the security of our identity verification services helping to protect against (identity) fraud, criminal activity, money laundering and similar practices;
- With the exception of Biometric Personal Data, we may aggregate and/or anonymize the Personal Data and generate statistical or aggregated reports for service improvement, without identifying any individuals;
- To fulfill our legal obligations regarding the processing and retention of Personal Data, including securing the appropriate legal basis for processing certain Personal Data related to specific end-users. It is crucial for us to obtain and keep records confirming that this legal basis has been established, as it enables us to demonstrate compliance with applicable data protection laws;
- For reasons of substantial public interest based on requirements under the applicable law, including, but not limited to, efforts aimed at fraud prevention and non-discrimination (e.g. reducing bias);
- To investigate, deter, or take measures against unlawful activities, suspected fraudulent behavior, or any threats to our property or the physical safety of individuals or third parties;
- To comply with valid and enforceable subpoenas, court orders, or other legal directives, or as mandated by law;
- To establish, assert, or defend against legal claims; and
- To adhere to legal and regulatory obligations.
In such cases SEON acts as the Controller concerning the Personal Data processed for such purposes.
Please note that we process your Personal Data on the basis of our legitimate interest only after conducting a thorough legitimate interest assessment to ensure that our legitimate interest aligns with your fundamental rights and interests (following the test required by the applicable data protection laws) and as permitted by law and the service agreement concluded by the Controller and SEON, where applicable.
Except with your consent, SEON does not “sell”, “lease”, “share” or “trade” your Personal Data, when defined by applicable law to mean the use of your Personal Data for cross contextual behavioral advertising.
4.1.4. When SEON processes Personal Data for the purposes set out in Section 4.1.3 above, thus, where SEON acts as the Processor, it relies on Article 6(1)(f) of the GDPR – its legitimate interest. Such legitimate interest arises from the essential need for internal analysis and the continuous development and improvement of SEON’s identity verification services, which are used by our customers to detect fraud and illegal activities, helping to prevent money laundering, terrorist financing, and other matters of significant public concern. In these instances, we rely on our legitimate interest, provided that our customer grants permission to process Personal Data for such purposes, and that SEON’s objectives align with the original purposes for which the Personal Data was collected. Such purposes are deemed compatible due to our customers’ obligations and interests in preventing fraud and identifying unlawful activities.
If the Personal Data we process for SEON’s own purposes are Biometric Personal Data, we rely on substantial public interest as the basis for processing as provided in Article 9(2)(g) of the GDPR.
4.2. Data Processing Activities.
SEON performs various forms of automated data processing, which include, but are not limited to, activities such as collecting, recording, organizing, structuring, storing, modifying, retrieving, consulting, using, transmitting, sharing, disseminating or otherwise making data accessible, aligning or combining, restricting, erasing, or destroying or retaining it.
4.3 Principles for processing your Personal Data at SEON.
SEON follows the principles of Personal Data protection outlined in the GDPR, the United Kingdom General Data Protection Regulation (hereinafter: UK GDPR), and other applicable data protection laws. In line with these principles, SEON helps our Controllers ensure that your Personal Data is:
- Processed fairly, lawfully, and transparently;
- Collected and processed solely for specified, explicit, and legitimate purposes, and not used in ways that are incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
- Kept accurate and regularly updated;
- Stored in an identifiable form for no longer than necessary for the processing purposes;
- Processed in a way that ensures appropriate security;
- Not transferred outside the European Economic Area (EEA) or the UK without sufficient protection.
5. PERSONAL DATA PROCESSED:
5.1 SEON will/may process certain Personal Data about you that SEON collects from
- the Controller directly in the context of providing our identity verification services to the Controller and/or from you as you go through the verification service flow; and
- if applicable, other third-party service providers that assist SEON in providing its identity verification services, to the extent permitted by applicable law. In the course of this we may combine the Personal Data obtained from the Controller with additional information received from these third-party providers.
5.2 Personal Data processed by us under Section 5.1 may include, but is not limited to:
- Personal Data on the identification document or Personal Data extracted from the identification document, for example name, sex, personal identification number or national equivalent, date of birth, estimated age, legal capacity, nationality, citizenship, eye color, weight and height, address, as well as historic data of the end-user (you) that may have been stored by SEON during previous interactions within the retention periods and at all times within the scope of the specific Controller;
- Contact data, for example address, e-mail address, telephone numbers, IP address and, if relevant, presented document type (e.g. bank statement or utility bill);
- Details of the document, for example the name of the document, issuing country, document number, expiration date, data encoded in the document barcodes (which may vary based on the type of document) and security features;
- Identity verification data, for example images (photographs) and recordings (videos) taken from you and your identification document, as well as video recordings of the verification process, along with the results of the verification checks;
- Biometric identifiers, which are data generated by measurements of your biological characteristics such as face scans (scan of your face geometry), retina or iris scans and other measurements, extracted from an image (e.g. selfie) and/or a video, which are used to verify you or compare your face to the identity document photos via facial recognition or similar technologies; biometric information, which is information based on a biometric identifier that can be used to identify you; and any personal data that results from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Art. 4 (14) of the GDPR). Please note that some of this data may be considered biometric data under the applicable data protection laws (hereinafter: “Biometric Personal Data”);
- Technical data, which includes, but is not limited to, details such as the date, time, and your activity within the services, your IP address and domain name, information about your software and hardware, as well as your general geographic location (e.g., city, state, country);
- Session metadata, which is technical data, such as login information, device information; and
- Documentation and records of legal basis (including consents), such as in instances where we are required or choose to obtain consent, a written release, or another legal basis before processing certain Personal Data.
(hereinafter together referred to as: “Personal Data”)
5.3 Please note that the exact categories of your Personal Data that SEON processes can vary depending on several factors, such as the specific use case of the Controller in utilizing our identity verification services, the type of identification document or proof of address being verified, and the issuing country of the document. For example, different countries may require or include different types of information on IDs or proof of address documents (e.g., national ID cards, passports, utility bills), and the scope of verification may differ based on the regulatory requirements in that jurisdiction. Similarly, the Controller’s needs (specific use-case) for identity verification may require different types of data to be collected and processed, such as additional security checks for high-risk activities.
5.4 Biometric Personal Data.
5.4.1 As stated in Section 5.2, processing of Personal Data by us may include data that is classified as Biometric Personal Data in certain jurisdictions. SEON processes this data to provide our identity verification services and to maintain long-term proof of verification of the identification document you submitted, at all times strictly for the purposes defined in this Privacy Notice and within the data retention period outlined in Section 6.1. Please note that SEON does not share such Biometric Personal Data with the Controller; this type of personal data does not leave SEON’s infrastructure.
5.4.2 SEON will also permanently and securely destroy Biometric Personal Data if the Controller instructs us to do so, but no later than either (i) when the Controller’s relationship with SEON ends or (ii) after the expiry of the data retention period outlined in Section 6.1.
5.5 Children.
5.5.1. Our services are intended for business use, and we refrain from processing Personal Data on behalf of any Controller for individuals under the age limit set by the relevant Controller.
5.5.2 This means that we rely on the instructions of the Controller regarding their required age limit. If the Controller indicates that an end-user is below their specified age limit, we will terminate the verification session immediately and permanently erase any data collected up to that point.
6. HOW LONG DO WE PROCESS YOUR DATA? (DATA RETENTION)
6.1 We retain your Personal Data during the period set forth in our service agreement concluded with the Controller – our standard offered data retention period is 1 year following the completion of the verification session, unless the Controller instructs us otherwise. This retention period is designed to fulfill the purposes of the identity verification service and to comply with any legal or regulatory requirements.
6.2 After the data retention period expires, we will securely delete your Personal Data processed by us, unless we are required by law or instructed by the Controller to retain it for a longer period.
6.3 If the Controller provides different instructions regarding the data retention period, we will process and store your data according to those instructions.
6.4 For more information on the data retention period defined by the Controller for your Personal Data please refer to the Controller’s own privacy notice.
7. HOW DO WE SHARE YOUR PERSONAL DATA?
7.1 Recipients.
7.1.1. We share your Personal Data (excluding your Biometric Personal Data) directly with the specific Controller (our customer that directed you to our services), regarding the transaction you have with this Controller. Please note however that we do not cross-share your Personal Data with other customers of SEON: your Personal Data processed by SEON stays in the scope of the Controller whom you have a direct relationship with.
7.1.2. On SEON’s side, your Personal Data will be primarily processed by the employees at SEON for the above listed purposes. This may include sharing your Personal Data between SEON group entities.
7.1.3. We may also share your Personal Data with certain third-party service providers that support us in providing, developing and improving the services. Such third-party service providers include but are not limited to third-party cloud service providers and analytic tool providers and they are considered SEON’s (sub)processors regarding your Personal Data.
7.1.4 In addition, in certain circumstances we may share your Personal Data with:
- Legal consultants;
- Auditors conducting assessments;
- Authorities and supervisory authorities, including but not limited to the data protection supervisory authorities, judicial bodies and governmental agencies; and
- Any potential buyer or successor in the case of a corporate sale, merger, restructuring, dissolution, or similar circumstances, where your Personal Data may be included among the assets we transfer or disclose in anticipation of such transactions.
7.2 International Data Transfers.
7.2.1. Please note that we may share your Personal Data with SEON entities (see Section 7.1.2 above) outside the EEA; in particular, we may transfer your Personal Data to the UK. We rely on the adequacy decision adopted by the European Commission for transfers of Personal Data to the UK.
7.2.2. Please note that we may share your Personal Data with some third-party service providers (see Section 7.1.3 above) outside the EEA, Switzerland, or the United Kingdom (“UK”); in particular, we may transfer your Personal Data to countries outside of your country of residence, including the US and various third countries.
7.2.3 The data protection laws in these countries may differ from or be less strict than those in your home country. Therefore, we take measures to help protect your Personal Data, including (i) entering into standard contractual clauses adopted by the European Commission or by the UK Information Commissioner’s Office with these third-party service providers to ensure the adequate protection of your Personal Data; (ii) relying on European Commission adequacy decisions or UK adequacy regulations for certain countries; and (iii) conducting data transfer impact assessments to evaluate the risks associated with international transfers.
8. AUTOMATED DECISION-MAKING
8.1 SEON’s identity verification service qualifies as automated processing since the system employs automated technologies, including Optical Character Recognition (OCR), facial recognition, and liveness detection, to verify the identities of the Controller’s end-users (you).
8.2 However, please note that the verification results provided by SEON are solely recommendations towards the Controller and SEON does not make final decisions on behalf of the Controller. SEON’s role is to deliver reports to the Controller that include information on the identity verification process and its outcomes, along with explanations that indicate any potential levels of fraud or other risks detected. It is ultimately the Controller’s responsibility to determine how to proceed with the end-user (you), taking into account the insights provided by SEON as well as any additional information they may possess or choose to obtain from the end-user (you).
8.3 The explanation provided is based on our system’s processes and algorithms, which integrate machine learning models with human oversight and intervention. The final decision regarding the end-user lies with a human representative on the side of the Controller after they receive the verification results. The Controller uses this information to decide whether to accept or reject an end-user application, transaction etc., request additional checks, or continue serving the end-user in line with their own risk assessment and investigative procedures.
8.4 This means human intervention is primarily managed by the Controller, who determines when to implement it based on their specific needs and policies. However, SEON explicitly recommends human intervention for certain outcomes (“Review” outcome) to ensure the highest level of accuracy and reliability in the verification process. This recommendation serves as a guideline for the Controller to follow, helping them identify scenarios where manual review is crucial.
8.5 Thus, the automated processing activities by SEON do not qualify as automated decision-making (as defined in the applicable data protection laws) that would have legal consequences or similarly significant impacts on you. If the Controller uses the verification results we provide to make decisions about you, please direct any questions or concerns about your rights related to automated decision-making to the Controller who holds responsibility for your Personal Data.
9. SECURITY OF YOUR DATA
9.1 At SEON, we recognize the critical importance of securing your Personal Data and are committed to implementing robust measures to protect it. We employ a comprehensive approach to data security, utilizing a combination of advanced technologies, strict policies, and regular training for our staff. This multifaceted strategy is designed to prevent unauthorized access, alteration, disclosure, loss, or misuse of your Personal Data.
9.2 While we make every effort to ensure the safety of your data, it is important to understand that no security measures are infallible. Therefore, we cannot guarantee absolute security against data breaches or unauthorized access.
9.3 SEON is certified under the ISO 27001 standard, which demonstrates our commitment to maintaining a comprehensive information security management system that meets internationally recognized standards. Additionally, we undergo a SOC 2 Type 2 audit annually, affirming that our systems and processes align with rigorous security, availability, and confidentiality criteria. These certifications reflect our dedication to safeguarding your data and continuously improving our security practices.
9.4 For more information about SEON’s security framework please visit SEON’s Privacy & Security Whitepaper located at: https://seon.io/legal-and-security/seon-privacy-and-security-whitepaper
9.5 If you suspect that your Personal Data has been compromised, we encourage you to first reach out to the Controller, as they are responsible for your Personal Data. Additionally, you can contact us directly at [email protected]. We will collaborate with the Controller to investigate the matter and take appropriate action.
10. YOUR RIGHTS
It is important to note that you can primarily exercise the rights listed below through the Controller whom you have a direct relationship with. However, we also provide a means for you to submit requests directly to us, and we will facilitate the process in coordination with the Controller.
However, when we process your Personal Data as a Controller (as set out in Section 4.2.3 of this Privacy Notice), you should submit your requests directly to us. In this context, any reference to the Controller in this section should be interpreted as referring to SEON.
10.1 What are your rights?
Depending on where you reside (thus, what data protection laws are applicable to you) you may have the following rights regarding the processing of your Personal Data carried out by us:
- Right to access
You may have the right to request access to your Personal Data and obtain information regarding (among others): the purpose of processing; what categories of Personal Data are processed; to whom your Personal Data is transferred or disclosed; for what period is your Personal Data processed (data retention period); your rights in connection with data processing carried out regarding your Personal Data; your right to lodge a complaint with a supervisory authority regarding the processing; in case your Personal Data is being collected from other sources than from you, any available information as to the source; the existence of automated decision-making and related information, including the logic involved, as well as the significance and the envisaged consequences of such processing for you; whether your Personal Data is transferred outside the EEA and regarding the conditions of these transfers.
- Right to rectification
You may have the right to request to rectify your inaccurate Personal Data and to request to complete your incomplete Personal Data by means of providing a supplementary statement.
- Right to erasure
If you request to do so, any of your Personal Data will be erased in the event of the following:
- your Personal Data is no longer necessary for the purpose concerned;
- you withdraw your consent and there is no other legal basis for the processing;
- you object to the processing and there are no overriding legitimate grounds for the processing;
- your Personal Data has been processed unlawfully;
- your Personal Data has to be erased according to relevant laws.
Please note that the Controller or we are entitled to not erase your Personal Data if it is necessary – inter alia – for exercising the right of freedom of expression and information, for compliance with legal obligations, and for the establishment, exercise or defense of legal claims.
- Right to restriction of processing
You may have the right to obtain a restriction of processing where one of the following applies:
- you have contested the accuracy of your Personal Data, in which case you will obtain restriction for a period of time enabling us to verify the accuracy of your Personal Data;
- the processing is unlawful, and you oppose the erasure of your Personal Data and request the restriction of the use of your Personal Data instead;
- your Personal Data is no longer needed for the purposes of the processing, but your Personal Data are required by you for the establishment, exercise or defense of legal claims; or
- you objected to the processing and the verification is pending whether the Controller’s legitimate grounds override yours.
Where processing has been restricted, Personal Data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of an EU member state.
- Right to object to processing
You may have the right to object to the processing of your Personal Data on grounds relating to your particular situation, where the legal basis of the processing activity is the Controller’s legitimate interest (or the legitimate interest of a third party). Your Personal Data will no longer be processed unless the Controller demonstrates compelling legitimate grounds, which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
- Right to data portability
If certain conditions apply, you may have the right to receive your Personal Data in a structured, commonly used and machine-readable format and have the right to transmit that data from the Controller or from SEON to another controller without hindrance, where technically feasible.
- Right to withdraw your consent
If consent is the applicable legal basis for the processing of your Personal Data, you may have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal.
- Right not to be subject to automated decision-making
You may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. However, please note that the automated processing activities by SEON do not qualify as automated decision-making (as defined in the applicable data protection laws) that would have legal consequences or similarly significant impacts on you. For more information about this please refer to Section 8 of this Privacy Notice.
10.2 How can you exercise your rights?
SEON as Processor.
10.2.1. Since SEON primarily acts as a Processor of your Personal Data that is processed by SEON in our role as a provider of identity verification services towards our customers and our customer(s) are considered the Controller(s) of your Personal Data under the applicable data protection laws, you can primarily exercise the rights listed above through the Controller whom you have a direct relationship with and they should execute your request.
10.2.2. However, we also provide means for you to submit requests directly to us relating to your Personal Data processed by us on behalf of the Controller you have a direct relationship with. When you send a request to our Data Protection Officer (DPO) at [email protected], we will facilitate the process by forwarding your request to the respective Controller on your behalf without undue delay. Since we act as an intermediary, please understand that we do not have the authority to fulfill such requests arbitrarily or directly unless specifically instructed to do so by the Controller after notifying them about the request. Furthermore, please note that we may ask you to verify your identity before taking further action on your request.
10.2.3. If you have contacted SEON directly regarding your request, we will provide information on the actions taken on your request (forwarding your request to the Controller) within a reasonable time but no later than required by the applicable law. We will take the necessary actions free of charge except when your request is manifestly unfounded or excessive. In case we have reasonable doubts as to the identity of the natural person making the request, we may request additional information necessary to confirm your identity.
10.2.4. If the Controller does not instruct us to take action to complete your request, we will inform you within a reasonable time but no later than required by the applicable law about the reasons for and the possibility of lodging a complaint with a data protection supervisory authority and seeking a judicial remedy.
SEON as Controller.
10.2.5. When we process your Personal Data as a Controller (as set out in Section 4.2.3 of this Privacy Notice), you should submit your requests directly to us by sending a request to our Data Protection Officer (DPO) at [email protected]. In this case, SEON will act in accordance with the requirements set out in the applicable law applicable to the data controller in relation to data subject requests.
10.2.6. We will provide information on the actions taken on your request without undue delay and in any event within one month of the receipt of your request (or sooner if required by applicable law). This period may be extended with a reasoned notification to you by two months where necessary, taking into account the complexity and number of requests.
10.2.7. Please note that we may ask you to verify your identity before taking further action on your request.
10.2.8. We will take the necessary actions free of charge except when your request is manifestly unfounded or excessive. In case we have reasonable doubts as to the identity of the natural person making the request, we may request additional information necessary to confirm your identity. We will inform all recipients of all rectification, erasure, or restriction of processing to whom Personal Data was disclosed except if it is impossible or requires disproportionate effort.
10.2.9. In case we do not take any action regarding your request, we will inform you within one month of the receipt of your request (or sooner if required by applicable law) as to the reasons and the possibility of lodging a complaint with a data protection supervisory authority and seeking a judicial remedy.
11. JURISDICTION SPECIFIC NOTICES
Please note that in case of any conflict or ambiguity between the special notices of this Section 11 and the other provisions of this Privacy Notice, the former prevails.
11.1 EU Data Subjects and Extra-Territorial
11.1.1. SEON is committed to safeguarding your Personal Data from the United Kingdom (“UK”), European Union (“EU”), or European Economic Area (“EEA”) regulated by the GDPR (or UK GDPR) when such data is transferred to third countries, including the United States. We are committed to protecting such GDPR Personal Data in accordance with our obligations under applicable law, such as GDPR Articles 45 to 50, and the Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.
11.1.2. SEON has implemented appropriate cross-border transfer solutions in accordance with the GDPR, such as European Commission Standard Contractual Clauses (also known as Model Contractual Clauses) and the UK’s International Data Transfer Addendum (UK Addendum) as the legal basis for transferring Personal Data to third countries, including the United States. To the extent permitted by applicable law, your consent to the Personal Data processing provided to the Controller constitutes the consent to the transfer of your Personal Data to SEON in the United States in the context of the EU-US Data Privacy Framework as set out in Commission Implementing Decision of July 10, 2023 pursuant to the GDPR on the adequate level of protection of Personal Data under the EU-US Data Privacy Framework.
11.1.3. SEON complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. SEON has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
11.1.4. In all cases where SEON transfers Personal Data to a third party acting as a controller, SEON will comply with this Privacy Notice. SEON will enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by you and that the recipient will provide the same level of protection as the Principles and will notify SEON if it makes a determination that it can no longer meet this obligation. The contract also provides that when such a determination is made the third party controller will cease processing or take other reasonable and appropriate steps to remediate.
11.1.5. In all cases where SEON transfers Personal Data to a third party acting as an agent (processor for GDPR purposes), SEON will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify SEON if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of SEON’s contract with that agent to the U.S. Department of Commerce upon request.
11.1.6. When we transfer your Personal Data to third parties we comply with the requirements of the legal protections that cover your information. For example, when we perform an onward transfer of your information protected under the GDPR, we remain responsible for the processing of your Personal Data. For information subject to an onward transfer by us under the Data Privacy Framework, we will remain liable under the Data Privacy Framework Principles if a recipient of your protected Personal Data processes such Personal Data in a manner inconsistent with the Principles, unless we are able to prove that we are not responsible for the event giving rise to the damage.
11.2 California, Colorado, Connecticut, Utah, and Virginia Residents
11.2.1. Under the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Protection of Personal Information Act and the Virginia Consumer Data Protection Act, residents of these states have certain rights regarding the Personal Data that businesses collect and process about them. This includes the rights to request access or deletion of your Personal Data, as well as the right to direct a business to stop selling or sharing your Personal Data. Consistent with Section 4, “WHY AND HOW ARE WE PROCESSING YOUR PERSONAL DATA”, we, while providing our identity verification services to our customers (Controllers/Businesses), collect certain categories and specific pieces of Personal Data about individuals that are considered “personal information” in the States listed above. As detailed above, we may collect this personal information (Personal Data) directly from the Controller/Business (indirectly from you) and other third party service providers, if applicable. We collect, share and disclose personal information (Personal Data) for the purposes determined by the Controller/Business as described in Section 4, “WHY AND HOW ARE WE PROCESSING YOUR PERSONAL DATA”, and Section 7, “HOW DO WE SHARE YOUR PERSONAL DATA?”.
11.2.2. SEON’s use of personal information (Personal Data) is not a sale of personal information (Personal Data) under California law.
11.2.3. Subject to certain exceptions, as a California, Colorado, Connecticut, Utah or Virginia consumer, you have the right to: (i) access your personal information (Personal Data); (ii) obtain deletion of your personal information (Personal Data); (iii) receive information about the personal information (Personal Data) about you that we have “sold” (as such term is defined under California law) to third parties within the past 12 months; and (iv) opt-out of the “sale” of your personal information (Personal Data). To the extent permitted by applicable law, we may be required to retain some of your personal information (Personal Data), and certain personal information (Personal Data) is strictly necessary in order for us to fulfill the purposes described in this Privacy Notice.
Please refer to Section 10.2 (“How can you exercise your rights?”) and Section 12 (“REMEDIES”) if you have questions or wish to exercise such rights.
If you are a consumer residing in one of the above states and you wish to exercise your rights as outlined in this Section 11.2, please note that since SEON acts only as a service provider regarding any of your personal information (Personal Data) that may have been collected and processed by SEON in our role as a service provider of our identity verification services provided to our customers and our customer(s) are considered Controllers/Businesses under the applicable data protection laws, you can primarily exercise these rights through the Business with whom you have a direct relationship and they should execute your request.
However, we also provide a means for you to submit requests directly to us relating to your Personal Information (Personal Data) processed by us on behalf of the Controller/Business you have a direct relationship with. When you send a request to our Data Protection Officer (DPO) at [email protected], we will facilitate the process by forwarding your request to the respective Controller/Business on your behalf without undue delay. Since we act as an intermediary, please understand that we do not have the authority to fulfill such requests arbitrarily or directly unless specifically instructed to do so by the Controller/Business after notifying them about the request.
When we process your personal information as a Controller/Business (as set out in Section 4.2.3 of this Privacy Notice), you should submit your requests directly to us by sending a request to our Data Protection Officer (DPO) at [email protected]. In this case, SEON will act in accordance with the requirements set out in the applicable data protection laws applicable to the data controller/business in relation to your Privacy Rights Request.
11.2.4. Right to appeal. If you have contacted SEON regarding your Privacy Rights Request, and SEON does not take action (forwarding your request to the Controller/Business) on your Privacy Rights Request within (i) a reasonable time but no later than required by law (if SEON acts as the data processor/service provider); or (ii) within the 45-day response period, or when applicable, in the event of an extension, within the maximum 90-day response period (if SEON acts as the data controller/business), we will inform you in writing of the reasons for not taking action, as well as provide an explanation of any rights you have to appeal the decision.
● California residents may contact the California Privacy Protection Agency.
● Colorado residents may contact the Colorado Attorney General.
● Connecticut residents may contact the Connecticut Attorney General.
● Utah residents may contact the Utah Division of Consumer Protection.
● Virginia residents may contact the Virginia Attorney General.
11.3. Illinois and Texas Residents
11.3.1. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq., and the Texas Business and Commerce Code § 503.001 govern the collection, storage, use, and retention of “biometric identifiers” and “biometric information.” A “biometric identifier” includes retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry but excludes writing samples, signatures, photographs, biological samples for scientific testing, demographic data, tattoo descriptions, and physical traits like height, weight, or eye color. “Biometric information” refers to any data based on a biometric identifier, regardless of its method of capture, storage, or sharing, used for identifying an individual (hereinafter collectively: “Biometric Personal Data”).
11.3.2. SEON collects specific Biometric Personal Data, specifically face scan data (such as face geometry and related information), as part of the identity verification process. This data helps SEON to verify identities, prevent (identity) fraud, criminal activity, money laundering and similar practices and provide ongoing authentication services to our customers (Controllers/Businesses).
11.3.3. For Illinois residents, SEON permanently deletes Biometric Personal Data when the original purpose for collection is fulfilled or within 1 year following the completion of the verification session, whichever is sooner.
11.3.4. For Texas residents, SEON permanently deletes Biometric Personal Data when the original purpose for collection is fulfilled or within 1 year following the completion of the verification session, whichever is later.
11.3.5. Except as restricted by the applicable law, access to your Biometric Personal Data and other personal information (Personal Data) is limited to the Controller/Business, SEON and our third-party service providers, who process this information solely on our behalf to deliver the identity verification services. SEON does not share Biometric Personal Data with any additional third parties.
11.3.6. Whenever Biometric Personal Data is used as part of the services provided by SEON to a Controller/Business, SEON will process this data on the Controller/Business’s behalf and permanently delete it in accordance with this Section. In this case, SEON will only store Biometric Personal Data for the period outlined in this section but not later than the period mandated by applicable law and will not perform any other operations involving this type of Personal Data.
11.3.7. Our customers are independently responsible for ensuring compliance with privacy regulations, including the data protection laws set out in this section, by providing all required information and obtaining the necessary consents.
11.3.8. Except where prohibited by applicable law, SEON may use your personal information (Personal Data) (excluding Biometric Personal Data from Illinois and Texas residents) for service improvement (as described in lit. (ii) of Section 4.2.2). The Controller/Business for whom SEON processes your personal information (Personal Data) may receive your personal information (Personal Data) from SEON, such as copies of your ID and photo, as well as verification status, though we do not share your Biometric Personal Data with them – such type of data does not leave SEON’s infrastructure.
11.3.9. By selecting the relevant options before the verification or authentication process and choosing to proceed, you acknowledge that you have read the disclosures and voluntarily consent to SEON’s collection, storage, retention, use, and sharing of your Biometric Personal Data.
11.3.10. SEON uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure your Biometric Personal Data, in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and/or sensitive information. Veriff does not sell, lease, trade or otherwise profit from the biometric data.
12. REMEDIES
12.1. If you have contacted SEON, and you do not agree with our response or action, or if you consider that your rights have been infringed, you may lodge a complaint with the data protection supervisory authority in the UK or the EU Member State of your habitual residence, place of work or place of the alleged infringement, in particular, with the following data protection supervisory authorities:
- Hungarian National Authority for Data Protection and Freedom of Information (address: HU-1055 Budapest, Falk Miksa utca 9-11; mailing address: 1363 Budapest, Pf.: 9.; tel.: +36-1-391-1400; e-mail: [email protected]; website: naih.hu);
- Information Commissioner’s Office (address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, online contact form: https://ico.org.uk/global/contact-us/);
- EU authorities at http://ec.europa.eu/justice/article-29/structure/data-protectionauthorities/index_en.htm
12.2. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SEON commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
12.3. You may, subject to its terms, invoke binding arbitration in accordance with Annex I of the DPF Principles: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf.
12.4. This provides that you may invoke binding arbitration by delivering notice to SEON and following the procedures and subject to conditions set forth in Annex I of the Principles.
13. UPDATES
Please note that we review this Privacy Notice from time to time and we reserve the right to amend it as necessary. When we amend this Privacy Notice, we will announce and publish it on our Website. We encourage you to review this Privacy Notice regularly.