LAST UPDATED: October 19, 2019
VERIFIED.ME SERVICE – PRIVACY NOTICE
The Verified.Me service is an information management and sharing service provided by SecureKey Technologies Inc. (“SecureKey”, “us”, “we” or “our”). SecureKey is committed to respecting and protecting your privacy and the security of your Personal Information. This Privacy Notice explains how information about an identifiable individual (“Personal Information”) is collected, used, disclosed, stored, retained, processed and safeguarded in connection with use of the Verified.Me service and the Verified.Me mobile and web applications (collectively, the “Service”). By using the Service, you agree and consent to the collection, use, disclosure, storage, retention, processing and safeguarding of your Personal Information in accordance with this Privacy Notice.
About the Service
The Service allows you to authorize your selected Identity & Data Providers to share certain of your information with Relying Parties.
Activity Data means Personal Information and other information that is collected or generated by SecureKey and its authorized service providers for the purposes of operating and maintaining the Service. Activity Data collected for these purposes includes general information about your transactions, such as the type of Relying Party with which you consented to share your User Information, as well as the type and the sensitivity level of the information you are sharing.
Identity & Data Provider (which may sometimes be referred to as a ‘connection’) means an eligible organization in Canada that participates in the Service and that generates or holds certain information about you. Examples of Identity & Data Providers include financial institutions, credit bureaus, telecommunications providers, government departments and agencies and other eligible third parties.
Relying Party means an eligible organization in Canada that participates in the Service and that asks you to provide certain of your User Information through the Service to facilitate its interactions with you, for example, to help verify your identity or eligibility for product or service offerings. Examples of potential Relying Parties include financial institutions (e.g., for online bank account applications), telecommunications service providers (e.g., for account opening and service or device eligibility), online merchants (e.g., for hotel bookings), government departments and agencies (e.g., for program eligibility) and other eligible third parties. When adding a new Identity & Data Provider as a connection, you may be asked to share certain User Information with that new Identity & Data Provider. For the purposes of that sharing of User Information, that Identity & Data Provider will be deemed to be a Relying Party.
User Information means Personal Information that is generated or held by Identity & Data Providers and that is available to be shared through the Service.
You, you or your means the person who wishes to use the Service, and whose Credentials (as defined below) have been used to register for the Service.
How we collect and use your information
The Service registration process requires you to select the financial institution in Canada that is participating in the Service (“Financial Institution” or “FI”) that you have an active and existing business relationship with to create your Verified.Me profile, which will form the basis of your Canadian Verified.Me account (the “Verified.Me account”). This FI will become your first Identity & Data Provider.
As part of the registration process, and prior to each use of the Service, your FI will authenticate you using your existing banking credentials that you use for authentication purposes to access services at your FI or which are otherwise required by your FI to access the Service, such as username, password, card number, biometric identifiers (including fingerprints, voice patterns and facial recognition), one-time passcode or other information (collectively, “Credentials”). Once you are initially authenticated by your FI, your FI will create and store an individualized Verified.Me account identifier for you which is distinct from your Credentials, and will register this identifier with the Service.
Neither the Service nor SecureKey has access to your Credentials.
Following your successful authentication using your Credentials during the registration process, your selected FI will provide a summary of your User Information available for you to share with Relying Parties. If any of your User Information displayed during registration is incorrect, you must discontinue the registration process and contact your FI to update your User Information in its files, to the extent required.
CONSENT TO SHARE YOUR INFORMATION
SecureKey may, but is not obligated to, monitor the Service in an effort to identify unauthorized use and to protect users and Service participants (namely, FIs and other Identity & Data Providers and Relying Parties).
Activity Data collected or generated by the Service also includes information about activities that occur with your Verified.Me account, including, for example, your registration with the Service, successful and failed logins from your electronic access device (as defined below), information about your electronic access device, such as its model, operating system, device ID and MAC address, connections established with new Identity & Data Providers, and consents to share your User Information. (For the purposes of this Privacy Notice, “electronic access device” includes your cell phone, smart phone, mobile device, desktop or personal computer, tablet or other electronic device that you may use to access the Service.) Certain details about these activities are stored and viewable in your Verified.Me mobile application activity log (which is not viewable in the web application). This activity log does not contain your Credentials or any of your User Information that you have agreed to have an Identity & Data Provider send to a Relying Party through the Service.
MOBILE PHONE NUMBER COLLECTION AND USE BY RELYING PARTY IN RELATION TO VERIFIED.ME
Protecting your information
All of your User Information that you authorize an Identity & Data Provider to share with a Relying Party through the Service will be protected with security mechanisms intended to prevent your User Information from being identified, accessed or misused when it is sent through the Service.
Your Activity Data is stored in protected form. Only authorized personnel will have the ability to retrieve Activity Data from the Service’s audit systems. Details of certain activities are available to you through the activity log in your Verified.Me mobile application (which is not available in the web application).
Disclosing your information
The Service allows you to authorize your selected Identity & Data Providers to share certain of your User Information with a Relying Party to facilitate your interactions with the Relying Party (or if that Relying Party is another Identity & Data Provider, to facilitate its addition as a connection) with your express consent. Because your User Information may include private or confidential Personal Information, please ensure that you understand how it will be used and further disclosed by a Relying Party before giving your consent to share any of your User Information.
SecureKey may report suspected fraudulent activity to Service participants, including the FI you selected when first registering for the Service, or other parties as permitted or required by law, and certain of your Personal Information may be included in those reports to assist with fraud prevention, detection, investigation and remediation.
In connection with providing the Service, SecureKey may transfer or provide access to your Personal Information to outside agents or service providers that perform services on our behalf (e.g., data hosting or processing services), or that otherwise collect, use, disclose, store, retain, process or safeguard information on our behalf for the purposes described in this Privacy Notice. SecureKey requires such service providers to maintain comparable protections over Personal Information shared with them.
We may also disclose Personal Information: (a) to any governmental authority where required by law, (b) in response to a court order, subpoena, discovery rule, or other lawful request, (c) as otherwise required under any applicable law, rule, or regulation, (d) in good faith, if an investigation is required (for example, as a result of a potential privacy breach or unauthorized transaction(s)), or (e) to protect or defend our rights or property or those of other persons.
If we sell our business or any part thereof that operates any portion of the Service, we may transfer Activity Data to prospective purchasers to the extent necessary to enable consideration of the transaction. We may also transfer any Personal Information in our control at the time of such a transaction to the purchaser so that the purchaser can continue to operate the Service after the transaction has been completed.
Storing and retaining your information
When you consent to the sharing of your User Information from an Identity & Data Provider to a Relying Party through the Service, your User Information is temporarily held in our networks to facilitate the successful transfer. Information is purged from the network in accordance with our record retention policies.
User Information that is made available on your electronic access device for your review before you consent to having it shared with a Relying Party by the applicable Identity & Data Provider(s) is maintained within the Identity & Data Provider’s systems, and is not stored locally on your electronic access device.
Other information that we generate or collect in order to provide the Service, such as account identifiers and other Activity Data, is only retained for as long as necessary to administer the Service.
Activity Data is stored by the Service for legal, regulatory, suspected fraudulent activity investigations and dispute resolution purposes in accordance with our record retention rules.
Personal Information that is stored by the Service is maintained on our servers, or those of our service providers, and is accessible only by our authorized employees, representatives and service providers who require access in connection with their responsibilities.
Suspending or closing your Verified.Me account
Authorized personnel of SecureKey or its service providers supporting the operation of the Service have the ability to suspend or delete (close) your Verified.Me account in accordance with the Verified.Me Terms and Conditions governing your use of the Service. In the event your Verified.Me account is suspended and you wish to have it re-activated, you can obtain information at https://verified.me/support/knowledge-base/. You may also wish to contact your FI’s Customer Support team to obtain additional details and required steps in order to reactivate your Verified.Me account.
You may discontinue your use of the Service at any time by closing your Verified.Me account.
You may close your Verified.Me account in the mobile application by following the steps listed in the ‘Delete Verified.Me Profile’ section of the Verified.Me mobile application. If you are using the Verified.Me web application, please follow the steps outlined here: How to Close your Verified.Me Account. You may also be able to close your Verified.Me account through your FI.
Closing your Verified.Me account will mean that you no longer have an active Verified.Me account, you will not be able to initiate new transactions to share your User Information with Relying Parties, sharing transactions that you previously authorized may not be completed, and you will not have access to any transaction records that summarize previous Verified.Me account activities. However, closing your Verified.Me account will not affect (1) any of your User Information held by your Identity & Data Providers or previously shared with your Relying Parties, or (2) any transaction records or other Activity Data maintained by the Service.
If you wish to use the Service in the future after closing your Verified.Me account, you will need to complete the Service registration process again and set up a new Verified.Me account. You can use your existing Credentials to open your new Verified.Me account.
Deleting the Verified.Me mobile application from your electronic access device will not close your Verified.Me account and will not affect any sharing transaction that you previously authorized. You will be able to access your Verified.Me account in the future by reinstalling the Verified.Me mobile application on your electronic access device and re-entering your then current Credentials for your FI.
Accessing and correcting your information
Your User Information resides with your applicable Identity & Data Providers and with Relying Parties with which you have chosen to share it. Although your User Information may be shared with Relying Parties (with your consent) via the Service, SecureKey is not an Identity & Data Provider, and cannot access your User Information to correct or modify it. Requests for access to your User Information, including requests to correct or modify it, must therefore be made by you directly to your Identity & Data Providers or Relying Parties.
In connection with sharing transactions, you will have an opportunity to view a summary of certain of your User Information within the Verified.Me application before you authorize your User Information to be shared with a Relying Party. The viewable User Information will be displayed within the Verified.Me application. For mobile app Users, even when you are not engaged in a sharing transaction, you may have an opportunity to view certain of your User Information that is maintained by Identity & Data Providers that you have connected to. The Identity & Data Providers may provide you with details on how to update or correct your User Information within the Identity & Data Provider’s files, or you may have to contact them to update or correct your User Information.
You may access your activity log information through your Verified.Me mobile application (which is not accessible in the Verified.Me web application).
You can obtain additional information on how to access or correct your Personal Information by visiting our Support Centre at https://verified.me/kb/020-how-do-i-update-personal-information-in-the-app/.
Depending on the FI you select to associate your Verified.Me account with, you may receive notifications of some of your Service activities from your FI, such as registration completion and authentication events occurring within your Verified.Me account. These notifications are intended to provide you with information on Service usage so that you may act upon notifications that you do not recognize as yours. None of the Relying Parties or Identity & Data Providers that participate in the Service are permitted to send you unprompted emails or text messages asking for personal details through the Service.
Dispute resolution, questions or concerns
In the event you identify transaction(s) that you have not authorized or receive a notification from your FI regarding (or otherwise become aware of) unauthorized activity with your Verified.Me account, please contact customer support of your FI with which you associated your Verified.Me account. Upon your authorization, your FI’s customer support personnel will be able to retrieve your Verified.Me activity information and work with you to report unauthorized transactions to SecureKey and/or its service providers.
General queries or concerns on the privacy aspects of the Service may be directed to the SecureKey Privacy Officer. Contact details are provided below.
Third party participants
This Privacy Notice applies to the collection, use, disclosure, storage and retention of Personal Information in connection with the operation of the Service by SecureKey and its service providers, including third parties that host and operate certain components of the Service on behalf of SecureKey. This Privacy Notice does not apply to your FI or any of the Identity & Data Providers and Relying Parties that use, handle, disclose or retain your Personal Information in connection with your dealings with them that are distinct from the Service, and such parties will be governed by their own privacy policies and agreements with you when they collect, use, disclose, store, retain, process or safeguard your User Information in the ordinary course of their dealings with you outside of the Service.
Privacy Notice changes
This Privacy Notice is effective as of the date shown above and may be revised from time to time. We encourage you to review this Privacy Notice frequently to obtain the current version. Your continued use of the Service following any changes to this Privacy Notice constitutes your acceptance of any such changes.
For more information
If you require clarification about this Privacy Notice, or would like to request more information about the Service, including who to contact to request access for your Verified.Me account information, please contact our Chief Privacy Officer online at https://verified.me/privacy-request or by mail at:
SecureKey Privacy Officer
501 – 4101 Yonge Street
Toronto, Ontario M2P 1N6