ReadID Ready is an application for mobile identity document verification. By reading the NFC chip in your identity document, ReadID Ready can verify this is an authentic identity document and extract the personal data from the chip. In some cases, the identity document verification is followed by facial matching: by comparing a selfie with the face image from the identity document you can prove you are the rightful holder of the document.
Who are we?
ReadID Ready is provided by Inverid BV. Visit our company page for more information on our company. Inverid provides identity document verification on behalf of the customer - the organization that referred you here. Inverid is the data processor, the customer is the controller (or represents the controller).
What personal information is processed?
We need to process the personal data that is on the chip within your electronic identity document. This includes, but is not limited to:
Data about you: your surname and given name, date of birth, gender, nationality and face image
Data about your identity document: the document number, the country that issued the document, and the date of expiry
For security reasons, we need to process your personal data on our servers for a short period of time. How long is determined by the customer, but this is never longer than 50 days. After this period, Inverid will no longer have a copy of your personal data, but the customer may store your personal data for a longer period.
None of the information that is scanned or read from the chip, is stored in the application or on your phone. As soon as you close the app, the information is deleted from your phone.
Since we verify your identity document on behalf of our customer, we transfer your personal data to this organization. What information exactly is determined by this organization, and this will depend on why they need to verify your identity document. We refer to their privacy policies for information on how your personal data is handled by the customer.
What sub-processors are involved?
Inverid is involved as a sub-processor. In addition, AWS and/or Azure (in the EU) are used as public cloud providers and are therefore also sub-processors.
In case a facial matching takes place, then a sub-processor does this. This is iProov Limited (UK). iProov uses AWS, Azure and Google Cloud Platform as public cloud providers, located in the Economic European Area or the UK.
What non-personal information is collected and why?
The ReadID Ready application, including the underlying ReadID software, are constantly improved. To gain insight into where improvements are possible, we need to collect the app's usage information. This usage information does not contain personal information. Thus Inverid cannot directly or indirectly relate the usage information to a specific person. Usage information will only be used for improving the quality of our software and not for any other purposes.
Inverid collects the following usage information:
Phone details, including phone type, Android/iOS version, memory size. We do not collect information that is unique for a certain phone.
What type of identity document was scanned and read: was the scan successful, was the chip read successfully, what country issued the identity document, the document signing certificate as stored on the chip and the date of expiry. We collect the date of expiry since this allows us to determine the version of the scanned identity document.
Usability information: how long the different steps take, if a user managed to go through all steps and the usage frequency.
Inverid uses servers under its own control as well as Matomo Analytics to collect usage information.
Is my data secure?
Inverid and all her sub-processors are ISO27001 certified, which means that an independent auditor checked that we have appropriate security measures. Of course, we comply to relevant legislation, including GDPR.
More information, complaints and rights
Since the customer is the controller, we refer you to that organization for more information on why we process your personal information, or if you would like to invoke your rights, such as the right to be forgotten. You can also contact the Privacy Authority in your country. Inverid has a Data Privacy Officer, who can be contacted via firstname.lastname@example.org