We do not provide services directly to individual end users. Individual end users should contact our clients and/or review their own privacy policies for information on how our clients use their personal data. In this regard, we are a “data processor” or a “service provider” under applicable data protection laws except where otherwise stated for specific services in which Mitek is a “data controller”. If you are an individual end user with questions about Mitek’s collection and use of biometric information or biometric identifiers through the Client Services, please see Section 10 below.
|Category of Personal Information Collected||Source||Purpose for Collection||Categories of Recipients|
|Contact information: such as name, address, and phone number.||Site visitors, client contacts, including employees and representatives we work with provide this information when they visit the Site, call us, or otherwise interact with us.||To communicate with and respond to our clients about the work we do for them and deliver the Client Services to them and their customers, including validation of identity or to meet legal obligations.||We may share this information with select marketing or other service providers and partners.|
|Recruitment and Job Application information: such as name, address, and phone number, or information on a resume or a curriculum vitae.||Site visitors or job applicants.||To consider you for an employment position or to respond to an employment inquiry.||Our service providers who help us with employee matters or job fulfillment.|
|Health and safety information: details about your health, including temperature.||From employees and visitors to our corporate offices.||To help ensure that our offices are safe for employees and visitors and meet applicable legal requirements.||Our People Operations department and third-party providers who assist with health and safety screenings, in all cases subject to strict confidentiality and applicable law.|
|Payment information: name, card issuer and card type, credit or debit card number, expiration date, CVV code, and billing address.||From our clients and their payment card issuers.||Authorizing of credit card and other financial transactions for our clients.||Our service providers who process payments for us—they are prohibited from using personal information for any other purposes and are contractually required to comply with all applicable laws and requirements, which includes the Payment Card Industry Data Security standards|
|Data through our technology platform: Pursuant to the contractual requirements with our clients and through the Client Services, we may collect information about individual end users including images of government-issued IDs, selfies, and other personal information. Some of this information may be considered to be biometric identifiers or biometric information under applicable law. For more information, please see our Biometric information Retention Policy, Section 10, below.||Through end users’ devices and computers, pursuant to and as directed by our clients.||Compliance with the contracts and related obligations of our clients, typically used to verify your identity and provide other services as directed by our clients as part of the Client Services. We may retain and use this data for legitimate interests (including retention of images for the improvement of our facial recognition technology), public interest and/or substantial public interest especially for crime/fraud prevention. In these instances, Mitek operates as a data controller for specific identity verification services and where it retains images for its own purposes.||With our clients and service providers subject to strict confidentiality obligations and other precautions intended to limit the volume and retention period for any personal information. This information will be subject to the privacy policies and practices of our clients, and you should consult with them before sharing your information with them through our technology products.|
In Connection with Business Transfers: In the event that a division, a product or all of Mitek is bought, sold or otherwise transferred, or is in the process of a potential transaction, personal information will likely be shared for evaluation purposes and included among the transferred business assets, subject to client contractual requirements and applicable law.
To Comply with Laws: Mitek may also disclose specific personal information when such disclosure appears necessary to comply with applicable law, a subpoena in the course of managing a dispute, governmental inquiry or other litigation process. We may also disclose information to our accountants, auditors, agents, lawyers and other advisors in connection with the enforcement or protection of our legal rights or to protect the interests or safety of our clients, our clients’ customers or employees or others, in accordance with or as authorized by law.
For legitimate interests: Mitek may also use and share personal information for its legitimate interests or those of a third-party, such as our clients, where we reasonably consider that the processing is proportionate to the legitimate interest and privacy rights will not be adversely affected by those legitimate interests. This will include the use of personal information for marketing purposes, internal analysis, investigations, improvements of our products and services (including retention of images), protection of our network and systems, crime/fraud prevention (including retention and use of fraudulent information), administration, identifying public security threats or potential criminal acts or other misconduct and similar legitimate interests. Where required under applicable laws, we conduct a legitimate interests assessment.
Interest-Based Ads: We may use third-party advertising companies that use tracking technologies to serve our advertisements across the Internet. These companies may collect information about your visits to the Site and other websites and your interaction with our advertising and other communications. These advertising companies serve ads on behalf of us and others on non-affiliated sites, and some of those ads may be personalized, meaning that they are intended to be relevant to you based on information collected about your visits to the Site and elsewhere over time. Other companies may also use such technology to advertise on our Site.
You have the choice to tell us not to collect and use this information. If you would like more information about this practice and to know your choices concerning interest-based ads, visit:
In Canada, please visit: http://youradchoices.ca/choices/
For European countries, please visit: http://www.youronlinechoices.eu/
Mitek may use Google Analytics to evaluate use of the Site for our internal purposes such as evaluating usage of the Site. To learn how Google Analytics collects and processes data, please visit: “How Google uses data when you use our partners’ sites or apps” located at www.google.com/policies/privacy/partners.
Do Not Track (DNT): This is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium, or W3C, has not yet established universal standards for recognizable DNT signals, and therefore Mitek and the Site do not recognize DNT.
Personal information that we collect, access or process will be retained only as long as necessary for the fulfilment of the purposes for which it was collected and for a period of time afterwards for legal purposes. We then take measures to delete or de-identify personal information. For information collected through contracts with our clients, that time is dictated by our services contracts or as otherwise required or authorized by law. For specific information about retention of biometric identifiers and biometric information, please see Par. 10, below.
Mitek may, subject to applicable laws, use personal information from our clients and their employees to contact them about our Site and Client Services, including to provide them with information on additional products from Mitek that may be of interest to them. Client contacts may exercise choices regarding these communications as follows:
- Mail marketing, Telephone marketing, Surveys and Quality control communications. You may decide that you prefer Mitek not to use your personal information to promote new and/or additional products and/or services which may be of interest to you and refuse that we contact you by mail or telephone for marketing purposes or by email or telephone for quality control purposes. If this is the case, you may advise us by contacting customer service or contacting us using the information detailed in the Contacting Us section below.
- Emails/Commercial Electronic Communications. You can always limit the communications that Mitek sends to you. To opt-out of commercial emails, simply click the link labeled “unsubscribe” or “opt-out” at the bottom of any commercial electronic communication we send you. Please note that even if you opt-out of promotional communications, we may still need to contact you with important information about your account.
Applicable European data privacy laws give individuals at our clients the right to access their personal information in accordance with the applicable European data privacy laws. If you would like to request a copy of your personal information being held by us, or request that it is deleted or restricted or to update and/or correct your personal information or request that we provide a copy to another data controller of your personal information that you have provided to us, please contact us in the Contacting Us section below. We will need enough information to ascertain your identity as well as the nature of your request. We will aim to respond to your request within one calendar month of receipt of the request. Where we were unable to do so within the calendar month, we will notify you of the soonest practicable time within which we can respond to your request (and within three months from the date of your request). There are certain exemptions and restrictions of these rights under the European data privacy laws that enable personal information to be retained, processed or withheld from access and we will inform you of these if applicable.
For personal information collected pursuant to contracts with our clients, Mitek depends primarily on our clients to notify and provide their customers and employees choices regarding the personal information that they provide. Our clients are therefore responsible for notification of purpose and for obtaining appropriate consent, to the extent required by law, when they collect personal information that is transferred to Mitek.
Our Client Services and our Site are not directed toward children and we do not knowingly solicit or collect personal information online from children under the age of 13 (or such applicable higher age of consent) without prior verifiable parental consent. If Mitek learns that a child under the age of 13 (or such higher applicable age) has submitted personal information online without parental consent, we will take all reasonable measures to delete such information from our databases and to not use such information for any purpose (except where necessary to protect the safety of the child or others as required or allowed by law). If you become aware of any personal information we have collected from children under age 13 (or such higher applicable age), please contact us using the information detailed in the Contacting Us section below.
In certain jurisdictions, you may have the right to obtain confirmation as to whether your personal information is being processed, information about the purposes of that processing, and information about the recipients to whom your personal data have been or will be disclosed. You may also have the right to receive a copy of the personal data you have provided and/or request its deletion.
Our clients are responsible for managing any request made by their employees or customers regarding access to and rectification of their personal information that is transferred to us. However, if you have questions about your rights, please feel free to contact using the contact information detailed in the Contacting Us section below.
Important: As described above, to the extent that Mitek collects personal information, it does so primarily as a service provider acting pursuant to contracts to provide the Client Services. If you provided your personal information to our clients, you should contact the particular client to whom you provided your personal information if you have questions about your rights under the state consumer privacy laws in California and elsewhere.
If you are a resident of California, Colorado, Connecticut, or Virginia, the laws in those states do provide you with the following rights with respect to your personal information:
- The right to know the categories or specific personal information we have collected, used, disclosed and sold about you. To submit a request to know, you may contact us at firstname.lastname@example.org. You also may designate an authorized agent to make a request for access on your behalf.
- The right to correct personal information we have collected, used, disclosed and sold about you. To submit a request to know, you may contact us at email@example.com. You also may designate an authorized agent to make a request for access on your behalf.
- The right to request that we delete any personal information we have collected about you. To submit a request for deletion, you may contact us at firstname.lastname@example.org. You also may designate an authorized agent to make a request for deletion on your behalf.
When you exercise these rights and submit a request to us, we will verify your identity (or the identity and authorization of your agent) by asking you for information such as your email address, telephone number, information about your company’s contract with Mitek, or the last four digits of a credit or debit card used with Mitek. We also may use a third party verification provider to verify your identity.
Your exercise of these rights will have no adverse effect on the price and quality of our goods or services.
Separate from the above-disclosed rights, California law does permit California residents to request certain information regarding our disclosure of personal information to third parties for the third parties’ direct marketing purposes. Mitek does not share personal information of California residents with third parties for their own direct marketing. For questions, please contact us by sending an e-mail to email@example.com.
This Biometric Information Retention Policy is provided pursuant to the Illinois Biometric Information Privacy Act (“BIPA”) and other applicable laws that govern the collection of biometric data. It also describes the purpose for which your biometric data may be collected, an applicable retention schedule, and guidelines for permanently destroying your biometric data.
Purpose of Collection. Mitek’s access to or collection of your Personal Information in connection with the Client Services, if any, may include biometric identifiers and/or biometric information (collectively, “biometric data”). Mitek does not interact directly with you with respect to collection of your biometric data. Through our clients and at their specific direction, Mitek may access, process, and store your biometric data for the purpose of verification services, fraud prevention, and/or long-term proof of inspection of your provided form of identification, on behalf of and as instructed by our clients. Where required by law, Mitek’s clients must obtain consent to collect or possess your biometric data. Mitek will not sell, lease, trade, or otherwise profit from your biometric data.
Retention of Biometric Data. BIPA provides that biometric data must be destroyed at the earliest of three years of the last interaction with you or when collection purpose has been met. Mitek will, therefore, destroy your biometric data, if any, within the time required by law. Specifically, Mitek will permanently destroy your biometric data, if any such data is in its possession, (1) when the initial purpose for collecting or obtaining such data has been satisfied, or (2) within 3 years of your last interaction with our client, whichever occurs first. Where actually in our possession and subject to the direction of our clients, Mitek will strive to retain your biometric data only for as long as necessary to detect fraud and will then seek to permanently destroy such data within approximately 90 days where no fraud had been detected.
In some cases, personal information that we process, including information from our clients and their employees and/or customers located in various countries, including in Canada, the European Economic Area, the UK and Switzerland or relative to queries or visitors to the Site may be transferred to the United States or other countries that may not have data privacy laws that provide equivalent protection as the countries where you reside. Mitek is certified under the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, and our full Privacy Shield Policy is available below. Recognizing that the Privacy Shield is not currently recognized in Europe, we will execute the Standard Contractual Clauses where appropriate. Regardless, you understand that your personal information may be transferred, processed and stored outside of your country of residence, and therefore may be available to government authorities under lawful orders and laws applicable in such foreign jurisdictions.
We are transparent about the ways in which we collect and use personal information, and welcome your questions and concerns. If you have any concern or complaint about the way we handle your personal information, please contact us as described below. To the extent you believe we have not addressed your concerns or otherwise choose to do so, or you choose not to contact us first, you have the right to lodge a complaint with a supervisory authority in the country where you reside and/or in the United States. For information on how you can file a privacy complaint with the Federal Trade Commission, please visit: https://www.ftccomplaintassistant.gov/
Where applicable under European data privacy laws, you have the right to make a complaint to your local supervisory authority.
This policy is effective September 2022.
Mitek Systems, Inc. and its U.S. affiliates IDChecker Inc. (collectively “Mitek”) comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (the “Privacy Shield”) as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland. Although we recognize that the European Court of Justice has invalidated the Privacy Shield, Mitek continues its commitment to the Privacy Shield Principles and program. Under the circumstances where its customers want to rely on international data transfers, Mitek will adhere to applicable Standard Contractual Clauses, incl. the supplementary measures, to support its customers.
“Personal Data” means information that (1)is transferred from the EU/EEA, the United Kingdom, or Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.
Mitek may receive Personal Data from itself as well as from its affiliates and other parties located in the EU/EEA/UK. Such information may contain names, addresses, email addresses, personal information contained on government issued identity documents, biometric data and payment information and may be about customers, clients of customers, business partners, consultants, employees, and candidates for employment and includes information recorded on various media as well as electronic data.
Mitek generally does not collect Personal Data directly from individuals. Mitek, however, may receive Personal Data indirectly via its customers. Mitek expects that those customers comply with the Principles. Mitek will cooperate with its customers to enable them to comply with the Principles, to the extent a Principle is applicable to Mitek.
Whenever Mitek collects Personal Data directly from individuals, Mitek complies with the Principles:
Notice. We shall inform an individual of the purpose for which we collect and use their Personal Data and the types of third parties to which our Company discloses or may disclose that Personal Data. Our Company shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to our Company, or as soon as practicable thereafter, and in any event before our Company uses or discloses the Personal Data for a purpose other than for which it was originally collected. Mitek may be required to disclose Personal Data in response to lawful request by public authorities, including to meet national security or law enforcement requirements.
Choice. We will offer individuals the opportunity to choose (opt out) whether their Personal Data is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, our Company will give individuals the opportunity to affirmatively or explicitly (opt in) consent to the disclosure of the information to a third party or for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Our Company shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.
Agents, technology vendors and/or contractors of Mitek or Mitek affiliates may have access to an individual’s Personal Data on a need to know basis for the purpose of performing services on behalf of Mitek or providing or enabling elements of the services. All such agents, technology vendors and contractors who have access to such information are required to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for Mitek or as otherwise required by law.
Accountability for Onward Transfer. Prior to disclosing Personal Data to a third party, we shall notify the individual of such disclosure and allow the individual the choice (opt out) of such disclosure. Our Company shall ensure that any third party to which Personal Data may be disclosed subscribes to the Principles or is subject to laws providing the same level of privacy protection as is required by the Principles and agrees in writing to provide an adequate level of privacy protection. Mitek may be held responsible in cases of onward transfers to third parties.
Data Security. We shall take reasonable steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Our Company has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Personal Data from loss, misuse, unauthorized access or disclosure, alteration or destruction. However, our Company cannot guarantee the security of Personal Data on or transmitted via the Internet.
Data Integrity and Purpose Limitation. We shall only process Personal Data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, our Company shall take reasonable steps to ensure that Personal Data is accurate, complete, current and reliable for its intended use.
Access and Recourse. We acknowledge the individual’s right to access their Personal Data. We shall allow an individual access to their Personal Data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
For complaints that cannot be resolved between the Company and the complainant, the Company agrees to participate in the dispute resolution procedures of the panel established by the European Union data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner (FDPIC) to resolve disputes pursuant to the Privacy Shield Principles. The EU DPA panel may be contacted at firstname.lastname@example.org and the EU DPAs may be contacted directly via the information provided at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
Mitek agrees to cooperate with the decisions of the EU DPA Panel and the FDPIC. The services of EU DPAs are provided at no cost to you.
Please note that if your complaint is not resolved through any of the above channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
This Privacy Statement may be amended from time to time consistent with the requirements of the Shield Frameworks. We will post any revised policy on this website.
D). Information Subject to Other Policies
We are committed to following the Principles for all Personal Data within the scope of the Privacy Shield Frameworks. However, certain information is subject to policies of Mitek that may differ in some respects from the general policies set forth in this Privacy Statement.
Updated: September 2022