Legal Center

Last updated: 08 July, 2025

Privacy Policy - Service

Preamble

This Privacy Policy applies to Personr Pty Ltd, incorporated in Australia with ACN 654 135 430 ("Personr," "we," or "us"). It outlines how we collect, use, store, disclose, and protect your personal data in accordance with the Australian Privacy Act 1988 (Cth), Australian Privacy Principles (APPs), EU General Data Protection Regulation (EU GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and Biometric Information Privacy Act (BIPA) (Illinois, USA).

This Privacy Policy has been developed in accordance with all 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth). It is also designed to demonstrate compliance with Articles 5-30 of the EU/UK GDPR, Sections 1798.100-1798.199 of the CCPA, and the BIPA requirements for the collection, use, and retention of biometric identifiers and personal information.

1. Scope

This Privacy Policy explains how Personr handles personal data in its capacity as:

A data processor (when acting on behalf of Clients who control data);

A data controller (when developing services or complying with public interest obligations).

This Policy does not govern how our Clients manage personal data. Their practices are set out in their respective privacy notices or policies.

Collection notice before the time of collection

In accordance with APP 1.4, GDPR Article 13, and CCPA 1798.100(b), we provide individuals with clear, and timely consent collection notices before the time personal information is collected.

These notices include:

The identity and contact details of Personr;

The purposes of collection;

The lawful basis for processing (consent, contract, legal obligation);

Categories of third parties to whom the data may be disclosed;

Whether we are likely to disclose personal data overseas and the relevant jurisdictions; and

Information on their rights, and instructions on how to correct personal data or lodge a complaint.

This consent to Privacy and Personal Data Processing is displayed before collection during onboarding, and is available to view online within our legal centre.

Processing on behalf of Clients

Personr acts as a data processor on behalf of its clients (the Controller) when processing personal data. When we do this, we:

Only process personal data in accordance with the instructions of that Client, unless required to do otherwise by law or legislation;

Implement appropriate technical and organisational measures to ensure the security and integrity of the data; 

Assist Clients in fulfilling their obligations under privacy laws, including responding to data subject requests; and

Ensure all sub-processors, verification partners, and other third parties are contractually bound to the same privacy and security standards.

These responsibilities are defined in our Data Processing Agreement with each Client, in accordance with GDPR Article 28, APP 6, and relevant CCPA/BIPA requirements.

2. Definitions

Definitions used in this Privacy Policy include:

APPs refer to the Australian Privacy Principles;

BIPA means the Illinois Biometric Information Privacy Act;

CCPA refers to the California Consumer Privacy Act;

Client means an organisation, business, or government entity that engages Personr to provide identity verification or compliance services. Clients are typically the data controllers and determine the purposes and means for processing personal data collected via Personr services.

Consent means a freely given, specific, informed, and unambiguous indication of a data subject’s agreement to process their personal data;

Controller means the entity that determines the purpose and means of processing personal data;

Data Subject is an identified or identifiable individual;

EU GDPR means Regulation (EU) 2016/679;

UK GDPR means the EU GDPR as retained in UK law;

Privacy Act
refers to the Privacy Act 1988 (Cth), the primary data protection legislation in Australia. It sets out the 13 APPs, regulating how personal information must be collected, used, disclosed, and managed by entities covered under the Act.

Processor is the entity processing personal data on behalf of a Controller;

Special categories of personal data refers to data including racial/ethnic origin, political views, religious beliefs, biometric data, and health data;

Third Party, or Verification Partner means authorised third parties processing data under Personr’s authority, which include document holders, authorised record holders, and credit reporting agencies;

Personal Data Breach means unauthorised access, disclosure, loss, or misuse of personal data.

3. Legal framework

We comply with:

The Privacy Act 1988 (Cth) and all 13 APPs as applicable to Australian data subjects;

The EU and UK GDPR, specifically Articles 6 (lawfulness of processing), 9 (special categories), and 30 (records of processing) as applicable to EU and UK data subjects;

The California Consumer Privacy Act (CCPA), including the rights to know, delete, and opt out of sale, as applicable to individuals residing in California;

The Biometric Information Privacy Act (BIPA), including the requirements for written informed consent prior to biometric collection, as applicable to residents of Illinois;

Local laws applicable in the jurisdictions where our Clients or individuals are based.

We rely on:

Consent (APP 3, GDPR Article 6(1)(a), CCPA 1798.120);

Performance of a contract (GDPR Article 6(1)(b));

Legal obligations (APP 6, GDPR Article 6(1)(c)); or 

Legitimate interests (APP 6, GDPR Article 6(1)(f)).

Lawful basis

Depending on jurisdiction, we may rely upon a lawful basis to collect, store, and process the personal data and biometric information of a given Data Subject:

4. Personal data collected

Depending on the type of services provided, and in compliance with APP 3.2 and GDPR Article 5(1)(c), we may collect:

Full name, address, email, phone number, and date of birth;

Biometric data and information such as facial scans or selfie images (as defined under APP 3.3, BIPA, and GDPR Article 9);

Government-issued identification details;Location information (IP address, geography);

Technical device information (camera name, type, device);

PEP, sanctions, and adverse media listing statuses;

Risk scoring indicators and metadata.

We do not knowingly process data from individuals under the age of 16 years.

Minimisation and accuracy

Under APP 10 and GDPR Article 5.1(1)(d), we take reasonable steps to ensure personal data is:

Accurate, up-to-date, and complete; and

Limited to what is necessary for the purposes stated.

Handling of sensitive information

In compliance with APP 3.3 and GDPR Article 9(2)(a), we only collect biometric data:

With express, written consent; 

Where necessary for lawful identity verification purposes;

Subject to retention and destruction obligations under BIPA 15(a) and APP 11.

5. Purpose of processing

We process personal data for:

Identity verification and know your customer compliance;

Fraud detection and prevention;

AML/CTF requirements and other applicable legislation;

Service development and training algorithms (with consent);

Providing Clients with verification outcomes, recommendations, and analytics;

Responding to data subject access requests; and

Compliance with legal, regulatory, or litigation obligations.

Our purpose in processing personal data and biometric information of Data Subjects aligns with:

Use and disclosure (APP 6);Purpose limitation (GDPR Article 5(1)(b);

Notice at collection (CCPA 1798.100(b); andSole use for identification and fraud prevention (BIPA).

Verification and processing

When a Data Subject engages in identity verification, depending on the Client’s requirements, the following may occur:

The individual is prompted to upload or capture a live image of their identity document and a selfie (or video, for liveness);

The system extracts text and analyses security features from the identity document;

Facial biometrics, where applicable, are compared between the selfie and identity document;

Liveness detection may be performed to prevent spoofing (presentation attacks, deepfakes) and to ensure the individual is live and present;

Metadata and behavioural signals (device integrity, geolocation, duplicate attempts) may be assessed; and

Results are securely logged and made available to the Client who requested the verification.

This process is conducted in compliance with APPs 1, 3, 6, and 11, GDPR Articles 5-9, and BIPA 15.

In addition to individual identity verification and know your customer, we may perform Know Your Business (KYB) checks on legal entities and their associated representatives (such as directors, shareholders, and ultimate beneficial owners). This process helps Clients meet their legal obligations under:

AML/CTF Act 2006 (Cth) and AUSTRAC guidelines;

EU AML Directives; or

US FinCEN Customer Due Diligence (CDD) Rule.Checks on legal entities and associated representatives may involve:

Retrieving business registry data (such as registration number, address, registry status);

Verifying company documents (such as a certificate of incorporation);

Identifying and verifying associated individuals;

Screening entities and associated individuals against sanctions, watchlists, and politically exposed persons (PEP) databases;

Performing adverse media and financial crime risk assessments.

Automated decision-making and profiling

We do not make final decisions that produce legal or similarly significant effects solely through automated means. Any identity verification or risk scoring performed by our systems supports Clients’ decision-making, which may be subject to human review. Client decision-making is not governed by this Policy.

We comply with GDPR Article 22 by avoiding fully automated decision-making that has legal effects. Where profiling is used (eg. for fraud detection), we ensure human review is available on request in accordance with APP 12.6 and GDPR Article 22(3).

We may conduct limited profiling to:

Detect high-risk behaviours (device spoofing, identity fraud);

Recommend secondary verification steps;

Flag duplicate or suspicious identities.

Where legally required, we ensure Data Subjects are able to contest automated results, express their point of view, and request human review.

Audit trails and law enforcement assistance

Under APP 6.2(e), GDPR Recital 49, and relevant Australian and US criminal legislation, we:

Maintain auditable logs for identity verification activities;

Disclose logs only under a lawful request;

Protect all logs under APP 11 and GDPR Article 32.

We comply with APP 6 and all applicable laws, including the Telecommunications (Interception and Access) Act 1979 (Cth), when disclosing any personal or biometric data to authorities.

6. Cross-border transfers

Where data is transferred outside of:

Australia:

We comply with APP 8 and take reasonable steps (including contracts, assessments, and technical safeguards) to ensure the overseas recipient does not breach the APPs; 

EU/UK:

We use Standard Contractual Clauses (SCCs) or rely on Adequacy Decisions;

US:

Data is stored and handled per BIPA and CCPA obligations.

Data sharing

Your data may be shared with third parties to confirm details, such as:

Verification partners (document holders, authorised record holders, or credit reporting agencies);

Cloud service providers or secure storage providers;

Government regulators or law enforcement where legally obligated; 

Other entities upon your consent.

Depending on jurisdiction and residency, personal data is only disclosed to third parties that meet:

APP 6 and 8 obligations;

GDPR Article 28 (processor contracts);

CCPA 1798.140 (contractual service provider rules); or

BIPA 15(d) (written disclosure requirements).

All third parties are contractually obligated to protect your personal data and comply with relevant data protection laws.

7. Retention

Data retention and the deletion of your data is determined by:

Client instructions (acting as Controllers);

Applicable legal requirements;

Statutory periods (such as 1 year in Texas, and 3 years in Illinois);

Litigation hold requirements;

Fraud detection and service development needs (in pseudonymised form).

Our retention practices comply with:

Reasonable destruction of unneeded personal data (APP 11.2);

Storage limitation (GDPR Article 5(1)(e));

Data deletion requests (CCPA 1798.105(c));

Retention for no longer than 3 years after last interaction (BIPA 15(a));

Data is deleted securely per our Data Disposal Policy.

8. Data Subject Rights

Depending on a Data Subject’s jurisdiction and residency, a Data Subject may:

Access, correct, or delete data;

Restrict or object to processing;

Request data portability;

Lodge complaints with:

Office of the Australian Information Commissioner (OAIC):

www.oaic.gov.au

Document Verification Service (DVS): www.idmatch.gov.au/individuals

Information Commisioner’s Office (UK): www.ico.org.uk

Your EU national Data Protection Authority

Your state privacy regulator (for US residents)

We uphold rights under:

APP 12 and 13 (access and correction);

GDPR Chapter III (Article 12-23);

CCPA 1798.100-1798.130;

BIPA 15(b-e); and

Applicable jurisdictional legislation where personal data processing occurs.

A Data Subject may additionally contact the Client as the Controller of data, or Personr as the Processor of data to exercise these rights.

Our Data Protection Officer can be contacted by emailing:

privacy@personr.co

Right to non-discrimination

In accordance with CCPA 1798.125, and regardless of jurisdiction or residency, we will not discriminate against a Data Subject for exercising privacy and data rights. In this context, this includes providing a different level of service or quality. Where certain functionality requires personal data (eg. for identity verification), a Data Subject may not be able to access those features without consent.

9. Processing of children’s data

In accordance with GDPR Article 8, CCPA 1798.120(c), and APP 3.4, we do not knowingly collect or process personal data of children under the age of 16. If we become aware of such data, it will be deleted without delay.

10. Security

We implement:

End-to-end encryption during transit and at rest of data;

Secure cloud infrastructure;

Regular data protection audits;

Staff training and background checks;

Role-based access control;

Secure deletion practices (AWS, device sanitisation).

The security implementations are met under the obligations of APP 11.1 (reasonable security), GDPR Article 32 (integrity and confidentiality), CCPA 1798.150(a)(1) (reasonable security procedures), and BIPA (reasonable standard of care).

Staff and contractor access

All access to personal or biometric data is governed by strict internal policies and technical safeguards. In compliance with APP 11 and BIPA 15(e), we:

Grant access only to trained and authorised personnel;

Maintain detailed access logs;

Regularly review user access permissions; and

Require role-based access and multi-factor authentication for sensitive environments.

Staff and contractors undergo privacy and security training during onboarding, and annually thereafter.

Cookies and Analytics

Our website and services may use cookies and third-party analytics tools to enhance user experience and monitor website or service performance.

This may involve the collection of:

IP address;

Browser and device type;

Session behaviour and navigation.

You may disable cookies in your browser settings.

Data breach notifications

We take the security of personal information seriously and have procedures in place to detect, contain, and manage data breaches. In accordance with:

APP 11.1 and the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988 (Cth); GDPR Article 33; and

CCPA 1798.150,

we will promptly assess and respond to any actual or suspected data breach involving personal or biometric information.

Where a breach is likely to result in serious harm or risk to individuals’ rights and freedoms, we will:

Notify the affected individuals and the relevant supervisory authority (such as the OAIC, ICO, EDPB);

Provide details of the nature and scope of the breach;

Describe the type of data involved;

Outline steps taken to mitigate harm and prevent recurrence.

Our internal incident response plan sets out these obligations and is reviewed regularly. Individuals who suspect a privacy breach involving their data can contact our Data Protection Officer by emailing privacy@personr.co

11. Roles and responsibilities

Data Protection Officer Responsibilities

Our appointed Data Protection Officer (DPO) is responsible for:

Monitoring compliance with privacy laws, this Privacy Policy, and other applicable policies;

Advising on data protection impact assessments;

Responding to regulatory inquiries and privacy complaints; and

Serving as the point of contact for Data Subjects and supervisory authorities.The DPO contact details can be found in Section 15.

Personnel Responsibilities

All Personr employees, contractors, and representatives who handle personal or sensitive information must:

Complete mandatory privacy and data protection training;Handle data only as authorised and necessary for their duties;

Follow internal policies for secure access, transmission, and storage; and

Promptly report suspected data breaches in accordance with our incident response plan.

12. Sale of data

We do not sell personal information or data, in accordance with CCPA 1798.140(t), APP 6.1, GDPR Articles 6-7, and BIPA 15(c).

13. Biometric data (BIPA/US-specific notice)

In accordance with BIPA 15(a-e), biometric identifiers (such as facial geometry) are processed only:

With explicit informed consent;

For specific, legitimate identity verification purposes;

With secure retention and destruction policies (see Section 7).

14. Changes to this Policy

This Policy may be updated at any time and is reviewed regularly.

Continued use of the Website or Services constitutes your acceptance of any amendments. We strive to improve our services, and as such our policies, and invite you to periodically review these documents from time-to-time.

Privacy impact assessments

Where our processing activities are likely to result in high risk to individuals (such as biometric information, or decision-making), we conduct formal Privacy Impact Assessments or Data Protection Impact Assessments.

These assessments are conducted in accordance with APP 1.2 and GDPR Article 35 to evaluate risks and ensure appropriate controls are implemented.

15. Contact

To contact our Data Protection Officer, please email: privacy@personr.co