‍

This Privacy Notice explains how WhoYou (Pty) Ltd (registration no. 2011/110552/07) and its affiliated entities and trading divisions (collectively, “WhoYou”, “we”, “us”, “our”) process personal data when delivering identity verification, fraud prevention, authentication, document trust, and related services (“Services”).

Contact: support@whoyou.co.za

Controller/Processor roles:

When we verify users on behalf of our enterprise customers (“Clients”), the Client is the Controller (they decide the purposes and retention), and WhoYou is the Processor (we act on written instructions). In limited cases — e.g., service improvement, security/fraud controls, WhoYou-style “reusable KYC” equivalents, product analytics, and WhoYou ID (if enabled) — WhoYou may act as Controller (see Sections 4–5 & 8).

For South African users, this Notice is aligned with POPIA (Protection of Personal Information Act) and PAIA where applicable.

Contents

• Scope
• Definitions
• Principles of processing
• Purposes of processing
• Data processing activities
• Categories of personal data
• Children’s data
• Lawful bases
• Retention
• Data subject rights
• Withdrawing consent & objecting to legitimate interests
• Responsibilities & DPO
• Security measures
• Personal data breaches
• Disclosures & recipients
• Group entities, DPO & EU/UK representative
• International transfers
• Sale of personal data & CCPA reference
• Changes to this Notice

1) Scope

This Notice covers personal data processing while we provide the Services to Clients and, where indicated, for WhoYou’s own purposes (e.g., service improvement, anti-fraud). It does not cover how Clients use your data independently — please refer to the relevant Client’s privacy notice.

2) Definitions

Agreement – Contract between WhoYou and a Client governing the Services.

AML/CFT – Anti-Money Laundering / Combating the Financing of Terrorism laws.

Client – Entity using the Services under an Agreement.

Controller / Processor – As defined by GDPR / POPIA.

Data Providers – Third-party or public sources used for validation/screening.

Data Subject / User / Applicant – Natural person verified via the Services.

Personal data – Information relating to an identified/identifiable person.

PAIA – Promotion of Access to Information Act

POPIA – Protection of Personal Information Act

Special categories – Sensitive data under GDPR/POPIA (e.g., biometrics, health).

Processing – Any operation on personal data (collection through deletion).

Services – WhoYou verification, fraud detection, authentication, document trust etc.

Website – whoyou.co.za (and subdomains).

3) Principles of processing

We support Controllers to ensure personal data is:

• lawful, fair, transparent
• purpose-limited
• data-minimised
• accurate
• storage-limited
• secure
• transferred with adequate safeguards (GDPR/UK GDPR/POPIA)

4) Purposes of processing

(a) Performance of Agreements (Processor role)

We process Users’ data on Client instructions, including to:

• perform identity, liveness, document, device and risk checks
• assist Clients with legal/AML/CFT/customer due-diligence requirements
• produce verification results and audit logs
  

On instruction or upon expiry of the Client’s purpose/retention, we return and/or delete data (Section 10).

(b) WhoYou’s legitimate interests (Controller role)

Where permitted by law and subject to Client permission when required, we may process limited data to:

• develop and improve algorithms, models, and product features (incl. anti-fraud, spoofing detection, quality assurance)
• detect and prevent fraud, money laundering, and abuse (incl. profiling and statistical analysis)
• support security, incident response, and legal claims
• verify identity for data subject access and account security (e.g., repeat authentications)
  

(c) WhoYou ID (if enabled)

A reusable identity profile that lets Users re-use their verified data across participating Clients at their request. WhoYou acts as Controller for profile creation/storage and Processor when sharing with a specific Client per the User’s instruction.

5) Data processing activities

• Document checks: automated extraction, authenticity/security-feature analysis (MRZ, barcodes/QR, chips/NFC)
• Biometrics & liveness: facial feature extraction/compare; liveness and spoof detection; repeat authentication
• Video identification: real-time operator-assisted verification where required by Client law/policy
• Data validation & screening: checks with sanctioned/PEP/adverse media and other Data Providers; email/phone/IP/device risk
• Fraud network & risk scoring: device/email/phone reuse, emulator detection, duplicate identity attempts, rule-based and ML-assisted scoring
• Automated decisioning: We do not make final onboarding decisions; we provide results/tags. Clients decide.

6) Categories of personal data

Depending on Services and Client configuration, we may process:

• General: name, DOB, nationality, ID numbers, addresses
• Identity document: type, number, issuing country, expiry, MRZ, embedded barcode/NFC/other security data, images/video
• Facial/biometric: selfies, video/sound, extracted facial features
• Contact: email, phone, postal address
• Financial (where enabled): masked card data; open banking attributes (account info, balances, transactions)
• Transaction/crypto: originator/beneficiary identity fields, wallet address, hashes, asset/chain metadata
• Technical/telemetry: IP, device/browser attributes (e.g., camera type), locale, geolocation (approx. via IP), session events, device fingerprint/behavioural data
• Public risk data: sanctions/PEP/adverse media
• Additional: data provided via support channels
• Health: only if strictly required (e.g., COVID pass fields) and permitted by law/Client policy

7) Lawful bases

• Processor activities: covered by the Client’s lawful bases (e.g., legal obligation, public interest, consent, contract)
• WhoYou legitimate interests (GDPR Art. 6(1)(f); POPIA sec. 11(1)(f)): service improvement, safety/security, anti-fraud — balanced against data subject rights and enabled only where allowed and, where required, with Client permission
• Special categories/biometrics: processed only where a Client has a valid basis (e.g., GDPR Art. 9(2)(g) substantial public interest; 9(2)(a) explicit consent) or where WhoYou has obtained explicit consent (e.g., WhoYou ID)
• Legal obligations & claims: we may retain/process data to comply with law or defend legal claims

8) Retention

• As Processor: the Client defines retention; we delete/return data per instruction, legal obligation, or contract
• As Controller (e.g., improvement, fraud, WhoYou ID): we store only as long as needed for the stated purpose and applicable limitation periods. Where law specifies, we follow those maximums
  

We implement secure deletion across databases, storage, equipment, removable media, and mobile devices. Typical DSAR-driven deletions are completed within 30 days unless law allows longer for complex systems.

9) Data subject rights

Depending on your jurisdiction (GDPR/UK GDPR/POPIA/CCPA, etc.), rights may include:

• access
• rectification
• erasure
• restriction
• portability
• objection
• not to be subject solely to automated decisions
• complaint to a regulator
  

If your data was processed for a Client, contact that Client first (Controller).

If your request concerns WhoYou’s own purposes, email support@whoyou.co.za.

We may need to verify identity and may extend the response time where legally permitted for complex requests (we’ll notify you).

10) Withdrawing consent & objecting to legitimate interests

Where processing relies on consent, you may withdraw it at any time (does not affect prior lawful processing).

Where processing relies on legitimate interests, you may object; we will assess and either cease processing or demonstrate compelling legitimate grounds (e.g., fraud prevention / public interest).

11) Responsibilities & DPO

WhoYou establishes policies to comply with GDPR/UK GDPR/POPIA and conducts training.

Our Data Protection Officer (DPO): support@whoyou.co.za

Staff must protect confidentiality, escalate incidents promptly, and follow security procedures.

Sub-processors must sign data processing terms with equivalent safeguards.

12) Security measures

We implement administrative, technical, and physical safeguards, including:

• encrypted transit & storage
• strict access controls / least privilege
• audit logging
• secure SDK/iFrame flows that post data directly to WhoYou
• vetted staff and background checks where required
• regular internal/external audits and certifications (e.g., ISO 27001/27017/27018, SOC 2 Type 2, PCI DSS, as applicable)
• data minimisation and selective masking/blurring where required by local laws
• secure development practices, vulnerability management, and disaster recovery

13) Personal data breaches

We assess, contain, and remediate suspected/actual incidents without undue delay.

Where legally required, we notify regulators, Clients, and where applicable affected individuals, with details and mitigation steps.

14) Disclosures & recipients

(a) Third parties

We may share data with:

• Sub-processors to deliver Services under the Agreement
• Data Providers (e.g., ID registries, sanctions/PEP, address/credit bureaus, adverse media, device risk, open banking providers)
• WhoYou group entities and representatives supporting service delivery and representation
  

Third parties are contractually obligated to safeguard data and only process for specified purposes.

(b) Recipients required by law

We may disclose data to governmental / judicial / regulatory bodies or other Clients where legally justified (e.g., fraud prevention), or as instructed by the Controller.

15) International transfers

We host/process primarily in South Africa and may transfer data cross-border to vetted providers/affiliates under appropriate safeguards (e.g., SCCs, UK Addendum, adequacy decisions, or POPIA-compliant transfer mechanisms).

We maintain records of transfer tools used and apply supplemental measures where needed.

16) Sale of personal data & CCPA reference

We do not sell personal data.

For CCPA/CPRA rights (access, deletion, correction, opt-out of sale/sharing, limit use of sensitive PI, non-discrimination), contact support@whoyou.co.za or use our request form:

Download Form

We honour opt-out preference signals where applicable.

17) Changes to this Notice

We may update this Notice from time to time.

Material changes will be posted here with a new “Last updated” date.

Prior versions are available upon request at support@whoyou.co.za.

Identity Verification Processing Notice

The personal data you provide in connection with the identity verification process will be processed by:

(i) The Company – the organisation with which you intend to establish a business relationship after completing the KYC process. The Company will process your personal data in line with its internal policies and applicable legal requirements.

(ii) WhoYou (hereinafter referred to as the “Service Provider” or “WhoYou”) – which will process your personal data on behalf of the Company to perform identity verification services and for its own separate purposes. For more information, including the identity and contact details of WhoYou, please refer to the Privacy Notice.

1. Identity Establishment

Your name and other means of identification for the purposes of obtaining this Notification shall be established in the course of the processing of your personal data carried out in accordance with this Notification.

2. Purpose of Processing

The processing shall be done for the purposes of the Company and may include:

• Compliance with applicable AML/CFT, anti-fraud laws and regulations, age restriction laws, and/or other legal obligations
• Company customer due diligence procedures in accordance with applicable laws governing the intended business relationship
  

Additionally, processing will be carried out for compatible purposes of the Service Provider acting as a separate data controller, including:

• Service development and training of AI models
• Fraud and criminal activity prevention
• Litigation hold
• Statutory obligations
  

These purposes are explained in detail in the [Privacy Notice available here].

3. Delegation of Processing by the Company

3.1. The company details (including address) of the Company (as Data Controller) have been provided by the Company. Instructions for processing, including the purpose and data to be processed, are the responsibility of the Company.

3.2. The Company may entrust processing to data processors (e.g., the Service Provider). Personal data may be disclosed to entities associated with WhoYou that are contractually obliged to implement appropriate technical and organisational safeguards. Storage may occur in Azure Cloud or the Company Cloud, depending on Company requirements.

3.3. Personal data may be disclosed to other entities associated with the Service Provider. These entities are required to implement appropriate technical and organisational measures to ensure safety of the data.

4. Data Processing Methods

Personal data shall be processed by means of:

• Automated text extraction
• Verification of document authenticity/validity
• Other automated processing of photos and scanned documents
  

This includes the following activities:

• Collection, recording, organisation, structuring, storage
• Retrieval, consultation, use, disclosure (to the Company or processors)
• Cross-border transfer (if necessary)
• Profiling, alignment or combination, restriction, erasure, destruction
  

Data may be checked in multiple databases, such as:

• International PEPs
• Sanctions lists
• Country-specific sanctions
• Watchlists and media sources
  

Where transfers occur outside the EEA, WhoYou and the Company implement appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions, UK adequacy regulations).

Biometric Processing

Biometric data will be processed as follows:

• Automated facial scan reading
• Liveness detection
• Video-selfie or video ID comparison
• Face comparison between ID photo and submitted selfie
• Detecting multiple identity creation attempts
• Development of fraud control networks
  

All biometric processing is explained in detail in the [Privacy Notice available here].

5. Types of Personal Data Processed

The following categories of data may be processed:

• General data: full name, sex, ID number, date of birth, nationality, legal capacity, location (street, city, country, postcode)
• Facial image data: face photos (including selfies), video, sound recordings
• Biometric data: facial scans
• Identity document data: document type, issuing country, number, expiry, MRZ, barcode info, security features
• Banking details: cardholder name, expiry, first 6 and last 4 digits, source of funds documents
• Contact details: address, email, phone number, IP address
• Technical data: timestamps, domain, software/hardware info, device location
• Unique identifier: Applicant ID linked to your data
• Publicly available data: PEP or sanctions list inclusion
• Additional data: provided by you or from the Company
  

Your facial images are processed to confirm you are a living person and that the face matches the ID document provided.

Categories of Data Used in Profiling

In efforts to prevent fraud, the following are analysed:

• Full name, age, DOB, address
• Facial image and biometric data
• Document type, language, applicant country
• Document and ID number
• IP address, geolocation, browser information

Why Profiling is Used

Profiling helps WhoYou offer Clients a risk label based on relevant data. This label is analysed by Clients to make an informed decision about access to services.

The final decision is always made by the Client — not by WhoYou. There is always human involvement in the process.

6. Data Subject Rights

You have the right to:

• Withdraw consent (where applicable)
• Access and adjust your personal data
• Suspend processing for a justified reason
• Object to processing or third-party involvement
• Object to decisions based solely on automated profiling
• Request data erasure (subject to applicable laws)
  

These rights can be exercised by contacting:

• The Company directly
• The Service Provider via sales@whoyou.co.za
  

Note: Some rights may be limited by legal obligations.

You also have the right to lodge a complaint with a supervisory authority. For Company-related concerns, please follow their privacy policy. For WhoYou-related concerns, see [details in our Privacy Notice].

7. Retention and Destruction

Personal data will be:

• Retained and stored by both the Company and WhoYou
• Permanently destroyed once:
  • The Company’s original purpose is fulfilled, or
  • The legally required retention period expires
    

For data processed by WhoYou for its own compatible purposes, retention is as per the [Privacy Notice].

8. Supplementary Notice

This Notification is complemented by the [Privacy Notice available here].

Let me know if you’d like this in .pdf, .docx, or .rtf format for uploads or document sharing.

‍

1.1 This privacy policy sets out how WhoYou (Pty) Ltduses and protects any information that you give WhoYou when you use this service. WhoYou is the Responsible Party as defined in the Protection of Personal Information Act, 2013 (“the POPI Act”). All information is processed and stored in compliance with the POPI Act. WhoYou’s solutions have had numerous IT audits from clients both in government and the private sector to ensure the safe storage of information related to an individual.

1.2. WhoYou is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified you can be assured that it will only be used in accordance with this privacy statement.

1.3. WhoYou may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 1 June 2020.

What we collect

1.4. We may collect the following information:

• Full name
• Identity number or passport number
• Contact information including email address
• Employment information such as the name of employer and job title
• Demographic information such as postcode, preferences and interests
• Biometric information in the form of fingerprint, facial or other biometric scans
• Credit card or other information required to pay for the services offered by WhoYou
• Other information relevant to identity verification

What we do with the information we gather

1.5. We require this information to be able to accurately verify your identity either against your existing enrolled fingerprint or face biometric image or against a third-party database. This information will not be shared with any third parties without your specific approval. The app is used for Fraud Prevention Purposes and according to the National Credit Regulator (NCR) is a permissible purpose in order to collate biometric data, including fingerprint or face data in order to verify who you say that you are. We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. Should you wish this information to be no longer stored you may advise WhoYou in writing and your information will immediately be permanently deleted.

Security Policy

2.1. We are committed to comply with all relevant legislation, including the POPI Act and GDPR, and to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

2.2. You may be concerned about allowing your personal information and your fingerprint and/or face biometric data to reside on a server in the cloud because you fear that this very identity could be misused. WhoYou addresses this issue by following best practices and stringent security guidelines for identity protection and ensuring it complies with all legislation and best practices for protection of personal information.

2.3. In order to achieve this, the demographic data for users is held separately to the fingerprint or face biometric data. The link between the two can only be established by applying a unique algorithm based association, generated and managed by WhoYou Protection Algorithm (WhoYou PA) that combines the application certificate and unique record identifiers. The WhoYou PA server itself is held separately from the WhoYou Trusted Identity (WhoYou TI) physical infrastructure. The data is encrypted and meaningless to a hacker and can only be retrieved via secured HTTP access onto WhoYou TI with a biometrically verified user. Your data can only be accessed or modified when your identity has been biometrically confirmed. Only the WhoYou PA server knows where your biometric identity is hidden in the cloud; only the WhoYou TI server can communicate with the WhoYou PA server, and the WhoYou TI server itself can only be accessed with biometric authentication. In addition, You are informed every time “you” are verified online or your details are amended. For the first time, You are guaranteed of knowing what the digital “you” is doing. A complete audit trail is kept of all enquiries, amendments, additions or deletions to your personal information. This audit log records the date and time of the activity as well as who accessed the information.

We do not use cookies

3.1. A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

3.2. This Service does not use these “cookies” explicitly. However, the app may use third party code and libraries that use “cookies” to collect information and improve their services. You have the option to either accept or refuse these cookies and know when a cookie is being sent to your device. If you choose to refuse our cookies, you may not be able to use some portions of this Service.

Log Data

4.1. Whenever you use our Service we collect data and information (through third party products) on your phone called Log Data. This Log Data may include information such as your device Internet Protocol (“IP”) address, device name, operating system version, the configuration of the app when utilizing our Service, the time and date of your use of the Service, and other statistics.

Links to other websites

5.1. Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

6.1. You may choose to restrict the collection or use of your personal information in the
following ways:

• whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
• if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at www.trustedidentity.co.za.

6.2. If you believe that any information we are holding on you is incorrect or incomplete, or you wish your information to be deleted, please write to or email us as soon as possible, at the above address. We will promptly correct any information or delete it if required.

Contact Us

If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us.

‍