GDPR Notice | ID.me

NOTICE TO RESIDENTS OF THE EUROPEAN UNION AND UNITED KINGDOM

ID.me is committed to protecting your Personal Information in its role as a Data Controller of the Personal Information we collect from and about our users. This Notice, in conjunction with the general ID.me Privacy Policy, explains how we process, disclose, transfer, and store your Personal Information in accordance with the General Data Protection Regulation (“GDPR”) which establishes the applicable data protections for individuals residing in the European Union (EU) and United Kingdom (UK). For additional information about how ID.me may use your Personal Information, including the third-parties with whom it may be shared, please see the ID.me Privacy Policy.

Your use of ID.me’s Services demonstrates your review and acceptance of the ID.me Terms of Service and Privacy Policy, and shall be understood as consent for ID.me to collect, process, and retain your Personal Information.

1. Purposes of Processing:

We collect and process your Personal Information for the following purposes:

Identity verification
Community affiliation verification (e.g., status as a student, veteran, etc.)
Detection and prevention of identity theft and fraud on the ID.me platform

2. Types of Personal Information ID.me May Collect:

We may collect the following types of Personal Information, additional details may be found in the general ID.me Privacy Policy:

First and last name
Date of birth
Social security number and/or other government issued identification numbers
Email address
Phone number
Mailing address
Photographic images (e.g., copy of qualifying government issued identification card)
Biometric data (e.g., facial geometry)
Community affiliations (e.g., Military, First Responder, Student, Veteran, etc.)
Educational degrees
Professional certifications
Personal preferences.

3. Lawful Basis for Processing:

We rely on the following legal bases for processing your Personal Information, additional details may be found in the general ID.me Privacy Policy:

Your consent to the processing of your Personal Information for one or more specific purposes.
ID.me also maintains a legitimate interest in the processing of the Personal Information of individuals who use, or have previously used, the ID.me platform for verification of identity or group affiliation in order to detect and prevent fraud and identity theft.

4. International Data Transfers:

ID.me complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. ID.me has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in ID.me’s Privacy Policy or Notice to Residents of the EU an UK, and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

ID.me is based in the United States, all data processing and storage shall occur within the United States. ID.me may transfer your Personal Information to carefully selected service providers, business partners, and other third parties for the purposes described in the ID.me Privacy Policy.

With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, ID.me is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the Data Privacy Frameworks, individuals in the EU and UK have the right to obtain our confirmation of whether we maintain Personal Information relating to you in the United States. Upon request, we will provide you with access to the Personal Information that we hold about you. You may also correct, amend, or delete the Personal Information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should direct their query to privacy@id.me. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your Personal Information, please submit a written request to privacy@id.me.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

ID.me’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles.

In particular, ID.me remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Data Privacy Framework Principles, unless ID.me proves that it is not responsible for the event giving rise to the damage.

5. Data Retention:

We will retain your Personal Information and account history for up to 3 years following account closure for the detection and prevention of fraud on the ID.me platform. For additional details regarding ID.me’s retention of your Biometric Information, please review the Biometric Information Privacy Policy.

6. Your Rights:

Under GDPR, you have the right to:

Access your Personal Information
Rectify inaccurate or incomplete Personal Information
Erase your Personal Information under certain circumstances
Restrict or object to the processing of your Personal Information
Access a transferable file of certain Personal Information.

In order to exercise these rights you must submit a verified request via your ID.me Account, for additional questions or concerns please contact our support team.

7. Withdrawal of Consent:

You have the right to withdraw your consent at any time by closing your ID.me account. If you withdraw consent, it will not affect our processing performed before its withdrawal. ID.me will continue to retain certain Personal Information in account with the terms disclosed in our general Privacy Policy, as required for legal and compliance purposes as well as for the prevention and detection of fraud on the ID.me platform.

8. Complaints:

ID.me takes your concerns and rights very seriously. However, if you believe that we have not responded in an appropriate manner to your complaints or concerns, or if you believe your rights have been infringed, you have the right to lodge a complaint with the relevant supervisory authority.

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, ID.me commits to resolve complaints about our collection or use of your Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF. EU and UK individuals with inquiries or complaints should first contact privacy@id.me.

ID.me has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

9. Contact Us:

If you have any questions or concerns about your Personal Information or this notice, please contact our Data Protection Officer at privacy@id.me.

Corporate Address.
ID.me, Inc. 8280 Greensboro Drive, Suite 800 McLean, VA 22102

For Users and Customers.
Member Service Inquiries may be directed to our support team.