ShareID's Logo

Privacy Policy

 

ShareID provides a solution to enable businesses to verify the user’s identity attributes in real time. It can be either through onboarding or authentication. With ShareID, businesses can be confident that the person behind the screen is who they say they are. Individuals, on the other hand, can ensure that their personal data is safe and secure while accessing their service providers without having to continually justify their identity. ShareID enables digital trust between businesses and individuals at every transaction that requires identity verification or personal data sharing. The protection of personal data is ShareID’s priority.  Privacy is a fundamental right that must be preserved. 

 

As a French company, ShareID refers to French and European legislation. In accordance with the provisions of the General Data Protection Regulation (“GDPR”) of April 27, 2016 and the law of January 6, 1978 relating to Data Processing, Data Files and Individual Liberties, ShareID therefore informs you about the processing of your personal data in this section.  

 

This privacy policy aims at describing our commitments regarding the collection, use and disclosure of your personal data when you use our site, application and services, and to help and inform you about your privacy rights. This policy doesn’t apply to sites and services offered by third parties and for which ShareID may act as a subcontractor. In this situation, we recommend you to read the privacy policy on their sites.  

 

This policy may change over time to reflect changes in our site, our application and our services, as well as French and European legislation or recommendations of judicial authorities. Therefore, you are advised to consult this privacy policy periodically for any changes.  

 

Changes will be effective as of the date of posting.  

 

 

 

Definitions

 

Personal data

 

According to the French National Commission for Information Technology and Civil Liberties ("CNIL"), "personal data" is "any information relating to an identified or identifiable individual". A person can be identified directly (e.g. name, first name) or indirectly (e.g. by an identifier (customer number), a (telephone) number or biometric data).  

The identification of a person can be made from a single piece of data (e.g.: social security number, DNA), or from the cross-referencing of a set of data (e.g.: a woman living at such an address, born on such a day, subscribing to such a magazine and being active in such an association).  

  

Biometric data

 

According to the CNIL, this is a "physical or biological characteristic that makes it possible to identify a person" (such as DNA, hand contour, fingerprints, etc.).  

  

Processing of personal data

 

According to the CNIL, personal data processing is "an operation or set of operations concerning personal data, regardless of the process used (collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, communication by transmission or dissemination or any other form of provision, matching).  

The processing of personal data is not necessarily computerised: paper files are also concerned and must be protected under the same conditions.  

Data processing must have an objective, a purpose determined prior to the collection of data and their exploitation."  

  

Data controller

 

According to the CNIL, the data controller is "the legal entity (company, municipality, etc.) or individual who determines the purposes and means of a processing operation, i.e. the objective and the way in which it is carried out. In practice and in general, it is the legal person embodied by its legal representative."  

  

Terminal

 

The terminal is represented by any computer equipment of the user that can host one of the versions of the ShareID-VID application.  

 

 

 

Who is the data controller? 

 

ShareID may act as a subcontractor, as well as a data controller on behalf of its partners. 

 

In the context of its mission of identity verification and personal data authentication, the data collected are processed by the Company "ShareID", SAS, registered in the RCS of Nanterre under the number 884 932 203, whose head office is located at 20 bis, rue Louis Philippe, in Neuilly-sur-Seine (92 200), France, represented by its President Mrs Sara SEBTI.  

 

As a subcontractor for the service providers who have subscribed to one of ShareID’s services, the contractors are responsible for the personal data collected and used in the context of their services.   

 

  

What data is collected ? 

 

ShareID collects various personal information that you provide directly to ShareID and that is strictly limited and relevant to the purposes for which it is processed.    

 

In accordance with Article 6(1)(a) of the GDPR, your express consent guides the processing of your data. However, you can stop consenting at any time. Furthermore, you are not legally obliged to provide us with your personal data. However, without it, we will not be able to verify your identity remotely and therefore provide you with our services.  

 

The personal data that may be processed are :   

 

  1. Data allowing the identification of the user:  
  • Name   
  • Usual name  
  • First name(s) ;   
  • Date of birth  
  • Country of birth  
  • Department of birth  
  • Place of birth  
  • The nationality 
  • Sex 
  • Height and eye color  
  • Postal address  
  • User's photograph taken from the title  
  • User's photograph taken with its electronic communications terminal equipment for static facial recognition   
  • Video taken by the user with its electronic communications terminal equipment for dynamic facial recognition  
  • E-mail address  
  • Phone number of the electronic communications terminal equipment  
  • Technical identifier associated with the user's account;   

 

And any other information that is readable on the identity document provided for your onboarding.  

 

  1. Data allowing the identification of the identity document held by the user and its electronic component:  

 

  • Document number 
  • Authority issuing the document   
  • Date of issuance of the document  
  • Expiration date of the document  
  • Public key allowing to certify the authenticity of the document   
  • Type of document  
  • Entity issuing the document  
  • Country issuing the document  

  

  1. Transaction history data associated with the ShareID digital identity:  

 

  • Name of the service provider   
  • Category of the transaction   
  • Short description of the service provider   
  • Long description of the service provider   
  • Status of the transaction   
  • Date of the transaction   
  • Date of the transaction was updated  
  • Expiration date of the transaction if any
  • Priority of the transaction  
  • Validity status of the security   
  • Enhanced level qualification status of the electronic component of the credential for high assurance level electronic identifications  

 

  1. The unique identifier of the notification service, for the purpose of identifying the electronic communications terminal equipment ;  

 

  1.  Data related to the user's consent to ShareID processing:  

 

  • Consent to the processing of their personal data  
  • Explicit consent to the processing of their biometric data.  

  

  1. Navigation data : cookies and IP address when authorised by the user.  

 

  1. Data allowing the identification of the user via the contact form:  

 

  • Name  
  • First name  
  • E-mail address  
  • Telephone number

 

In order to perform the identity verification, the user must use his own terminal, through the application of the company he wants to authenticate with and which integrates the ShareID solution - or after being redirected to a ShareID page on the web version of our solution. However, no terminal information is processed or saved by ShareID.   

 

To securely verify your identity, ShareID goes through an initial automatic verification by computer vision algorithms to issue an opinion, and then by a human operator to issue a final verdict in accordance with the french regulatory requirements for remote identity verification. These algorithms are trained on real and fake data sets. However, no use of your biometric data will occur outside of the identity verification phase. Also, no personal data that can be traced back to the user is stored in this log.   

 

 

Why is data collected? 

 

ShareID collects your personal data only to the extent necessary for the purposes for which they are processed. In accordance with Article 6 of the GDPR, this processing may be justified by the consent of its users, by law, by legitimate interest or by a contract between ShareID and service providers.   

 

ShareID's main activity is to verify the identity of its customers' users by collecting the user's identification information through two elements, which are (1) a video showing the user's face and, (2) a video of the identity document that the user presents. These videos, sent through a secure channel, will then be checked by artificial intelligence algorithms to issue a first report, identified by "failure", "success" or "doubt". These checks prevent identity fraud. The user's consent is required to collect their information and perform an identity check. Nevertheless, the user has the right to refuse it but ShareID will be unable to provide its services.   

 

In order to verify the identity of its users, ShareID also relies on the consent of its users to access and activate the camera of their device to capture videos.   

 

ShareID also offers a re-authentication service. Once the identity has been verified and integrated into the platform, ShareID issues a reusable digital identity without storing user’s personal data as they are defined by GDPR in accordance with the French National Commission for Information Technology and Civil Liberties ("CNIL"). The user's identification data are encrypted in a way that they can not be exploitable even by ShareID. The only person who can claim these personal data is the owner of the identity. This service is also based on the consent of its users. 

 

For the purpose of identity fraud prevention, the processing of your data is also motivated by the legitimate interest of ShareID in the management of the company and its services, to ensure the security and trust of its users and to comply with legal requirements. In addition, an evidence file containing all the data used to validate the digital identity is kept for legal reasons, in case of litigation. 

 

The contact form allows you to make a complaint, ask a question or answer a message. Through this form, data can be processed to establish a commercial relationship with users or to receive feedback on our services. Its use is based on the consent of its users, and the legitimate interest of ShareID in managing its services. ShareID may also process data related to the use of its platform, such as connection data or IP address, in order to respond to requests for assistance made by users.  

 

Finally, ShareID may act as a subcontractor for service providers. In this case, the transmission of users' personal data is motivated by the performance of its contracts, in accordance with Article 6, paragraph 1, point b of the GDPR. 

 

 

Who are the recipients of this data? 

 

When a user intends to authenticate himself with a service provider, the data available on the identity document provided by the user can be transmitted to the business after the user’s consent. In General, the informations below are required by the business : 

 

  • Last name   
  • If applicable, usual name   
  • First name(s)   
  • Date of birth   
  • Place of birth   
  • Sex 
  • Postal address   
  • E-mail address  
  • Phone number of the electronic communication terminal equipment  
  • Nationality 
  • Number of its identity document.   
  • Copy of its identity document  

 

Still, some businesses may require other information available on the identity document provided by the user when verifying his identity. The transmission of this information is done only when the user consents to the sharing.

 

No personal data collected will be transmitted to commercial actors without your consent. 

  

Only persons authorised to access personal data and who have received the necessary training in the protection of personal data, have access to the processing of such data for remote identity verification.   

 

In the case of assistance sent via the contact form, only persons authorised to access personal data have access to the processing of such data.  

 

All our servers on which your data is stored and those of the service providers used to exchange and store this data are located in Europe. However, in the event that a transfer of data would take place in a third country, ShareID undertakes and ensures that the necessary data protection measures are put in place and comply with the provisions of the GDPR and Data Processing, Data Files and Individual Liberties Act.   

 

 

How is the data stored? 

 

In accordance with Article 32 of the GDPR, ShareID commits to "implement all appropriate technical and organisational measures to ensure a level of security appropriate to the risk".  

 

In doing so, ShareID does not make any copy of documents and media that may contain personal data entrusted to it other than in the strict context of the execution of its customer contracts. Unless otherwise stipulated in the customer contract, ShareID will not use or exploit documents and media that may contain personal data for purposes other than those specified in the contract.  

 

ShareID takes all measures to prevent any breach of personal data, including unauthorised access, destruction, loss, alteration, unauthorised disclosure, or misuse of personal data. Your personal data is stored on our servers and is subject to strict protection.  

 

ShareID implements all measures to ensure that the system it deploys at its customers' premises and the data processed are protected against external intrusions.  

 

In case of subcontracting, ShareID undertakes to ensure that its subcontractor, whatever its nature, presents the same sufficient guarantees as to the appropriate technical and organisational implementation so as to meet the requirements of the European Data Protection Regulation. If the subcontractor does not fulfil its data protection obligations, ShareID shall remain fully liable to the Controller for the performance by the other subcontractor of its obligations.    

 

 

How long will your data be kept ? 

 

ShareID will retain your personal data only as long as necessary for the purposes set in this Privacy Policy. ShareID will retain and use your personal data to the extent necessary to comply with its legal obligations, resolve disputes and enforce its legal agreements and policies.  

 

An account is suspended after three years of inactivity and its data is completely deleted.  

Business traces, such as account registration or user authentication with a service provider, are deleted after three years of generation.  

 

In the case of static and dynamic automated facial recognition, the photograph of the user and the video taken by the user with its electronic communications terminal equipment are deleted as soon as the facial recognition is completed.  

 

The videos that allowed the human operator to validate the artificial intelligence report are deleted as soon as the validation is completed.  

 

The validity status of the secure identity document and the status of qualification at the enhanced level of the electronic component of this document for high guarantee level electronic identifications, processed for the sole purpose of verifying the validity of the document and the status of qualification at the enhanced level of its electronic component, are deleted as soon as these verifications are completed.  

 

Data that may be transmitted to a service provider when a user intends to authenticate with that service provider, processed for the sole purpose of transmitting the information necessary for his electronic identification, shall be erased as soon as such transmission is completed.   

 

The evidence file is an audit trail allowing the competent authorities in case of legal dispute to verify the data used to validate a remote identity. It contains all the data used to validate the digital identity (such as videos, the order of the challenges, the user's device identifier or the email address...). The evidence file is protected in confidentiality and authenticity. It is kept on a security server designed for this purpose and respecting the security standards for archiving servers for this type of information. Accessible only in case of litigation, it is destroyed five years after its creation.   

 

 

What are your rights ?  

 

In accordance with the provisions of the GDPR, you can exercise your rights on your personal data and decide on their fate :   

 

  • The right of access (art. 15 of the GDPR) : you can obtain confirmation that your personal data have been processed or not. In case they are, you can have access to this data, as well as information on the purpose of this processing, the recipients of this data, their storage period and the categories of personal data concerned from our service.   

 

  • The right to rectification (art. 16 of the GDPR) : you have the possibility to ask ShareID to rectify, complete or update information about you if there are errors, inaccuracies or if you notice the presence of data whose collection, use or storage is prohibited. It applies to the authentication account.

 

However, this right is not absolute.  When using our services, an evidence file is created containing all the data used to validate the digital identity. This file cannot be modified, completed or updated for auditing purposes and for preservation in case of legal disputes.   

 

  • The right to be forgotten (art. 17 of the GDPR) : you have the possibility and the right to ask ShareID to erase your personal data, which will then be deleted at the latest 48 hours after your request. However, in some cases, it cannot be deleted: if it is necessary for the performance of a legal obligation (such as a contract), or if legal retention and archiving periods prevent it.   

 

  • The right to restriction of processing (art. 18 of the GDPR) : your data will be kept but cannot be used. In this case, any processing of this data can only be carried out with your consent.   

 

  • The right to object and withdraw consent : you can withdraw your consent at any time when the processing of your personal data is based on it. You also have the right to object to any processing of your personal data.   

 

  • The right to data portability (Art. 20 GDPR) : you have the possibility to receive all the personal data you have provided to us and to transfer them to another controller without being objected to. 

  

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.  

 

 

Who to contact to exercise your rights ?  

 

For any question related to this Privacy Policy or for any complaint relating to the protection of your data, you can contact ShareID’s Data Protection Officer by email : dpo@shareid.ai

 

If, after having contacted us, you feel that your rights regarding your personal data are still not respected, you can send a complaint to the CNIL at the following address : https://www.cnil.fr/fr/plaintes  

 

Or, you can send them a letter at : 

Commission Nationale de l’Informatique et des Libertés (CNIL)  

3 Place de Fontenoy,   

TSA 80715,   

75334 PARIS CEDEX 07