BehavAuth Privacy Policy
The purpose of this Privacy Policy is to inform you about how your personal information is collected and how we use it when you interact with Quadible. This privacy policy relates to the Quadible continuous behavioural authentication App (“The App”), hereinafter referred to as the “Services”.
Topics:
- What data do we collect?
- How do we collect your data?
- How will we use your data?
- How do we store your data?
- How long do we keep your data?
- What are your data protection rights?
- Change to our privacy policy
- How to contact us
- How to contact the appropriate authorities
1. What data do we collect?
- Through our Services we collect different types of data in order to perform authentication of the user towards mitigating fraud, enhancing the user experience and improving the performance of our App.
- The App may collect personal data including biometric and behavioural data for the purpose of uniquely authenticating a natural person to a third-party service or for risk assessment purposes to continuously verify that the person interacting with a third-party service is who they say they are.
In order to fulfil that purpose, i.e. to authenticate a person to a service, the following data are collected: (a) face biometric data, (b) fingerprint authentication result, (c) GPS location, (d) accelerometer, (e) gyroscope, (f) magnetic field, (g) Bluetooth fingerprints, (h) WiFi fingerprints, (i) touch, swipe, and gestures on the smartphone screen, (k) data typed through a smartphone keyboard, (l) device information and (m) financial transactions.
2. Consent
2.1. Quadible’s policy focuses on being transparent towards you regarding the personal data collected and how they are used. Thus, our Services inform you about what we do, the data collection and processing that takes place in each of our Services.
2.2. Our App collects several behavioural and biometric data from you through a module placed inside a third-party mobile app that you may use. The first time you launch the third-party mobile app, an installation wizard is prompted (a) to inform you about the App, i.e. what it does, (b) to educate you about the behavioural and biometric data to be collected, including the purpose of why they are needed, and (c) to request explicit consent from you about the data collection and processing (responsibility of host app). At any point that you do not feel comfortable with the process you are able to skip it and opt out from the data collection and the data processing as well as delete any data and knowledge we hold about you, falling back to the existing authentication mechanisms of the host app.
3. How do we collect your data?
3.1. Our Services collect your data in order to authenticate you at a service, mitigate fraud and improve the user experience and to best fit your demands in terms of privacy and security. To achieve that goal, our Services collect data through our App.
3.2. Our App collects behavioural and biometric data through a module (i.e. “Library”) that integrates with third-party mobile apps that require continuous authentication and/or continuous risk assessment to mitigate risk and fraud. The Library collects behavioural and biometric data, encrypts them and uploads them to our cloud platform, which performs the knowledge extraction and storage on encrypted infrastructure.
4. How will we use your data?
Category | Personal data | Extracted knowledge | Lawful basis for processing | Retention Period |
--- | --- | --- | --- | --- |
Mobile Authentication module (Solution) | Biometrics (face, fingerprint result), GPS, accelerometer, gyroscope, magnetic field, Bluetooth traces, WiFi traces, keystrokes, screen touch events, device information, financial transactions | Biometrics (face and fingerprint recognition), and behavioural patterns such as pattern for location, speed, distance, device and user interactions, device holding, screen touch, swipe, gestures, typing behaviour and financial transaction patterns. | Legitimate Interests. This information is required to provide continuous authentication and risk assessment through the Quadible behavioural authentication solution (“App”). | As long as the user keeps the account at our platform. If the organization stops the collaboration with Quadible, the data are deleted. At any point the user can opt out and delete the account including the data and knowledge collected. |
Web Authentication module (Solution) | Biometrics (face, fingerprint result), GPS, IP Address, keystrokes, mouse event, device information (e.g. screen resolution, window resolution, speed of CPU), financial transactions | Biometrics (face and fingerprint recognition), and behavioural patterns such as pattern for location, device info, network info, device and user interactions, mouse patterns, typing behaviour and financial transaction patterns. | Legitimate Interests. This information is required to provide continuous authentication and risk assessment through the Quadible behavioural authentication solution (“App”). | As long as the user keeps the account at our platform. If the organization stops the collaboration with Quadible, the data are deleted. At any point the user can opt out and delete the account including the data and knowledge collected. |
Mobile Banking Demo (Solution) (For demonstration purposes only) | Biometrics (face, fingerprint), GPS, accelerometer, gyroscope, magnetic field, Bluetooth traces, WiFi traces, keystrokes, screen touch events, financial transactions | Biometrics (face and fingerprint recognition), and behavioural patterns such as pattern for location, speed, distance, device and user interactions, device holding, screen touch, swipe, gestures, typing behaviour and financial transaction patterns. | Legitimate Interests. This information is required to showcase through a demo app the continuous behavioural authentication offered by Quadible. | As long as the user keeps the account at our platform. At any point the user can opt out and delete the account including the data and knowledge collected. |
5. How do we store your data?
5.1. Quadible takes the appropriate measures to protect and store your data securely through our Services.
5.2. The App securely stores your data at a Netherlands-based cloud infrastructure as long as you maintain an account. At any point, you have the ability to stop the data collection as well as to delete any data collected and knowledge extracted. The data collected at the mobile/web device level are encrypted at the collection point, transmitted through an encrypted channel to our platform where they are stored at encrypted infrastructure.
5.3. The App collects biometric and behavioural data (see the Table in Section 4). The sensor data are anonymised at the device level, in particular the following sensitive information: Wi-Fi MAC addresses and Bluetooth MAC addresses. For the transactional patterns, trusted beneficiaries are anonymised by the third-party organisation (e.g. the bank app that hosts the Quadible solution) before being provided to the Quadible solution, so the solution does not have access to the actual bank account number.
5.4. No raw biometric data, such as images (face, fingerprint) or voice recordings, are stored. A biometric profile is a sequence of numbers that does not allow rebuilding of the initial image. The biometric profiles are stored at the platform, where data anonymisation techniques are applied before storing, making the biometric profiles revocable in case of a breach.
6. How long do we keep your data?
6.1 We will keep your personal data as long as you maintain an account at our Services. At any point, you can delete your account. We may also retain aggregate information beyond this time for research purposes and to help us improve and develop further our Services. We will keep records if required to do so by law.
6.2 We will not retain your data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of data. If you would like to know the retention period for a specific type of data please contact our Data Protection Officer at dpo@quadible.co.uk
6.3 The biometric profiles and the behavioural data (Section 4, columns Personal Data and Extracted Knowledge) are used only to authenticate the user at a particular system, and are kept until the user’s account is deleted or the organisation that the user belongs to is deleted. Data such as the image of a user are not stored by the App and are kept only until the extraction of the biometric profile is completed and then the images are deleted. Data such as the Bluetooth/Wifi MAC addresses and the account beneficiary of a transaction are immediately converted into hashes and then the raw data are deleted.
7. What are your data protection rights?
7.1. Subject to applicable law including relevant data protection laws, you may have a number of rights in connection with the processing of your personal data, which you can exercise through the host app of the solution, including:
- The right to be informed about the collection and the use of your personal data. This means we must inform you how we are going to use your personal data. We do this through this privacy policy and by informing you how your data will be used each time we collect it.
- The right to access personal data and supplementary information, including a copy of the data stored about you in a structured, commonly used and machine-readable format, and to have your personal data transferred to another controller, to the extent applicable by law. We must respond to your request within one month. To request access to your data please email dpo@quadible.co.uk
- The right to have inaccurate personal data rectified, or completed if it is incomplete. If you think the data we hold on you is incorrect, tell us so we can put it right. You can do this through the contact form at our website https://www.quadible.co.uk/#contact
- The right to erasure (to be forgotten) in certain circumstances. You have the right to request that we delete your data. We will do so, provided that we do not have a compelling reason for keeping it. To request this, please email dpo@quadible.co.uk
- The right to restrict processing in certain circumstances. You can change your communication preferences by contacting us through the contact form at our website https://www.quadible.co.uk/#contact . For the App, to restrict processing for continuous authentication, you can login to your account and suppress the processing of your personal data through the Host app.
- The right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services. To request this, please email dpo@quadible.co.uk
- The right to object to processing in certain circumstances. You have the right to object to a) the App by stopping the processing through the functionality available at the Host app, b) any processing where our lawful basis is legitimate interest including the data processing for continuous authentication (App). If you would like to formally object to any of our legitimate interest processing please email dpo@quadible.co.uk. You can also object to processing for continuous authentication (App) through your account on the mobile app.
- Rights in relation to automated decision making and profiling. You have the right to object to automated decision making and profiling regarding the App (continuous behavioural authentication). If you would like to object to processing, automated decision making and profiling, you can log in to your account at the Host app and stop the data collection, processing and decision making.
- The right to withdraw consent at any time (where relevant). You have the right to withdraw the consent through the Host app by stopping the processing and, if required, you can delete any data collected.
- The right to complain to the Information Commissioner. If you feel that Quadible has not properly addressed the personal information, you can complain to the Information Commissioner’s Office (see Section 16 below).
- The right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://ico.org.uk/concerns/ for how to do this.
If you would like to exercise any of the rights set out above, please:
- email or write to our Data Protection Officer;
- let us have enough information to identify you (e.g. your full name and any reference number used in communications with us); and
- let us know what right you wish to exercise and the information to which your request relates.
8. Change to our privacy policy
8.1. Quadible keeps its privacy policy under regular review and places any updates on this web page. The privacy policy was last updated on 21 March 2020.
9. How to contact us
- Data controller and contact details
- For the purposes of relevant data protection legislation, we are a controller of your personal data and as a controller we use the personal data we hold about you in accordance with this Privacy Notice.
- If you need to contact us in connection with our processing of your personal data, then our contact details are:
Data Protection Officer, Quadible Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom;
dpo@quadible.co.uk ;
Telephone: +44 (0) 7775741977.
10. How to contact the appropriate authorities
10.1. Should you wish to report a complaint or if you feel Quadible has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.
Website: https://ico.org.uk/make-a-complaint/
Email: casework@ico.org.uk
Address: Information Commissioner’s Office,
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF