Legal | Biometric Policy
Last updated: Oct 13, 2023
Additional information for how we generally manage personal data may be found in our privacy statement.
Purpose of our collection of biometric data
We may collect, retain, and use individuals' biometric data for the purposes of assisting our customers with their legal obligations for verifying the identities of their end-users for fraud prevention purposes (e.g. anti-money laundering). For example, you may be asked to provide a photo of yourself (selfie) and a copy of your government-issued photo identification for facial comparison purposes to legally access sports wagering applications or financial services organizations. GeoComply does not create or store biometric models or data; we provide our customers access to the following vendors for processing biometric data:
IDVerse (OCR Labs)
GeoComply customers may use an identity verification service performed by IDVerse, which is a trading name of OCR Labs. If you are resident in the USA or Canada, it is performed by OCR Labs Global (USA) Inc (a Delaware corporation); if you are resident in Europe, the Middle East or Africa, it is performed by OCR Labs Global Limited (an English company); and if you are resident anywhere else, it is performed by OCR Labs Pty Ltd (a New South Wales, Australia company).
IDVerse verifies your ID is genuine and then extracts all of the data on the identity document. Data extracted includes the data written on the ID doc and your picture, and also data in any barcode, machine readable zone or in the chip (if the chip is being read). IDVerse sends that data to us. In the user flow you can correct any data extracted incorrectly. If you do correct any incorrect data then IDVerse will take just the incorrect character (and no personal data) from the ID document to make sure it does not make that mistake again.
IDVerse uses your biometric data to check you are a real person, to extract your face from the ID document and to compare that against your selfie to ensure you are the right person, and for anti-fraud purposes. IDVerse deletes your biometric data within 7 days of initial collection.
IDVerse also uses location information from your device for anti-fraud purposes.
GeoComply customers may use an identity verification service performed by Aristotle. Aristotle uses your biometric data to check you are a real person, to extract your face from the ID document and to compare that against your selfie to ensure you are the right person, verify your age, and for anti-fraud purposes. Aristotle maintains your biometric data for up to 3 years for audit and age verification challenge purposes.
We will not disclose individual biometric data to any third party, other than vendors who directly assist with the biometric verification process, unless:
- You or your legally authorized representative provide consent to such disclosure;
- The disclosure is required by local, state, or federal law; or
- The disclosure is required pursuant to a valid warrant or subpoena.
Please see our “Law Enforcement Request Policy” for more information.
Storage and security
We use commercially reasonable organizational, technical, and administrative methods designed to protect biometric data within our organization. This includes ensuring that any storage and transmission of biometric data is encrypted. Our security controls are independently reviewed by a SOC2 Type II auditor on an annual basis. Please see our Trust Center for more information on our privacy policies and security controls.
Retention schedule and destruction
GeoComply will retain biometric data only for as long as needed, as reasonably required by our customers, or as permitted for the purposes stated in this policy, unless a longer retention period is permitted or required by applicable law. We will request that our vendors permanently destroy such data when the initial purpose for collecting or obtaining such biometric data has been satisfied in compliance with their data retention policies.