Privacy Policy for Online Services

Last Updated: December 19, 2022

Rank One Computing Corporation (“ROC”) respects the privacy of our users. This Privacy Policy (“Policy”) describes our privacy practices concerning information collected in connection with ROC’s payment, verification, and related online services, including but not limited to image capture, liveness, user verification, document verification, ID verification and identity verification (the “Services”). A separate policy, available here, describes our privacy practices in connection with our online website, located at roc.ai. ROC makes the Services available to third parties for integration into those third parties’ websites, applications, and online services. ROC collects, uses, and discloses individual users’ information only as directed by these third parties and, accordingly, under applicable data protection laws, ROC is a processor or service provider (“data processor”) of user information with respect to the Services and not a controller or business (“data controller”). Further, some features of the Services may be disabled or altered by the data controller, or the data controller may require ROC to collect, use, disclose, or otherwise process data in ways that differ from those described below. Thus, to fully understand how your information will be handled when you use the Services, you must review not just this Policy, but also the privacy policy of the third party with whom you are dealing directly (the “Customer Data Controller”). As an exception to the above, ROC processes personal information in the capacity of a data controller and a business to comply with its regulatory obligations. For further information please review the section “ROC acting as a data controller” below.

Notwithstanding the above and strictly in compliance with applicable law, ROC may process certain individual users’ personal information for its own purposes, including but not limited to performing analytics and research concerning the Services, improving the Services and creating additional products and Services.

ROC is headquartered in the United States at 1290 Broadway, Suite 1200, Denver, CO 80203.

What personal and other information ROC collects about you

ROC collects “personal information” about users of the Services. “Personal information” is information such as a name, email address, or identification card image, which refers to an identified or identifiable person. ROC processes personal information on behalf of the Customer Data Controller. For its own purposes, ROC only processes the personal information described in section “ROC acting as a data controller.” Please note, ROC asks that you not provide physical documentation, via mail service or otherwise, to ROC. All documentation to be collected should be provided either through a ROC or Customer Data Controller native app or website portal, or presented to a trusted referee where applicable.

Categories of personal information collected. Generally, we collect the following types of personal information:

Name, contact information and other identifiers: direct identifiers such as a name, alias, user ID, username, account number, unique personal identifier, IP address and other online identifiers or unique identifiers, email address, phone number, physical address and other contact information, account name, government identifiers, social security number, driver’s license number, state or national ID card number, passport number, other ID card number, credit or debit card number, CVV, expiration date, date of birth and/or other similar identifiers.
Visually scanned or photographed image of your face and/or your identification card, driver’s license, passport, utility bill, bank account statement, insurance card, or credit/debit card. This image may include your photograph and other information from the imaged document, such as your eye color, weight, height, and organ donor status.
Customer records: personal information that individuals provide us in order to purchase or obtain our products and services, such as name, signature, contact information and payment information.
Commercial information: records of products and services our Customer Data Controllers and prospective customers have purchased, obtained or considered.
Usage data: browsing history, clickstream data, search history, access logs and other usage data and information regarding an individual’s interaction with our website and online services, and our marketing emails and online ads.
Audio, video and other electronic data: audio, electronic, visual, thermal, olfactory, or similar information such as, CCTV footage (e.g., collected from visitors to our premises), selfies and other photographs and images, and call recordings (e.g., of customer support calls).
Professional information: professional or employment-related information, such as current and former employer(s) and position(s), title and business contact information.
Inferences: inferences drawn from personal information that we collect to create a profile reflecting an individual’s preferences or other characteristics.
Biometrics: physiological characteristics that can be used to establish an individual’s identity, such as facial recognition templates derived from “selfies” and photos on identity documents.
Geolocation data: precise location information about a particular individual or device.
Protected classifications: characteristics of protected classifications under applicable laws, such as disability information (as part of and to the extent included on identity documents provided to us) and information that you voluntarily provide to us.

Purposes of use. In general, we may use and disclose personal information for the following purposes:

Providing our services related support: to provide and operate our Services and website, communicate with you about your use of our Services or website, to provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process payments, communicate with you, and for similar service and support purposes.
Analyzing and improving our Services: to better understand how our Services and website are accessed and used, in order to administer, monitor, and improve our Services, for our internal purposes, and for other research and analytical purposes.
Communicating with you: to respond to your requests or otherwise communicate with you relating to our Services or business.
Personalizing content and experiences: to tailor content we may send or display on the website or otherwise, to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
Marketing and promotional purposes: to promote ROC’s products and Services to Customer Data Controllers and prospective customers.
Securing and protecting assets and rights: to protect the services and our business operations, to prevent, detect and investigate fraud, misuse, harassment or other types of unlawful activities; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of this Policy and our applicable agreements and terms of use.
Complying with legal obligations: to comply with the law or legal proceedings. For example, we may disclose information in response to subpoenas, court order, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements.
In support of our general business operations: related to the administration of our general business, operational, accounting, recordkeeping and legal functions. For example, as part of any merger, sale, transfer of assets, acquisition, financing and/or restructuring, bankruptcy or similar event, including related to due diligence conducted prior to such event where permitted by law.
Creating aggregate, anonymous and de-identified data: to improve and develop our business and Services, and for similar research and analytics purposes.
Through the use of software, automated processes, artificial intelligence, and machine learning: we may analyze data, which helps us improve our Services and identify fraud patterns.

If you are an Illinois resident, California resident, or resident of the European Economic Area, please review the “Information for Illinois residents,” “Information for California residents” and “California Residents” or “Additional information for users of the Services from outside the United States” section below as applicable for important information about the categories of personal information we collect and disclose, as well as your rights under applicable privacy laws.

Information for Illinois residents: ROC’s collection of personal information may include biometric identifiers and/or biometric information (collectively “biometric data”), and ROC may share such biometric data with the Customer Data Controller. ROC may collect, process and store your biometric data for the purpose of verification services and long-term proof of inspection of your provided form of identification, on behalf of and as instructed by the Customer Data Controller. ROC will store your biometric data for as long as the Customer Data Controller requests (e.g., the duration of your use of its services), which shall be no longer than the earlier of the date when (i) the Customer Data Controller ceases to have a relationship with ROC or (ii) within three (3) years after the Customer Data Controller informs ROC that its last interaction with you has occurred. In addition, ROC may process certain individual users’ personal information for its own purposes, including but not limited to performing analytics and research concerning the Services, improving the Services and creating additional products and Services, which may involve the use of automated processes, artificial intelligence and machine learning.

Facial recognition. If you agree to use our facial recognition Services, ROC will collect an image of your face that you provide through a mobile app (i.e. a selfie) and a photo or scan of your face as it appears on an identification document. ROC will use facial recognition technology only for the purpose of verifying your identity as the person who appears on the identification document. ROC may share the facial scans with the Customer Data Controller through which you used ROC’s identity verification service. ROC will retain your facial recognition information, including the photo of your face and photo or scan of your identification document, for the amount of time requested by the Customer Data Controller through which you used ROC’s identity verification service.

Data provided by third parties. We may receive personal information or anonymized and/or aggregated information about you from the Customer Data Controller that integrates the Services into its website, application, or other online service. This information may include for example, a customer ID, selected by the Customer Data Controller, that uniquely identifies you in the third party’s database, or as another example, a previously visually scanned or photographed image of your face and/or your identification card, driver’s license, passport, utility bill, bank account statement, insurance card, or credit/debit card. For additional information, please review the privacy policy of the Customer Data Controller.

At the direction of the Customer Data Controller, ROC also might obtain information about you from other third parties, such as consumer reporting agencies and fraud-prevention services.

Cookies and other tracking data. When you use the Services, we automatically receive and record certain information from your computer (or other device) and/or your web browser. This may include such information as the third-party website or application into which the Services are integrated, the date and time that you use the Services, your IP address and domain name, your software and hardware attributes (including operating system, device model, and hashed device fingerprint information), and your general geographic location (e.g., your city, state, or metropolitan region; or your geolocation (GPS coordinates) if available). If you use the Services, we may install little pieces of software (called: service workers) on your device to implement the application and increase the speed of the next and following verifications. The service worker does not collect any data about you and does not track you. We will process such data only as instructed by the Customer Data Controller, or as required for ROC to meet its obligations relating to its own regulatory compliance.

We also use cookies in connection with the Services. For further information please refer to the section entitled “Cookies” below.

Cookies

What are cookies? Cookies are small files that are stored on your computer or other device by your web browser. A cookie allows ROC to recognize whether you have used the Services before and may store user preferences and other information.

How are cookies used? For example, cookies can be used to collect information about your use of the Services during your current session and over time, your computer or other device’s operating system and browser type, your Internet service provider, your domain name and IP address, and your general geographic location or geolocation. We process personal information generated by cookies only as instructed by the Customer Data Controller.

What kind of cookies are used on the Website? Our website primarily uses the following types of cookies:

Cookie Name	Cookie Type	Purpose
__refreshToken	Persistent	This cookie holds a JSON Web Token (JWT) which is used to refresh a browser login without requiring the user to re-authenticate and expires after 12 hours by default, configurable via server configurations.
__token	Session	This cookie is used to hold the baseline JWT when a user successfully authenticates and expires after 15 minutes by default, configurable via server configurations.

“Session cookies” are temporary bits of information which are deleted when you exit your web browser. Session cookies are typically used to improve navigation and to collect web statistics.

“Persistent cookies” are more permanent bits of information that are stored and remain on your computer until they are deleted by you. This type of cookie stores information on your computer for a number of purposes; such as saving your passwords. Persistent cookies delete themselves after a certain period of time but are renewed each time you visit the website.

How do you avoid cookies? If you are concerned about having cookies on your computer or device, you can set your browser to refuse all cookies or to indicate when a cookie is being set, allowing you to decide whether to accept it. You can also delete cookies from your computer. However, if you choose to block or delete cookies, certain features of the Services may not operate correctly.

How ROC uses the personal information that we collect

In general, ROC uses the personal information that we collect in connection with the Services as discussed in this section of the Policy.

Other than as described under the section “ROC acting as a data controller” personal information is used by ROC only as directed by the Customer Data Controller that integrates the Services into its website, application, or other online service. Subject to the privacy policy of the Customer Data Controller, we use your personal information as follows on behalf of the Customer Data Controller.

ROC may use your personal information to provide the Services. For example, we might use your credit card information or ID card information to populate an online form, or to verify your identity in connection with your use of another online service. We also may use your personal information to fulfill the terms of any agreement between us and the Customer Data Controller; to complete a transaction that you initiate; to deliver confirmations, account information, notifications, and similar operational communications; and to comply with legal and/or regulatory requirements.

We process the provided personal information automatically with the use of our software, automated processes, artificial intelligence and machine learning capabilities or manually. When we process the personal information automatically, we apply especially the following criteria:

Checks on the integrity and quality of the photographs;
Checks on the integrity and recognition of the document;
Extracting and analysis of text, graphical layout, and any other available information on the document, face photographs and face maps, background;
Analysis of results of all the steps combined, considering multiple variables, predictions and confidence values for a final score;
Lookups against known images as well as known cases;
In case of identity verification, your selfie is compared to the photo on the document and is used to ensure your liveness in the selfie.

Please reach out to the Customer Data Controller responsible for your personal information with any inquiries regarding the rights you may have in case your personal information is subject to automated decision-making.

How ROC shares personal information with other entities

In general, ROC shares the personal information that we collect in connection with the Services as discussed below.

Other than as described under the section “ROC acting as a data controller” below, ROC shares personal information only as directed by the Customer Data Controller, and thus the following language is subject to the privacy policy of the Customer Data Controller.

Customer Data Controller. We share the personal and pseudonymized information that we collect on behalf of a particular Customer Data Controller with that Customer Data Controller.

ROC service providers. ROC also may use third-party service providers to help us deliver, manage, and improve the Services. These service providers may collect and/or use your personal information or anonymized and/or aggregated information to assist us in achieving the purposes discussed above in the section entitled “How ROC uses the personal and anonymized/aggregated information that we collect.” “Anonymized information” is information which does not relate to an identified or identifiable person or is rendered anonymous in such a manner that the person is no longer identifiable. “Aggregate information” means information about groups or categories of customers or users, which does not identify and cannot reasonably be used to identify an individual customer or user.

We also may share your personal information with other third parties when necessary to fulfill your requests for Services; to complete a transaction that you initiate; or to meet the terms of any agreement that you have with us or our partners.

Analytics providers. We may partner with certain other third parties to collect anonymized and/or aggregated information and engage in analysis, auditing, research, and reporting.

Legal purposes. We also may use or share your personal information with third parties when we have reason to believe that doing so is necessary:

to comply with applicable law or a court order, subpoena, or other legal process;
to investigate, prevent, or take action regarding illegal activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party;
to establish, protect, or exercise our legal rights or defend against legal claims; or
to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.

Aggregated information. From time to time, ROC may also share anonymized and/or aggregated information about users of the Services, such as by publishing a report on trends in the usage of the Services.

Information for California residents. ROC processes your personal information on behalf of the Customer Data Controller pursuant to a written agreement for verification services. As such, ROC acts as a service provider to the Customer Data Controller. Moreover, ROC does not sell your personal information as the terms “sell” and “personal information” are defined by the California Consumer Privacy Act (the “CCPA”) and the California Privacy Rights Act (the “CPRA”) and, in providing its services to the Customer Data Controller, ROC will not retain, use, or disclose your personal information to any other third parties that would constitute “selling” as the term is defined by the CCPA and CPRA. Any questions or requests regarding ROC’s processing of your personal information in respect of your rights under the CCPA and CPRA should be directed to the Customer Data Controller that is responsible for your personal information.

Security

ROC uses commercially reasonable administrative, personnel, physical, technical, electronic, and procedural safeguards designed to protect your personal information against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus we cannot guarantee the absolute security of your personal or other information. Moreover, we cannot guarantee the safety of your information when in the possession of other parties, such as the Customer Data Controller.

Reviewing and updating your information

With the exception of ROC acting as a data controller (please see below), ROC will grant you access to your personal information only as directed by the Customer Data Controller that integrates the Services into its website, application, or online service. ROC also will retain your personal information as directed by the Customer Data Controller and, accordingly, we may retain your personal information for as short as a few minutes or longer as directed by the Customer Data Controller.

Thus, if you want to learn more about the personal information that ROC has about you, or you would like to submit a request to update or change that information, please contact the Customer Data Controller. You also may reach us by email at [email protected].

ROC acting as a data controller

Processing of GPS coordinates and IP addresses

ROC acts as a data controller when processing GPS coordinates and IP addresses collected when rendering its services to Customers Data Controllers.

The data subjects whose personal information is processed are end-users using the Services.

Purpose and legal basis for processing

The purpose of processing is to provide legal notices to data subjects and allow them to grant their informed consent relating to the use of biometric information by ROC in connection with the Services, as required under the laws applicable to ROC concerning the respective user (e.g. the Illinois Biometric Information Privacy Act or “BIPA”).

ROC processes the personal information – GPS coordinates and IP addresses – on the basis of Article 6(1)(f) GDPR, specifically:

(i) the prevailing legitimate interest of ROC to comply with its legal obligations in jurisdictions outside of the European Union;

(ii) the prevailing legitimate interest of data subjects using ROC’s services to be notified of biometric information processing by ROC and express their consent, under the laws applicable to ROC concerning the respective user.

Processing of visually scanned or photographed images of faces and/or identification cards, driver’s licenses or passports and biometric data

ROC acts as a data controller when processing visually scanned or photographed images of faces and/or identification cards, driver’s licenses or passports and biometric data for its own purposes, including but not limited to performing analytics and research concerning the Services, improving the Services and creating additional products and Services.

ROC will not share any visually scanned or photographed images of faces and/or identification cards, driver’s licenses or passports and biometric data to be used for ROC’s own purposes with any third party other than the Customer Data Controller and will store and process all such data as described in the section “Security” above.

The data subjects whose visually scanned or photographed images of faces and/or identification cards, driver’s licenses or passports is processed for ROC’s own purposes are end-users using the Services, who are not residents of California, Illinois, the European Economic Area or any other geography that regulates biometric data.

Recipients of the personal information

The personal information is entrusted to data processors acting on ROC’s behalf, providing hosting services, technical staff and relevant technical infrastructure. In such case the processors shall process personal information on the basis of an agreement with ROC and exclusively in accordance with ROC’s instructions.

The personal information may be received by competent state authorities operating on the basis of generally applicable legal provisions.

ROC’s authorized employees and contractors may have access to the personal information.

The period for which the personal information will be stored

GPS coordinates and IP addresses will only be stored for the period necessary to establish the location of the data subject and deleted immediately afterwards.

Data subjects’ rights in regard to personal information – GPS coordinates and IP addresses

In accordance with applicable law, you may have the right to: (i) request confirmation of whether we are processing your personal information; (ii) obtain access to or a copy of your personal information; (iii) receive an electronic copy of personal information that you have provided to us, or ask us to send that information to another company (the “right of data portability”); (iv) object to or restrict our uses of your personal information; (v) seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; and (vi) request erasure of personal information held about you by us, subject to certain exceptions prescribed by law.

We will process such requests in accordance with applicable laws. To protect your privacy, we will take steps to verify your identity before fulfilling your request. If we are unable to verify your identity, we will not be able to fulfill your request.

California Residents

For purposes of the California Consumer Privacy Act, ROC does not “sell” personal information.

California residents have the right not to receive discriminatory treatment by ROC for the exercise of their rights conferred by the California Consumer Privacy Act. In general, California residents have the following rights with respect to their personal information:

Do-not-sell (opt-out): to opt-out of our sale of their personal information. We do not sell personal information about California consumers, including those we have actual knowledge are younger than sixteen (16) years old.
Right of deletion: to request deletion of their personal information that we have collected about them and to have such personal information deleted (without charge), subject to certain exceptions.
Right to know: with respect to the personal information we have collected about them in the prior 12 months, to require that we disclose the following to them (up to twice per year and subject to certain exemptions):
- categories of personal information collected;
- categories of sources of personal information;
- categories of personal information about them we have disclosed for a business purpose or sold;
- categories of third parties to whom we have sold or disclosed for a business purpose their personal information;
- the business or commercial purposes for collecting or selling their personal information; and
- a copy of the specific pieces of personal information we have collected about them.
Right to non-discrimination: the right not to be subject to discriminatory treatment for exercising their rights under the CCPA.

Submitting CCPA requests. California residents may submit CCPA requests to know (access) and requests to delete their personal information by email at [email protected].

When you submit a request to know or a request to delete, we will take steps to verify your request by matching the information provided by you with the information we have in our records. You must email us with any requested information (or otherwise provide us with this information to verify your request. In some cases, we may request additional information in order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify the requestor. Authorized agents may initiate a request on behalf of another individual by contacting us through the above listed method; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent. If you would like to submit a CCPA request regarding personal information we process on behalf of a Customer Data Controller (i.e., in our role as a service provider data processor), you should contact the relevant Customer Data Controller directly; if you submit such request to us, we will endeavor to forward your request to the relevant Customer Data Controller (where known) so that they may respond to your request.

Data Subjects Located in the European Economic Area – Supervisory Authority

If you are located in the European Economic Area, you have the right to file a complaint with a supervisory authority. To exercise your rights please contact us at the address provided below.

Additional information for users of the Services from outside the United States

The personal information that ROC collects through or in connection with the Services is transferred to and processed in the United States for the purposes described above. ROC also may subcontract the processing of your data to, or otherwise share your data with, its affiliates or third parties in the United States or countries other than your country of residence. The data protection laws in these countries may be different from, and less stringent than, those in your country of residence.

However, we only transfer your personal information to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC).

Children’s Privacy

The Services are not directed to children under the age of 13, and ROC will never knowingly collect personal or other information from anyone it knows is under the age of 13. We recommend that persons over 13 but under 18 years of age ask their parents for permission before using the Services or sending any information about themselves to anyone over the Internet.

Changes to this Policy

Technology and the Internet are rapidly changing. ROC therefore is likely to make changes to the Services in the future and as a consequence will need to revise this Policy to reflect those changes. When we revise the Policy, ROC will post the new Policy on the ROC website (roc.ai), so we encourage you to review that website periodically to review this Policy for the latest updates. If we make a material change to the Policy, we will endeavor to provide you with appropriate notice of such change, such as by sending a notice to the primary email address associated with your account or by posting a notice on ROC’s website (roc.ai). If we maintain your email address, we also may email you a copy of the revised Policy at your most recently provided email address. It is therefore important that you update your email address if it changes.

Questions or comments

If you have any questions or comments regarding our Policy, please mail or email us at:

Rank One Computing Corporation
1290 Broadway, Suite 1200
Denver, CO 80203

Email: [email protected]

The Data Protection Officer can be reached by email at: [email protected]

We may request that you confirm your identity in order to continue with your request.

Effective date: December 19, 2022