Mitek Privacy Policy
Mitek Systems, Inc. (“Mitek”, “we”, “our” or “us”) is committed to protecting the privacy of those who entrust us with their personal information. Our clients and employees trust and expect that we will protect their personal information in accordance with the promises we make. “Personal information” means any information pertaining to an identified or identifiable individual and may include, for example, email addresses, contact details and any similar information provided to us in the course of our business operations. Personal information that is de-identified or anonymized is not considered personal information. This Privacy Policy details our commitment to your privacy.
1. What does this Privacy Policy cover?
Mitek provides various technology solutions to our clients focused on identity verification, mobile capture, mobile pre-fill, and document scanning solutions. This Privacy Policy describes our privacy practices concerning information collected on our website, www.miteksystems.com (the “Site”) and when you otherwise interact with us in connection with the services and products we provide to our clients (the “Client Services”). This Privacy Policy is primarily directed to our clients and client employees and representatives.
We do not provide services directly to individual end users. Individual end users should contact our clients and/or review their own privacy policies for information on how our clients use their personal data. In this regard, we are a “data processor” or a “service provider” under applicable data protection laws except where otherwise stated for specific services in which Mitek is a “data controller”. If you are an individual end user with questions about Mitek’s collection and use of biometric information or biometric identifiers through the Client Services, please see Section 10 below.
By using our Client Services, visiting the Site or otherwise interacting with us, our clients are accepting the practices described in this Privacy Policy. We recommend that our clients review this Privacy Policy periodically, as it may be updated from time-to-time.
2. What information does Mitek collect, and how is it used and shared?
For the 12-month period prior to the date of this Privacy Policy, we explain here what categories of personal information we may have collected, where we got it from, and with whom we may have shared it:
Category of Personal Information Collected | Source | Purpose for Collection | Categories of Recipients |
Contact information: such as name, address, and phone number. | Site visitors, client contacts, including employees and representatives we work with provide this information when they visit the Site, call us, or otherwise interact with us. | To communicate with and respond to our clients about the work we do for them and deliver the Client Services to them and their customers, including validation of identity or to meet legal obligations. | We may share this information with select marketing or other service providers and partners. |
Browsing information: such as your IP address, MAC address or other device identifier, the kind of browser or computer you use, pages and content that you visit on the Site, what you click on, the state and country from which you access the Site, date and time of your visit, and web pages you linked to our Site from. | Our Site and your interactions with the Site, including through the use of cookies and other tracking technologies explained further below. | To evaluate usage of the Site and improve performance and Client Services; to protect the security and integrity of the Site and our business, such as preventing fraud, hacking, and other criminal activity or to meet legal obligations. | Our service providers who help us with fraud protection and Site analytics. |
Recruitment and Job Application information: such as name, address, and phone number, or information on a resume or a curriculum vitae. | Site visitors or job applicants. | To consider you for an employment position or to respond to an employment inquiry. | Our service providers who help us with employee matters or job fulfillment. |
Health and safety information: details about your health, including temperature. | From employees and visitors to our corporate offices. | To help ensure that our offices are safe for employees and visitors and meet applicable legal requirements. | Our People Operations department and third-party providers who assist with health and safety screenings, in all cases subject to strict confidentiality and applicable law. |
Payment information: name, card issuer and card type, credit or debit card number, expiration date, CVV code, and billing address. | From our clients and their payment card issuers. | Authorizing of credit card and other financial transactions for our clients. | Our service providers who process payments for us—they are prohibited from using personal information for any other purposes and are contractually required to comply with all applicable laws and requirements, which includes the Payment Card Industry Data Security Standards. |
Data through our technology platform: Pursuant to the contractual requirements with our clients and through the Client Services, we may collect information about individual end users including images of government-issued IDs, selfies, and other personal information. Some of this information may be considered to be biometric identifiers or biometric information under applicable law. For more information, please see our Biometric information Retention Policy, Section 10, below. | Through end users’ devices and computers, pursuant to and as directed by our clients. | Compliance with the contracts and related obligations of our clients, typically used to verify your identity and provide other services as directed by our clients as part of the Client Services. We may retain and use this data for legitimate interests (including retention of images for the improvement of our facial recognition technology), public interest and/or substantial public interest especially for crime/fraud prevention. In these instances, Mitek operates as a data controller for specific identity verification services and where it retains images for its own purposes. | With our clients and service providers subject to strict confidentiality obligations and other precautions intended to limit the volume and retention period for any personal information. This information will be subject to the privacy policies and practices of our clients, and you should consult with them before sharing your information with them through our technology products. |
Mitek will only use personal information to the extent it is necessary to deliver the Site and as directed by our clients to deliver the Client Services or as stated in this Privacy Policy. In some jurisdictions, individuals may have the right to withdraw consent from certain uses where consent is relied upon. If you reside in such jurisdictions, you may have additional rights that are detailed in sections 8 and 9. In all cases, any service providers will be contractually limited in the way they may use personal information maintained by Mitek, including requirements that such information be maintained in a confidential and secure manner. Where Mitek operates as a data controller, it has direct obligations to use personal information in a lawful and transparent manner.
In Connection with Business Transfers: In the event that a division, a product or all of Mitek is bought, sold or otherwise transferred, or is in the process of a potential transaction, personal information will likely be shared for evaluation purposes and included among the transferred business assets, subject to client contractual requirements and applicable law.
To Comply with Laws: Mitek may also disclose specific personal information when such disclosure appears necessary to comply with applicable law, a subpoena in the course of managing a dispute, governmental inquiry or other litigation process. We may also disclose information to our accountants, auditors, agents, lawyers and other advisors in connection with the enforcement or protection of our legal rights or to protect the interests or safety of our clients, our clients’ customers or employees or others, in accordance with or as authorized by law.
For legitimate interests: Mitek may also use and share personal information for its legitimate interests or those of a third-party, such as our clients, where we reasonably consider that the processing is proportionate to the legitimate interest and privacy rights will not be adversely affected by those legitimate interests. This will include the use of personal information for marketing purposes, internal analysis, investigations, improvements of our products and services (including retention of images), protection of our network and systems, crime/fraud prevention (including retention and use of fraudulent information), administration, identifying public security threats or potential criminal acts or other misconduct and similar legitimate interests. Where required under applicable laws, we conduct a legitimate interests assessment.
3. What are cookies and how do we use them and other technologies?
A cookie is a small piece of information that a website, online application, or email may save to your browser or your computer’s hard drive for use in subsequent visits to the website or online application. The “help” portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive new cookies or how to disable cookies altogether. If you reject cookies, you may not be able to participate in certain activities or receive a promotion tailored to you. Mitek does not control and does not guarantee the effectiveness of browser-based tools for managing cookies. Where required by applicable laws, we request your consent to use cookies that are not essential for the service you require, such as analytics cookies and performance cookies.
Interest-Based Ads: We may use third-party advertising companies that use tracking technologies to serve our advertisements across the Internet. These companies may collect information about your visits to the Site and other websites and your interaction with our advertising and other communications. These advertising companies serve ads on behalf of us and others on non-affiliated sites, and some of those ads may be personalized, meaning that they are intended to be relevant to you based on information collected about your visits to the Site and elsewhere over time. Other companies may also use such technology to advertise on our Site.
You have the choice to tell us not to collect and use this information. If you would like more information about this practice and to know your choices concerning interest-based ads, visit:
http://www.networkadvertising.org/choices/
http://optout.aboutads.info/
In Canada, please visit: http://youradchoices.ca/choices/
For European countries, please visit: http://www.youronlinechoices.eu/
Mitek may use Google Analytics to evaluate use of the Site for our internal purposes such as evaluating usage of the Site. To learn how Google Analytics collects and processes data, please visit: “How Google uses data when you use our partners’ sites or apps” located at www.google.com/policies/privacy/partners.
Any and all personal information collected on the Site will be kept strictly confidential and will not be sold, reused, rented, disclosed, or loaned to third parties, except as otherwise described in this Privacy Policy.
Do Not Track (DNT): This is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium, or W3C, has not yet established universal standards for recognizable DNT signals, and therefore Mitek and the Site do not recognize DNT.
4. How does Mitek protect personal information?
Where applicable, Mitek uses industry-standard technology in connection with our Client Services and on the Site to help protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Personal information received from our clients or others in connection with Client Services is typically stored on our servers, on our vendor’s servers, on servers hosted by our clients, or their vendors. Except as otherwise described in this Privacy Policy, access to client-specific information is limited and controlled by our clients, typically managed through each client’s own administrative account. Personal information collected by our clients is not stored on our or our service provider’s servers.
5. How long does Mitek retain my personal information?
Personal information that we collect, access or process will be retained only as long as necessary for the fulfilment of the purposes for which it was collected and for a period of time afterwards for legal purposes. We then take measures to delete or de-identify personal information. For information collected through contracts with our clients, that time is dictated by our services contracts or as otherwise required or authorized by law. For specific information about retention of biometric identifiers and biometric information, please see Par. 10, below.
6. What are my choices concerning my personal information?
Mitek may, subject to applicable laws, use personal information from our clients and their employees to contact them about our Site and Client Services, including to provide them with information on additional products from Mitek that may be of interest to them. Client contacts may exercise choices regarding these communications as follows:
- Mail marketing, Telephone marketing, Surveys and Quality control communications. You may decide that you prefer Mitek not to use your personal information to promote new and/or additional products and/or services which may be of interest to you and refuse that we contact you by mail or telephone for marketing purposes or by email or telephone for quality control purposes. If this is the case, you may advise us by contacting customer service or contacting us using the information detailed in the Contacting Us section below.
- Emails/Commercial Electronic Communications. You can always limit the communications that Mitek sends to you. To opt-out of commercial emails, simply click the link labeled “unsubscribe” or “opt-out” at the bottom of any commercial electronic communication we send you. Please note that even if you opt-out of promotional communications, we may still need to contact you with important information about your account.
Applicable European data privacy laws give individuals at our clients the right to access their personal information in accordance with the applicable European data privacy laws. If you would like to request a copy of your personal information being held by us, or request that it is deleted or restricted or to update and/or correct your personal information or request that we provide a copy to another data controller of your personal information that you have provided to us, please contact us in the Contacting Us section below. We will need enough information to ascertain your identity as well as the nature of your request. We will aim to respond to your request within one calendar month of receipt of the request. Where we are unable to do so within the calendar month, we will notify you of the soonest practicable time within which we can respond to your request (and within three months from the date of your request). There are certain exemptions and restrictions of these rights under the European data privacy laws that enable personal information to be retained, processed or withheld from access and we will inform you of these if applicable.
For personal information collected pursuant to contracts with our clients, Mitek depends primarily on our clients to notify and provide their customers and employees choices regarding the personal information that they provide. Our clients are therefore responsible for notification of purpose and for obtaining appropriate consent, to the extent required by law, when they collect personal information that is transferred to Mitek.
7. What is Mitek’s policy on kids’ privacy?
Our Client Services and our Site are not directed toward children and we do not knowingly solicit or collect personal information online from children under the age of 13 (or such applicable higher age of consent) without prior verifiable parental consent. If Mitek learns that a child under the age of 13 (or such higher applicable age) has submitted personal information online without parental consent, we will take all reasonable measures to delete such information from our databases and to not use such information for any purpose (except where necessary to protect the safety of the child or others as required or allowed by law). If you become aware of any personal information we have collected from children under age 13 (or such higher applicable age), please contact us using the information detailed in the Contacting Us section below.
8. Access, Objection, Correction and Deletion
In certain jurisdictions, you may have the right to obtain confirmation as to whether your personal information is being processed, information about the purposes of that processing, and information about the recipients to whom your personal data have been or will be disclosed. You may also have the right to receive a copy of the personal data you have provided and/or request its deletion.
Our clients are responsible for managing any request made by their employees or customers regarding access to and rectification of their personal information that is transferred to us. However, if you have questions about your rights, please feel free to contact us using the contact information detailed in the Contacting Us section below.
9. Your California and other State Privacy Rights
Important: As described above, to the extent that Mitek collects personal information, it does so primarily as a service provider acting pursuant to contracts to provide the Client Services. If you provided your personal information to our clients, you should contact the particular client to whom you provided your personal information if you have questions about your rights under the state consumer privacy laws in California and elsewhere.
If you are a resident of California, Colorado, Connecticut, or Virginia, the laws in those states do provide you with the following rights with respect to your personal information:
- The right to know the categories or specific personal information we have collected, used, disclosed and sold about you. To submit a request to know, you may contact us at privacy@miteksystems.com. You also may designate an authorized agent to make a request for access on your behalf.
- The right to correct personal information we have collected, used, disclosed and sold about you. To submit a request to know, you may contact us at privacy@miteksystems.com. You also may designate an authorized agent to make a request for access on your behalf.
- The right to request that we delete any personal information we have collected about you. To submit a request for deletion, you may contact us at privacy@miteksystems.com. You also may designate an authorized agent to make a request for deletion on your behalf.
When you exercise these rights and submit a request to us, we will verify your identity (or the identity and authorization of your agent) by asking you for information such as your email address, telephone number, information about your company’s contract with Mitek, or the last four digits of a credit or debit card used with Mitek. We also may use a third party verification provider to verify your identity.
Your exercise of these rights will have no adverse effect on the price and quality of our goods or services.
For the 12-month period prior to the date of this Privacy Policy, Mitek has not sold any personal information about its Clients or their employees or about the customers of our clients; nor does it have any plans to do so in the future.
Separate from the above-disclosed rights, California law does permit California residents to request certain information regarding our disclosure of personal information to third parties for the third parties’ direct marketing purposes. Mitek does not share personal information of California residents with third parties for their own direct marketing. For questions, please contact us by sending an e-mail to privacy@miteksystems.com.
10. Biometric Information Retention Policy (Illinois Residents and Others)
This Biometric Information Retention Policy is provided pursuant to the Illinois Biometric Information Privacy Act (“BIPA”) and other applicable laws that govern the collection of biometric data. It also describes the purpose for which your biometric data may be collected, an applicable retention schedule, and guidelines for permanently destroying your biometric data.
Purpose of Collection. Mitek’s access to or collection of your Personal Information in connection with the Client Services, if any, may include biometric identifiers and/or biometric information (collectively, “biometric data”). Mitek does not interact directly with you with respect to collection of your biometric data. Through our clients and at their specific direction, Mitek may access, process, and store your biometric data for the purpose of verification services, fraud prevention, and/or long-term proof of inspection of your provided form of identification, on behalf of and as instructed by our clients. Where required by law, Mitek’s clients must obtain consent to collect or possess your biometric data. Mitek will not sell, lease, trade, or otherwise profit from your biometric data.
Retention of Biometric Data. BIPA provides that biometric data must be destroyed at the earliest of three years of the last interaction with you or when collection purpose has been met. Mitek will, therefore, destroy your biometric data, if any, within the time required by law. Specifically, Mitek will permanently destroy your biometric data, if any such data is in its possession, (1) when the initial purpose for collecting or obtaining such data has been satisfied, or (2) within 3 years of your last interaction with our client, whichever occurs first. Where actually in our possession and subject to the direction of our clients, Mitek will strive to retain your biometric data only for as long as necessary to detect fraud and will then seek to permanently destroy such data within approximately 90 days where no fraud had been detected.
11. Cross-border Transfer of Personal Information
In some cases, personal information that we process, including information from our clients and their employees and/or customers located in various countries, including in Canada, the European Economic Area, the UK and Switzerland or relative to queries or visitors to the Site may be transferred to the United States or other countries that may not have data privacy laws that provide equivalent protection as the countries where you reside. Mitek (including A2IA, Corp. and IDRnD, Inc., our subsidiaries) is certified under the EU-US Data Privacy Framework (including the UK Extension to the EU-US DPF) and the Swiss-US Data Privacy Framework (the “DPF”), and our full Data Privacy Framework Policy is available below. Regardless, you understand that your personal information may be transferred, processed and stored outside of your country of residence, and therefore may be available to government authorities under lawful orders and laws applicable in such foreign jurisdictions.
12. Right to Lodge Complaints
We are transparent about the ways in which we collect and use personal information and welcome your questions and concerns. If you have any concern or complaint about the way we handle your personal information, please contact us as described below. To the extent you believe we have not addressed your concerns or otherwise choose to do so, or you choose not to contact us first, you have the right to lodge a complaint with a supervisory authority in the country where you reside and/or in the United States. For information on how you can file a privacy complaint with the Federal Trade Commission, please visit: https://www.ftccomplaintassistant.gov/
In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Mitek commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
Where applicable under European data privacy laws, you have the right to make a complaint to your local supervisory authority.
13. Changes to our Privacy Policy
Mitek will review and update its Privacy Policy as required to keep current with rules and regulations, new technologies and security standards. We will post those changes on the Site and/or update the Privacy Policy modification date below. In certain cases and if the changes are material, we will provide written notice to clients directly by email or otherwise.
This policy is effective November 2023.
14. Contacting Us
If there are any questions regarding this Privacy Policy or to request a copy of this Privacy Policy in another format you may contact us using the information below.
For US:
For EU:
For UK:
Hooyu Limited DPO Fora, 180 Borough High Street London SE1 1LB E-mail: privacy@MitekSystems.com
15. Data Privacy Framework Statement
Mitek Systems, Inc. and its U.S. affiliates IDChecker Inc. (collectively “Mitek”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Mitek has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Mitek has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
Mitek has certified that it adheres to the Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. This Privacy Statement outlines our general policy and practices for implementing the Principles, including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of and their ability to correct that information.
A). Definitions
“Personal Data” means information that (1) is transferred from the EU/EEA, the United Kingdom, or Switzerland to the United States; (2) is recorded in any form; (3) is about or pertains to a specific individual; and (4) can be linked to that individual.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.
B). Principles
Mitek may receive Personal Data from itself as well as from its affiliates and other parties located in the EU/EEA/UK. Such information may contain names, addresses, email addresses, personal information contained on government issued identity documents, biometric data and payment information and may be about customers, clients of customers, business partners, consultants, employees, and candidates for employment and includes information recorded on various media as well as electronic data.
Mitek generally does not collect Personal Data directly from individuals. Mitek, however, may receive Personal Data indirectly via its customers. Mitek expects that those customers comply with the Principles. Mitek will cooperate with its customers to enable them to comply with the Principles, to the extent a Principle is applicable to Mitek.
Whenever Mitek collects Personal Data directly from individuals, Mitek complies with the Principles:
Notice. We shall inform an individual of the purpose for which we collect and use their Personal Data and the types of third parties to which our Company discloses or may disclose that Personal Data. Our Company shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to our Company, or as soon as practicable thereafter, and in any event before our Company uses or discloses the Personal Data for a purpose other than for which it was originally collected. Mitek may be required to disclose Personal Data in response to lawful request by public authorities, including to meet national security or law enforcement requirements.
Choice. We will offer individuals the opportunity to choose (opt out) whether their Personal Data is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, our Company will give individuals the opportunity to affirmatively or explicitly (opt in) consent to the disclosure of the information to a third party or for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Our Company shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.
Agents, technology vendors and/or contractors of Mitek or Mitek affiliates may have access to an individual’s Personal Data on a need to know basis for the purpose of performing services on behalf of Mitek or providing or enabling elements of the services. All such agents, technology vendors and contractors who have access to such information are required to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for Mitek or as otherwise required by law.
Accountability for Onward Transfer. Prior to disclosing Personal Data to a third party, we shall notify the individual of such disclosure and allow the individual the choice (opt out) of such disclosure. Our Company shall ensure that any third party to which Personal Data may be disclosed subscribes to the Principles or is subject to laws providing the same level of privacy protection as is required by the Principles and agrees in writing to provide an adequate level of privacy protection. Mitek may be held responsible in cases of onward transfers to third parties.
Data Security. We shall take reasonable steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Our Company has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Personal Data from loss, misuse, unauthorized access or disclosure, alteration or destruction. However, our Company cannot guarantee the security of Personal Data on or transmitted via the Internet.
Data Integrity and Purpose Limitation. We shall only process Personal Data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, our Company shall take reasonable steps to ensure that Personal Data is accurate, complete, current and reliable for its intended use.
Access and Recourse. We acknowledge the individual’s right to access their Personal Data. We shall allow an individual access to their Personal Data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Enforcement and Liability. The International Trade Administration has jurisdiction over Mitek’s compliance with the Data Privacy Framework. In compliance with the Data Privacy Framework Principles, Mitek commits to resolve complaints about privacy and our collection or use of Personal Data. European Union, UK, or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact us using the 14. Contacting Us section of this privacy policy.
For complaints that cannot be resolved between the Company and the complainant, the Company agrees to participate in the dispute resolution procedures of the panel established by the European Union data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner (FDPIC) to resolve disputes pursuant to the Data Privacy Framework Principles. The EU DPA panel may be contacted at ec-dppanel-secr@ec.europa.eu and the EU DPAs may be contacted directly via the information provided at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
Mitek agrees to cooperate with the decisions of the EU DPA Panel and the FDPIC. The services of EU DPAs are provided at no cost to you.
Please note that if your complaint is not resolved through any of the above channels, under limited circumstances, a binding arbitration option may be available under the Data Privacy Framework.
C). Amendments
This Privacy Statement may be amended from time to time consistent with the requirements of the Data Privacy Framework. We will post any revised policy on this website.
D). Information Subject to Other Policies
We are committed to following the Principles for all Personal Data within the scope of the Data Privacy Framework. However, certain information is subject to policies of Mitek that may differ in some respects from the general policies set forth in this Privacy Statement.
Updated: November 2023