Hi and welcome to what we hope will be the kind of Privacy Notice you end up wanting to read - because this bit’s written in easy-to-digest language and tells you the parts you most need to know in a way that will make sense.
However, we, of course, understand that at times you might actually want to read the long, legalese version, so just to be sure, that’s further down for you. Whichever version you read, if you have any questions, definitely reach out to us and we’ll be happy to help.
So, why do we have a Privacy Notice? Well, you’re legally entitled to know what data of yours we keep on our servers, as well as how it’s used, and we’re legally obliged to tell you… something that we’re happy to do.
In terms of the LeverID app itself, if you’ve downloaded and want to use it, there are pieces of data that we keep and there are others that our trusted verification partner, Onfido, keeps.
All that we keep is your name (as entered when you register) and whatever identification code you used to confirm your identity (the one issued by your local authority).
The Leversign product doesn’t even store that data, beyond you having registered with a name, which produces an ID number. We only store the ID number.
That’s it, folks, that’s all we keep at our end! Not even your shoe size. Just what we mention now.
The stuff that Onfido keeps are things like facial imagery and sound files, out of necessity - full details in Section 2 of the long version - oh and they have a Privacy Notice too - here!
Why do we ‘keep’ some of your data anyway? Well, if we don’t, neither LeverID nor Leversign will work. Simples. It’s the same with Onfido - we both only keep what we need to ensure the app works and your identity is always verifiable. Also simples. Otherwise, you’d have to go through identity re-verification and re-registration every time you opened the app. Which would kinda kill the convenience element…
Here’s the reassuring bit - we don’t sell your data to anyone else; we don’t even reveal it to anyone else unless we a) have to (by law) and b) need to (in order to keep the services working) - and if we need to do that, we take appropriate steps to ensure security of your data. See 3.1 and 3.2 of the long version for more info on that bit.
By the way, you have a whole host of rights when it comes to knowing stuff about what we do - and we’ve listed them in the long version, see part 5 there - everything you have the right to know and how you can exercise such rights.
Here’s another thing about data and privacy notices - we’re called a ‘Data Controller’ but only because we’re in (necessary) possession of your data and we need to control (which in many languages also means “check”) that it is not misused in any way. It’s not like we control you 🙂
Yes, it’s our product - but it’s your data… and we work hard to keep it secure.
So, thank you for trusting us with it - we hope the above (and the below) will give you the reassurance you need so you can click ‘accept’ (in the app), relax, and just enjoy the convenience that our service has been designed to provide you with.
If you need any more info, or have a question, or just want to tell us how your day has been made easier by using LeverID or Leversign, we’re happy to hear from you - drop us a message on [email protected] any time.
The LeverID Team
(And now the legalese version. Enjoy! 😀)
This privacy notice (hereinafter “notice”) explains how Lever ID OÜ (hereinafter “we” or “us”) processes personal data of users (hereinafter “you” or the “data subject”) of the LeverID application available on iOS and Android platforms (hereinafter “application”).
This notice describes the processing of personal data by us as a data controller. This means that we individually, or along with others, determine the purposes and means of the processing of personal data.
As stated above, this privacy notice provides information on processing of personal data in regard to the application. In order to run the application, you provide us with your name, a personal code of your country of residence and an email address. In this way, we process your personal data as little as possible. However, processing of certain personal data is unavoidable, otherwise the application will simply not work properly on your device. The personal data we need to process for that reason is described in Section 2 below.
1. DATA CONTROLLER
Lever ID OÜ
Registry code: 16410674
Address: A. H. Tammsaare tee 47, Kristiine linnaosa, Harju maakond, Tallinn, 11316, Estonia.
Email: [email protected]
Contact details of Data Protection Officer: [[email protected]]
2. THE PURPOSES AND THE LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA
When we process your personal data, we rely on the following legal ground: processing is necessary for the performance of a contract to which you are the party, or in order to take steps, at your request, prior to entering into a contract.
Purposes of processing:
Personal data that we process:
LeverID does not collect face data but, in order to use LeverID, we must verify your identity. LeverID uses the Onfido Biometric Verification service ‘SDK’, which records a video of the user speaking a number and moving their head in a specified direction. We do use Apple’s Face ID functionality to enter Pin 1 or Pin 2, although this can be toggled on or off by the user. LeverID only stores on its servers your name and your personal country code. Onfido stores all ‘KYC’ process-related personal information on its own servers.
We use Onfido as a ‘KYC’ provider to verify a user's identity via uploading a photo-based identity document, a selfie image and artificial intelligence algorithms. When verifying the identity of a user, Onfido will ask for an image, or images, of the user’s identity document, as well as a picture or video of their face. Onfido then seeks to verify whether the identity document is likely to be genuine and whether the person in the photo or video is likely to be the same person pictured in the identity document. We will also look to identify signs of fraud (for example, someone wearing a mask to impersonate another person or to conceal their own real identity). If the user is successful on both the document and facial verification checks, Onfido will likely consider the user to have proven their identity. In some cases, Onfido may also further check whether or not we have previously verified you as a user for LeverID (e.g., on two different devices, such as on iOS and Android) by comparing the picture of your face to any picture previously provided by you. This helps us to not only verify your identity, but it further protects you by helping us to understand whenever a user may be attempting to generate multiple identities.
During the KYC stage of registration, your data is processed only within Onfido and is not shared with any other parties at that point.
To complete the registration process, the following personal data is required by both LeverID and Onfido for the provision of our services, i.e., to allow you to use the application.
Name, country’s personal code, email, your device’s ID, public keys, MAC key, encrypted PINs (authentication and signing); unique ID (LeverID in UUID form) that is strictly bound to the device and remembered in the core of the application as an application/user identifier.
Sources of collection of personal data: we receive the personal data from you when you download, install and launch the application on your device.
Once the registration and KYC processes are completed, the only data that LeverID retains on its servers is your name (as entered during registration) and the personal country code as issued by your local authority. Onfido keeps all the data from the identity document used, the facial imagery and the audio file in an encrypted form on its servers and their own privacy notice can be found here.
3. CATEGORIES OF RECIPIENTS OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
In some cases, we may transfer your personal data to certain recipients who are categorized as follows:
3.1. Partners who provide the services to us and who process the personal data on our behalf (data processors), e.g.:
(a) Providers of ICT services (including providers of website and platform hosting services and other providers of cloud services)
(b) Various contractors (IT development, support)
3.2. Public authorities and supervisory bodies, e.g., court, law enforcement authorities, Data Protection Inspectorate. We transfer your personal data to public authorities and supervisory bodies only if the law requires it.
Unless necessary for the provision of services, we do not transfer your personal data outside the European Union (EU) or the European Economic Area (EEA), nor to such third country or international organization the level of data protection of which the European Commission has not considered adequate. If your personal data is transferred outside of the EU or EEA, such transfer of personal data will take place only upon appropriate legal basis and we will take appropriate protective measures.
You have the right to receive additional information about the transfer of your personal data by sending us the relevant request at [email protected].
4. RETENTION OF PERSONAL DATA
We keep your personal data for the period necessary for the achievement of purposes stated in this notice or until the law requires it. LeverID retains only the user's name and personal country code for the time that a user is using our services. Onfido retains data required only for verifying your identity.
Specific terms of retention can be exercised by accessing your personal data. Please see the explanation in Section 5, “Your rights regarding the personal data”. LeverID only collects your name and personal code.
5. YOUR RIGHTS REGARDING THE PERSONAL DATA
You have the right to know:
- whether or not personal data concerning you are being processed
- what the purpose of processing is
- what the categories of personal data are
- to whom the personal data is disclosed (especially the recipients in third countries)
- for how long the personal data is retained
- what your rights concerning rectification, erasure and restriction of the processing are
Right of rectification: you have the right to demand rectification of the personal data concerning you if the data are inaccurate or incomplete.
Right of erasure: in some cases, you have the right to demand erasure of the personal data concerning you, for example when you withdraw your consent and there are no other legal grounds for the processing of the personal data.
Right to restrict the processing: in some cases, you have the right to restrict processing of the personal data concerning you for a certain time (e.g., if you have objected to the processing of personal data).
Right to object: you have the right to object to the processing of personal data, which is processed based on the legitimate interest, including profiling. Upon objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. Please be aware though that this will render the application unusable as we will no longer be able to ‘prove beyond reasonable doubt’ via Onfido that your identity integrity is secure.
Right to data portability: if processing your personal data is based on your consent or the contract with us, and the data processing is carried out by automated means, then you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. Also, you have the right to request that those personal data be transmitted to another service provider, if it is technically possible.
Right to turn to us, a supervisory authority, or a court: if you want to exercise the above-mentioned rights, please send us an email at [email protected]. If you find that your rights have been breached, you have the right to turn to the Data Protection Inspectorate (Andmekaitse Inspektsioon) and/or court. The contact details of the Data Protection Inspectorate are available at www.aki.ee.
6. AMENDMENT OF THIS NOTICE
We have the right to amend this notice unilaterally. We will notify users of any amendment to this notice via an updated version of the application, or by email or in another appropriate manner.