Omni Privacy

What does Incode do?

Incode is headquartered in the United States, but with offices and group companies located around the world. Incode provides Incode Omni, an end-to-end identity platform that offers a frictionless customer experience at every point of contact with a consistent level of security across multiple channels (“Incode Omni Service”). The Incode Omni Service is deployed on third-party websites or mobile applications that belong to our customers (“Customers”) and allows our Customers to securely verify the identity of their customers or users (“User” or “Users”). You can find more information about us and the Incode Omni Service here.

What does this Privacy Notice cover?

This Privacy Notice covers how we treat personal data that we gather in the usual course of business, for example when you engage with Incode directly or on our website at https://incode.com/ (the “Website”), or when you access or use the Incode Incode Omni Service, either as a Customer’s employee or a User or through responses to surveys or questionnaires and when you send us an email or otherwise contact us (together the “Services”). In such case, we act as a data controller of your personal data.

Please note that we also act as a processor when providing identity verification services to our Customers. This Privacy Notice does not apply to the personal data that we process as data processors on behalf of our Customers in the course of providing our Services. In those cases, we invite you to contact the relevant company or organization if you have any questions about their privacy practices.

The above, notwithstanding the specifics to be observed as per the local legal requirements applicable and included herein.

What personal data does Incode collect and how do we share it?

The information we collect depends on the context of your interactions with Incode and the choices you make (including your privacy settings), the products and features you use, your location and applicable law. As mentioned above, this Privacy Notice does not apply to the personal information that we process as data processors on behalf of our Customers in the course of providing our Services (other than to the extent specified otherwise as per local legal requirements set out herein).

The charts below detail the categories of information that we collect and have collected as data controllers over the past 12 months and how we share it:

1. 1. Information you provide voluntarily:
   • A. Customers, prospects and visitors personal data

   If you are a Customer’s or a prospective customer’s employee or otherwise interact with us or our Website, you may provide us with the following categories of information that we share with the third parties listed in the chart below. You provide us with that information when you create an account or use our interactive tools and Services, when you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires and when you send us an email or otherwise contact us.

   You can find more information about how we use and share your personal data in the sections “Our Commercial or Business Purposes for Collecting Personal Data” and “How We Share Your Personal Data” below.

   Category of Personal Data	Examples of Personal Data We Collect	Categories of Third Parties With Whom We May Share this Personal Data
   Profile or Contact Data	First and last name Email Phone number Unique identifiers such as user logins and passwords	Service Providers Analytics Partners Business Partners Parties You Authorize, Access or Authenticate
   Payment Data	Payment card type Last 4 digits of payment card Billing address, phone number, and email	Service Providers (specifically our payment processing partner, currently Stripe, Inc) Business Partners Parties You Authorize, Access or Authenticate
   Commercial Data	Purchase history	Service Providers (specifically our payment processing partner, currently Stripe, Inc) Parties You Authorize, Access or Authenticate
   Professional or Employment-Related Data	Job title Job history	Service Providers Business Partners Parties You Authorize, Access or Authenticate
   Other Identifying Information that You Voluntarily Choose to Provide	Unique identifiers such as passwords or access codes to Business Partner platforms or services, if a Business Partner platform has already been set out for your organization Identifying information in emails or letters that you send to us	Service Providers Business Partners Parties You Authorize, Access or Authenticate
   Audio, electronic, visual, or similar information	Content of the messages, emails or other communications that you send to us	Service Providers Business Partners Parties You Authorize, Access or Authenticate
   Other	Survey information, including your personal data (and biometric data)	Service Providers Analytics Partners Advertising partners Business Partners Parties You Authorize, Access or Authenticate

If you ever communicate directly with us, we will maintain a record of those communications and responses.

Where we process personal data as required as part of our provision of the Services to our Customers (i.e. where we act as a data processor), it is primarily our Customers (the ‘data controllers’) who control what personal data we process and how we use it. Accordingly, you should contact the relevant Customer directly for more information, or otherwise review their or (where applicable) their organization’s privacy notices.

B. User Information

If you are a User of the Incode Omni Service, you will be able to voluntarily provide your personal data, including biometric information, primarily to verify your identity, authenticate your information, and prevent fraud when you use our Customers’ websites or mobile applications. We collect your information through the photographic function in the applicable hardware, in each case when you initiate the capturing of a photograph, and/or when and if you manually include it.

In most cases, we process your personal data, including your biometric information, on behalf of our Customers and as noted above in order to provide our identity verification solution. As mentioned above, this Privacy Notice does not apply to the personal data that we process as data processors on behalf of our Customers in the course of providing our Services (other than to the extent specified otherwise as per local legal requirements set out herein). However, in some instances, we may use your personal data, including your biometric information, for our own purposes (such as to improve our products and services) when you have provided your consent for us to do so (which you can withdraw at any time) or, where permitted under applicable law, on the basis of our legitimate interests.

This chart reflects the categories of Users’ personal data that we may process both on our Customers’ behalf (as a processor) as well as for our own purposes to develop and improve our Services (for which we will be a data controller) and the categories of third parties with whom we may share such data. You can find more information about how we use and share your personal data in the sections “Our Commercial or Business Purposes for Collecting Personal Data” and “How We Share Your Personal Data” below.

* Solely when we provide the Incode Omni Services to our Customers, we may (as required by the Customer) share your personal data (namely the information on your government issued ID) and your biometric information/data (a type of personal data resulting from specific technical processing were we face-match the picture in your selfie with the picture in your government issued ID) for the sole purpose of verifying your identity against the official source of such ID document, solely to obtain a YES/NO answer (i.e. you are or are not on the official database). As of the date of this Privacy Notice, we may share personal data with official sources in Mexico.

Where we process personal data as required as part of our provision of the Services to our Customers (i.e. where we act as a data processor), it is primarily our Customers (the ‘data controllers’) who control what personal data we process and how we use it. Accordingly, you should contact the relevant Customer directly for more information, or otherwise review their or (where applicable) their organization’s privacy notices.

2. Information Collected Automatically

Like most companies that offer online services, we collect the following information automatically (through cookies and other tracking technologies) when you use or interact with the Incode Omni Service as a Customer’s employee or a User or when you visit our Website.

The chart bellows list the categories of personal data we collect automatically and how we share it. For more information about our use of cookies and similar tracking technologies, please see the “Cookies and Similar Tracking technologies” section.

3. Information we Obtain from Third Party Sources

From time to time, we may receive personal data about you from third party sources but only when these third parties have confirmed to us that they either have your consent or are otherwise legally permitted or required to disclose this information to us. This typically includes Business Partners, advertising networks, analytics providers, credit reference agencies, lead generation providers or others. Where we act as data controllers, we use that information to maintain and improve the accuracy of the records we hold about you, improve our products and services and to send you personalized content. We will combine this personal data with personal information we already hold about you and use this combined information for the purposes set out above.

The chart below lists the categories of personal data we obtain from third-party sources and how we share it. You can find more detailed information about how we use and share your personal data in the sections “Our Commercial or Business Purposes for Collecting Personal Data” and “How We Share Your Personal Data” below.

The third party sources of personal data that we collect are:

• Public Records: From the local government or other relevant sources.
• Third Parties: This includes the following:

o Service Providers: We may use providers to analyze how you interact and engage with the Services, help us provide you with customer support, or to otherwise facilitate provision of the Services to you.

o Business Partners and other Third Parties: We may receive information about you from our Business Partners and other third parties if you provide your credentials to us or otherwise authorize access by the Services to a third-party site or service.

Where we process personal data as required as part of our provision of the Services to our Customers (i.e. where we act as a data processor), it is primarily our Customers (the ‘data controllers’) who control what personal data we process and how we use it. Accordingly, you should contact the relevant Customer directly for more information, or otherwise review their or (where applicable) their organization’s privacy notices.

Our Commercial or Business Purposes for Collecting Personal Data

Where we act as data controller, we may use personal data we obtain about you for the following purposes:

• Providing, Customizing and Improving the Services

o Creating and managing your account.

o Providing you with the products, services or information you request, including operating and administering Incode Omni.

o Providing support and assistance for the Services.

o Improving the Services, including Service improvement, testing, research, internal analytics and product development.

o Personalizing the Services, Website content and communications based on your preferences.

o Doing fraud protection, security and debugging.

o Verifying and authenticating your identity and user accounts (where relevant and applicable).

• Meeting Legal Requirements and Enforcing Legal Terms

o Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.

o Protecting the rights, property or safety of you, Incode or another party.

o Enforcing any agreements with you.

o Responding to claims that any posting or other content violates third-party rights.

o Resolving disputes.

• Corresponding with You

o Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Incode or the Services.

o Sending marketing or sales related emails and other communications to promote our Services according to your preferences or that display content that we think will interest you.

In general, we will use the personal data we collect only for the purposes described in this Privacy Notice or for purposes that we explain to you at the time we collect your personal data. However, we may also use your personal data for other purposes that are not incompatible with the purposes we have disclosed to you if and where this is permitted by applicable data protection laws or with your express consent, for example when you choose to use a service or participate in a program we offer with another entity.

We may create aggregated, de-identified or anonymized data from the personal data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Services and promote our business. We may also share de-identified information with public interest organizations, health care organizations and researchers. We will not share such data in a manner that could identify you and will prohibit these third parties from attempting to re-identify any such data

Where we process personal data as required as part of our provision of the Services to our Customers (where we act as a data processor), it is primarily our Customers (the ‘data controllers’) who control what personal data we process and how we use it. Accordingly, you should contact the relevant Customer directly for more information, or otherwise review their or (where applicable) their organization’s privacy notices.

How we share personal data

We disclose your personal data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may potentially constitute a “sale” of your personal data. For more information, please refer to the state-specific sections below. We never sell or rent your biometric information or the personal data we process about you on behalf of our Customers.

• Service Providers: These parties help us provide the Services or perform business functions on our behalf. These third parties will only process your information for purposes described in this Privacy Notice or that are notified to you when we collect your information. They include:

o Hosting, technology and communication providers.

o Security and fraud prevention consultants.

o Support and customer service vendors.

Please note that in connection with the Incode Omni service, we may disclose your personal data to third-party service providers such as identity verification and fraud detection agencies to help us verify your identity, gather background information about you and protect our Customers against fraud. We do so solely at the direction and on behalf of our Customers and we do not retain any information we receive from such agencies for our own purposes. Please contact the relevant Customer if you have any questions about the disclosure of your information.

• Analytics Partners: These parties provide analytics on web traffic or usage of the Services. They include:

o Companies that track how users found or were referred to the Services.

o Companies that track how users use and interact with the Services.

• Business Partners: These parties collaborate with us in offering various services. They include:

o Businesses that you have a relationship with.

o Companies that we partner with to offer joint offerings or opportunities.

• Parties You Authorize, Access or Authenticate: These include third parties you access through the Services and other parties authorized by you.
• Legal Obligations: We may share any personal data that we collect with third parties in conjunction with any of the activities set forth under “Meeting Legal Requirements and Enforcing Legal Terms” in the “Our Commercial or Business Purposes for Collecting Personal Data” section above.

• Business Transfers: Your personal data may be transferred to a third party (and their agents and advisers) if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part) provided that we inform the third party it must use your personal information only for the purposes disclosed in this Privacy Notice.
• Consent:We may share your personal data with any other person if we have obtained your consent to such disclosure.

Where we process personal data as required as part of our provision of the Services to our Customers (i.e. where we act as a data processor), it is primarily our Customers (the ‘data controllers’) who control what personal data we process and how we use it. Accordingly, you should contact the relevant Customer directly for more information, or otherwise review their or (where applicable) their organization’s privacy notices.

Cookies and other similar tracking technologies

Incode and its third-party partners use cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript (collectively, “Cookies”) on the Services to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data– usually text files – placed on your computer, tablet, phone or similar device when you use that device to access our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).

We partner with third parties to either display advertising on our Website or to manage our advertising on other sites. Our third-party partners may use technologies such as cookies to gather information about your activities on our Website and other sites in order to provide you advertising based upon your browsing activities and interests.

For further information about the types of cookies and similar tracking technologies other we use, why, and how you can control them, please see ourCookie Notice.

Please note that because of our use of Cookies, the Services do not support “Do Not Track” requests sent from a browser at this time. However, you can opt out from the use of tracking technologies as explained in our Cookie Notice.

Google Analytics. We use Google Analytics, a web analytics service provided by Google, Inc. (“Google“), to help analyze how people use our Services, compile reports and improve the quality and relevance of our Services. The information generated by Google Analytics is transmitted to and stored by Google and is subject to Google’sprivacy policies.To learn more about Google’s partner services and how to opt out of analytics tracking by Google, click here.

Data security

We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.

The following are examples of security measures we use to safeguard your Personal Data:

• Procedures for identification and classification of Personal Data, and implementation of appropriate security measures appropriate to the sensitivity of the information;
• Access control procedures designed to verify a business need before access to Personal Data is granted, and procedures for the periodic review of access permissions;
• Procedures for termination of access to Personal Data designed to limit access when there is no longer a business need for access;
• Personnel controls designed to reduce the risk of human error, theft, fraud or misuse of facilities; and

Physical and environmental procedures designed to prevent unauthorized

Data retention

We retain personal data about you for as long as necessary for the purpose(s) for which it has been collected and in accordance with applicable laws and regulations. For example, we will retain your personal data for as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain personal data for longer when we have an ongoing legitimate need to do so, (for example to comply with our legal, tax or accounting obligations, resolve disputes or collect fees owed), or where it is otherwise permitted or required by applicable law, rule or regulation. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

Personal data of children

We do not knowingly collect or solicit personal data about children under 18 years of age; if you are a child under the age of 18, please do not attempt to register for or otherwise use the Services or send us any personal data. If we learn we have collected personal data from a child under 18 years of age, we will delete that information as quickly as possible. If you believe that a child under 18 years of age may have provided personal data to us, please contact us atlegalcompliance@incode.com

Additional Information for Illinois residents

If you are an Illinois resident from whom we have collected biometric information, we may retain your biometric information only until the first of the following occurs, unless otherwise required by law or our contracts with Customers: (i) the initial purpose for collecting such biometric information has been satisfied; or (ii) 3 years after your last interaction with the Incode Omni Service, in accordance with Illinois law.

Additional information for California residents

If you are a California resident, the following information also applies to you and supplements the information contained in this Privacy Notice.

Information we collect and sources

In the past 12 months, we have collected the following information:

• Identifiers:such as your contact details (names, email, phone number, email address etc.), IP address, passport number, driver’s license number etc.
• Internet and other electronic network activity information:such as your browser type and language, device information, webpage interaction etc.
• Demographic information / protected classification characteristics:such as your age, gender and nationality
• Commercial information: such as records of services purchased
• Biometric information:such as your faceprints and fingerprints;
• Professional or employment-related information: such as your job title and job history
• Geolocation data: such your locale, zip code, and general geolocation information (based on your IP address or address provided).
• Audio, Video and other Electronic Data: such as audio, electronic, visual or similar information such as chat and any interaction that you may have with us (such as for customer service purposes).

Our Privacy Notice contains a more detailed description of the information we collect and the sources of information – see the above section “Categories of Personal Data We Collect”.

How we use and share information

• We collect and use personal information for the business and commercial purposes as described in the section “Our Commercial or Business Purposes for Collecting Personal Data” above.

• We share personal information as described in the section “How we share your personal data” above.

• We do not sell your personal information.

Your privacy rights

Under the CCPA, California residents have the following rights:

• Right to Know: You have the right to request that we disclose to you the personal information we have collected, used and disclosed over the past 12 months, and information about our data practices;
• Right to Request Deletion: You have the right to request that we delete your personal information that we have collected from you;
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

Right to Opt-Out of Sales: We do not sell your personal information.

• Right to be Notified of Financial Incentives: You have the right to be notified of any financial incentives offers and their material terms, the right to opt-out of such incentives at any time, and may not be included in such incentives without their prior informed opt-in consent. We do not offer any such incentives at this time.

California law also permits you to request certain information regarding the disclosure of your personal information by us and our related companies to third parties for the third parties’ direct marketing purposes. We do not disclose your personal information to third parties for their own direct marketing purposes.

Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not wish such operators to track certain of your online activities over time and across different websites. Our Services do not support Do Not Track requests at this time. To find out more about “Do Not Track,” you can visitwww.allaboutdnt.com

Exercising Your Rights

To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected personal information, and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “ Valid Request.” We may not respond to requests that do not meet these criteria. We will only use personal information provided in a Valid Request to verify your identity and complete your request. You do not need an account with Incode to submit a Valid Request.

We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

You may submit a Valid Request using the following methods:

• Call us at: +1 650 446 3444
• Email us at:legalcompliance@incode.com

You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.

Additional Information for Nevada residents

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at legalcompliance@incode.comwith the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.

Additional information for European residents

If you are a resident of the European Union (“EU”), United Kingdom, Lichtenstein, Norway or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”), the UK GDPR and other European privacy laws with respect to your personal data, as outlined below. If there are any conflicts between this this section and any other provision of this Privacy Notice, the policy or portion that is more protective of personal data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following applies to you, please contact us at legalcompliance@incode.com. Note that as explained at the top of this Privacy Notice, we may also process personal data of our customers’ employees or Users on behalf and at the direction of our Customers in connection with our provision of certain services to customers. In such case, we are the processor of such personal data.

Legal Basis for Processing Personal Data

We will only process your personal data if we have a legal basis for doing so. The legal basis on which we rely depend on the personal data concerned and the specific context in which we collect it. Generally, we rely on the following legal bases:

• Contractual Necessity:We process your personal data as a matter of “contractual necessity”, meaning that we need to process the data to perform a contract with you, such as to provide you with the Services through our Customers application and/or website. When we process data due to contractual necessity, failure to provide such personal data will result in your inability to use some or all portions of the Services that require such data.
• Legitimate Interest: We may also process your personal data when we believe it furthers the legitimate interest of us or third parties and such interest is not overridden by your data protection interests or fundamental rights and freedoms. Examples of these legitimate interests include:

o Providing, customizing and improving the Services.

o Corresponding with you.

o Promoting our Services

o Maintaining the security of our Services

o We may have other legitimate interests and if applicable, we will make clear to you at the relevant time what those legitimate interests are.

• Consent: In some cases, we process personal data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection.
• Legal Obligation: From time to time we may also need to process personal data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

European Data Subject Rights

You have certain rights with respect to your personal data, including those set forth below. For more information about these rights, or to submit a request, please email us at legalcompliance@incode.com. Please note that we will respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. In some cases, we may also need you to provide us with additional information, which may include personal data, if necessary to verify your identity and the nature of your request.

• Access: You can request more information about the personal data we hold about you and request a copy of such personal data.
• Rectification: If you believe that any personal data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data.
• Erasure: You can request that we erase some or all of your personal data from our systems.
• Withdrawal of Consent: If we are processing your personal data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, it will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
• Portability: You can ask for a copy of your personal data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
• Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.
• Restriction of Processing: You can ask us to restrict further processing of your personal data.
• Opt-out of marketing communications: You have the right to opt-out of marketing communications we send you at any time. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please email us atlegalcompliance@incode.comcontact us using the contact details provided under the “Contact Information” heading below.
• Right to File Complaint: You have the right to lodge a complaint about Incode’s practices with respect to your Personal Data with the supervisory authority of your country or EU Member State. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en

Additional information for Australian residents

If you reside in Australia or are using our services or interacting with Incode in Australia, the following applies to you. This section supplements, supersedes and extends the scope of this Privacy Notice generally. The remaining sections of this Privacy Notice, other than those sections which are expressly limited to foreign jurisdictions outside of Australia or are inconsistent with the specifics of this section, also apply to you and you should consider this Privacy Notice in full for full details of how we manage your personal information (“personal data”), including the kinds of personal data we collect, how we collect your personal data and the purposes for which your personal data is collected, held, used and disclosed.

Are we a Data Controller or Data Processor?

Some privacy regimes that we are subject to distinguish how we may collect, use and disclose your personal data depending on whether we are classified as a ‘data processor’ or ‘data controller’. Under these regimes, we act as a processor when providing identity verification services to our Customers. The ‘data processor’ and ‘data controller’ distinction is not relevant to you to the extent Australian privacy law applies and we have obligations to you with respect the personal information we hold about you, even when acting as a ‘data processor’. The ‘data processor’ section below explains how we collect and process personal data as data processors on behalf of our Customers in the course of providing our Services. However, these practices are dependent on, and connected with, the data collection and use practices of our Customers.

Information we collect as a Data Processor

In certain instances where you use the Incode Omni Service, we are acting as a data processor on behalf of our Customers for the purposes of certain applicable privacy laws. In these circumstances, there is no difference in the manner of how we collect your personal data, the type of personal data collected or the third parties to whom we may disclose personal data collected to. Accordingly, the information in the table at Section B of the “Information You Provide Voluntarily” section above, applies equally to data that we collect as data processors. You should refer to that section for information regarding what personal data we collect and how we collect and disclose personal data when acting as data processors on behalf of our Customers.

The purpose for which we collect your personal data when using the Incode Omni Service remains to verify your identity, authenticate your information and prevent fraud when you use our Customers’ websites or mobile applications. When we act as data processors, exactly how and to what extent the Incode Omni Service is applied or operated may be subject to our Customer’s instructions or control. When acting as a data processor, the personal data that you input into the Incode Omni Service may also be collected by, or held at the direction of, our Customers. Our Customers will use and disclose such personal data in accordance with their own privacy practices and obligations and in accordance with applicable law. We invite you to contact or refer to the relevant Customer if you need any further information regarding the privacy practices of our Customers.

While your use of the Incode Omni Service is always voluntary and subject to your consent, we note that our Customers may be required by law to verify your identity to certain prescribed standards prior to offering services to you. For further information regarding your personal data in those cases beyond the details herein included regarding Incode’s activity, we invite you to contact the relevant company or organization if you have any questions about their privacy practices. In all other cases, we act as a data controller of your personal data for the purposes of applicable privacy law.

Your rights under Australian privacy law

You are entitled to access the personal data we hold about you and may request that we correct any errors in the information we hold. If you would like to access or correct your personal data held by us, please contact us at:

• legalcompliance@incode.com
• Australia Square
• Level 33, 264 George Street
• Sydney, NSW 2000.

We will take reasonable steps to allow you to access your personal data unless reasonable circumstances exist that would prohibit us from doing so.

We will correct your personal data where we are satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading. If we correct any personal data that we have disclosed to third parties we will take reasonable steps to notify those parties of the change or update. You accept that, following a request to correct your information, we may be required to take reasonable steps to verify your identity or the personal data, which may include confirmation with third parties.

If you are concerned that we may have breached the Australian Privacy Principles, please contact us immediately at the contact details set out above. We will undertake a reasonable and expeditious assessment of the concern and suggest relevant resolution processes. This process will be completed as soon as practicable and in any event within 30 days. If you are unsatisfied with our response to, or resolution of, your complaint you may choose to contact the Office of the Australian Information Commissioner at their websitewww.oaic.gov.au.

Direct marketing in Australia

Where we use your personal data to send you marketing and promotional information you will be provided with the opportunity to opt-out of receiving such information. Unless you exercise your right to opt-out of such communication, you will be taken to have consented to receive similar information and communications in the future.

Transfers of Personal Data

Incode is a US company and our and our service providers are located in the US and other countries. This means that your personal information may be transferred to, and processed in, countries other than the country in which you are located. Primarily, these disclosures will be made to our group (further information on the Incode Group here) and service providers located within the United States, however some service providers are located elsewhere, including Europe when providing services in the European Union. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). However, we take appropriate safeguards to ensure that your information remains protected in accordance with this Privacy Notice and applicable data protection laws. If you are located in the European Economic Area, United Kingdom or Switzerland these safeguards include transferring your information to a country that the European Commission or UK authorities (as applicable) have determined provides an adequate level of protection for personal information, or by implementing standard contractual clauses with our customers, third party service providers and partners. If you wish to obtain a copy of the Standard Contractual Clauses please visit the EU websitehereor contact us by sending an email tolegalcompliance@incode.com.

Changes to this Privacy Policy

We’re constantly trying to improve our Services, so we may need to change this Privacy Notice from time to time. When we update our Privacy Notice, we will take appropriate measures to alert you consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

Contact Information

If you have any questions or comments about this Privacy Notice, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

• Tel: +1 650 446 3444
• Email: legalcompliance@incode.com
• Mail: Incode Technologies, Inc., 221 Main Street, Suite 520, San Francisco, CA 94105

If you are a resident in the European Economic Area (“EEA”), UK or Switzerland, the controller of your personal information (excluding the processing performed on behalf of our Customers) is Incode Technologies, Inc.