Master Service Agreement

• ID Dataweb, Inc. (“ID Dataweb”) collects personal data, which may include biometric data, of individuals with their explicit consent only on behalf of its clients.  The data collected is the minimum deemed necessary to verify the individual’s identity for the purpose of mitigating fraud.
• ID Dataweb may process data about visitors to its website and services (“usage data”). The usage data may include IP addresses, location data, and details about the user’s computer, as well as data about the timing and pattern of their visit.
• If a person contacts us, whether through the contact form on this website or through other means, we may process personal data that that was provided, which may include their name and email address, as well as metadata created by the website associated with the contact web forms.

“Data Protection Legislation” means, for the purposes of this Privacy Policy, all applicable data protection laws as now or as may become effective and/or amended, including without limitation the Swiss Data Protection Act, the GDPR, the California Consumer Privacy Act (“CCPA”), the U.S. Health Insurance Portability & Accountability Act of 1996, as amended and implemented (“HIPAA”), and the Canada Personal Information Protection and Electronic Documents Act.

“Biometric data” means personal information collected by ID Dataweb and/or its Processors about an individual’s physical characteristics that can be used to identify that person. As used in this Policy, biometric data includes “biometric identifiers” and “biometric information” as defined in the Illinois BIPA, 740 ILCS § 14/10.

“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on the individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

“Client” means a company that has contracted with ID Dataweb for the purpose of processing personal data, that may include the collection and processing biometric data, for the purpose of verifying identity in order to mitigate fraud.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Personal data” means information that can be used to uniquely identify an individual. Personal data includes biometric data.  Personal data includes “Personal information” as defined in the Canadian Personal Information Privacy and Electronic Documents Act (PIPEDA).

“Processor” means a vendor selected or approved by the Client for the purpose of collecting and/or evaluating personal data and providing a response regarding the accuracy and consistency of the biometric data. This Policy does not include the privacy policy of our Processors, also known as Sub-Processors, but the processing and retention of personal data is subject to the terms and conditions contained in contracts between ID Dataweb and its Sub-Processors.

“Transaction” means a series of events in which personal data is collected, transmitted to a processor, a response is returned from the processor, the response is evaluated in combination with other data, and a decision is transmitted to the client. The decision returned to the Client may include the personal information, including biometric data, collected from the individual.

ID Dataweb retains enough metadata about a transaction to be able to identify the transaction and the decision returned. ID Dataweb does not retain personal data about an individual any longer than necessary to complete a transaction. Upon completion of each transaction, all personal data is permanently deleted.

Individuals who believe that ID Dataweb has processed or possesses their personal data may make requests with respect to their personal data by contacting the company through the general-purpose contact form, located at the bottom of the Home Page at iddataweb.com or by email to compliance@iddataweb.com. The company’s Data Protection Office (“DPO”) will promptly evaluate the request. The company’s validation criteria provide that requests may be rejected in certain circumstances, including where (i) the identity of the requester cannot be authenticated, (ii) the requester fails to provide sufficient information to allow the company to reasonably respond to the request, (iii) the request is overly broad or excessive when balanced with the resource and cost implications of responding to the request, (iv) the request is repetitive of a previous request submitted by, or behalf of, the same requester or (v) the request is clearly intended to circumvent reasonable document production restrictions under legal, administrative or similar proceedings. If the request is rejected during the validation process, the requester will be given reasons and have the opportunity to request reconsideration by the DPO. If the DPO confirms a rejection decision, you will also have an opportunity to appeal to a Privacy Review Panel. The Privacy Review Panel consists of senior company individuals who are independent of the DPO team and who have not been involved in validating, assessing or responding to a request. The Privacy Review Panel will conduct an independent review of any matter brought before it for appeal. Upon completion of its appeal review, the Privacy Review Panel will require the DPO to make available (i) any additional information it determines is appropriate and consistent with the Privacy Policy or (ii) its decision on what actions, if any, should be taken by the company. Decisions of the Privacy Review Panel are final.