Privacy Policy

This Privacy Policy was last updated on May 3, 2023.

This Privacy Policy describes how we handle and protect your personal data and the privacy rights available to you. You can read the full policy below. But before we get into the details, we want to give you a digestible high-level summary of our privacy policy that should allow you to make informed decisions when you use our services.

Midy helps you prove that you are who you say you are…

Midy makes it simpler and safer to verify and prove your identity online. We perform document and face checks against accepted government-issued photo IDs and then enable you to securely store that document’s information in Midy. We refer to the information we stored from your document as ‘Extracted ID information’. Learn more about these features.

in a privacy-preserving way…

We offer a service that helps you to prove your identity in a privacy-preserving way. This means that when you consent to share information with a Midy partner (e.g. a social media provider), only the information that is needed by that partner for the current transaction will be provided and no additional identity information will be shared. The documents you add to Midy for proving your identity are not shared with the partners. Learn more about these features.

while you stay in control of your ID.

Midy will ask for your consent before providing any information related to you (referred to below as ‘confirmations’) and will tell you which organization will receive that information. Once verified, your identity data is securely stored on your device and under your control. Data extracted from your ID can only be accessed when you authorize us to help you with a verification. You can delete your Midy account and the Extracted ID information will be permanently removed. Learn more about these features.

In this policy “we”, “us”, etc. refers to NortonLifeLock Foreign Holding II Inc.

Main Features of the Service

In today’s digital world, people are often asked to prove their identity to be able to use online services. Frequent examples include online shopping, loans, social media, banking, insurance, and health services. This identity proofing is commonly done by presenting a document that states a legal name (for example by uploading a scan of a state or government issued ID or driver’s license). This process often reveals more personal information than is necessary, such as when full identity information is shared when the online service provider only wants to know that you are not a bot or that you are above a certain age.

We believe it should be easy to verify you are a real person and at the same time to keep control over your data in the digital world. So we designed Midy to help you prove the information in online transactions without sharing unnecessary identity details. Read below for more information about how the Midy verification service works.

Identity checks

Midy helps to prove that you are who you say you are by carrying out document and facial biometric checks. While we perform these checks, the partner that you agree to share the requested confirmation with does not have access to your ID, photos or videos taken during the verification process or any other ID details. It receives only the information that you agree to share with them. For example, a confirmation from Midy if the identity verification was successful or not – without sharing any detailed personal data. Midy will show you the information the partner asks for. In order to carry out the verification, the partner shares with us an identifier (e.g. your account handle).

Document verification and information

Identity verification is backed by document checks against accepted government-issued photo IDs. Document checks are done in cooperation with our service provider Onfido Inc. We analyze the document (which may include machine-readable zones, barcodes, QR codes and security chips) to verify that the document is genuine and to detect fraud. We extract relevant information from the document to create a Verified ID (see Midy Account section for more information) and to send confirmations requested by a partner (e.g., confirmation that you are a real person). To carry out the checks and extract the information, the document is kept for 48 hours by Onfido and then it is deleted from their systems.

Facial Biometric Checks and Authentication

We compare the live capture of your face with the photo from your Verified ID to verify you are a real person. This verification is done in cooperation with our service provider Onfido Inc. and in accordance with our Biometrics Notice and Onfido’s Facial Scan Policy and Release, Privacy Policy and Terms of Service. For more information about this process, please read the above-mentioned policies.

Face scan photos or videos and biometric data are kept only when performing biometric checks and are deleted once the check is complete (no later than in 48 hours from the moment they are captured). Read our Biometrics Notice for more information about biometric data processing.

Rechecks 

A partner may also ask us to check from time to time that your account is still associated with you and that it was not transferred to another person. In order to verify this we will ask you to retake the selfie photo or video and compare it to your Verified ID. This verification is done in cooperation with our partner Onfido Inc. and in accordance with our Biometrics Notice and their Onfido Facial Scan Policy and Release, Privacy Policy and Terms of Service. 

Name check 

A partner may ask to check if your first name and last name used in their service matches the name on your ID document. We extract the first name and last name from your ID and match it against the first name and last name provided by the partner. The only feedback the partner receives is the ‘yes’ or ‘no’ answer to whether the names match or not. We use various matching techniques to determine if names match with a sufficient level of certainty. In some cases, the match does not have to be perfect and there may be slight differences between the name used in the partners’ services and your ID. 

Data processing details

Feature
Categories of data processed
Legal basis
To carry out the identity check Extracted ID information – personal information extracted from your Verified ID, for example name, document number, date of birth, nationality, type of document, issuing country, expiration date, information embedded in barcodes, QR codes, security chips and features (which will vary depending on the type of document). Service provision
Photo/video – may include images, videos and/or sound recordings of you and related image metadata Service provision
Face scan data – facial scan data and numerical biometric data calculated from it Service provision, consent for biometric data
To perform the name check Name – first name, last name provided by a partner requesting the name check against your ID Service provision
To enable further verifications and rechecks ID image – image of your identity document Service provision
To establish the connection between your identity, document and partner that asked for the verification Identifiers – information relating to you as a user, your installed Midy app, Verified IDs, partners and confirmations Service provision

Duration of the processing: Extracted ID information, partner account handle and photos of your IDs are stored on your device only and you can delete them anytime. Photos or videos and face scan data are only used during the verification process and are not stored beyond that. Identifiers are processed for the duration of the account.

Selected categories of data are archived for legal, compliance and security reasons for 3 years (read more in the Legal, compliance and security section).

Misuse detection

Midy helps partners detect misuse or other similar irregular activities (e.g. excessive use of verified accounts). To do that, we create a connection between the verified ID and the user of the platform.

Data processing details

Feature
Categories of data processed
Legal basis
To help check if an identity or a document has not been misused (e.g. used multiple times without justification) Identifiers – information relating to you as a user, your installed Midy app, Verified IDs, partners and confirmations Legitimate interest

Duration of the processing: we process Identifiers for this purpose for 3 years after the account is deleted.

Midy account

Midy requires that you sign up to the service and establish an account. To set up the account we will ask for your email address or phone number to use as your account username, as well as to send you a verification code. To help protect the account we use both passkey authentication process and local device authentication, where the system will ask you to unlock your device, preferably using biometric identification (such as a fingerprint or facial recognition).

You can view your Verified IDs and information extracted from these documents such as your name, surname, date of birth, address, nationality, type of document, issuing country, issuance/expiration date. The precise extent of the data depends on a particular ID that you will choose to use. You will also find an image of the ID document with your photo in Midy. Transactions records (e.g. that a confirmation was provided to a partner) are logged.

Data processing details

Purpose
Categories of data processed
Legal basis
To create the account and enable verification Contacts – Email address, phone number Service provision
To maintain the account and enable the related verification services Extracted ID information – Personal information extracted from your Verified ID, for example name, document number, date of birth, nationality, type of document, issuing country, expiration date, information embedded in barcodes, QR codes, security chips and features (which will vary depending on the type of document) Service provision
Identifiers – information relating to you as a user, your installed Midy app, Verified IDs, partners and confirmations. Service provision
Public key generated and stored on the user’s device only Service provision
ID image – Image of your identity document Service provision
Transaction records – account-related events (creation, acceptance of terms, sign-in), verification-related events (e.g. process started/stopped/canceled/completed), Verified ID-related events (e.g. Verified ID created/deleted), partner-related events (request received, response sent). Service provision

Duration of the processing: Extracted ID information and ID images are stored on your device only and you can delete them anytime. Contacts, Identifiers and Transaction records are processed in our systems for the duration of the account.

Selected categories of data are archived for legal, compliance and security reasons for 3 years (read more in the Legal, compliance and security section).

Other processing activities

Aside from providing you with the Midy services, we also process your personal data for additional reasons. These concern our ability to conduct our business activities in compliance with both regulations and our users’ expectations, and to ensure you can access our services quickly, easily – and most important of all – securely. Here are the details of this additional processing.

Communication with customers (feedback, support)

We process data:

  • To provide you with service information, customer and technical support;
  • To collect customer feedback.

Information used: Contacts, Transaction records, information provided by you within the communication (e.g. information relating to your ID, identifiers, descriptions of the issue)

Legal basis: Service provision, consent for voluntary surveys and feedback collection

Duration of storage: 3 years

As a business we have to ensure necessary internal administrative and commercial processes (e.g. finances, business intelligence, legal & compliance, information security etc.), prove our services and transactions were carried out properly and, if necessary, defend our rights.

We also collect information from your device to comply with global legal obligations and the increasing number of biometric and privacy laws that apply to identity verification services. This is done in cooperation with our partner Onfido Inc. and in accordance with their Privacy Policy. For this purpose, your broad geographic location (e.g. country or city-level location) is collected, either directly or by approximating this based on your device’s IP address. This enables us to provide a localized service and collect any necessary biometric consents where required to meet our legal obligations.

Information used: Identifiers, Transaction records, Contacts, Communications, Location approximated from the IP address

Legal basis: Legal obligations, Legitimate interest

Duration of storage: 3 years (IP address is kept for 48 hours only)

How We Use Other Providers

Service Providers

We may use contractors and service providers to process your personal data for the purposes described in this Privacy Policy. We contractually require service providers to keep data secure, confidential and use it only for the purposes of our agreement with them.

Twilio 

Twilio helps us with the authentication of your email address or phone number. They deliver a security code to you during the account creation, and they keep audit logs containing either an email address or phone number with a timestamp. 

Onfido Inc.

Onfido helps us verify users’ identity, carry out document and face checks and provide user authentication services (see the Main features section for more detail).

Onfido also keeps logs of how you interact with their services; it does this to comply with legal and regulatory obligations, monitor the security and performance of their service and to make improvements to it. This includes timestamps of when the information was submitted to Onfido, the method used to upload information and information about the device used to submit that information. Onfido pseudonymizes, aggregates and/or de-identifies information for statistical analysis and business insight reporting. The processing is performed in accordance with their Privacy Policy.

Data of users residing in the United Kingdom or the European Economic Area are transferred to Onfido on the basis of standard contractual clauses.

Other service providers

These service providers may include external customer support providers, professional consultants including to defend or to exercise our rights, and software suppliers such as office apps providers.

Cookies 

Our websites use cookies to personalize your experience on our sites – to tell us which parts of our websites people have visited, to help us measure the effectiveness of campaigns, and to give us insights into user interactions and user base as a whole so we can improve our communications and products. While using our websites, you will be asked to authorize the collection and use of cookie data through a cookie banner with the detailed settings and information about categories of cookies. 

How We Store and Transfer Your Personal Data

We are a global business that provides products and services all around the world. The servers that are part of this infrastructure may therefore be located in a country different from the one where you live. In particular, we store data in the Amazon Web Services cloud platform (read their privacy information).

We retain the data only as long as needed to provide our services, or where it’s necessary to protect our legitimate interests and rights – as well as the rights of our users or service providers. The respective retention periods are always subject to maximum time frames imposed by applicable laws. Specific retention periods are described in the Main features and Other processing activities sections. Where we have a legitimate legal reason, we may also store information for longer than described above – for example, where we are under a binding legal order not to destroy information.

How We Disclose Your Personal Data

We have an internal policy and process to make sure that we only disclose personal data when it is legitimate and compliant with the applicable laws. If we do not have access to your personal data (e.g. when it is stored only locally on your device) or if it is encrypted, and we do not have the decryption key, we cannot provide any information.

Where we have access to personal data we may disclose it: (a) to our contractors and service providers as described above, (b) to any governmental authority where required by law, (c) in response to a court order, subpoena, discovery rule, or other lawful request, (d) as otherwise required under any applicable law, rule, or regulation, (e) in good faith, if an investigation is required (for example, as a result of a potential privacy breach or unauthorized transaction(s)), or (f) to protect or defend our rights or property or those of other persons.

Mergers, Acquisitions and Corporate Restructurings

Like any other company, we too go through our own cycle of growth, expansion, streamlining and optimization. Our business decisions and market developments affect our structure. As a result of such transactions, we may transfer your personal data to a related affiliate in order to maintain our relationship with you and continue providing you services.

If we are involved in a reorganization, merger, acquisition or sale of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such deal and outline your choices in that event, when applicable. Information, including personal data relating to our business, may be shared with other parties in order to evaluate and conclude the transaction. This would also be the case if we were required by law to make such changes.

Privacy rights

You have the following rights regarding the processing of your personal data:

  • Right to information: Right to receive information about the processing of your personal data, prior to processing as well as during the processing, upon request.
  • Right of access: You have the right to receive a copy of your personal data.
  • Right to rectification: We should process accurate personal data; if you discover inaccuracy, you have the right to seek correction of inaccurate personal data.
  • Right to erasure (“right to be forgotten”): You have the right to erasure of your personal data, but only in specific cases stipulated by law, e.g., if there is no legally recognized title on our part for further processing of your personal data (incl. protection of our legitimate interests and rights).
  • Right to data portability: You have the right to receive personal data which you have provided and is being processed on the basis of consent or where it is necessary for the purpose of conclusion and performance of a contract, in machine-readable format. This right applies exclusively to personal data where processing is carried out by automated means.
  • Right to object: Applies to cases of processing carried out in legitimate interest. You have the right to object to such processing, on grounds relating to your particular situation, and we are required to assess the processing in order to ensure compliance with all legally binding rules and applicable regulations. In case of direct marketing, we shall cease processing personal data for such purposes after the objection.
  • Right to withdraw consent: In the case of processing based on your consent you can withdraw your consent at any time, by using the same method (if technically possible) you used to provide it to us (the exact method will be described in more detail with each consent when you provide it). The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal.
  • Right to restriction of processing: You have the right to restriction of processing of your personal data if: (i) you are contesting the accuracy of your personal data, for a period enabling us to verify the accuracy of your personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead; (iii) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or (iv) you have objected to processing of your personal data, and there is a pending verification whether our legitimate grounds override your interests.
  • Right to contact a supervisory authority: You may lodge a complaint with the supervisory authority.

You can submit your requests relating to your data subject rights through our contacts described below (Contact Us).

The fulfillment of your rights listed above will depend on the category of personal data and the processing activity. In all cases, we strive to fulfill your request. We will action your request within the time frames set by the applicable laws. When we are faced with an unusually large number of requests or particularly complicated requests, the time limit may be extended in accordance with the applicable laws. If we fail to meet these deadlines, we would, of course, prefer that you contact us to resolve the situation informally.

If you are a California resident, you may have certain additional privacy rights (see below).

California Privacy Rights

This section applies to you if you are a resident of the state of California, and it explains your privacy rights, as well as other information about our treatment of California residents’ information.

Information about processing

  • Categories of collected personal information. To provide our services and for other business purposes described in this policy, we collect certain categories of your personal information. You can see all of these categories listed in the Main features and Other processing activities sections. Generally, these categories include identifiers and contact information; customer records information (transaction records) and account log-in; characteristics of protected classifications (e.g. when you ask us to verify your age); ID information including driver’s license, state identification card, or passport number; device/network data and geolocation data; biometric information (facial recognition data) used for the verification services; audio/visual information (images, videos and audio recordings); inferences drawn from other information. Midy is not targeted at minors under 16 years of age. We do not use or disclose your sensitive personal information for purposes other than the limited purposes permitted by the California Consumer Privacy Act.
  • Sources from which the personal information is collected. Our primary source of your personal information is you – we collect this information when you provide it in a form, for instance, when you’re signing up for an account, when you upload ID documents or when you communicate with us. Certain information related to your identity verification and ID data is provided by our verification service providers (identity check results). Technical identifiers and transaction records are created automatically when you set up your account or when you use the verification service. For security and business intelligence purposes, we may create or infer additional information from the collected information.
  • Business or commercial purpose for collecting or selling personal information. You can find all our purposes for processing your personal information in the Main features and Other processing activities sections.
  • Categories of third parties with whom the business discloses, sells, or shares personal information. You can find categories of recipients of personal information listed in the How We Use Other Providers section. Midy does not sell or share (as such terms are defined in the California Consumer Privacy Act) your personal information. The third-party recipients may include external customer support providers (categories of data used: identifiers, contact details, customer records, commercial information, characteristics of protected classifications – age, app activity information); professional consultants including to defend or to exercise our rights (categories of data used: identifiers, contact details, customer records, commercial information, characteristics of protected classifications – age, app activity information); and software suppliers such as office apps providers (categories of data used: identifiers, contact details, customer records, commercial information).
  • How long we store your personal information. You can find retention periods for specific categories of data in the Main features and Other processing activities sections.

Your Rights

You have the right to:

  • know what personal information is being collected about you and how it’s processed;
  • know whether your personal information is sold, shared or disclosed, and to whom;
  • request that we correct the personal information we have about you that is incorrect;
  • say no to the sale or sharing of your personal information (right to opt out). In that respect, we’d like to note that Midy app does not sell or share personal information, nor has it sold or shared any personal information in the past 12 months – of either adults or minors under the age of 16.
  • limit the use and disclosure of your sensitive personal information;
  • request deletion of your personal information; information will be deleted if no exception applies (including our right to defend our lawful interests);
  • access your personal information; specific information shall be provided in a portable and, to the extent technically feasible, in a readily useable format but not more than twice in a 12-month period;
  • non-retaliation, including the right to receive equal service and price, even if you exercise your privacy rights (also known as the right to non-discrimination).

Right To Opt Out Of Sale or Sharing

Midy app does not sell or share your personal information. That being said, if you have any questions or concerns about the use of your personal information, do feel free to submit a privacy request following the instructions below.

Request Submission

You can submit your requests using contacts indicated below in the Contact Us section. We may ask you to provide information to verify your request and related account. You can also designate an authorized agent to exercise these rights on your behalf. We may require that you provide the authorized agent with written permission to act on your behalf and that the authorized agent verify their identity directly with us.

Contact Us

To exercise any of your rights, or if you have any other questions or complaints about our use of your Personal Data and its privacy, write our Privacy Team through the most convenient channel below:

You can submit your privacy requests through our email at privacy@midy.com.

If you prefer, you can send paper mail to NortonLifeLock Foreign Holding II Inc., 60 East Rio Salado Parkway, Suite 1000, Tempe AZ 85281. Be sure to write “Attention: MIDY PRIVACY” in the address so we know where to direct your correspondence.

Changes

We’ll update this policy whenever we make material changes to our practices, and we’ll announce it to let you know. We hope you’ll find any changes agreeable, but if you’re not comfortable with changes to the info we collect or how we use it, we understand your choice to stop using our service.