Terms and Privacy Notice for iProov.me
iProov Limited (“iProov,” “we” or “us”) are committed to protecting privacy when we process our users’ data. These Terms set out what personal information we collect and process when you use the iProov.me application (“iProov.me”), your data rights and how to exercise them, and some limited obligations you have when using iProov.me.
Our Relationship With You
We are a controller of your facial authentication data and of the identity document data (we collectively call this your “digital credential”) that you provide when using iProov.me and we process it:
- for your travel contract with Eurostar and these Terms;
- for uniquely identifying you for the purposes of your travel, with your consent; and
- for our legitimate interest in preventing fraud
You can’t proceed to use iProov.me unless you both agree to these Terms and give us your consent to processing your facial imagery in order to identify you – by clicking each of the buttons at the bottom of these Terms.
If you don’t agree with something you see in these Terms or feel uncomfortable about allowing the use of your digital credential to authenticate your identity, then you should not click those buttons, and use other channels for authenticating yourself when you travel – such as the standard ticket check service – and not use the Eurostar SmartCheck Lane.
Once you have given your consent you can withdraw it (see Your Consent below), but if you do so after you Confirm Travel (see The Process below), your digital credential will have already been sent to Eurostar.
The copyright and other intellectual property in iProov.me is either owned by or licensed to us. You have certain obligations that are intended to protect our rights (see Your Obligations below). We licence you the limited, personal right to use iProov.me in the manner and for the purposes stated in these Terms.
Our Responsibilities
iProov is responsible for adhering to applicable data protection law and for protecting your privacy and data in line with these Terms.
Your Consent
In order to use iProov.me for identifying you, you must provide us with your consent by clicking on the appropriate consent button.
You are given the opportunity to consent to iProov processing your digital credential for the purposes described in these Terms. If you wish not to share your data or if you wish to withdraw your consent, you can do so by deleting your digital credential from iProov.me – by opening iProov.me and following the instructions given there. Note that if you withdraw your consent after you Confirm Travel (see The Process below), your digital credential will already have been sent to Eurostar.
Other Uses of Your Personal Data
When you enrol with iProov.me and create your digital credential, an image is taken of you and the NFC chip on your passport and is used by iProov for fraud checks. These checks may continue for up to 30 days after enrolment. If you have deleted your digital credential or if you would like this data deleted from iProov’s systems, you can send an email to deletemydata@iproov.com where we will delete your data if we can identify you.
Once you have been authenticated using your digital credential, we send certain parts of your data to Eurostar (who then send it on to UK Border Force) – more detail is provided in The Process below.
The Process
When you use iProov.me for your Eurostar travel
- We capture an image of the photo page of your passport, and we scan the MRZ (Machine Readable Zone) – which is the alphanumeric data at the bottom of your passport photo page. We use the information from the MRZ to unlock an NFC microchip that is embedded within your passport to access your passport photo imagery. Your passport’s photo page also usually includes your full name, data of birth, place of birth, passport number, expiry date, your sex and country of birth – and we also collect this data so we can confirm that your passport and identity are genuine.
- iProov then scans your face to take a reliable image of it and authenticates this image against your passport photo image.
- Following this image authentication, iProov creates a biometric profile of your face – for use later in the process where it will be used to identify you.
- You then capture a selfie image using the iProov.me app. This image is used for fraud prevention purposes and is compared against your passport image.
- All the above data is used to create your digital credential – which is stored on your mobile device, but is deleted from our systems within a few minutes (except for the facial scan taken by iProov and your passport’s facial image – see how long is your data kept below)
- You then have the option to add your Eurostar ticket.
- When you click to “Confirm Travel” (on the day before you are scheduled to travel), the biometric profile of your face and the passport data from your digital credential are sent to iProov’s kiosk at the Eurostar terminal in St Pancras station in advance of your travel. Please note: Eurostar is the controller of your ticket data and associated information; IProov remains the controller of your biometric profile, your passport data and your selfie image (used for fraud prevention).
- When you arrive at iProov’s kiosk on the day of travel and use the Eurostar SmartCheck Lane that leads to iProov’s kiosk, your face is matched to your biometric profile and passport data by iProov, and your ticket information is validated with Eurostar. If the face match and ticket validation is successful, your MRZ (Machine Readable Zone) data – the alphanumeric data at the bottom of your passport photo page – is sent to Eurostar who then send it on to the UK Border Force.
How Long Is Your Data Kept?
- On your mobile device: Your digital credential is stored on your mobile device upon its creation.
- On iProov’s kiosk at the Eurostar terminal: the biometric profile of your face and the passport data from your digital credential are deleted:
- when you travel, within a few minutes after your face match and ticket validation are completed
- if you do not travel, within a maximum of 3.5 days.
- On iProov’s and its processors’ remote systems: We continue to process your selfie scan and your passport’s facial image for up to 30 days after you enrol to check for fraud (such as an attempt to deceive our systems), and if a fraud attempt is reasonably suspected we may use it to train our systems for up to one year for fraud prevention purposes.
You can easily stop our processing on your mobile device and on iProov’s kiosk by deleting your iProov.me account. However, note that if you do so after you Confirm Travel the biometric profile of your face and the passport data from your digital credential will have automatically been sent to iProov’s kiosk at the Eurostar terminal, and will continue to be processed and transferred as described in The Process above and:
- If you do not enter the Eurostar SmartCheck Lane for your planned travel, the biometric profile of your face and the passport data from your digital credential will be deleted automatically within a maximum of three and a half days after you confirmed travel; and
- If you do enter the Eurostar SmartCheck Lane for your planned travel, the data held within the kiosk will be used to identify you even after deletion of your iProov.me account from your mobile device – but will be deleted from the kiosk a few minutes later.
If you have downloaded iProov.me, you have done so to register for travel with Eurostar. Eurostar and iProov are separate companies. Eurostar have their own privacy notice explaining their privacy practices and how they control or process your data. Their terms are different to iProov’s, and we recommend that you review their privacy notice where it is identified to you.
The day before you are scheduled to travel with Eurostar, you will see a “Confirm Travel” button. You will need to click this button to proceed with using SmartCheck.
When You Arrive at the Station to Start Your Journey
When you arrive at iProov’s kiosk on the day you travel your face is matched to your biometric data by iProov. Your ticket information is validated with Eurostar – if the face match and ticket validation are successful, your MRZ is sent to Eurostar who then sends it on to the UK Border Force.
Our Legal Basis for Processing Your Data
Consent
We process your biometric data used to identify you based upon your consent. You can withdraw that consent at any time using the information provided in these Terms.
Contract
We process some of your personal data to help facilitate your travel contract with Eurostar and these Terms and Privacy Notice.
Legitimate Interests
iProov has a legitimate interest in fraud prevention and detection, and processes some of your personal data for those purposes.
Data Transfer
Your data is not transferred outside of the UK or EU.
iProov and its business partners host all the data they collect in the United Kingdom and countries located within the European Union. Data is not transferred anywhere else.
Our Obligations and How We Support You
You can contact iProov to provide access to your data if we have any about you and we’re able to associate with you, and ask us to restrict or suspend any processing we undertake.
You can withdraw consent, delete, or correct your data held within iProov.me yourself by following the instructions that are given within iProov.me.
Under data protection legislation you have a range of rights:
- Request access to the personal data iProov holds on you. Note that we minimise the data we hold about you and delete it as and when we don’t need to process it any longer, so we may have deleted or anonymised your personal data at that time.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where you believe our use of your data is unlawful but you do not want us to erase it; or (c) where you need us to hold on to the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- Request correction of your personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Note: you can affect this yourself by deleting and re-entering your information in iProov.me – see Correct Data below.
If you wish to exercise any of the rights set out above, please contact us at the email address specified below. You will not have to pay a fee to exercise any of your legal rights as specified above. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant personal information (or to exercise any of your other legal rights). This is in part a security measure we take to help avoid your personal information being disclosed to a person who has no right to receive it, but also because we hold very limited information from which we can identify users. We will also need you to provide some information found within iProov.me at the bottom of your profile on the privacy profile page. This information is your unique identifier under the build number called ID.
We try to respond to all legitimate requests within one month. However, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Note that iProov.me gives you a lot of control over your data. Where you wish to exercise the following rights, you can do so in iProov.me yourself:
- Correct Data. You can delete and re-enter your information.
- Withdraw consent to the processing of your personal data. You can do this by deleting the data held within iProov.me. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent after you confirm Travel, your details will continue to be processed for the relevant journey.
- Delete your data stored on your mobile device. You can delete the data contained within iProov.me by following the instructions detailed within iProov.me. If you delete iProov.me without following the instructions data may still be retained on your mobile device.
How Is My Personal Data Secured?
Your data is securely stored on your mobile device and is encrypted wherever it is transferred or stored by iProov. iProov tests security to ensure your data is well protected at all times.
iProov has implemented several key security and privacy policies, controls, and measures to adhere to and to meet the requirements of the GDPR / Data Protection Act 2018. These include regular security tests, independent assessment and certification to certain international information security standards that meet the requirements of data protection law. The data held within your mobile device and any transactions from it are encrypted.
Children
Children under the age of 16 should not attempt to use iProov.me.
Contacting Us
If you want to contact us about data protection or privacy, please send an email to deletemydata@iproov.com.
If you have any questions about these Terms or about any requests to exercise your legal rights, please send an email to DPO@iproov.com.
Questions or Complaints
If you would like to ask a question or make a complaint, please send an email to DPO@iproov.com If you feel we cannot help you, you can contact the ICO or a supervisory authority in your country.
If you have any questions about these Terms or about any requests to exercise your legal rights, please send an email to this address DPO@iproov.com and we will assist you.
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk) if you are based in the UK. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so would request that you contact us in the first instance.
We are registered with the ICO under number ZA441165.
If you live in the EU, iProov’s EU representative can be contacted at:
IProov Netherlands B.V.
Siriusdreef 17 Transpolispa,
Hoofddorp,
213WT
Company number 74408259
Email: eurepresentative@iproov.com
If you are not happy with the way that iProov has dealt with your data or your rights, you can make a complaint at any time to a Data Protection Supervisory Authority in your country. A list of EU Supervisory Authorities can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Your Obligations
In order to protect our and third parties’ rights in iProov.me, you must not:
- attempt to defeat, circumvent or disable any security mechanism in iProov.me;
- modify, alter, duplicate, tamper with iProov.me;
- reverse engineer, disassemble, or decompile iProov.me or apply any other process or procedure to derive the source code of any software included in iProov.me (except to the extent applicable legal requirements don’t allow this restriction, and then only after you have given us notice and an opportunity to resolve any interoperability issues);
- access all or any part of iProov.me in order to build or facilitate the build of another product or service;
- introduce any infringing, obscene or otherwise unlawful data or material into iProov.me;
- introduce into iProov.me any imagery or other content that does not meet iProov’s stated guidelines or requirements, is sexually explicit or indecent, or is capable of causing damage or injury to any person or property;
- interfere with or disrupt the integrity or performance of iProov.me;
- knowingly generate iProov.me transactions that are prevented from completing;
- attempt to deceive iProov.me;
- attempt to probe, penetrate, or test the vulnerability of iProov.me;
- attempt to test the throughput, performance, latency, simultaneous transaction capacity or other performance parameters of iProov.me;
- publish or publicly disclose iProov.me or information as to iProov.me or its performance; or
- access or use iProov.me other than as expressly permitted by these Terms.
“SmartCheck” and “Eurostar” are trade marks or registered trade marks of Eurostar International Limited
“iProov” and “iProov.me” are trade marks or registered trade marks of iProov Limited