Versions: Spanish (Mexico) | French (Canada) | Portuguese (Brazil)

Welcome. This Global Privacy Statement relates to Socure Inc. (collectively, “Socure,” “we,” “us,” or “our”), a platform providing digital identity verification and fraud prevention products and services (the “Services”), and describes How Socure Works, the Personal Information We Collect (and the Sources), our Cookie Policy, Where We Store And Transfer Your Personal Information, How We Use Your Personal Information, How We Disclose Your Personal Information, How Long We Retain Your Personal Information, How We Protect Your Personal Information, our Lawful Bases for Processing, Your Data Rights, How to Exercise Your Data Rights, and How to Contact Us. This Global Privacy Statement applies when we verify your identity on behalf of our business customers and prospects, when we market and sell our Services to you, and when you visit and engage with us in person or online, across our websites and digital content (the “Sites”). 

Subject to applicable law, we may update this Global Privacy Statement from time to time by publishing a new version on this website. Socure also maintains a DocV Privacy Notice that applies specifically to Socure’s predictive document verification product (“DocV”). If our business customers use DocV and our other products and services, both policies apply. (If you’re not sure which products our customers use, ask them!)

How Socure Works

Socure is a platform that provides digital identity verification and fraud prevention products and services to business customers, who provide us with your personal information so we can verify your identity and prevent fraud. Socure uses predictive analytics, artificial intelligence, and machine learning to assess the information we receive from you, our customers, and our our data sources to answer a number of questions relating to identity verification and fraud prevention, such as:

  • Does this identity actually exist?
  • Have we seen this identity before? 
  • Does the identity belong to the person who provided it?
  • What fraud risks are associated with the identity?

Because Socure does not provide any goods or services directly to consumers, you may not interact directly with Socure (outside of DocV, described above). This means that Socure processes your personal information at the request our business customers who might need to assess risks associated with an online transaction, like opening a bank account, wiring money, placing a bet on a sporting event, or updating the contact information in your account. 

Only the Socure business customer decides:  (a) whether and for what reason(s) your information is provided to Socure; (b) which elements of personal information we collect and analyze on their behalf; (c) which alternative verification methods are available; and (d) whether and under what circumstances to accept, review, or reject a particular transaction.

Personal Information We Collect (and the Sources)

Socure may collect personal information about you from our business customers or prospects, from your device, from you, from data vendors, and/or from our third-party service providers. The categories of personal information we collect in connection with the products and services we provide our business customers are outlined below, together with information about the sources.

Chart A summarizes the categories of personal information Socure collects about individuals whose identities we verify on behalf of our business customers. Chart B summarizes the personal information Socure collects about individuals who work for our business customers and prospects. 

CHART A – PERSONAL INFORMATION SOCURE USES FOR IDENTITY VERIFICATION AND FRAUD PREVENTION

Categories of Personal Information Collected Sources of Information Collected

Identifiers, such as legal name, alias or nickname, mailing or physical address, email address, telephone number, social security number, driver’s license or state identification card number, national identification number, passport or other government-issued identity document number, death records, or other similar identifiers.

Business Customers or Prospects may provide this information to Socure in connection with a specific transaction. 

Data Vendors may provide this information to Socure.

Financial Account Information, including routing and account numbers and transaction history. 

Business Customers or Prospects may provide this information to Socure in connection with a specific transaction.

Photographs, including selfies and photographs of a government-issued or other identity document, and information about the photographs, such as the image EXIF data, the time of image capture, and the time of image upload, where applicable.

Business Customers or Prospects may provide this information to Socure in connection with a specific DocV transaction.

You provide this information to Socure in connection with a specific DocV transaction.

Biometric information, such as facial landmarks (coordinates of corners of eyes and mouth, tip of nose or chin) and facial embeddings (vector representation of facial features) derived from the facial photographs on your government-issued identity document and/or selfie.

You provide this information to Socure in connection with a specific DocV transaction.

Third-party service providers used to extract biometric information from your photographs may provide this information to Socure. 

Device, Browser, and Network Information, including Geolocation Data, such as Global Positioning System (GPS) coordinates, Internet Protocol (IP) address, unique device identifier, device serial number, device type, device make and model, device operating system, mobile carrier, online identifier, SIM swap activity, language and time zone settings, referrer URL, and other information about the browsers, network, and devices you use when interacting with Socure.

You and Your Device may automatically provide this information to Socure, if you have enabled such collection in your device settings, in connection with a specific transaction or when you interact with our Business Customers’ or Prospects’ apps or websites.

Data Vendors may provide this information to Socure.

Behavioral data and inferences about how you typically interact with your device during a session, including session timing, which components of our app or website you interact with, and how quickly you capture your photos or click submit.

You and Your Device may automatically provide this information to Socure, if you have enabled such collection in your device settings, in connection with a specific DocV transaction or when you interact with our Business Customers’ or Prospects’ apps or websites.

Characteristics of protected classifications, such as age, sex, apparent gender, immigration status, race, apparent skin color, and national origin.

Business Customers or Prospects may provide this information to Socure in connection with a specific transaction or to support fairness in outcomes and bias testing.

You provide this information to Socure in connection with a specific DocV transaction.

Socure may infer this information about you.

 

CHART B – PERSONAL INFORMATION SOCURE USES FOR SALES AND MARKETING TO BUSINESS CUSTOMERS

Categories of Personal Information Collected Sources of Information Collected

Identifiers, such as legal name, alias or nickname, mailing or residence address, email address, or other similar identifiers.

You, the Business Customer or Prospect may provide this information to Socure when you engage with Socure via the Sites.

Data vendors and Third-Party Service Providers may provide this information to Socure.

Commercial Information, such as information about your company, including IP address, information about which Socure products and services you purchase or inquire about, chatbot transcripts, your engagement history with Socure’s website and with our general marketing efforts, such as webinars you attend, and which Socure content you download. 

You provide this information to Socure when you engage with Socure via the Sites or via in-person or virtual events.

Data Vendors and Third-Party Service Providers may provide this information to Socure.

Browser and Network Information, including Geolocation Data, such as Internet Protocol (IP) address, language and time zone settings, referrer URL, and other information about the browsers and network you use when interacting with the Sites.

You provide this information to Socure when you engage with Socure via the Sites or via in-person or virtual events.

Data Vendors and Third-Party Service Providers may provide this information to Socure.

Behavioral data and inferences about how you typically interact with the Sites during a session, including session timing, which components of our app or website you interact with, and how quickly you capture your photos or click submit.

You provide this information to Socure when you engage with Socure via the Sites or via in-person or virtual events.

Data Vendors and Third-Party Service Providers may provide this information to Socure.

 

California Residents: We collect the same information above for you. Under the California Consumer Privacy Act (CCPA), we’re required to let you know that information may also fall  under these categories:  Personal Information Categories Listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)); Internet or Other Electronic Network Activity Information; Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information; Inferences; and Sensitive Personal Information.

Our Sites use cookies to enhance your browsing experience and provide personalized services. This policy explains what cookies are, how we use them, and your choices regarding their use. By continuing to use the Sites, you consent to the use of cookies in accordance with this policy.

What are Cookies? Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work more efficiently, as well as to provide information to the owners of the site. 

Types of Cookies We Use – Socure uses four types of cookies when you visit the Sites:

  1. Necessary Cookies: These cookies are essential for the website to function properly. They enable basic features such as page navigation and access to secure areas of the website.
  2. Preferences Cookies: Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
  3. Statistics/Analytics Cookies: These cookies help us understand how visitors interact with the Sites by collecting and reporting information anonymously. They allow us to measure and improve the performance of the Sites.
  4. Marketing Cookies: These cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

Third-Party Cookies – The Sites use third-party cookies for marketing and analytics purposes. These third parties may collect information about your online activities over time and across different websites.

Managing Cookies – You can control and/or delete cookies as you wish. For details, please visit http://aboutcookies.org. You can delete all cookies that are already on your computer and set most browsers to prevent them from being placed. However, if you do this, you may have to manually adjust some preferences every time you visit a site, and some services and functionalities may not work. 

Where We Store and Transfer Your Personal Information

Socure stores your personal information in the United States. If you are not already located in the United States, your personal information is transferred to the United States. Where Socure uses third-party service providers, the exact locations where they process data may sometimes be beyond our control. 

How We Use Your Personal Information

We use your personal information in accordance with law and our customer contracts to: 

  • perform identity verification and fraud prevention services on behalf of our business customers; 
  • help ensure the security and integrity of the Services; 
  • identify and repair errors that impair existing or intended Services functionality or performance; and 
  • conduct internal research to develop, improve, test, or repair Services or related services or technology.

Where permitted or required by law, Socure may also use your personal information to:

  • comply with federal, state, or local laws, rules, or regulations, such as by verifying and fulfilling data rights requests;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that we or our customers reasonably and in good faith believe may violate federal, state, local, or international laws, rules, or regulations; 
  • investigate, establish, exercise, prepare for, or defend legal claims; and/or 
  • perform internal operations aligned with your reasonable expectations or otherwise compatible with processing your personal information in our provision of the Services.

Socure’s use of biometric information does not meet the definition of “consumer health data” for purposes of U.S. state health privacy laws, including because the personal information is used to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities.

Socure does not market or advertise directly to consumers in connection with our provision of Products to our business customers. However, if you engage with certain content on the Sites, such as demo or trial systems, white papers, webinars, or our chatbot, you may receive marketing or advertising communications from Socure in accordance with this Privacy Statement. 

How We Disclose Your Personal Information

The following table describes the recipients to whom Socure may disclose your personal information in connection with the Services, the purposes for the disclosure, and the categories of personal information disclosed.

Chart A summarizes how Socure discloses your personal information for identity verification and fraud prevention. Chart B summarizes how Socure discloses your personal information for sales and marketing to business customers. 

CHART A – PERSONAL INFORMATION SOCURE DISCLOSES FOR IDENTITY VERIFICATION AND FRAUD PREVENTION

Recipients of Personal Information and Purpose(s) for Disclosure Categories of Personal Information Disclosed

Business Customers or Prospects may receive your personal information for the purpose of verifying your identity and preventing fraud.

  • Identifiers
  • Financial Account Information
  • Characteristics of protected classifications
  • Device, Browser, and Network Information, including Geolocation Data
  • Behavioral data and inferences about how you typically interact with your device during a session
  • Photographs

Third-Party Service Providers may receive your personal information for the purpose of:  (a) supporting Socure’s provision of the Services; and/or (b) storing information in the cloud.

  • Identifiers
  • Financial Account Information
  • Biometric information (cloud storage only)
  • Characteristics of protected classifications (cloud storage only)
  • Device, Browser, and Network Information, including Geolocation Data (cloud storage only)
  • Behavioral data and inferences about how you typically interact with your device during a session (cloud storage only)
  • Photographs

Corporate Subsidiaries and Affiliates may receive your personal information for the purpose of:  (a) supporting Socure’s provision of the Services; (b) internal research, such as studying fraud and identity trends over time; (c) performing bias and fairness testing; and/or (c) training, development, validation, and/or improvement of machine learning models.

  • Identifiers
  • Financial Account Information
  • Biometric information
  • Characteristics of protected classifications
  • Device, Browser, and Network Information, including Geolocation Data
  • Behavioral data and inferences about how you typically interact with your device during a session
  • Photographs

 

CHART B – PERSONAL INFORMATION SOCURE DISCLOSES FOR SALES AND MARKETING TO BUSINESS CUSTOMERS

Recipients of Personal Information and Purpose(s) for Disclosure Categories of Personal Information Disclosed

Third-Party Service Providers may receive your personal information for the purpose of:  (a) supporting Socure’s efforts to market and sell the Services to business customers; and/or (b) storing information in the cloud.

  • Identifiers
  • Commercial Information
  • Browser and Network Information
  • Behavioral data and inferences about how you typically interact with your device during a session

Corporate Subsidiaries and Affiliates may receive your personal information for the purpose of:  (a) supporting Socure’s provision of the Services; (b) internal research, such as studying fraud and identity trends over time; (c) performing bias and fairness testing; and/or (c) training, development, validation, and/or improvement of machine learning models.

  • Identifiers
  • Commercial Information
  • Browser and Network Information
  • Behavioral data and inferences about how you typically interact with your device during a session

 

Targeted Advertising. Socure does not market or advertise directly to consumers in connection with our provision of Services to our customers. Please review our Cookie Policy above for information about the cookies we use when you visit the Sites. To the extent we use third-party service providers to assist us with targeted (i.e. cross-contextual behavioral) advertising, we may disclose to them your identifiers, professional or employment-related information, and/or personal information categories listed in the California Customer Records statute, alone or in combination with information from other sources (like our data vendors and offline customer data), and they may use various tracking technologies.

Socure does not sell, lease or trade biometric data or other personal information to third parties and has no actual knowledge that it sells or shares the personal information of consumers under 16 years of age, as defined by applicable law. Socure does not disclose sensitive personal information for purposes other than those specified in section 7027(l) of the California Consumer Privacy Act Regulations.

How Long We Retain Your Information 

We have seen some fraudsters create hundreds of fake identity documents and selfies over time. Accordingly, Socure analyzed the predictive value of your personal information in identity verification and ongoing fraud prevention, and Chart A summarizes Socure’s maximum retention periods for personal information collected and used in providing the Services to our business customers. Chart B summarizes how long Socure retain your personal information for sales and marketing to business customers. 

CHART A – MAXIMUM RETENTION PERIOD FOR PERSONAL INFORMATION SOCURE USES FOR IDENTITY VERIFICATION AND FRAUD PREVENTION

Categories of Personal Information Retention Period

Identifiers

No more than 7 years from collection

Biometric information

No more than 3 years from your last interaction with Socure

Characteristics of protected classifications

No more than 3 years from your last interaction with Socure

Device, Browser, and Network Information, including Geolocation Data

No more than 7 years from collection

Behavioral data and inferences about how you typically interact with your device during a session

No more than 7 years from collection

Photographs

No more than 3 years from your last interaction with Socure

 

CHART B – MAXIMUM RETENTION PERIOD FOR PERSONAL INFORMATION SOCURE USES FOR SALES AND MARKETING TO BUSINESS CUSTOMERS

Categories of Personal Information Retention Period

Identifiers

As long as you are a customer of Socure, and thereafter for 5 years

Commercial Information 

As long as you are a customer of Socure, and thereafter for 5 years

Browser and Network Information, including Geolocation Data

No longer than 25 months from collection

Behavioral data and inferences about how you typically interact with the Sites during a session

No longer than 25 months from collection

 

Your personal information may be retained for a shorter period of time than outlined above if deletion is required by law or contract, or if the purpose for which that information was collected has expired.

Special Notice re Data Rights Requests: Personal information used to verify your identity in connection with your exercise of a data rights request will be deleted within 7 days of verification. Records of your request to exercise your data rights, and our compliance with our fulfillment obligations, are maintained in accordance with applicable law.

How We Protect Your Information 

Socure uses commercially reasonable physical, electronic, and procedural safeguards to protect information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction, in accordance with applicable law, and we require our customers and third-party service providers to do the same. Biometric information receives the same rigorous privacy and security protections as other sensitive personal information. This includes encryption in transit and at rest, strict access controls, data minimization, and data governance procedures. Socure’s data protection practices are audited on a recurring basis, and we maintain ISO 27001 and SOC 2 Type 2 certifications. That said, there is simply no way to guarantee that any safeguards or security measures will be sufficient to prevent a security incident.

Your Data Rights

Generally, you have the right to file or lodge a complaint with the relevant supervisory authority and to not be discriminated against for exercising your rights. In addition, based on where you reside, you may be subject to one or more of the following data rights:

  • Right to Know / Be Informed as to the personal information or categories of personal information we have about you. 
  • Right to Access a copy of the personal information we have about you.
  • Right to Correction / Rectification inaccurate personal information that we have about you.
  • Right to Deletion / Erasure of personal information about you. 
  • Right to Opt Out of / Object to Certain Processing, such as certain types of profiling.
  • Right to Restrict Processing, if you meet certain limited applicable circumstances.
  • Right to Withdraw Consent at any time, free of charge. Any such withdrawal only applies prospectively and will not impact prior processing conducted in accordance with your prior freely given consent.
  • Right to Appeal a refusal to take action on a request within a reasonable period of time after you receive the initial decision.

Any withdrawal of consent only applies to future processing and does not impact prior processing conducted in accordance with your prior freely given, explicit consent. The right to data portability does not apply to Socure, but we use reasonable efforts to provide you with information in response to an access request that is in a structured, commonly used, and machine-readable format.

How to Exercise Your Data Rights

To exercise your data rights relating to a specific transaction or to our customers’ use of the Services for automated decision-making, please submit your request to the Socure business customer who sent you to us. As a service provider to our business customers, we cannot take action on their data without their written instructions. 

To exercise your rights as they relate to Socure’s data, such as employment, marketing, or third-party vendor data, please complete our Data Rights Form. Because data rights around the world keep changing, the form lists a variety of data rights that may or may not be available to you based on your residence. Keep in mind that we may not be able to fulfill your request if the law does not grant you the right you attempt to exercise. 

Opt Out Preference Signals: We respond to signals or mechanisms enabled in web browsers and on mobile devices, such as the Global Privacy Control, that indicate a preference to exercise the rights listed above as required by applicable law. You may also opt out via our Data Rights Form.

Verifiable Data Protection Rights Requests: Socure will use commercially reasonable methods to confirm that you submitted a verifiable request, where applicable or required. This means that we may need to ask you for additional information, verify your identity, and retain some personal information to prove that we complied with your request. Verification of your identity may involve document and biometric verification using our own product, use of which is subject to Terms of Use.

Authorized Agent:  Where permitted by law, you may designate an authorized agent to make a data rights request on your behalf using Socure’s data rights form linked above, subject to appropriate verification and other applicable legal requirements.  Your authorized agent will need to provide documentation supporting the agent’s authority to make the request on your behalf.  We also may require you to verify your identity directly with us and confirm the request.

Lawful Bases for Processing (Non-U.S. Persons)

Residents of Canada: Your personal information is processed with your express consent. 

Residents of the United Kingdom or European Economic Area:  (a) your biometric information is processed with your explicit consent; (b) your racial or ethnic origin data is processed for reasons of substantial public interest; and (c) your remaining personal information is processed for the purpose of legitimate interests such as fraud prevention. Personal information processed to evaluate and fulfill data rights requests are processed for compliance with a legal obligation. Where Socure relies on legitimate interests, we take into consideration your reasonable expectations based on your relationship with our business customers and balance them against Socure’s needs to support our business customers’ requests to validate identities, assess risk, and prevent, detect, protect or defend against, or respond to security incidents, identity theft, fraud, harassment, malicious, deceptive, or illegal activities.

Data Privacy Frameworks (UK, EEA, Switzerland only)

Socure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Socure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Socure has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF. Socure subject to the investigatory and enforcement powers of the Federal Trade Commission.

Pursuant to the Data Privacy Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should submit their request via this form. If requested to remove data, we will respond within a reasonable timeframe. 

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request via this form

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

Socure’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Socure remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Socure proves that it is not responsible for the event giving rise to the damage.

In compliance with the EU-U.S DPF, the UK Extension to the EU-U.S DPF, and the Swiss-U.S DPF Principles, Socure commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU-U.S DPF, the UK extension to the EU-U.S DPF, and the Swiss-U.S DPF Principles. European Union, United Kingdom, and Swiss individuals with inquiries or complaints should first contact Socure at privacy@socure.com.

Socure has further committed to refer unresolved privacy complaints under the EU-U.S. DPF program to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit this website for more information and/or to file a complaint. This service is provided free of charge to you.

If your EU-US DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Click here for more information.

If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the relevant Principles shall govern.  To learn more about the EU-U.S. DPF program, please visit this website. You can verify Socure’s participation here.

How to Contact Us

Please do not email us your identity documents, selfies, or other personal information. If you are having trouble submitting your documents or need help troubleshooting or understanding the outcome of a specific transaction, please contact the Socure business customer who sent you to us.

To contact the Socure Privacy team, including our Data Protection Officer (DPO), you may email privacy@socure.com or call 1-888-690-3709. Our DPO is Socure’s General Counsel and VP of Legal, Aviad Levin-Gur.

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Socure has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You may contact EDPO regarding matters pertaining to the GDPR: (1) by using EDPO’s online request form; or (2) by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.

Pursuant to Article 27 of the UK GDPR, Socure has appointed the EDPO UK Ltd as its UK GDPR representative in the UK. You may contact EDPO UK regarding matters pertaining to the UK GDPR: (1) by using EDPO’s online request form; or (2) by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.