Privacy Policy: Biometry and Liveness

1. INTRODUCTION

We, OZ FORENSICS SOFTWARE TRADING LLC, (hereinafter referred to as “Company”, “we”, “us”, and “our”) – the developer of applications and services for facial biometric authentication and/or liveness check. Not only convenience and opportunities provided by our services, but also the right of each person to private life and protection of their personal data are equally important for us. In our everyday practice the Company does everything to prevent illegal use of personal data, as well as strives towards the protection of privacy of all parties.

The objective of this Privacy Policy is to inform you – the user of the device or services of the Company – on the purposes, scope and methods of protection, periods of processing of personal data and your rights within the framework of our personal data processing procedures.

For details about the information we collect on our websites, including how we use cookies, please visit our Website Privacy Policy.

2. BASIC DEFINITIONS

This Privacy Policy uses the following basic definitions:

Policy – the present Privacy Policy.

End User or User – a natural person who is using or interfacing with the Application to authenticate themselves when gaining access to a service or product provided by the Customer.

Application – Oz Forensics provides various software and support services, including Device SDKs, the Oz Forensics API, and a demonstration tool. These Applications offer facial biometrics recognition, authentication, and liveness detection functionalities.

Customer – the legal entity that purchases the Application from the Company.

Personal data – any information that the Application may collect capable of, directly or indirectly, identifying a person.

Data subject — natural person, who either directly, or indirectly is identified or can be identified by means of personal data.

Data processing – any operation performed on personal data by using automated equipment or without such equipment, for instance, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, etc.

Third party – a person that is not a representative of the Company, its employee, subsidiary, representative office, associated company and (or) a partner, which is bound with the Company by contractual liabilities regarding non-disclosure of personal data, as well as persons that are not identified by the respective personal data.

User device – tablet, smartphone, or any other device operated by the end user to use an Application of the Company.

Media – in context of this policy, media is any file sent to the Company for the purpose of offering our solutions, such as a photo or video of your face, photo of your ID. Telemetry – information about the end-user device (IP address, browser used, etc).

Metadata – additional information collected along with images or videos, when applicable. It contains IP address, device ID, camera information, browser version, iOS/Android version, etc.

Service – Biometry and Liveness detection softwares with each detailed scope and features available here, including, individually and collectively, the applicable software, Software Development Kits (SDK), updates, API, Documentation, and all associated services provided by the Company to its Customers.

3. AREA OF POLICY APPLICATION

This Privacy Policy is in effect regarding any personal data in the meaning of the applicable law that the Company and/or affiliated persons of Company may obtain regarding you in the process of the use of any Application of the Company (hereinafter jointly – Services).

This Privacy Policy determines the category of personal data collected or received by the Company, procedures and objectives of the use of data, as well as the conditions of granting access to such data.

While this Privacy Policy governs personal information we collect and manage from external sources, it does not extend to the data practices of our Customers or other third parties, which are subject to their own distinct privacy policies.

4. PERSONAL DATA PROCESSED AND COLLECTION METHODS

In context of Biometry and Liveness Applications and services provided to its customers, the Company operates as a Processor of personal data, while the customer acts as the Controller. This applies to both the core services and any related offerings.

The Company receives personal data in the following ways:

Facial Biometric Comparison (“Biometry”). Our Application employs Biometry, a technology that analyzes facial images uploaded by Customers, using a proprietary biometrics algorithm. This process involves:

• Extracting numerical biometric data from the images using our biometrics algorithm.

• Comparing this data to assess the probability of a match between two or more faces.

In essence, Biometry, powered by our biometrics algorithm, enables the comparison of multiple media files (images, videos, and scanned documents, including photos) to verify if they depict the same individual. The analysis requires a minimum of two media files as input.

The purposes for using Biometry are defined by the Customer, such as: verifying if the facial photo on a document matches the user's facial photo (selfie); verifying if a facial photo (selfie) matches a facial photo (selfie) in the client's database, collected during a previous interaction; comparing several facial photos; among others.

Liveness check. Our Liveness solution confirms the authenticity and real-time capture of a User's image in media, protecting you and our customers against fraud.

Telemetry and metadata. Depending on the service model, the Applications may collect user device telemetry and media metadata for analysis, services improvement and development of new services anti-fraud related. This data can include technical details such as IP address, browser type and version, and device identifiers.

Access to camera. In order to work and perform our services, we may request permission to access your device’s Camera.

We may also use your personal data to provide and maintain the services to our customers, through the following processes: (i) control license/service consumption by our customers; (ii) provide report to our Customer, with details of the results of the Biometry and Liveness checks, generated from different machine learning models.

Additionally, we may use the personal data collected in the processes presented above to perform the following processing, acting as controller of the personal data and based on the purposes also presented below:

• Substantial public interest, preventing or detecting unlawful acts: (i) develop, maintain and improve the features and functionalities of our technology; (ii) develop new products or services related to fraud prevention; (iii) enable analyses related to information security, as well as its improvement and development to enhance the purpose of fraud prevention; (iv) investigate fraud.

• Legitimate interest, bringing benefits to you, the user: (i) evaluation of statistics related to the number of accesses and use of our technology; (ii) improve your user experience.

• Legal obligation: (i) comply with regulatory, legal, judicial orders, or even administrative orders from authorized bodies.

Our Biometry and Liveness Applications employ a fully automated system, eliminating the need for manual human involvement in the standard process. This automated approach ensures efficiency and scalability across a large volume of verifications. Human intervention is reserved for specific and exceptional circumstances, to analyze fraud attempts. These cases are escalated to specialized teams for thorough investigation.

5. DATA SHARING

Data Sharing Practices:

We may share your data with the following entities:

• Our Professionals: To deliver, maintain, and enhance our services and develop new services regarding anti-fraud.

• Our Customers: As necessary for the provision of the agreed-upon services.

• Advisors and Auditors: In connection with corporate transactions, where data may be treated as a business asset.

• Service Providers: To enable and facilitate the operation of our services, including security measures, data storage, and customers’ service consumption.

• Public and Government Authorities: When legally obligated to disclose information.

Data confidentiality and security are maintained when sharing. We strive to anonymize data whenever feasible.

6. DATA STORAGE

Personal data collected by the Company or received by our customers are stored on secured networks, the access to which can be granted to representatives, employees, subsidiaries, associated companies, representative offices and partners of Company that are bound to Oz Forensics by contractual obligations on non-disclosure of personal data to third parties. Personal data is stored in the Company's databases until the purposes described in this Privacy Policy are achieved.

Personal data collected by our customers may be stored in locations and for periods defined by them. For further details, please consult the privacy policy of the company through which you underwent the liveness and/or biometric authentication process.

You are entitled to receive information regarding the processing of your personal data provided for by regulatory enactments and to send the request containing the requirement to provide information on your personal data that are stored and processed by Oz Forensics (refer to the “YOUR RIGHTS” section).

7. INTERNATIONAL DATA TRANSFER

Oz Forensics processes personal data, which may be stored in the United States via Google (“GCP”) or Amazon (“AWS”) cloud services during the data processing period. Our databases are located in the USA. To ensure compliance with international data transfer regulations, Oz Forensics has established contracts with Google and Amazon that offer the required legal framework for these cloud storage services.

Oz Forensics may transfer personal data internationally to databases located in other countries, ensuring the same level of data protection as required by GDPR through secure protocols and contractual agreements with cloud storage providers.

The data is transferred through secure protocols to the aforementioned clouds, where it will remain stored in encrypted form.

You have the option to directly exercise your GDPR rights with Oz Forensics at any point in time (refer to the “YOUR RIGHTS” section).

8. MEASURES IMPLEMENTED FOR DATA PROTECTION PURPOSES

The Company stores collected personal data on secure networks. Access to this data is limited to representatives, employees, subsidiaries, associated companies, representative offices, and partners contractually obligated to Oz Forensics to maintain the confidentiality of personal data.

The Company implements the following technical measures to protect Personal Data:

• We use GDPR-compliant AWS servers with internationally recognized certifications for data security and retention (more details at https://aws.amazon.com/compliance/iso-certified/). Additionally, Oz Forensics has a signed agreement in place with AWS to guarantee data safeguards and confidentiality.

• To prevent physical access of unauthorized personnel, all premises owned by the Company have been equipped with means of technical security alarm, fire alarm, video surveillance and access control system;

• Data encryption during data transfers (SSL encryption);

• Firewall;

• Intrusion detection and protection software;Other protective measures in accordance with the current possibilities of technology.

Personal data protection measures, as outlined in this Section, will remain in effect until the data is depersonalized.

9. YOUR RIGHTS

As a data subject under the GDPR, you possess the following rights:

• Obtain confirmation of the existence of the processing of your data;

• Request a copy of your personal data;

• Correct incomplete, inaccurate, or outdated data;

• Request deletion of personal data that is unnecessary, excessive, or processed in violation of GDPR.

• Withdraw previously given consent to process your personal data;

• Request restriction of personal data processing or object to the personal data processing;

• Request the portability of data to another service or product provider.

To exercise your rights, please send an email to [email protected] with the specifics of your request.

Exercising your right to receive a copy of your personal data cannot infringe upon the rights and freedoms of other individuals.

To ensure your security and enable you to exercise your data rights, we need to verify your identity. This verification may involve requesting additional personal information. By submitting a rights request, you authorize us to collect, use, process, and store your personal data as described in this Privacy Policy.

We will receive and analyze all requests. If your request is denied, we will provide a proper justification for the refusal.

Oz Forensics commits to processing requests received according to this section. This will be done as quickly as possible, but within one month at the latest. The one-month timeframe begins upon confirmation of your identity or, if not requested by the company, upon receipt of your request. The requested information will then be provided to you. For complex or numerous requests, the company may extend the information provision period by an additional two months, provided you are notified beforehand.

In addition, you can also file a complaint with a supervisory authority.

Please note that even though we use automated processes, Oz's participation in the authentication and/or liveness check process ends with the processing of your facial biometrics and sending the result to our customer. This means that our customer is responsible for the final decision on whether or not to approve the transaction or service provision.

10. POLICY CHANGES

This policy may be occasionally amended to the extent permitted by the laws of the UAE, Singapore, and the EU, as well as internationally recognized standards for personal data protection.

All amendments to the Privacy Policy will be reflected in the present website, indicating the date, when the amendment has come into effect.

11. CONTACT US

All queries regarding the provisions of the Policy may be sent to us by one of the following means:

OZ FORENSICS SOFTWARE TRADING LLC Office 384, Saih Shuaib Bldg 2 area, DIC, Dubai, UAE

Office e-mail: [email protected]

Email for GDPR enquire: [email protected]