Privacy Policy.
Updated June 2024
1. Introduction
a) VERIFYMY LIMITED operates www.verifymyage.co.uk (“Site”), an age verification and estimation solution (“Service” or “VMA”). We are a limited company registered in England & Wales under company number 12050874 and ICO registration number ZA529836.
b) In the UK and EU, VERIFYMY LIMITED is known as the data controller of the personal data described in this Privacy Policy which means it holds and manages your personal data.
c) This Privacy Policy describes our practices regarding personal data generally in the context of the Site and Service. For more detail regarding our collection, use, disclosure, and retention of biometric data (which is more limited than for most other personal data) in this context, please see the VerifyMyAge Biometric Data Policy. Please read this Privacy Policy carefully and ensure that you understand it.
2. What is personal data?
a) Personal data is any information about you that enables you to be identified. Personal data covers information such as your name and contact details, but it also includes information such as identification numbers, electronic location data, and other online identifiers. The types of personal data that we collect and why is set out below.
3. What do we do with your personal data?
a) VMA is a Service provided to business customers in different ways and this affects how we interact with you as an individual and who is responsible for your personal data.
b) In some cases, when we provide our Service to business customers, such as eBay, we are acting on behalf of them. They provide personal data to us and we carry out our Services without any direct interaction from you. Here we are a data processor, processing your personal data on their behalf and on their instruction and they are the data controller. The business customer will be responsible for protecting, keeping and using your personal data in line with data protection laws and if you have any queries in relation to this, please contact the business customer in question.
c) At other times, when we provide our Service to business customers, we will need to interact with you directly to provide more information or if you set up an account with us. Where this happens we will be the data controller, collecting and processing your personal data and be responsible for using it in line with data protection laws.
d) Finally, where you are our business customer we will collect and process certain personal data about you as part of our business relationship. We will be the data controller for this and be responsible for keeping it securely and responsibly.
4. What data do we collect and how?
We collect personal data about you either directly from you, from our business customer (who you have a relationship with), or from third parties. We have set these out below.
a) As an individual utilising our Service, we will collect and process the following personal data:
| Verification method | Data collected | How we collect the data |
|---|---|---|
| Database check to verify you on various databases (User account/transaction details) | Full name | Provided by the business customer to us |
| Full address | Provided by the business customer to us | |
| Telephone number | Provided by the business customer to us | |
| Email address | Provided by the business customer to us | |
| Customer website ID | Provided by the business customer to us | |
| Customer website purchase / access | Provided by the business customer to us | |
| Date and time of purchase / or access | Provided by the business customer to us | |
| ID check and face match | Email address | Provided by you via our Site |
| IP address | Provided by you via our Site | |
| ID document image, name, expiry date, document number | Provided by you via our Site | |
| Image containing your face (“facial image”) (sometimes referred to as a “selfie image”) and an image of your identification card to create biometric scans of facial geometry from each image (“face maps”). | Provided by you via our Site | |
| ID check | Email address | Provided by you via our Site |
| IP address | Provided by you via our Site | |
| ID document image, name, expiry date, document number | Provided by you via our Site | |
| Mobile number check | Email address | Provided by you via our Site |
| IP address | Provided by you via our Site | |
| Telephone number | Provided by you via our Site | |
| Credit card check | Email address | Provided by you via our Site |
| IP address | Provided by you via our Site | |
| Credit card information, such as credit card number, expiry date and security code | Provided by you via our Site | |
| Facial age estimation check | Email address | Provided by you via our Site |
| IP address | Provided by you via our Site | |
| Image containing your face (“facial image”) (sometimes referred to as a “selfie image”) | Provided by you via our Site | |
| Face maps created using biometric scans of facial geometry to confirm your image is of a live person and to estimate your age. | Created by us using biometric scans of your facial image. | |
|
Email address age estimation check (For Google age assurance using email address click here) | Email address | Provided by you via our Site |
| IP address | Provided by you via our Site |
b) As a business customer contracting with us for the Services, we will collect and process the following personal data:
| Data Collected | How We Collect the Data |
|---|---|
| Business customer website ID | Provided by the business customer to us |
| Email address | Provided by you via our Site |
| Full name | Provided by you via our Site |
| Full business address | Provided by you via our Site |
| Payment information | Provided by you via our Site |
| Business name | Provided by you via our Site |
| Telephone number | Provided by you via our Site |
| EIN or VAT number | Provided by you via our Site |
| Bank details | Provided by you via our Site |
| Company registration information | Provided by you via our Site |
5. How do we use your personal data?
| What we do | What personal data we use | Our lawful basis under the GDPR where this is relevant |
|---|---|---|
| Registering you on our Site and communicating with you to provide support, answer your queries or requests |
| Your consent. |
| Supplying our Service to you (when making a purchase or accessing a website) | This will depends on the nature of the check conducted as set out in section 4(a): Database check, ID check and face match (biometric data), Mobile number check, credit card check or facial age estimation check (biometric data) | Your consent and our legitimate interests to improve our Services |
| Supplying our Service to you (as a business customer) | All personal data listed under section 4(b). | Fulfilment of our legal contract with you or the business you represent. |
| Protect against, identify and prevent fraud and other prohibited or illegal activity, claims and other liabilities | All personal data listed under section 4. | Our legitimate interests in operating a business and upholding our legal rights and obligations. |
| Compliance with applicable legal requirements and our policies | All personal data listed under section 4. | The legal obligations to which we are subject. |
| Establish, exercise and defend legal claims | All personal data listed under section 4. | Our legitimate interests in operating a business and to uphold our legal rights and obligations. |
We also use data for statistical analysis in order to operate, evaluate and improve our business. Such analysis is only done on personal data at an aggregated and anonymised level.
a) We use the following automated systems for carrying out certain kinds of decision-making If at any point you wish to query any action that we take on the basis of this or wish to request ‘human intervention’ (i.e. request that someone review the action themselves, rather than relying only on the automated method), data protection laws give you the right to do so in certain circumstances. Please contact us to find out more using the details in section 12.
b) The following automated decision-making method(s) may be used depending on the check carried out:
- using facial biometrics and/or
- scanning and authenticating government issued identification documentation
- performing a soft credit look-up
- performing a mobile phone number check
- performing an email address check
6. How long will we keep your personal data?
a) We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. When we conduct a check, we typically plan to keep the personal data for the periods provided below.
b) However, the exceptions to the table below are:
- where we provide age verification for adult sites in certain US states we are prohibited by the laws of those states from retaining identifiable personal information and therefore this data is deleted immediately after we have completed the age verification process (this currently applies in the states of Arkansas, Louisiana, Mississippi, Montana, North Carolina, Texas, and Utah); and
- where you do not successfully complete our age verification process, and we believe you are a minor, we will delete any personal data we hold immediately upon confirmation of such a result.
| Type of Data | Time Held Since the Date of Last Verification |
|---|---|
| Full name | 28 days |
| Date of birth | 28 days |
| Full Address | 28 days |
| Email address | 28 days after which it is hashed and stored for 24 months in case of re-authentication. |
| IP Address | Deleted immediately once check is complete |
| Telephone number | 28 days |
| Facial image from your live image | 28 days |
| Face map | Destroyed/Deleted immediately once check is complete |
| Credit card information | This information is collected by our payment services provider. We do not ever view, access or store this. |
| Images of your government-issued identification (including the image of you), and other pertinent information on that identification such as name, expiry date, document number | 28 days |
| Business customer website unique identifier (e.g. account username, account ID) | 28 days |
| Business customer website purchase / access details (Customer website ID, Customer website purchase(s), Date and time of purchase(s)) | 28 days |
7. How and where do we store your personal data?
a) All personal data is stored by us within the EEA.
b) We may share your data with external third parties, as detailed below in section 8, that are based outside your country of residence such as in the EEA. In such cases we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK or EU.
8. Do we share your personal data?
a) We share face maps only in the limited ways described in our VerifyMyAge Biometric Data Policy. We share other personal data as set forth in this section.
b) We share the results of our age verification service with our business customers when you make a purchase or access their site (or attempt to do these things) and they request that we verify your age.
c) We contract with third parties to supply certain services related to our Service. This may include sharing any personal data you have given us or data that we have obtained from a third party source to improve the accuracy of our Service.
d) When any of your personal data is shared with a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.
e) If any personal data is transferred outside of the UK or EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK or the EEA or the US and under data protection laws.
f) We have put in place appropriate safeguards (such as regulator approved standard contractual terms) in accordance with applicable legal requirements to provide adequate protection for your personal data. For more information on the appropriate safeguards in place and to obtain a copy of such safeguards, please contact us as set out at section 12 below.
g) If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to a third party in connection with that event. Any new owner of our business or assets and their suppliers may continue to use your personal data in the same way(s) that we have used it, as specified in this Privacy Policy.
h) In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
9. How do we protect your personal data?
We implement physical, technical, and organisational security measures designed to safeguard the personal data we process through our Services, such as high-end cryptography to protect customers’ data. All data is encrypted at rest and in-transit using a combination of 256-bit encryption and hashing algorithms. These measures are aimed at providing on-going integrity and confidentiality for your personal data. We evaluate and update these measures on a regular basis.
10. What are your rights?
If applicable, under the EU and UK data protection laws, you may have the following rights:
- The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in section 12.
- The right to access the personal data we hold about you.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold.
- The right to restrict (i.e. prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
- The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time. Any withdrawal of consent will apply to any future processing of personal data (and not any personal data processed before any withdrawal of consent).
- The right to data portability. This means that you can ask us for a copy of that personal data to re-use with another service or business.
- The right not to be subject to automated decision processing which produces an adverse legal effect or significantly affects you.
b) To exercise any of the rights outlined above, please contact us using the details provided in section 12. There is not normally any charge for making a request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
c) We will respond to your request within a month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request.
d) If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the data protection regulator. In the UK, this is the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details in section 12.
11. Third party websites
Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
12. How do you contact us?
o contact us about anything to do with your personal data and data protection, including to make requests or exercise any rights you may have (such as rights under Nevada law to opt out of certain disclosures), please use the following details:
By email:
[email protected]
By post:
VERIFYMY LIMITED
Unit 213 The Frames
1 Phipp Street
London
England
EC2A 4PS
13. Changes to this Privacy Policy
a) We may change this Privacy Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects how your personal data is protected.
b) Any changes will be posted on our Site. We recommend that you check this page regularly to keep up-to-date.
c) This Privacy Policy was last updated June 2024.