This notice explains how Vouchsafe uses your personal data when your details are checked using our services.
We follow UK data protection law and operate in line with applicable trust framework rules, including the UK Digital Identity and Attributes Trust Framework.
1. Who we are (and the different roles we may have)
Vouchsafe provides identity, age, address and related verification services to businesses such as lenders, employers and service providers.
For most verification activity, Vouchsafe acts on behalf of the business that asked us to run a check. That business decides why the check is needed, which checks to run, and what happens as a result. In those cases, that business is the controller and Vouchsafe is the processor.
Sometimes, Vouchsafe also carries out fraud prevention activity to protect our service and to help prevent misuse. For this fraud prevention activity (including checks with fraud prevention agencies such as Cifas where enabled), Vouchsafe may act as a controller (or joint controller) for that specific processing.
2. What data we process
Depending on the check, we may process:
- Personal details – such as your name, date of birth, address, or contact information
- Documents – such as identity or address documents you provide:
- Biometric data – such as a facial image used for identity matching
- Technical information – such as device or session information
- Authoritative source data – from trusted third-party sources used to confirm details
We only process data that is relevant to the check being carried out.
3.1 Special category data
We process biometric data for the sole purpose of uniquely identifying a person, in accordance with UK GDPR Article 9(2)(g) and the Digital Identity & Attributes Trust Framework.
We do not intentionally process other special category data, and take steps to minimise collection.
4. Why we process your data (legal basis)
We process personal data only when we have a lawful reason to do so.
Verification processing (when we act on behalf of a business)
Where we act on behalf of a business, that business (as controller) is responsible for determining the lawful basis for the verification it requests and for providing you with relevant information under its own terms.
Depending on the context, lawful reasons may include:
- processing is necessary to provide the verification you are completing directly; or
- the business has a legitimate interest in checking your details as part of an application or assessment; or
- the business has a legal obligation to carry out checks.
Fraud prevention processing (where Vouchsafe acts as controller)
Where Vouchsafe carries out fraud prevention processing (including checks with fraud prevention agencies such as Cifas where enabled), we do so on the basis of our legitimate interests in preventing fraud and misuse of our service, and to comply with legal obligations that apply to us.
5. Automated processing
Some verification checks use automated systems to assess information. These checks:
- support decision-making
- may produce probabilistic results; and
- do not, on their own, determine final outcomes.
Your rights in relation to automated processing are explained below.
6. Who your data is shared with
Your data may be shared with:
- the business that requested the check;
- trusted third-party services that help us deliver verification (see a list);
- fraud prevention agencies (including Cifas); and
- authorities, where we are required to do so by law or trust framework rules. If data is transferred outside the UK, appropriate safeguards are used.
Vouchsafe does not:
- profile users for third party marketing; or
- create aggregate data sets without appropriate anonymisation that prevents users from being re-identified, in line with ICO best practices.
7. How long we keep your data
We keep personal data only for as long as needed to provide the service and meet our obligations.
In general:
- verification data relating to individuals is deleted within a reasonable period after the check; and
- data may be kept longer where required for fraud prevention, legal reasons, or trust framework rules.
Where fraud prevention agencies are used (including Cifas), those agencies can hold personal data for different periods of time. If you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
Data is deleted securely.
8. Fraud prevention agencies (including Cifas)
This section applies where a fraud prevention check is enabled as part of a Vouchsafe check.
General
Before we provide the verification service, we may undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details. (Not all of this will be used in every check.)
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing may also be a contractual requirement of the services you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
Automated decisions
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately
hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details below.
Consequences of processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, finance, or employment to you. If you have any questions about this, please contact us using the details below.
Data transfers
Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.
9. Your rights
You have rights under UK data protection law, including the right to:
- access your data;
- ask for incorrect data to be corrected;
- ask for data to be deleted, in some circumstances;
- object to certain types of processing;
- ask for processing to be restricted; and
- request a human review of certain automated processing.
To use these rights, contact us using the details below.
10. Complaints and questions
If you have questions about why a check was carried out or how the result was used, you should contact the organisation that asked for the check.
If you have questions about how Vouchsafe processes personal data, you can contact us using the details below.
Email: help@vouchsafe.id
Data Protection Officer: jaye@vouchsafe.id
To report a security issue, contact: security@vouchsafe.id
If you are not satisfied with our response, you can complain to the UK data protection regulator:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
0303 123 1113